Introduction

Advances in the IoT relate to a system of physical entities, tools, automobiles, and other components equipped with electronic hardware, circuits, sensors, software, and internet connectivity that enable these elements to gather and share information1. The IoT permits these items to be monitored and managed remotely through available network setups, generating possibilities for tighter connection of the physical environment with digital platforms, ultimately leading to enhanced performance and precision2. The IoT stands as a ground-breaking advancement that signals the future of digital technology and communication, and its progress relies on evolving technical breakthroughs in numerous key areas, including wireless detection systems and nanoscale technologies. The IoT concept offers an infinite amount of availability, accessibility, scalability, integrity, confidentiality, and other benefits related to connected devices3. Nevertheless, IoT devices are vulnerable to cyber threats due to a combination of numerous potential vulnerabilities and their relative novelty, resulting in the absence of established security norms and protocols. A broad spectrum of cyber threats is employed against IoT systems, based on the specific component being targeted and the attacker’s objectives4.

However, the deployment of IoT systems has also introduced several significant cybersecurity challenges, where loopholes and unauthorized access to information and critical infrastructure have become major concerns5. The IoT represents a global web of smart devices connected to the internet without human intervention, which is beneficial yet prone to cyberattacks, like any conventional system. Studies focus on integrating machine learning (ML)- driven solutions with IoT. An IDS is a reliable method for identifying cyberattacks within any system6. Many modern IDS frameworks employ ML models to detect cyber threats in the system. This IDS alerts the network administrator about any doubtful behaviour occurring within the network and therefore serves as an information security mechanism that blocks harmful intrusions7. An intrusion occurs when an individual gains unauthorized entry to, or manipulates data assets with malicious intent. A tangible entity aiming to extract information unlawfully, cause harm to others, or perform malicious tasks is referred to as a cybercriminal or an intruder8. Figure 1 denotes the general architecture of IDSs in IoT.

Fig. 1
figure 1

General structure of intrusion detection in IoT.

Full size image

Cybersecurity threats have expanded rapidly in several fields, including healthcare, smart homes, agriculture, energy, industrial processes, and automation. Due to its extensive range of services, IoT sensors generate vast volumes of data, which necessitate privacy, security, and authentication9. Previously, classical techniques were used to ensure IoT security. The employment of more artificial intelligence (AI) techniques for identifying cybersecurity threats has become increasingly popular over time. Consequently, there is a substantial body of investigation concentrated on IoT cybersecurity10. This encompasses AI strategies for safeguarding IoT systems against threats, typically by detecting abnormal activities that could indicate an ongoing attack. As interconnected devices are widely utilized in various sectors, they have created a demand for smarter environments and automated processes. However, this growth is accompanied by increasingly advanced security threats, which may compromise data integrity and user privacy. Efficient threat detection methods that can operate in real-time and on resource-constrained devices are urgently required. Improving security while maintaining system performance is significant to unlocking the full potential of connected technologies. This drives the development of innovative, optimized models that balance accuracy, interpretability, and privacy protection in intrinsic network environments.

This study proposes an Optimised Multi-Head Self-Attention Model for an Intelligent Intrusion Detection Framework Using Plant Rhizome Growth Optimisation (OMHSA-IDPRGO) method to advance IoT security. The primary focus is on developing an automated cyberattack detection system for an IoT environment by employing advanced techniques. Initially, the mean normalization process is used to measure input data into a structured format. Furthermore, the Crayfish Optimisation Algorithm (COA) is used for optimal feature subset selection, identifying the most relevant features from the dataset. For the cybersecurity detection process, the OMHSA-IDPRGO method employs a hybrid model that encompasses a convolutional neural network and a bidirectional gated recurrent unit with a multi-head self-attention mechanism (CNN-BiGRU-MHSAM) technique. Finally, the hyperparameter selection is performed using the plant rhizome growth optimization (PRGO) approach to enhance classification performance. The experimentation of the OMHSA-IDPRGO model is examined under Edge-IIoT and ToN-IoT datasets. The key contribution of the OMHSA-IDPRGO model is listed below.

  • The OMHSA-IDPRGO method applies mean normalization during pre-processing to convert raw input data into a uniformly scaled format, thereby improving consistency across features. This enhances training stability and learning efficiency. It also assists in better convergence during model optimization.

  • The OMHSA-IDPRGO approach utilizes the COA technique to identify the most relevant features, effectively mitigating dimensionality while preserving crucial data. This selection improves detection accuracy and mitigates computational complexity. As a result, the model becomes more efficient and reliable in processing IoT data.

  • The OMHSA-IDPRGO methodology employs a hybrid CNN-BiGRU architecture integrated with the MHSAM model for capturing intrinsic temporal and spatial patterns in IoT network data. This enhances the model’s ability to detect a wide range of cyber threats accurately. It significantly improves intrusion detection performance in dynamic environments.

  • The OMHSA-IDPRGO technique implements the PRGO model to fine-tune hyperparameters, improving learning efficiency and predictive accuracy automatically. This optimization reduces manual tuning efforts and accelerates convergence. Consequently, it enhances overall model performance in complex IoT scenarios.

  • The integration of COA-based FS with the CNN-BiGRU-MHSAM model, optimized through PRGO, presents a novel and efficient solution for intelligent threat detection. This incorporation uniquely balances dimensionality reduction, deep temporal-spatial feature extraction, and automated hyperparameter tuning. It significantly improves detection accuracy and computational efficiency in complex IoT environments, setting it apart from existing methods.

Related works

Alzahrani11 proposed a gorilla troops optimizer and DL-assisted BAD (GTODL-BADC) method. This method utilizes feature selection (FS) in conjunction with fine-tuned DL-aided classification to achieve security within the IoT landscape. The min–max data normalization technique was employed for data pre-processing, and the GTO framework for FS selects the optimal feature subclasses. Furthermore, the multi-head attention-driven LSTM model is used for BAD. Sekhar et al.12 provided an effective model for identifying and classifying cyber intrusions. The authors employed a new model with honeybees mating optimization (HBMO) and stochastic gradient boosted distributed decision trees (SGB-DDT) techniques. To advance the recognition precision, an SGD-DDT is a learning approach that is effective and scalable. Alotaibi13 suggested an innovative structure, which integrates DL, blockchain (BL), and software-defined networking (SDN) technologies for improving IoT cybersecurity. This study aims to identify a potential method for forming a cybersecurity system for IoT-enabled smart settings to safeguard data privacy, identify appropriate threats, and secure financial transactions. The suggested method is an amalgamation of numerous state-of-the-art techniques. The SDN control plane incorporates the SE-driven Bi-LSTM approach for traffic management. In14, a smart IDS model is presented for identifying cyber threats in the IoAT. The presented model utilizes the downsized kernel partial least squares (DKPLS) and reduced kernel approach for extracting and reducing data features to improve the recognition efficiency. This DRKPLS technique was employed to reduce the dimensions of the kernel matrix produced by the kernel partial least squares (KPLS) model by selecting relevant features. In15, the Ant Colony-Optimised Artificial Neural-Adaptive Tensorflow (ACO-ANT) approach was recommended for identifying suspicious software. To highlight the importance of tokens in source duplicate data, the noise data underwent processing by weighted attribute and tokenization approaches. DL methods are later deployed for detecting source code duplication. Aljebreen et al.16 developed a new DDoS attack detection method using the snake optimizer and ensemble learning (DDAD-SOEL) technique in the IoT landscape. The motivation behind this method lies in the effective and automatic detection of DDoS attacks. To fulfil this, the created method leverages the SO procedure for selecting a feature subset.

Kumar et al.17 combined SDN, digital twin (DT) BC, and DL techniques in the SG network structure. Specifically, a secure communication network was initially established using an authentication model based on BC technology, which mitigates some identified security threats. Then, a different DL design, which contains a softmax classifier, Bi-GRU, and a self-attention mechanism, is proposed to enhance the threat recognition step in SG networks. In18, an advanced cybersecurity framework assisted in trucking the heuristic process was introduced with three methodologies: improved virtual honeypot (IVHD), IDS, and hidden Markov models (HMM) for segmenting devices into four diverse stages based on their planned task, and observing communication traffic to identify suspicious edge devices. Saheed, Misra, and Chockalingam19 proposed a model by using an autoencoder with a deep convolutional neural network (DCNN) and long short-term memory (LSTM) for feature reduction and anomaly detection in Industrial Control Systems (ICS), enabling accurate, low-cost, and real-time cyber-attack detection. Thayalan et al.20 presented a collaborative federated learning framework with edge-cloud architecture using the two-stage attention integrated graph-based multi-source spatio-temporal data fusion (2S-AGMSTDF) network, including Attention-based LSTM, attention-based knowledge graph convolutional network (AKGCN), and graph convolutional network-residual network-based transformer (GCN-ResNet Transformer or GRCMT) method to enhance accurate, scalable, and privacy-preserving predictive security in IoT consumer applications. Saheed, Abdulganiyu, and Ait Tchakoucht21 presented a framework that integrates a modified genetic algorithm (MGA) model for feature selection with a deep LSTM network, optimized via a genetic algorithm (GA) for hyperparameter tuning, to efficiently detect cyberattacks in IoT networks within an edge computing environment. Kumar, Jolfaei, and Islam22 proposed a DL-based threat hunting framework (DLTHF) technique by using an LSTM contractive sparse autoencoder (LSTM-CSAE) model for feature extraction and a multi-head self-attention bidirectional recurrent neural network (MhSaBiGRNN) methodology for accurate cyber threat detection in Software Defined-IoT (SD-IoT) networks. Paul et al.23 presented a model to enhance cybersecurity in deep web environments, utilizing a novel framework that integrates federated learning (FL), graph-based analysis, and a hybrid web crawler with an ontology-based scoring system to detect threats and safeguard sensitive data across cloud, fog, and edge systems.

Kathole et al.24 developed a secure attack detection framework for Vehicular Ad-Hoc Networks (VANETs) using a modernized random parameter-based green anaconda optimization (MRP-GAO) model for feature selection and an ensemble ML model (EMLM) integrating multi-layer perceptron (MLP), support vector machine (SVM), AdaBoost, and Bayesian network for effective intrusion detection and classification. Amer, Al-Rimy, and El-Sappagh25 proposed the Modbus-NFA Behaviour Distinguisher (MNBD) model, which applies a non-deterministic finite automaton (NFA) framework to analyze Modbus frame sequences and identify abnormal device behaviour with high accuracy and generalization. Sardar et al.26 introduced a model by using a graph neural network (GNN) model trained on various datasets and evaluated via NS2 simulations. Kathole et al.27 presented an ensemble DL model (EDLM) technique that integrates multiple DL models to improve detection accuracy, reduce false alarms, and strengthen network security by averaging prediction scores for robust anomaly detection. Saheed and Chukwuere28 developed a robust cyber-attack detection system for cyber-physical industrial IoT (CPS-IIoT) that utilizes the Pearson correlation coefficient and agglomerative clustering for privacy preservation, as well as a bidirectional LSTM with scaled dot-product attention (BiLSTM-SDPA) method for accurate threat detection. Kathole et al.29 developed a secure federated cloud storage system for Internet of Medical Things (IoMT) using a hybrid Mexican axolotl with energy valley optimizer (HMO-EVO)-based attribute-based encryption (ABE) for secure data encryption and multi-scale bi-long short-term memory and gated recurrent unit (MBiLSTM-GRU) technique with FL for accurate disease prediction. Saheed, Omole, and Sabit30 developed a model using a genetic algorithm with an attention mechanism and a modified adaptive moment estimation optimized LSTM (GA-mADAM-IIoT) methodology, incorporating explainability via Shapley Additive Explanations (SHAP). Saheed and Chukwuere31 developed an explainable AI (XAI) ensemble transfer learning (TL) model using SHAP and a hybrid bidirectional long short-term memory with autoencoders (BiLAE) technique for zero-day botnet attack detection, optimized by barnacle mating optimizer (BMO). Saheed and Misra32 presented an explainable and privacy-preserving deep neural network (DNN) framework with SHAP for accurate and interpretable anomaly detection in Cyber-Physical Systems enabled IoT (CPS-IoT) networks. Ullah et al.33 developed SecNet-FLIDS, a Blockchain-based FL model with a TOP-K Node selection scheme and context-aware transformer networks, incorporated with synthetic minority over-sampling technique (SMOTE) and edited nearest neighbours (ENN) for imbalanced data handling, to enable accurate, privacy-preserving, and scalable cyberattack detection in the Internet of Vehicles (IoV).

Despite various advanced methods, such as GTO, HBMO, Bi-LSTM, and FL, being applied across IoT, CPS-IIoT, IoV, and SDN environments, several limitations still exist. Various models rely on large, labelled datasets, which are often scarce or imbalanced, thereby affecting detection accuracy and generalizability. Trust among users and security experts is reduced as few models suffer from interpretability issues. Furthermore, various solutions lack scalability or are computationally intensive, which restricts their real-time deployment on resource-constrained edge devices. The integration of multiple technologies, such as BC, DL, and optimization algorithms, remains complex, resulting in increased system overhead. The research gap in addressing these challenges lies in developing lightweight, explainable, and privacy-preserving IDS that efficiently handle imbalanced data, optimize feature selection, and adapt to heterogeneous IoT and CPS environments with minimal human intervention.

Methodology

This study designs and develops an OMHSA-IDPRGO model to advance IoT security. The primary focus of this novel is to enhance automatic cyberattack detection in IoT environments by employing advanced techniques. To achieve this, the OMHSA-IDPRGO technique contains numerous stages, namely data pre-processing, FS, classification model, and parameter tuning process. Figure 2 signifies the overall working flow process of the OMHSA-IDPRGO technique.

Fig. 2
figure 2

Working procedure of the OMHSA-IDPRGO model.

Full size image

Mean normalization

To achieve this, the proposed method initially executes a mean normalization method to transform the input data into a structured format34. This normalization is chosen due to its effective capability in scaling features to have a mean of zero, which assists in stabilizing and speeding up the training process of ML models. This method mitigates the impact of outliers by centring the data around zero without strictly bounding it within a fixed range. This enhances gradient descent convergence, especially in DL methods, by preventing features with large magnitudes from dominating the learning process. Additionally, mean normalization maintains the relative distribution of data, which is significant when dealing with complex IoT datasets. Overall, it presents a balanced approach that enhances model stability and accuracy compared to simpler scaling techniques.

This method signifies a frequently implemented data normalization model in data analysis and ML domains. It comprises scaling the data so that the mean (average) of the feature becomes 0. This procedure focuses on the data around the mean, effectually extracting some bias in the value of features. A feature \(x\)’ is specified:

$$x^{\prime} = \frac{x - mean\left( x \right)}{{\max \left( x \right) - \min \left( x \right) }}$$
(1)

Now, \(\text{min}\left(x\right)\) and \(\text{max}\left(x\right)\) signify the minimal and maximal values of \(x\), and \(mean(x)\) depicts the mean of feature \(x\).

FS using COA model

Next, the COA approach is employed for the optimal selection of feature subsets35. This model is chosen for its robust global search capability and effective balancing. This technique also avoids local optima, ensuring the selection of the most relevant and informative features. Its bio-inspired nature allows it to adapt dynamically to complex, high-dimensional IoT datasets, enhancing feature relevance and mitigating redundancy. Furthermore, COA requires relatively low computational resources, making it appropriate for real-time applications. Overall, COA improves detection accuracy and model efficiency better than many conventional FS models. The mathematical model for the optimization issue is developed by considering the natural behaviours of crayfish at diverse phases. COA is a metaheuristic swarm intelligence model. The significant stages of COA are given.

Initialize population

During this initial stage of the model, the crayfish population is described as a matrix \(X\), where \({X}_{i}\) \(({X}_{i}=\left\{{X}_{i,1}, {X}_{i,2},\dots ,{X}_{i,dim}\right\},\) with \(dim\) depicting the dimension) indicates the location of \({the l}^{th}\) crayfish. Every \({X}_{i}\) is constrained within a predefined boundary and represented as a \(1\times dim\) vector, equivalent to a possible solution. The function \(f\left(\cdot \right)\) is presented to assess \({X}_{i}\), offering its fitness value. According to the size of population \(N\) and dimension \(dim\), the COA initializes the procedure by arbitrarily generating a set of candidate solutions \(X\). The location of individual \(i\) in dimension \({X}_{\text{i},\text{j}}\cdot\) is specified:

$$X_{i,j} = lb_{j} + \left( {ub_{j} - lb_{j} } \right) \times rand$$
(2)

Here, \(u{b}_{j}\) and \(l{b}_{j}\) refer to the upper and lower bounds, respectively, while \(rand\) indicates an arbitrary value.

Define temperature

Temperature variations influence the behaviour of crayfish, prompting them to enter various phases. The temperature is specified:

$$temp = rand \times 15 + 20$$
(3)

While the ambient temperature ranges from 15 to 30 °C, particularly at 25 °C, crayfish display searching behaviour. The feeding amount is assessed by employing the expression specified in Eq. (4).

$$p = C_{1} \times \left[ {\frac{1}{{\sqrt {2\pi } \times \sigma }} \times {\text{exp}}\left( { - \frac{{(temp - \mu )^{2} }}{{2\sigma^{2} }}} \right)} \right]$$
(4)

Here, \(\mu\) depicts the optimum feeding temperature. The crayfish’s food intake is influenced by the parameters \({C}_{1}\) and \(\sigma\), and set to 3 and 0.2, respectively.

Summer resort and competition stage

The temperature \(temp\) is greater than 30 during these dual stages, and the cave \({X}_{shade}\) is deliberated as:

$$X_{shade} = \left( {X_{G} + X_{L} } \right)/2$$
(5)

Now, \({X}_{L}\) and \({X}_{G}\) refer to the optimal locations attained through iterative calculations for individuals and populations.

While \(rand<0.5\), no other individuals participate in the competition, and the crayfish immediately enters the cave, upgrading its location.

$$X_{i,j}^{t + 1} = X_{{{\text{i}},j}}^{t} + C_{2} \times rand \times \left( {X_{shade} - X_{i,j}^{t} } \right)$$
(6)

Now \(t\) and \(t+1\) indicate the next and existing iteration stages. \({C}_{2}\) is specified:

$$C_{2} = 2 - \left( \frac{t}{T} \right)$$
(7)

Here, \(T\) specifies the upper limit of iterations. While rand \(\ge 0.5\), other individuals are also interested in the cave, inducing competition, and their locations are upgraded accordingly.

$$X_{i,j}^{t + 1} = X_{i,j}^{t} - X_{z,j}^{t} + X_{shade}$$
(8)

Now, \(z\) refers to an arbitrarily selected individual from the population.

$$z = round\left[ {rand \times \left( {N - 1} \right)} \right] + 1$$
(9)

Foraging stage

During this phase, the temperature does not exceed 30 °C, and the crayfish will evaluate the dimensions of the food after positioning it and select diverse feeding approaches. The position of food \({X}_{food}\) is specified:

$$X_{food} = X_{G}$$
(10)

The size of food \(Q\) is given:

$$Q = C_{3} \times rand \times \left( {fitness_{i} /fitness_{food} } \right)$$
(11)

Here, \(fitness_{i}\) and \(fitness_{food}\) represent the fitness values of the crayfish and the food, respectively. \(C_{3}\) represents the food factor, set to a value of 3, correspondingly. The crayfish will assess the size of the food based on its type. While \(Q > \left( {C_{3} + 1} \right)/2\), it specifies that the food is huge, inducing the crayfish to tear it apart, utilizing its primary claw foot.

$$X_{food} = {\text{exp}}\left( { - \frac{1}{Q}} \right) \times X_{food}$$
(12)

Once the food is torn apart and turns small, the preceding dual paws will alternatively pinch the food to consume it. This alternative approach is designed by integrating \(sine\) and \(cosine\) functions. Additionally, food diversity is achieved by simulating the feeding behaviour of the animals.

$$X_{i,j}^{t + 1} = X_{i,j}^{t} + Xfood \times p \times \left[ {{\text{cos}}\left( {2 \times \pi \times rand} \right) - {\text{sin}}\left( {2 \times e \times rand} \right)} \right]$$
(13)

While \(Q \le \left( {C_{3} + 1} \right)/2\), the crayfish might instantly move towards the nutrition and upgrade its location:

$$X_{i,j}^{t + 1} = \left( {X_{i,j}^{t} - X_{food} } \right) \times p + p \times rand \times X_{i,j}^{t}$$
(14)

Due to its simplicity, fast convergence speed, and higher computational efficiency, the COA is used to address the SRB optimizer concern.

The fitness function (FF) determines the classifier’s precision and the various features chosen. It increases the classifier’s precision and decreases the size of the desired feature set. Thus, the subsequent FF is used to evaluate different solutions presented in Eq. (15).

$$Fitness = \alpha * ErrorRate + \left( {1 - \alpha } \right)*\frac{\# SF}{{\# All\_F}}$$
(15)

Here, \(ErrorRate\) signifies the rate of classification errors using the chosen features. \(ErrorRate\) is computed as the percentage of improperly classified instances to the total number of classifications made, expressed as a value between 0 and 1. \(\#SF\) is the number of chosen aspects, and \(\#All\_F\) is the total number of attributes in the original dataset. \(\alpha\) is utilized to control the significance of subset length and classifier quality.

Hybrid classification model

For the cybersecurity detection process, the hybrid model, named CNN-BiGRU-MHSAM, is used36. This technique is chosen for its ability to capture both spatial and temporal patterns in complex IoT network data. CNN layers outperform in extracting local features, while BiGRU handles long-term dependencies in sequential data. The addition of the MHSAM improves the capability of the technique in concentrating on the most relevant parts of the input, enhancing detection accuracy. Compared to standalone models, this hybrid approach mitigates overfitting and increases robustness against diverse cyber threats. It also presents better interpretability and scalability, making it superior to conventional ML and simpler DL methods. Figure 3 represents the structure of the CNN-BiGRU-MHSAM technique.

Fig. 3
figure 3

Structure of the CNN-BiGRU-MHSAM technique.

Full size image

CNN reduces the parameter counts and sizes of the data by removing spatial features from the input data through methods such as pooling, weight sharing, and local connections. These processes improve the analytical capabilities and computational efficiency of the CNN. The network includes pooling, input, output, convolutional, and fully connected (FC) layers. As a fundamental module of CNNs, the convolutional process focuses on capturing spatial relationships and various patterns. This framework combines dual convolutional components—the first layer uses 16 \(3{\text{x}}3\) kernel filters, whereas the subsequent layer uses 32 \(3{\text{x}}5\). dimensional matrices to analyze the combined input resources. The pooling layer decreases the input data dimensionality, improving CNN calculation speed and alleviating overfitting. Normal pooling techniques include stochastic pooling, max pooling, and mean pooling. The FC layer connects every neuron to each neuron in the previous layer.

The GRU method effectively transfers its capability to process time-series data, successfully addressing problems such as exploding and vanishing gradients. In comparison with LSTM, the GRU requires fewer parameters, provides faster training, and reduces overfitting, making it particularly effective for time-series prediction. This method is primarily composed of two segments: the gate of reset \(r_{t}\) and the gate of update \(z_{t}\). The data processing process executed by the GRU model is as demonstrated:

  1. (i)

    The update gate \(z_{t}\) controls the extent to which the data from the preceding instant is preserved at present moments. The greater the update gate’s output value \(z_{t}\), the additional data from the prior instant is preserved. The evaluation equation of the update gate \(z_{t}\). is as stated in Eq. (16).

    $$z_{t} = \sigma \left( {w_{z} \cdot \left[ {h_{{t - 1^{\prime}}} x_{t} } \right] + b_{z} } \right){ }$$
    (16)

    Here, \(\sigma \left( \cdot \right)\) refers to the sigmoid function, \(w_{z}\) denotes the update gate weight, \(h_{t - 1}\) signifies the hidden layer (HL) of the preceding moment, \(x_{t}\) stands for the present moment input, and \(b_{z}\). Means the bias value.

  2. (ii)

    The reset gat \(r_{t}\). Controls the extent to which the data from the preceding moment is maintained on the present moment candidate HL \(\tilde{h}_{t}\). The greater the reset gate’s output value, s \(r_{t}\). The more additional data from the prior instant is kept in the candidate HL, \(\tilde{h}_{t}\). The prediction formula for the reset gate, \(r_{t}\), is represented in Eq. (17).

    $$r_{t} = \sigma \left( {w_{r} \cdot \left[ {h_{{t - 1^{\prime}}} x_{t} } \right] + b_{r} } \right)$$
    (17)

    N, \(w_{r}\). denot reset gate weight, and \(b_{r}\) signifies bias value.

  3. (iii)

    The upgrade of the ndidate HL information \(\tilde{h}_{t}\) is as stated in Eq. (18).

    $$\tilde{h}_{t} = tanh\left( {w_{h} \cdot \left[ {r_{t} \odot h_{t - 1} , x_{t} } \right] + b_{h} } \right)$$
    (18)

    Whereas, \(tanh\left( \cdot \right)\) symbolizes activation function, \(w_{h}\) characteristics ndidate HL weight, and \(b_{h}\) denotes bias value of the candidate HL.

  4. (iv)

    Compute the present moment HL \(h_{t}\) according to \(\tilde{h}_{t}\) and \(h_{t - 1}\):

    $$h_{t} = \left( {1 - z_{t} } \right) \odot h_{t - 1} + z_{t} \odot \tilde{h}_{t}$$
    (19)

This model successfully takes the forward characteristics. Nevertheless, time series data are also affected by previous data, not only upcoming values. To address either forward or backwards dependencies, the BiGRU model is presented. This method combines either forward or backwards GRU elements to well-examine the relationships in time-series data. This model comprises a forward GRU, an input, an output and a reverse GRU. The forward and reverse GRUs extract data from the relevant reverse and forward sequences of the input data.

$$\vec{h} = f\left( {x_{{t^{\prime}}} \vec{h}_{t - 1} } \right)$$
(20)
$$\mathop{h}\limits^{\leftarrow} _{t} = f\left( {x_{{t^{\prime}}} \mathop{h}\limits^{\leftarrow} _{t - 1} } \right)$$
(21)
$$Q_{t} = \vec{w}\vec{h} + \mathop{w}\limits^{\leftarrow} \mathop{h}\limits^{\leftarrow} _{t} + b_{t}$$
(22)

Here, \(\vec{w}\) and \(\mathop{w}\limits^{\leftarrow}\). represent output weights of the forward and backwards GRU HLs, individually, and \(b_{t}\) denotes the bias value of the Bi-GRU method.

The MHSA model creates numerous data sequences by using dissimilar linear projections. Every prediction, or “head”, captures different data features. These sequences are then concatenated and passed through additional linear projections to form the final sequence. For the input sequence of data \(X = \left[ {x_{1} , x_{2} , x_{3} , \cdots , x_{m} } \right]\), multiply the put sequence of data by the matrices of linear transformation \(W_{j}^{Q} ,\) \(W_{j}^{K}\), and \(W_{j}^{V}\), correspondingly, to get the vectors \(Q_{j} ,\) \(K_{j}\), and \(V_{j} ,\) \(j \in \left( {1,2,3, \cdots , N} \right)\), and \(N\) characterizes head counts. The particular computation procedure is presented in Eqs. (2325).

$$Q_{j} = W_{j}^{Q} \cdot X$$
(23)
$$K_{j} = W_{j}^{K} \cdot X$$
(24)
$$V_{j} = W_{j}^{V} \cdot X$$
(25)

Formerly, the attention computation equation of the \(jth\) head is presented in Eq. (26).

$$head_{i} = Attention\left( {Q_{i} , K_{i} , V_{i} } \right) = softmax\left( {\frac{{Q_{i} \cdot K_{i}^{T} }}{\sqrt N }} \right) \cdot V_{i}$$
(26)

The output is measured by Eq. (27).

$$Y = Concat\left( {head_{1} ,head_{2} ,head_{3} , \cdots , head_{N} } \right) \cdot W^{o}$$
(27)

Now, \(W^{o}\) refers to the output weighted matrix. Table 1 describes the key parameters utilized in the CNN-BiGRU-MHSAM model.

Table 1 Key hyperparameters used in the proposed attention-based DL model for intelligent threat detection in IoT networks.
Full size table

PRGO-based parameter tuning model

Finally, the hyperparameter range is implemented by the PRGO approach37. This model is chosen for its effective global search capability, motivated by the natural rhizome growth patterns. This model helps avoid local minima and find optimal hyperparameter values, thereby efficiently balancing the exploration and exploitation phases. Compared to conventional tuning methods, such as grid or random search, PRGO requires fewer iterations and computational resources while achieving better convergence. Its adaptability to complex, high-dimensional search spaces make it ideal for optimizing DL techniques in IoT environments. Overall, PRGO enhances model accuracy and training speed, outperforming many conventional optimization techniques.

In this paper, a method is required to model plant rhizome growth and explain the fundamental meaning of five terms: soil space, adventitious, fibrous, lateral, and primary roots, in the context of root system development. Indeterminate and fibre roots serve as searching agents within the solution area and represent primary elements to discover the solution area. Lateral roots stimulate development by combining food absorbed by earlier fibre roots with nutrients taken up by the fibre roots. The primary root stimulates development by combining nutrition formerly absorbed by lateral and fibre roots with food intake by now evolving fibre roots.

Numerical growth method for taproot plants

Assume that taproot plants arbitrarily have \(N\) fibrous roots, signified by \(\left( {\left\{ {X_{1} ,X_{2} \ldots ,X_{N} } \right\}} \right)\). Fibrous roots additionally absorb nutrients from the soil, apart from exploring the nutrition‐rich parts of the soil individually; therefore, all fibrous root is considered as an experimental solution to the optimization issue, and the consistent soil region is observed as the solution area of the targeted problem.

  1. 1.

    The numerical representation of fibrous root growth.

$$Seed_{1} = X_{i}^{t} + \alpha_{1} \left( {X_{best} - X_{r1}^{t} } \right)$$
(28)

whereas \(Seed_{1}\) denote \(ith\) fiber root at the \(tth\) growth time, \(X_{best}\) signifies the optimal fiber root \(,r_{1}\) refers to randomly generated numbers amongst \(\left( {1, N} \right)\), \(X_{r1}^{t}\) signifies the fiber root ars, \(\alpha_{1} \in 2 \times rand\left( {0,1} \right) - 0.5\) denote randomly generated number applied to produce \(\left( { - 0.5,1.5} \right)\) intervals, if \(\alpha_{1} \in \left( {0,1.5} \right)\), it means that the arbitrarily chosen fiber root \(X_{r1}^{t}\) advance to the historic finest fiber root \(X_{best}\), and if \(\alpha_{1} \in \left( { - 0.5,0} \right)\), then \(X_{best}\) develops to \(X_{r1}^{t}\). The model of this searching mechanism, in addition, guarantees that the historic finest fibre root \(X_{best}\) plays an integral part in directing each fibre root to mature in the best way. It is additionally guaranteed that a few arbitrary fibre roots \(X_{r1}^{t}\) direct the remaining fibre roots to carry out arbitrary searching that may prevent the search from dropping into a local best to the particular area.

  1. 2.

    The numerical modelling of lateral root growth in the soil area.

$$Seed_{2} = X_{mean}^{t} + \alpha_{2} \left( {X_{mean}^{t} - X_{r2}^{t} } \right)$$
(29)

whereas \(Seed_{2}\) means the nutrition capture by lateral roots at the \(t + lst\) development, \(X_{mean}^{t}\) represents average value, \(r_{2}\) refers to a randomly generated number among \(\left( {1, N} \right),X_{r2}^{t}\) signifies the fiberous root arbitrarily chosen from the \(N\) fibre roots inside the \(tth\) development, \(\alpha_{2} \in 2 \times rand\left( {0,1} \right) - 1\) signifies randomly generated numbers applied to create the interval \(\left( { - 1,1} \right)\). If \(\alpha_{2} \in \left( {0,1} \right)\), it means that the root absorbs nutrients, and if \(\alpha_{2} \in \left( { - 1,0} \right)\), it indicates that the root permits organic mixtures to the nearby atmosphere.

  1. 3.

    The numerical modelling of primary root growth in the soil area.

$$Seed_{3} = Seed_{2} + \alpha_{3} \left( {Seed_{1} - R_{l}^{u} } \right)$$
(30)

Here \(Seed_{3}\) embodies the food absorbs by the primary root at the \(t + 1st\) growing, \(R_{l}^{u}\) refers to complete soil area (for example: the targeted problem search area), \(u\) and \(l\) characterize lower and upper limits of the problem area, \(\alpha_{3} \in \varepsilon \times rand\left( {0,1} \right) + \tilde{\varepsilon },\varepsilon\) denote randomly generated integer of \(0\) or 1 produced by \(randi\left( {0,1} \right)\) function, \(\tilde{\varepsilon }\) stands for reverse of \(\varepsilon\). If \(\varepsilon\) is selected as 1, \(\alpha_{3} \in \left( {0,1} \right)\), which specifies that fibre roots do not get sufficient food intake, and if \(\varepsilon\) is set to \(0,\) \(\alpha_{3} = 1\), which stipulates that the fibrous roots can get the nutrition. This randomly generated number rule ensures that \(\alpha_{3}\) is an arbitrary number within the range of (0, 1), which accurately reflects the actual food intake by the plant root system. \(Seed_{1} - R_{l}^{u}\) characterizes the food intake by the fibrous roots.

Numerical model of plant growth in the fibre root system

The primary root of the fibrous root system deteriorates during seed germination, and simultaneously, the adventitious or fibrous root matures at the bottom of the stem. The adventitious root’s growing point \(X_{i}^{t + 1}\) at the following instant is jointly defined by the present \(X_{i}^{t}\), the thick (best) \(X_{lbest}\), \(X_{r3}\) and \(X_{r4}\) inside the soil area, and this searching method guarantees that \(X_{i}^{t}\) emerges from the local optimal with a higher possibility. Besides, while the growth of adventitious roots within the fibre root system is highly arbitrary, each of the adventitious roots maintains a particular number of aggregations, which allows the adventitious roots to discover additional nutrition‐rich regions. According to the preliminary study, the root growth of fibrous-root plants is demonstrated as shown.

$$X_{c} = \frac{{\alpha_{4} \left( {X_{r3} + X_{r4} + X_{i}^{t} } \right)}}{3}$$
(31)
$$Seed_{4} = X_{c} + \left( {X_{lbest} - X_{i}^{t} + X_{r3} + X_{r4} } \right)$$
(32)

whereas \(X_{c}\) signifies the food intake by the present adventitious root \(X_{i}^{t}\), directing the remaining portion of the rhizomes, apart from the thick adventitious root, to mature extensively within the soil, \(X_{lbest}\) refers to the global best for the present fiber root. \(\alpha_{4} \in \sigma \times rand\left( {0, 1} \right)\), \(\sigma\) signifies randomly generated integer of 0 or 1 made by utilizing the \(rand\;i\left( {0, 1} \right)\) function, if \(\sigma = 1\), \(\alpha_{4} \in \left( {0, 1} \right)\) specifies that \(X_{c}\) has initiated the area comprising the nutrition by developing extendedly within the soil, if \(\sigma = 0\), \(\alpha_{3} = 0\) designates that \(X_{c}\) failed to detect the region consisting of the nutrition in Eq. (5) defines the stochastic searching method, with r3 and r4 denote randomly chosen integers.

The PRGO model creates an FF to achieve enhanced classification performance. It calculates a positive integer to depict the enhanced performance of the candidate solution. In this manuscript, the minimization of the classification error rate is deliberated as the FF, as shown in Eq. (33).

$$\begin{aligned} fitness\left( {x_{i} } \right) = & Classifier\;Error\;Rate\left( {x_{i} } \right) \\ & = \frac{no. \;of \;misclassified\; samples}{{Total \;no. \;of\; samples}} \times 100 \\ \end{aligned}$$
(33)

Experimental outcome

The experimental study of the OMHSA-IDPRGO technique is examined under the Edge-IIoT dataset38. The dataset comprises 30,000 total records with 12 types of events, as summarised in Table 2. The complete no. of features is 63, but only 35 were chosen.

Table 2 Details of edge-IIoT dataset.
Full size table

Figure 4 represents the classifier results of the OMHSA-IDPRGO technique on the Edge-IIoT dataset. Figure 4a, b portray the confusion matrices, which precisely classify all classes under a 70:30 ratio. Figure 4c exhibits the PR investigation, demonstrating maximum performance for each class. Finally, Fig. 4d exemplifies the ROC examination, signifying capable outcomes with greater values of ROC.

Fig. 4
figure 4

Edge-IIoT dataset (ab) confusion matrices, (c) curve of PR, and (d) curve of ROC.

Full size image

Table 3 and Fig. 5 denote the intrusion detection result of the OMHSA-IDPRGO model on the Edge-IIoT dataset. With 70%TRPHE, the OMHSA-IDPRGO model provides average \(accu_{y}\), \(prec_{n}\), \(reca_{l} , F1_{Score}\), and \(G_{Measure}\) of 99.11%, 94.67%, 94.66%, 94.66%, and 94.66%, respectively. Moreover, under 30%TSPHE, the OMHSA-IDPRGO method provides average \(accu_{y}\), \(prec_{n}\), \(reca_{l} , F1_{Score}\), and \(G_{Measure}\) of 99.06%, 94.38%, 94.37%, 94.37%, and 94.37%, correspondingly.

Table 3 Intrusion detection of OMHSA-IDPRGO model on edge-IIoT dataset.
Full size table
Fig. 5
figure 5

Average values of the OMHSA-IDPRGO model on the Edge-IIoT dataset.

Full size image

Figure 6 depicts the classifier outcomes of the OMHSA-IDPRGO model on the Edge-IIoT dataset. Figure 6a presents the accuracy study of the OMHSA-IDPRGO model. The figure indicates that the OMHSA-IDPRGO model yields increasing values across successive epochs. Furthermore, the rising validation over training demonstrates that the OMHSA-IDPRGO method proficiently learns from the test dataset. Finally, Fig. 6b illustrates the loss analysis. The findings indicate that the OMHSA-IDPRGO method achieves similar validation and training loss values.

Fig. 6
figure 6

(a) Accuracy curve and (b) loss curve on Edge-IIoT dataset.

Full size image

Also, the OMHSA-IDPRGO technique is examined under the ToN-IoT dataset39. The dataset contains a total of 119,957 samples across nine classes. The complete details are presented in Table 4 below. The no. of attributes present in this dataset is 42, but only 31 were selected.

Table 4 Details of ToN-IoT dataset.
Full size table

Figure 7 displays the classifier results of the OMHSA-IDPRGO model on the ToN-IoT dataset. Figure 7a, b illustrate the confusion matrices with precise classification across all classes under a 70:30 ratio. Figure 7c illustrates the PR investigation, which specifies the maximum performance for all class labels. Lastly, Fig. 7d exemplifies the ROC study, representing skilful outcomes with increased ROC values.

Fig. 7
figure 7

ToN-IoT dataset (ab) confusion matrices, (c) curve of PR, and (d) curve of ROC.

Full size image

Table 5 and Fig. 8 signify the intrusion detection result of the OMHSA-IDPRGO technique on the ToN-IoT dataset. Under 70%TRPHE, the OMHSA-IDPRGO model gives average \(accu_{y}\), \(prec_{n}\), \(reca_{l}\), \(F1_{Score}\), and \(G_{Measure}\) of 99.18%, 91.34%, 84.72%, 86.47%, and 87.18%, respectively. Furthermore, depending on 30%TSPHE, the OMHSA-IDPRGO model provides an average \(accu_{y}\), \(prec_{n}\), \(reca_{l}\), \(F1_{Score}\), and \(G_{Measure}\) of 99.17%, 91.59%, 84.77%, 86.70%, and 87.38%, respectively.

Table 5 Intrusion detection outcome of the OMHSA-IDPRGO model on the ToN-IoT dataset.
Full size table
Fig. 8
figure 8

Average values of the OMHSA-IDPRGO model on the ToN-IoT dataset.

Full size image

Figure 9 establishes the classifier outcomes of the OMHSA-IDPRGO method on the ToN-IoT dataset. Figure 9a determines the accuracy of the OMHSA-IDPRGO method. The figure indicates that the OMHSA-IDPRGO method yields increasing values over successive epochs. Additionally, the growing validation over training exhibits that the proposed approach learns efficiently on the testing dataset. Lastly, Fig. 9b illustrates the loss examination of the OMHSA-IDPRGO model. The outcomes denote that the OMHSA-IDPRGO model accomplishes close values of training and validation loss.

Fig. 9
figure 9

(a) Accuracy curve and (b) loss curve on ToN-IoT dataset.

Full size image

Table 6 presents a comparative study of the OMHSA-IDPRGO model on Edge-IIoT and ToN-IoT datasets, evaluating various measures against existing techniques22,23,25,26,40,41,42,43.

Table 6 Comparative analysis of OMHSA-IDPRGO model on Edge-IIoT and ToN-IoT datasets22,23,25,26,40,41,42,43.
Full size table

Figure 10 shows the comparison findings of the OMHSA-IDPRGO model on the Edge-IIoT dataset. The results highlighted that the LSTM-CSAE, MhSaBiGRNN, FL, EECA-LSTM, LSTM-KPCA, ML-PCC, IF, Shallow ANN, Baseline DNN, DAE-LSTM, and XCT-DF methods performed the worst. Additionally, the OMHSA-IDPRGO model demonstrated enriched performance with maximum \(accu_{y} ,{ }prec_{n}\), \(reca_{l} ,\) and \(F1_{score}\) of 99.11%, 94.67%, 94.66%, and 94.66%, respectively.

Fig. 10
figure 10

Comparative analysis of the OMHSA-IDPRGO model on the edge-IIoT dataset.

Full size image

The comparative exploration of the OMHSA-IDPRGO approach on the ToN-IoT dataset with current approaches is displayed in Fig. 11. The OMHSA-IDPRGO approach achieves the highest performance, with \(accu_{y} ,{ }prec_{n}\), \(reca_{l} ,\) and \(F1_{score}\) of 99.18%, 91.34%, 84.72%, and 86.47%, correspondingly. Whereas the present models, namely MNBD, NFA, GNN, CNN, DNN, LSTM, DT, kNN, PCA, and NB, obtain lesser values across diverse metrics.

Fig. 11
figure 11

Comparative analysis of the OMHSA-IDPRGO model on the ToN-IoT dataset.

Full size image

Conclusion

This study designs and develops an OMHSA-IDPRGO model to advance IoT security. The primary focus of this novel is improving the automatic cyberattack detection in an IoT environment by employing advanced techniques. To achieve this, the OMHSA-IDPRGO method executes a mean normalization method to transform the raw data into a structured format. Following this, the COA approach is employed to select the optimal feature subset, thereby identifying the most relevant features from a dataset. For the cybersecurity detection process, the OMHSA-IDPRGO method uses a hybrid model named CNN-BiGRU-MHSAM. Finally, the hyperparameter selection is implemented by the PRGO approach to enhance the classification performance. The experimentation of the OMHSA-IDPRGO model is examined under Edge-IIoT and ToN-IoT datasets. The comparison study of the OMHSA-IDPRGO model yielded superior accuracy values of 99.11 and 99.18% compared to existing techniques on the dual datasets. The limitations of the OMHSA-IDPRGO model comprise the use of static datasets, which may not fully capture the real-time dynamics of evolving network environments. The model also faces scalability threats when deployed in large-scale or heterogeneous networks. Additionally, the absence of real-world deployment restricts practical validation. Environmental factors, such as varying mobility patterns or interference, were not extensively considered. The framework may require frequent updates to keep pace with newly emerging threats. Future work may explore real-time adaptive systems with continuous learning capabilities. Expanding the model to handle multi-domain and cross-platform data sources will also improve its robustness and applicability.