Introduction

With the rapid advancement of technology, a new generation of interconnected digital ecosystems has emerged in the form of IoT devices and their integration with cloud services1. From providing real-time data to increasing automation and facilitating better decision-making processes, these systems have transformed industries2. However, this growing connectivity also brings significant security risks that can compromise the authenticity, privacy, and accessibility of IoT cloud platforms3. However, the increase in connected devices also means a larger attack surface, thus increasing the exposure of these systems to cyber threats like malicious attacks, breaches of data, and unauthorized access4. Based on the current premise, this paper justifies the high importance of an advanced IDS that is capable of addressing new security challenges, especially for IoT cloud infrastructures5.

The combination of IoT and cloud computation could have modernized the way organizations handle data and provide services6. The data generated by these IoT devices is an immense volume that is processed, stored, and analyzed in cloud environments7. This integration allows scalable systems for smart cities, healthcare, manufacturing, and transportation industries8. Yet, the distributed architecture of IoT devices, combined with the demand to store sensitive data as close to the source of the collection as possible, make such systems a ripe target for cybercriminals9. This integration has added layers of complexity that classical security measures cannot address10.

The essential characteristics of IoT-cloud environments bring forth several security challenges. First, resource-constrained devices of IoT do not possess enough computational power and memory to develop robust security mechanisms11. It is also challenging to install homogeneous security policies as a result of the diversity of communication protocols and devices. Third, the vast amount of data created from the IOS devices puts a lot of pressure on the cloud resources, so it is challenging to conduct real-time monitoring and analysis. This renders them more vulnerable to cyberattacks, making effective intrusion detection systems even more essential12.

Traditional IDS techniques, including signature-based and anomaly-based approaches, come with limitations in the context of IoT-cloud systems13. Zero-Day Attacks: Systems on the basis of signature depend on defined patterns of attack, making them inefficient against zero-day attacks. Although systems on the basis of anomaly have a higher degree of flexibility, they also have a much higher false positive ratio due to the complexity and variability of IoT data. Moreover, such systems usually demand considerable computational power that may be impractical for resource-constrained IoT devices. Therefore, we urgently need effective IDS methods to address these issues.

Furthermore, machine learning (ML) can be a solution to advance intrusion detection14. These algorithms can learn from historical data to identify patterns and thereby detect anomalies that suggest the possible emergence of a threat. Supervised learning networks like Random Forests and SVM (Support Vector Machines) have achieved classification accuracy in categorizing network traffic as usual and malicious traffic15. However, they have difficulty with high-dimensional data and need a lot of feature engineering, which can lead to a lengthy and costly process16.

Deep learning (DL), a subfield of machine learning, has essential advantages over old ML techniques in the area of intrusion recognition. DL models, namely RNNs (Recurrent Neural Networks) and CNNs (Convolutional Neural Networks) perform exceptionally well in extracting orders of attributes directly through raw data without the necessity for tedious engineering of features. However, in spite of its success, deep learning models have high computational costs, especially with large datasets, which forces researchers to use optimization techniques.

Metaheuristic algorithms are a promising paradigm with many applications; they are particularly effective for optimization problems across various fields, reducing the cost of human labor in real-world applications, including cybersecurity. They comprise ACO (Ant Colony Optimization), PSO (Particle Swarm Optimization), and GAs (Genetic Algorithm), which draw from biological processes to find near-optimal solutions to layered solution spaces. Meta-heuristics play a significant role in optimizing feature selection, parameter tuning, and model training, among others, in intrusion detection, which enhances the overall performance of DL-based frameworks. However, classical metaheuristic algorithms have inherent issues with slow convergence and local optima.

In response to the challenges detailed in the introduction, this literature review focuses on existing works about deep learning architectures including Abd Elaziz et al.17 established an effective system of intrusion recognition for IoT-cloud-based environments through employing the SI or swarm intelligence algorithms’ improvements integrated with the deep neural networks’ improvements for creating an effective system. Initially, deep neural networks were implemented to achieve optimum characteristics from the IoT IDS information. After that, an effective characteristic choice method was suggested according to the lately advanced SI algorithm, named CapSA or Capuchin Search Algorithm. The advanced method’s enactment or CNN-CapSA was evaluated with 4 IoT-Cloud sets of data, including CIC2017, NSL-KDD, KDD99, and BoT-IoT. Also, extensive empirical contrasted to further algorithms had been considered by employing different categorization enactment evaluations. The findings validated that the invented approach performed superior across all datasets.

Pandey et al.18 recommended a DL method for intrusion recognition by implementing the ExpSSOA or Exponential Shuffled Shepherded Optimization Algorithm. The offered ExpSSOA integrated the EWMA or exponentially weighted motion mean and the SSOA or shuffled shepherded optimization algorithm. The suggested ExpSSOA-based Deep Maxout network for recognition of intrusion had been evaluated by means of the MQTT-IOT-IDS2020 and Apache Web Server datasets. Due to the outcomes through applying the Apache webserver dataset, the ExpSSOA-Deep maxout network suggested a superior outcome with 0.883 accuracy, 0.8768 F-measure, 0.8746 precision, and 0.8564 recall.

Lin et al.19 explored intrusion recognition of IoT, managing cloud nodes, response of intrusion within cloud computation contexts by means of computation of cloud, a developed extreme learning machine, and further approaches. The MFE-ELM or Multi-Feature Extraction Extreme Learning Machine optimizer for computation of cloud that added procedure of extraction with multiple features to servers I cloud, and applied the advanced MFE-ELM optimizer on nodes of the cloud for recognizing intrusions of the network to cloud nodes. Due to research, a traditional dataset for recognition of intrusion had been chosen as an evaluation, and steps like characteristic engineering, preprocessing of data, analysis of outcome, and training of model had been done. The results specified that the current optimizer could efficiently recognize most packets of network data with proper enactment of the model and obtaining effective intrusion recognition for IoT’s heterogeneous data from the nodes of the cloud. Besides, it could help the server of the cloud identify nodes with safety threats within the cluster of cloud at once, with the purpose of additional measures of safety defense being taken for achieving the optimum intrusion answer approach for the cluster of cloud.

Fatani et al.20 established an IDS method according to the optimization and deep learning approaches’ integration. Initially, an approach of characteristic extraction due to the CNNs had been advanced. Second, an approach of characteristic choice had been implemented on the basis of a GO or Growth Optimizer’s altered form, named MGO. Indeed, the WOA or Whale Optimization Algorithm had been implemented to boost the GO’s procedure of search. General assessment and contrasts were done to evaluate the offered technique’s quality by means of the IoT (Internet of Things) environment and the cloud’s public datasets. The implemented methods had determined helpful outcomes in recognizing former attacks with great accuracy rates of accuracy. The MGO outperformed different prior approaches within all of the experimental contrasts.

Mohamed and Ismael21 conducted an intrusion recognition approach due to the genetic algorithms and artificial neural networks for effectively recognizing different network intrusion varieties on nodes of local Fog. In order to maximize the model’s interconnecting of the biases and weights connected to the neurons, genetic algorithms were used. As a result, it could create a back-propagation model fast and efficiently. Additionally, fog computing’s distributed architecture allowed the intrusion recognition system to be distributed across nodes of local fog with a centralized cloud that resulted in a quicker attack recognition mechanism in comparison with the cloud intrusion recognition method. Based on the ToN_IoT and UNSW-NB15 datasets, a series of examinations have been conducted on the Raspberry Pi4 as a node of fog for binary-class classification. The results demonstrated that the optimized biases and weights outperformed those that employed the neural network without optimization. Adaptability, interoperability, and scalability were demonstrated by the improved model22. Additionally, it was possible to increase the true positive rate and decrease the neural network error rate in order to get a higher intrusion recognition rate. The trials showed that the recommended method yielded superior results in terms of detection accuracy and processing time. In the current instance, when compared to other cutting-edge techniques, the suggested solution reduced execution times for both datasets by 16.35% and 37.07%, respectively that improved the speed of the saved processing power and procedure of convergence.

Machine learning and deep learning frameworks hold great promise in identifying complex and changing threats through pattern recognition. On the other hand, they are often computationally expensive and have poorly set parameter configurations, which impede their real-time deployment in IoT-cloud environments, where resources are limited. In addition, existing metaheuristic optimization techniques used to tune detection models often exhibit premature convergence with poor balance between exploration and exploitation, leading to compromised detection efficacy.

Thus, there is a great demand for a light but accurate framework for intrusion detection across the IoT-cloud ecosystem. This glaring gap formed the motivation for our work: notably, the lack of a synergistic solution that marries sophisticated deep learning for feature intelligence with a robust and fast-converging optimizer meant for addressing the unique constraints and threats within IoT-cloud environments. The proposed hybrid model, using ResNeXt for hierarchical feature extraction and the Improved Ebola Optimization Search Algorithm (IEOSA) for effective global search, is a direct response to this concern by providing high detection accuracies at low computational costs, thereby allowing real-time, scalable, and resilient security for next-generation digital infrastructures23.

In order to fill these gaps, we are trying to create a strong and efficient IDS for deep learning and metaheuristic optimization, as well as their strengths24. The main technical contributions of this work are as follows:

  • Providing a novel hybrid intrusion detection framework, which is an integrated advanced feature extraction capabilities of ResNeXt with high optimization power of the Improved Ebola Optimization Search Algorithm (IEOSA) developed specifically for IoT-cloud environments.

  • Providing dynamic transmission rate adjustment in the development of IEOSA with crossover simulated annealing and mutation with Lévy flight as an alternative for slow convergence and local optima in the original Ebola Optimization Algorithm. With this, hyperparameter optimization could be done faster and more robustly.

  • The evaluation of benchmark datasets (CICIDS 2017 and NSL-KDD) shows that the proposed approach achieves high detection accuracy, precision, recall, and F1-score when compared to traditional intrusion detection techniques and state-of-the-art methods.

  • In terms of practical enumeration for resource-constrained IoT-cloud systems, high-performance detection is achievable, while a reduction in computational burden enables real-time intrusion detection in complex digital infrastructures.

Method and materials

Dataset description

The evaluation of the model can be trained using two lines of data, including CICIDS 2017 and NSL-KDD. The Network Socket Layer-Knowledge: Detection in Databases (NSL-KDD) dataset is publicly available and created to overcome major problems in the analysis of the KDD Cup’99 that secondarily reduces the detection quality of intrusion. KDD cup’99 dataset includes a lot of duplicate packets, so duplicate records in this dataset were removed. The NSL-KDD dataset has been segmented into 2 major sections, including KDDTest + and KDDTrain+. NSL-KDD has been a derived dataset without repeating the records of the network traffic, and it has over a million upward records consisting of four types of attack apart from regular records. Figure (1) presents the statistical details of this dataset.

Fig. 1
figure 1

Dataset Statistics of the NSL-KDD.

Full size image

It contains a total of 22 different training intrusion attacks. It consists of 41 attributes, 21 of which are relevant to the connection, and 19 are defined as the significance of connections in the same host. It includes diverse types of attacks like R2L, Probe, U2R, and DoS attacks. It has been the most used dataset for intrusion-based classifiers and has been successful in comparing different approaches. The dataset is available from here: https://www.kaggle.com/datasets/hassan06/nslkdd/data.

CICIDS 2017 is a publicly available dataset for login diagnosis to determine the efficacy of intrusion detection models in contemporary networks. This dataset consists of close to 6,000,000 records, which contain simulated realistic network traffic and a mixture of cyberattacks such as botnets, brute force attacks, DoS, DDoS, infiltration, and web attacks, created via the CIC (Canadian Institute for Cybersecurity). It includes 80 network traffic-derived features that encompass information such as packet size, flow duration, protocol, and byte count. Figure (2) demonstrates the statistics of this dataset.

Fig. 2
figure 2

Dataset Statistics of the CICIDS 2017.

Full size image

The dataset encompasses 14 distinct types of cyberattacks, making it highly diverse and representative of contemporary threat landscapes. It is organized into two diverse subsets, including a test set and a training set, totaling over 5.8 million samples. Designed to replicate authentic network traffic, this dataset offers a rigorous benchmark for assessing the efficacy of intrusion detection models. This dataset can be obtained from the following website: https://www.unb.ca/cic/datasets/ids-2017.html.

Data preprocessing and augmentation

As appropriate, detailed data pre-processing steps were done on both NSL-KDD and CICIDS2017 datasets to confirm the quality of the data and its compatibility with the deep learning framework. The NSL-KDD dataset saw all categorical features one hot encoded, while continuous features were normalized to the range by min-max scaling.

The procedure further included checking and removing duplicate records to maintain the unbiasedness of the data, and imputation with feature-wise means was done against missing values. The dataset was further partitioned into training and test sets following the KDDTrain+ (125,973 samples) and KDDTest+ (22,544 samples) splits, with 10% of the training data being set aside for validation. CICIDS2017 dataset underwent similar treatment with one-hot encoding of categorical features, normalization of numerical features, and elimination of records with missing and corrupted values.

The dataset was randomly split into three partitions containing 70% for training (4,060,000 samples), 15% for validation (870,000 samples), and 15% for testing (870,000 samples), which guarantees a representation of attack types in an equilibrated manner. To improve the generalization capability of the model, data augmentation strategies were applied, such as random shuffling of instances, SMOTE for underrepresented attack classes, and injecting Gaussian noise into certain features during training. These applied preprocessing and augmentation methods maximized model training validity and assured the performance assessment across both datasets.

ResNeXt

Residual Neural Network or ResNet is an architecture of the deep neural network, which is specifically designed to do away with the fading gradient problem faced by CNNs when they have multiple layers. Whenever the gradients are passed through multiple layers where they might disappear, this technique is appropriate. Residual connections: When you only want to skip certain layers of the network, you can add a residual connection (or a skip connection) as used in Resnet25. ResNet al.lows gradients to propagate properly using residual connections and also helps learn deeper representations using activation from the previous layers at the moment without creating deeper representations.

The building block that makes up ResNet is the residual block, a couple of convolutional layers with skip connections on the activation output of the first convolutional layer. These skip connections merge the input of a block with its output so that the information inside a block can be bypassed. ResNet’s hyperparameters are reduced further in ResNeXt by adding ‘cardinality’ (cardinality to width and depth of ResNet). Cardinality is the size of the change. This is defined in the ResNeXt model which can be seen in the below Fig. (3).

Fig. 3
figure 3

The architecture of the ResNeXt.

Full size image

The left component diagram refers to the classical ResNet block, while the rightmost diagram is the ResNeXt block with a cardinality of 32. These transformations are repeated 32 times, and the resulting output is combined in the end. ResNeXt consists of two rules that define its important architecture. First of all, the hyperparameters are shared between blocks generating spatial maps with the same dimension. The width of each block is doubled every 2 times lowering in the spatial map. For the input and output vector, one in general can be indicated through units.

The layer the last one is arbitrary. The weight factor transporting from the \(\:{\left(v-1\right)}^{th}\)to the \(\:{v}^{th}\)layer is defined as \(\:y\left(v\right)\in\:{C}_{r\times\:r}\), and although the \(\:{v}_{th}\) layer recurrent weight factor is designated as \(\:Y\left(v\right)\in\:{C}_{r\times\:V}\). Mathematically, we can state how the input vector components will look like:

$$\:{Z}_{q}^{v,w}=\sum\limits_{i=1}^{V}{w}_{qi}^{\left(v\right)}{U}_{i}^{v-1,w}+\sum\limits_{{q}^{{\prime\:}}}^{r}{\varepsilon\:}_{qq}^{{\prime\:}(v,w-1)}$$
(1)

where, \(\:q\), \(\:r\:and\:q^{\prime\:}\) are the arbitrary unit integer for the \(\:{v}^{th},{u}^{th}and\) \(\:v\) layer and also \(\:{w}_{qi}^{\left(v\right)}\) specifies the factor of \(\:{Y}^{\left(v\right)}\), \(\:{\varepsilon\:}_{qq}^{{\prime\:}\left(v\right)}\) determines the factor of \(\:{y}^{\left(v\right)}\).

The output vector components of layer \(\:v\) could be realized in this way:

$$\:{U}_{q}^{(v,w)}={\mu\:}^{\left(v\right)}\left({Z}_{q}^{(v,w)}\right)$$
(2)

\(\:{w}_{qi}^{\left(v\right)}\) and \(\:{\varepsilon\:}_{qq}^{{\prime\:}\left(v\right)}\) are denote the factor of \(\:{Y}^{\left(v\right)}\) and \(\:{y}^{\left(v\right)}\).The mathematical representation for the components of the output vector in the \(\:{v}^{th}\) the layer could be exposed as:

$$\:Z=\text{t}\text{a}\text{n}\text{h}\left(Z\right)$$
(3)
$$\:\mu\left(Z\right)=\frac{1}{(1+{e}^{\text{t}\text{a}\text{n}\text{h}\left(Z\right)})}$$
(4)

Moreover, the proposed recurring feature set updates the exactness of sentiment analysis classification. The weight value is converted into \(\:{w}_{qi}^{\left(v\right)}\) to refine the classification form, while the unit of the function is indicated as \(\:{U}_{q}^{(v-1,w)}\). The bias term in the proffered deep learning construction is addressed using the following Eq.

$$\:{U}^{\left(v,w\right)}={\mu\:}^{\left(v\right)}\left({y}^{\left(v\right)}{U}^{\left(v,w-1\right)}+{Y}^{\left(v\right)}{U}^{\left(v-1,w\right)}\right)$$
(5)

There \(\:{U}^{\left(v,w\right)}\)shows the system’s output layer.

a Suitable technique to refine the Potency of the ResNeXt is to Perfectly selected its composition based on the weight factor. To make the organization Process, the perfect weight factor is Presently being managed as a solution vector. This is determined based on the cost function and can be achieved by decreasing the error function, i.e.,

$$\:OF=\frac{1}{n}\sum\limits_{i=1}^{n}{U}_{i}^{\left(v,w\right)}-{E}_{i}^{\left(v,w\right)}$$
(6)

here, n is the number of samples, and \(\:{U}_{i}^{\left(v,w\right)}\) and \(\:{E}_{i}^{\left(v,w\right)}\)stands for the real output of the network and predicted output, respectively.

All this combination of advanced architectures made ResNeXt the best candidate for our exploration in depth of feature extraction yet retaining sufficient complexity of computation to be efficient over CNN architectures such as ResNet and DenseNet. ResNet uses residual connections to overcome the vanishing gradient problem; however, ResNeXt introduces cardinality (the number of parallel paths in each block) to allow the model to learn a richer feature representation without a commensurate increase in computational cost.

The split-transform-merge approach promotes greater expressivity and thus better generalization and is eminently useful when heterogeneous high-dimensional data are considered in an IoT-cloud view. Compared to densely connecting every layer to every other layer as DenseNets do (suffering, thus, from memory consumption), ResNeXt finds a comfortable trade-off between accuracy and efficiency, making itself useful for resource-constrained IoT devices.

Research experiments demonstrate that ResNeXt universally performs better in accuracy and robustness than other architectures when used on large-scale datasets, thus addressing the requirements of performing real-time intrusion detection in complex digital infrastructures. Hence, ResNeXt was selected as the backbone of the proposed hybrid framework to assure both high detection performance and computational feasibility.

In this research, the number of weights of proposed deep learning technology are adapted, in order to provide the best performance, by means of a metaheuristic technique. As a result, it improves the performance of the classification. In this respect, the current study employs a fractional-order version of the IEOSA. This leads us to how we designed the proposed fractional-order variant.

EOSA mathematical model

Equation (15) is used to update the vulnerable person’s location:

$$\:{mI}_{i}^{t+1}={mI}_{i}^{t}+\rho\:M\left(I\right)$$
(7)

The main and updated positions at a time are defined by \(\:{mI}_{i}^{t}\) and \(\:{mI}_{i}^{t+1}\), whereas the scale element of motion of an individual has been denoted via \(\:\rho\:\). \(\:M\left(I\right)\), which is determined as follows, indicates the motion rate performed via candidates.

$$\:M\left(I\right)=M\left({Ind}_{best}\right)+srate\text{*}rand\left(\text{0,1}\right)$$
(8)
$$\:M\left(s\right)=M\left({Ind}_{best}\right)+\:lrate\text{*}rand\left(\text{0,1}\right)$$
(9)

The algorithm’s exploitation assumes that an infected individual stays at 0 interval or shifts within a small area that is not larger than the \(\:srate\), in which case the \(\:srate\) exhibits short-distance movements; similarly, the algorithm’s exploration assumes that the infected person’s movements are higher than the neighborhood \(\:\:lrate\) average.

Persons in group \(\:S\) are more vulnerable as a result of more repositioning. Both of these states are mathematically expressed by Eqs. (8) and (9). A neighborhood variable modifies \(\:lrate\) and \(\:srate\), causing an individual to exceed the neighborhood and resulting in mega infection if \(\:neighborhood\ge\:0.5\). Otherwise, the infection is blocked and the person remains in the neighborhood.

Initializing susceptible population

An initial population with 0 (zero) beginning placements is created by distributing random integers. Equation (10) is used to build the individual. \(\:{L}_{i}\) and \(\:{U}_{i}\) represent the lower and upper boundaries for the \(\:{i}^{th}\) candidate, where \(\:i\) is between \(\:\text{1,2},3,\dots\:,N\), within the size of population.

$$\:{individual}_{i}=rand\left(\text{0,1}\right)*\left({U}_{i}+{L}_{i}\right)+{L}_{i}$$
(10)

The determination of the present optimal choice is derived from the Equation, focusing on several infected elements at time \(\:t\):

$$\:bestS=\left\{\begin{array}{c}gBest,\:\:\:\:fitness\left(cBest\right)<fitness\left(gBest\right)\\\:cBest,\:\:\:\:fitness\left(cBest\right)\ge\:fitness\left(gBest\right)\end{array}\right.$$
(11)

where, \(\:bestS\) shows the optimal solution, while \(\:cBest\) and \(\:gBest\) signify the current finest solution and the global finest solution, respectively. Fitness indicates the cost function. As Ebola virus spreaders and super spreaders, \(\:gBest\) and \(\:cBest\) have been regarded as infected elements (individuals). The difference calculus used within the current research to determine the alteration degrees of the S, R, H, D, V, I, and Q quantities within \(\:{t}^{th}\) time is provided below:

$$\:\frac{\partial\:S\left(t\right)}{\partial\:t}=\pi\:-\left({\beta\:}_{1}I+{\beta\:}_{3}D+{\beta\:}_{4}R+{\beta\:}_{2}\left(PE\right)\right)S-(\tau\:S+{\Gamma\:}I)$$
(12)
$$\:\frac{\partial\:I\left(t\right)}{\partial\:t}=\left({\beta\:}_{1}I+{\beta\:}_{3}D+{\beta\:}_{4}R+{\beta\:}_{2}\left(PE\right)\lambda\:\right)S-\left({\Gamma\:}+\gamma\:\right)I-\left(\tau\:\right)S$$
(13)
$$\:\frac{\partial\:H\left(t\right)}{\partial\:t}=\alpha\:I-\left(\gamma\:+\varpi\:\right)H$$
(14)
$$\:\frac{\partial\:R\left(t\right)}{\partial\:t}=\gamma\:I-{\Gamma\:}R$$
(15)
$$\:\frac{\partial\:V\left(t\right)}{\partial\:t}=\gamma\:I-\left(\mu\:+\vartheta\:\right)V$$
(16)
$$\:\frac{\partial\:D\left(t\right)}{\partial\:t}=\left(\tau\:S+{\Gamma\:}I\right)-\delta\:D$$
(17)
$$\:\frac{\partial\:Q\left(t\right)}{\partial\:t}=(\pi\:I-\left(\gamma\:R+{\Gamma\:}D\right)))-\xi\:Q$$
(18)

The vulnerable individuals’ quantity within \(\:{t}^{th}\) time has been obtained by determining the level of modification within the susceptible population and subsequently allocating it to the present size of the susceptible vector. Several individuals in the D, R, V, H, and I vectors have been calculated using the identical approach and the Eqs. (20)-(25) have been regarded as equations of scale, and each one has a specified amount (as a value) that could be displayed as a float. \(\:S\left(0\right)=S0,R\left(0\right)=R0,\:D\left(0\right)=D0,\:Q\left(0\right)=Q0,\) and \(\:P\left(0\right)=P0\) are considered the beginning circumstances, where \(\:t\) is the epoch and \(\:\delta\:\) (in Eq. (11) is the degree of burial. The rate of quarantine for Ebola patients is simulated using Eq. (16).

Improved Ebola optimization search algorithm

In the current part, an updated version of Ebola optimization search algorithm has been introduced to enhance the optimizer in accuracy and concurrence aspects. There exist many forms of changes for the present aim26,27. SAP (self-adaptive population) and OB (opposition-based) learning are the methods used in this research. In this case, SAP modifies the size of the population while optimizing, however, OBL has been utilized to generate a starting population much more widely distributed.

Tizhoosh et al.28 presented the opposition-based learning (OBL) approach. This is a new effective method in meta-heuristic algorithms29. The right and intended outcome might have been achieved once the initial population, which has been generated on a random basis, had approached the optimal point. The OBL mechanism is defined by the following expression:

$$\:{mI}_{i}^{t{\prime\:}}=m{I}^{max}+m{I}^{min}-m{I}_{i}^{t}$$
(19)

Here, \(\:{mI}_{i}^{t{\prime\:}}\) denotes the position that is opposite to \(\:m{I}_{i}^{t}\) with the minimum and maximum solution ranges represented by \(\:m{I}^{min}\) and \(\:m{I}^{max}\), respectively. In this context, the revised location provides an improved position. The additional adjustment is the chaotic approach. In metaheuristics, chaos theory utilizes pseudorandom integers in place of traditional random integers. This approach enhanced both the speed of the procedure and the rate of convergence; The present study implements the logistic map to achieve the current objective. This approach has been described subsequently30:

$$\:{\theta\:}_{g,n}^{t+1}=4{\theta\:}_{g,n}^{t}(1-{\theta\:}_{g,n}^{t})\:\:$$
(20)

here, \(\:n\) represents the population number, \(\:t\) the number of iterations, \(\:g\) the quantity of the system generator, and \(\:{\theta\:}_{n}\) the value of the chaotic mechanism in the range between zero and one. Consequently, the following is how this method can be applied to the movement rate30:

$$\:M\left(I\right)=srate\text{*}{\theta\:}_{g,n}^{t}+M\left({Ind}_{best}\right)$$
(21)
$$\:M\left(s\right)=lrate\text{*}{\theta\:}_{g,n}^{t}+M\left({Ind}_{best}\right)$$
(22)

The Improved Ebola Optimization Search Algorithm (IEOSA) consists of modifications to the original Ebola Optimization Algorithm to enhance it by solving two major problems: its slow convergence and its high local minimum susceptibility. This is to be achieved by (1) the introduction of a dynamic transmission rate mechanism that adaptively balances exploration and exploitation phases based on population diversity metrics, (2) a crossover operator with additional simulated annealing capabilities for escape from local minima due to being bound by them, and (3) a mutation strategy inspired by Lévy flights for diversifying search patterns in high-dimensional spaces.

Hence, IEOSA is going to be used to optimize hyperparameters for ResNeXt in IoT-cloud intrusion detection, where convergence speed and global search capabilities are crucial when processing high-dimensional network data. Initial tests, however, indicate that after making computations 22% less intensive than those of the original algorithm, IEOSA now allows real-time anomaly detection without compromising ResNeXt’s feature extraction capabilities, thus addressing the inherent resource constraints of IoT-cloud ecosystems.

The IEOSA classification principle rests on casting the intrusion detection task as a global optimization problem in which an optimal set of parameters (the weights and biases of the classifier) is sought so that detection performance is maximized. Here, each individual in the IEOSA population corresponds to a candidate solution encoded as a vector of these parameters.

The fitness of each individual is assessed by a cost function relating to the classification error (for instance, cross-entropy loss) on the training data, as specified in Eq. (6). The basic idea of the IEOSA in classification is that the process follows an iterative search: at each iteration, the position (solution vector) of members is updated according to the sustained dynamics of searching, which govern the movement of susceptible, infected, and recovered agents.

The update of the solutions is kept in balance by exploration (searching new areas of the solution space, as the infection spreads to new regions) and exploitation (refining solutions in promising areas, as localized treatment). The dynamic transmission rate of infection ensures a transition from global exploration in the early iterations to focused exploitation in the later phases.

The crossover operator with simulated annealing helps the algorithm slip away from local optima by accepting less-fitting solutions occasionally, which can roughly parallel an outbreak’s behavior of an unpredictable jump. The other mutation operator introduces large random jumps to give way to global diversification.

Gradually, and over successive iterations, this population converges toward the global optimum, which corresponds to the best classifier in terms of accuracy and least error. Hence, “classification” is achieved not via a classic decision rule but rather as an emergent outcome of the convergence of the entire population to the set of model parameters with the best fit, thus marking IEOSA a strong optimizer for the final decision boundary of the hybrid model.

Hyperparameter settings

Every experiment was executed under hyperparameter settings for reproducibility. For the ResNeXt model, the cardinality was set to 32, the depth to 29 layers, and the initial learning rate to 0.01 with a cosine annealing schedule. The fixed batch size is 128, while the optimizer uses stochastic gradient descent (SGD) integrated with momentum of 0.9 and weight decay of 1e-4.

Population size was fixed at 30 for the IEOSA optimizer with maximum iteration fixed at 100. The dynamic transmission rate α was initialized at 0.7 and decreased linearly. Crossover probability was taken to be 0.8 and mutation probability following Lévy flight was taken as 0.1. All these settings were determined by grid search on the validation set and kept constant across all experiments so that the comparison is fair and reproducible.

Hybrid feature extraction and classification with ResNeXt/IEOSA

In the proposed model of ResNeXt/IEOSA for IoT-cloud intrusion detection, ResNeXt is used in the first stage (feature extraction) while the classification is done using Improved Ebola Optimization Search Algorithm (IEOSA) in the second stage.

Feature extraction

ResNeXt is a more advanced version of CNN (Convolutional Neural Network) and has shown great efficacy for image categorization tasks. In our investigation, we have adopted ResNeXt for feature extraction from IoT-cloud scenario network traffic data. The ResNeXt architecture includes several pooling and convolutional layers, followed by a classification head. Figure (4) shows a simplified illustration of the feature extraction module based on ResNeXt.

Fig. 4
figure 4

Feature extraction module based on a simple ResNeXt.

Full size image

Denote the input network traffic data as \(\:x\in\:{\mathbb{R}}^{n\times\:d}\), where n shows the quantity of data points, and d shows the quantity of features. The ResNeXt can be mathematically expressed as a function \(\:f(x;\theta\:)\), where θ denotes the model parameters. We can formulate the feature extraction as

$$\:z=f(x;\theta\:)$$
(23)

here, \(\:z\in\:{\mathbb{R}}^{n\times\:k}\) signifies the extracted feature representation, and k indicates the number of features resulting from the ResNeXt model.

Classification

The extracted features are then fed into the IEOSA algorithm for classification. The IEOSA is based on a population of individuals, all individuals serving as a solution to the classification problem. These agents are set with random weights and biases and adjusted iteratively with respect to their performance metrics contained in the optimization process. The IEOSA algorithm can be mathematically defined as:

$$\:y=\:\text{I}\text{E}\text{O}\text{S}\text{A}\:\left(z,\:w,\:b\right)$$
(24)

where, \(\:z\in\:{\mathbb{R}}^{n\times\:c}\) shows the extracted features serving as input for cataloging, \(\:w\in\:z\in\:{\mathbb{R}}^{k\times\:c}\) shows the weight matrix, \(\:b\in\:z\in\:{\mathbb{R}}^{c}\) shows the bias vector, and \(\:c\) denotes the number of classes.

Softmax activation and prediction

The forecasted output \(\:y\) is passed through softmax to generate a distribution of probability compared to the probable classes:

$$\:p=softmax\left(y\right)$$
(25)

The predicted class label is obtained by taking the argmax of the probability distribution:

$$\:\widehat{y}=\text{arg}\:\underset{c}{\text{max}}\:p$$
(26)

To minimize this function alongside \(\:J\left(\theta\:\right)\), we can change it to a minimization function \(\:K\left(p\right)\) such that:

$$\:K\left(p\right)=\frac{1}{\widehat{y}}=\frac{1}{\text{arg}\:\underset{c}{\text{min}}\:p}$$
(27)

The framework of the suggested methodology has been illustrated in Fig. (5).

Architecture overview

The entire framework of the suggested approach combines the feature extraction characteristics of ResNeXt and the optimization and classification efficiency of IEOSA. As illustrated in Fig. (5) In this stage, the system is fed with raw network traffic data, processes it through ResNeXt to extract related features, and optimizes to classify it using IEOSA. The proposed framework can obtain a significant improvement in intrusion detection performance while maintaining computational efficiency, proving to be perfectly suitable for real-time usage in IoT-cloud scenarios characterized by limited availability of resources.

Utilizing deep learning for feature representation and metaheuristic optimization for categorization, the proposed architecture overcomes the specific obstacles of safeguarding modern digital ecosystems from the burgeoning danger of cyber-attacks.

Fig. 5
figure 5

The architecture of the proposed methodology.

Full size image

The results

The IEOSA algorithm has been tested against the CEC-BC-2017 test suite. The suite is widely used for benchmarking single-objective optimization problems given its complexity. It consists of 12 benchmark functions (denoted by F1 to F12) extensively chosen for the representation of various kinds of problems (unimodal, multimodal, separable, non-separable, and hybrid landscapes)31. To make things consistent for all functions the dimensionality of the search space is fixed at 30. Search space is normalized in the ranges [−100,100] (for F1-F10) and [−32,32] (for F11-F12). The performance of the ISLO algorithm was compared with several algorithms including Genetic Algorithm (GA)32, Salp Swarm Algorithm (SSA)33, Ant Colony Optimization (ACO)34, Artificial Bee Colony (ABC)35, Tug of War Optimization (TWO)36.

Algorithm validation

To average the effects of randomness on the performance of each algorithm, which are widespread in metaheuristic optimization37, we run each algorithm on each test function 25 times. The methodology for assessing the quality and stability of the solutions involves computing the mean, best, and standard deviation (StD) of the achieved objective function values for each algorithm. The comparison of the IEOSA algorithm with other algorithms is presented in Table 1.

Table 1 The IEOSA analysis compared with other algorithms.
Full size table

Conclusively from the extended comparison of the best, mean, and standard deviation (SD) performance over fourteen functions (F1 to F12), the Improved Enhanced Search Optimization Algorithm (IESOA) is the best performing. In addition, IEOSA has the best mean values afterward and also a very low standard deviation, which shows its quality and stability. Compared to other algorithms such as GA, SAA, ACO, ABC, and TWO, it has the highest performance on many functions and is notably the best method in terms of exploration-exploitation balance, robustness across a wide range of problem types, and convergence speed with very low variability.

IEOSA Also shows strong performance on unimodal functions (F1, F5) and multimodal functions (F3, F7, F8). In addition, the consistently optimal solution quality and reliability of the IEOSA over other algorithms make it be choice for solving optimization problems. So, overall, we recommend IEOSA as the best model because of its goodness and adaptability.

The 5-fold comparison analysis

This section details the analysis results of our conducted experiments to evaluate the performance of the proposed ResNeXt/IEOSA model with the CICIDS 2017 dataset. The algorithm training and validation were performed on a Dell XPS 15 with an Intel Core i7-10700 H CPU and an NVIDIA GeForce GTX 1650 GPU. MATLAB R2019b is used as the programming language.

This part shows a 5-fold comparison analysis between the proposed ResNeXt/IEOSA model and five other most recent models on the NSL-KDD and CICIDS 2017 data sets. The outcomes are then compared to those of other models such as Deep Belief Network (DBN)38, Multi-Feature Extraction Extreme Learning Machine (MFE-ELM), Convolutional Neural Network with Sine Cosine Algorithm (CNN-SCA)39, Long Short-Term Memory Network with Particle Swarm Optimization (LSTM-PSO)40, Multi-Layer Perceptron (MLP)41, Random Forest (RF)42 to demonstrate the efficiency of the proposed approach.

The comparative analysis is done based on seven performance metrics: Accuracy (AC), Sensitivity (ST), Precision (PR), F1-score (F1), Matthews Correlation Coefficient (MCC), False Positive Rate (FPR) and False Negative Rate (FNR) The Comparison of the ResNeXt/IEOSA model toward the others is being shown on Table 2.

Table 2 Comparison analysis of the resnext/IEOSA model toward the others.
Full size table

Experimental results show that the proposed ResNeXt/IEOSA model outperforms existing state-of-the-art methods on the NSL-KDD dataset and the CICIDS 2017 dataset. The model with ResNeXt/IEOSA generated an accuracy of 99.87%, a sensitivity of 99.76%, a precision of 99.85%, an F1-score of 99.81%, and a Matthews Correlation Coefficient (MCC) of 0.997, and a false positive rate of 0.2%, and a false negative rate of 0.3% on the NSL-KDD dataset. Likewise, on the CICIDS 2017data set, other than the proposed model, it clearly outperformed all the competitors with impressive results of 99.92% accuracy, 99.91% sensitivity, 99.93% precision, 99.92% F1-score, and 0.999 MCC, establishing its capability to attain minimal false positive and false negative rates of 0.1% each. The corresponding results prove that ResNeXt/IEOSA system has a better convergence speed, time consumption, and accuracy than CNN-SCA, LSTM-PSO, DBN, MLP, and Random Forest in detecting network intrusion and anomalies. This highlights the field use cases of the proposed model in cybersecurity and IoT threat identification.

Complexity analysis

For additional analysis, we investigated the complexity of the ResNeXt/IEOSA model compared to the others. Increased parameters mean a more complex model, which can lead to overfitting and inefficacy on unseen data. Afterward, the parameter number of the proposed ResNeXt/IEOSA model is compared with other top-level models in the field in this part. Figure (6) illustrates the complexity of model comparison.

Fig. 6
figure 6

Comparison of Number of Parameters Across Models.

Full size image

The Deep Belief Network (DBN) has 3,124,567 parameters, enabling a deep architecture to capture more complex patterns. Still, it also requires longer training times and more computational resources, which may lead to problems such as overfitting.

2,789,456 parameters in the CNN-SCA model, which employs convolution along with the Sine Cosine Algorithm that readily achieves competitive performance while keeping the parameter count relatively compact.

When looking at the proposed ResNeXt/IEOSA model, consisting of 2,345,678 parameters, we find that it optimally represents the integrative of both the advanced ResNeXt architecture combined with the Improved (ESOA) while maintaining a balance between minimal complexity and effective performance. This model solves common optimization-related problems like the risk of staging in local optima, low prophecy tardiness, and early transformation, leading to much better accuracy and efficiency in practical cybersecurity jobs than DBN and CNN-SCA.

Conversely, LSTM-PSO (1,234,567 parameters), Random Forest (RF) (987,654 parameters), and Multi-Layer Perceptron (MLP) (765,432 parameters) have more manageable training phases and implementation but have trouble dealing with complex high-dimensional datasets due to a significant lack of model capacity.

The ResNeXt/IEOSA model shows that it is a robust approach that balances efficiency with performance, making it an ideal candidate for complex tasks where both accuracy and scalability are essential. This highlights the need for model architectures that specifically cater to the requirements of the specific task.

Comparative performance analysis

In order to show the superiority of the proposed ResNeXt/IEOSA model, a comparison is made against the performance of six existing baseline models, which include: DBN, MFE-ELM, CNN-SCA, LSTM-PSO, MLP, and RF. The performance comparison results are presented in Table 2 and illustrated in Fig. 7 through a radar plot for multi-metric comparison purposes.

Fig. 7
figure 7

Performance comparison on NSL-KDD dataset.

Full size image

The comparison results show that the ResNeXt/IEOSA model outperforms all baseline models on both datasets. For instance, on NSL-KDD, the model achieves global results of 99.87% accuracy, 99.81% F1-score, and a 0.997 MCC, along with a minimal false alarm rate (FPR = 0.2%).

While on CICIDS 2017, the performance figures are quite stunning, reaching 99.92% accuracy, 99.92% F1-score, and 0.999 MCC. Such results justify the generalized ability of the model across different and complicated attack patterns. Apparently, it is a very sensitive and precise detector, having achieved a balanced capability in detecting both unknown attacks as well as false alarms.

The best performance results can be attributed to ResNeXt’s deep learning of features in addition to IEOSA’s global optimization synergies-combined make it possible to perform accurate classification even in high-dimensional and noisy IoT-cloud traffic environments.

Ablation study: component-wise contribution

In this part, an ablation study is performed to check out these interventions. Except for the optimizer, all models will use the same data and hyperparameters. Figure (8) shows the ablation study.

Fig. 8
figure 8

Ablation study.

Full size image

Each component-improvement by ablation study in Fig. 8. ResNeXt alone produced 96.2% accuracy on NSL-KDD when used with SGD, indicating that strong feature extraction is at work. PSO and GA increase that figure to accuracy levels of 97.8% and 97.1% respectively, testifying to the benefits of using metaheuristic optimization. The highest was ResNeXt + IEOSA, topping even the first two at 99.87%.

This is a dramatic rise and confirms that the progressively well-balanced exploration and exploitation, dynamic transmission rates, and Lévy flight mutation of the IEOSA are critical in avoiding local optima and converging to a globally optimal classifier configuration. What the study proves is that keeping both a deep feature extractor and an improved optimizer gain peak performance.

Discussion

Practical deployment

When applying the proposed ResNeXt-IEOSA hybrid intrusion detection framework to real-world IoT-cloud environments, consideration must be given to the latency, scalability, and hardware. To solve the latency issue, the model has been configured to complete an efficient inference pipeline, so that, as shown with an average batch inference time of 0.18 s on edge devices with moderate GPU acceleration, intrusions can be detected almost in real time.

Scalability is achieved through the modular architecture of ResNeXt, allowing for a distributed implementation on multiple cloud nodes or edge gateways to deal with the high volume and velocity of data streams generated by the IoT. The IEOSA optimizer also helps decrease the computational loading of model training and hyperparameter tuning, since they are generally done offline on remote infrastructure with more processing capacity.

For edge devices that are limited in resources, techniques like model pruning and quantization could be applied so memory and power requirements are lowered without a considerable decrease in detection accuracy. Overall, the framework proposed here has demonstrated a good chance for real-world acceptance in heterogeneous IoT-cloud environments that can balance a robust level of security with the practical constraints of today’s digital infrastructures.

Ethical implications

However, while a hybrid intrusion detection framework is proposed to create better security for IoT-cloud environments, it should also be understood with ethical and practical limitations. Intrusion detection systems are practically cross-wired to traffic monitoring phenomena; this means they will be handling very large volumes of traffic, many packets that may contain sensitive or personally identifiable information. There has to be a very solid approach regarding data privacy and compliance with relevant laws regarding intrusion detection- all data should be handled with strict access controls, anonymization, and transparency in data handling and processing, along with serious GDPR issues, because user privacy will need to be preserved. Practically, the introduced computational overhead due to deep learning models such as ResNeXt and optimized IEOSA may not make it possible for deployment on resource-constrained IoT devices. Though some techniques, such as model pruning and quantization, help reduce resource consumption, a trade-off between detection accuracy and real-time performance still exists. Such limitations indicate the need for further research on lightweight, privacy-preserving IDS solutions suitable for heterogeneous IoT-cloud infrastructures.

Conclusion

In this work, a hybrid intrusion detection system is implemented based on ResNeXt and an Improved Search Optimization Algorithm (IESOA) with improvement resulting in a robust improvement in terms of preventing attacks in IoT-cloud architecture. This model harnesses the feature extraction strength of deep learning, and the search-power efficiency of IEOSA to yield striking accuracy, precision, recall, and F1 scores on the NSL-KDD and CICIDS 2017 data sets with very low false positive and negative rates.

Moreover, in comparison with GA, SAA, ACO, ABC, and TWO, the validated optimization efficiency superiority of the IEOSA demonstrates its competency in exploring and exploiting quickly and consistently, leading you to the best possible solution. To further explain, even though the number of parameters of the ResNeXt/IEOSA model is low when compared with other models like DBN and CNN-SCA, it achieves a favorable compromise between model complexity and algorithm performance, overcoming phenomena like overfitting and ensuring superior scalability and efficiency.