Improved smart city security using a deep maxout network-based intrusion detection system with walrus optimization

Problem statement

IDS is a crucial security solution for emerging web-based applications in smart cities and IoT applications. IDSs have lately gained the interest of security professionals for protecting IoT networks, devices, and applications in fields like smart homes/cities and health monitoring. Traditional IDS-based solutions may not be suitable for IoT due to the special requirements and limitations of IoT devices and networks, including protocol stacks, standards, and resource limits. This might restrict the rapid growth of smart city applications. Researchers in computer and network security are focusing on developing advanced IDS-based solutions to address these issues, which is a top priority for users, security researchers, manufacturers, and IoT infrastructures. Hence, enhancing the design of resilient information security systems would facilitate the fast growth of smart city applications and IoT technologies (Alhakami et al., 2019). This research proposes an intrusion detection model for smart public transportation infrastructure using Raspberry Pi devices. The model integrates the recursive feature elimination (RFE) method for feature selection and a deep maxout network (DMN) optimized by the walrus optimization (WO) algorithm for classification, utilizing the CIC-IDS-2018 and CIC-DDoS-2019 datasets. The objective is to optimize input data, enhance accuracy, and address the complexity of the network, ensuring real-time threat detection in a resource-constrained smart city environment.

Research objectives and questions

The main research problem to be addressed in this research is the challenge of improving intrusion detection in IoT-enabled smart city environments, particularly within public transportation infrastructure, which requires models that are both highly accurate and optimized for resource-constrained devices. The objective of this research is to develop and validate a novel intrusion detection model that combines the DMN with the WO algorithm. This model aims to enhance the detection accuracy, reduce false positives, and ensure efficient operation on devices with limited computational resources.

To guide this research, the article is focused on the following key questions:

• How can the integration of the DMN with the WO algorithm improve the detection accuracy of IDS in IoT-enabled smart city environments?

• How effective is the WO algorithm for parameter tuning in the DMN?

• How effective is the proposed DMN-WO model in real-world scenarios, particularly when applied to public transportation infrastructure within smart cities, and how does it perform on resource-constrained devices?

Motivation: The motivation behind this research is to design an IDS framework that balances high detection accuracy with low energy consumption. Given that IoT devices are often deployed in large-scale networks with diverse applications in smart cities, ensuring the security of these devices while optimizing for energy efficiency is essential. The integration of DMN and WO provides a novel approach that can enhance detection accuracy without overloading system resources.

Research contribution

1. Developed a unique approach by combining the DMN and WO algorithms, addressing cybersecurity challenges in IoT-enabled smart city environments.

2. Designed a DMN with multi-layer maxout activation functions and optimized its parameters using the WO algorithm, enhancing detection accuracy and reducing overfitting.

3. Ensured the DMN-WO model is resource-efficient and suitable for real-time deployment on constrained devices like Raspberry Pi, typical in IoT systems.

4. Successfully applied the model to secure public transportation infrastructure in Tabuk City, Saudi Arabia, tackling physical access and cybersecurity threats.

The remainder of the article is organized as follows: The section second provides an analysis of the relevant literature. The third section discusses the implementation of the proposed research model. This includes the presentation of data preprocessing, RFE-based feature selection and DMN-WO-based classification. In the fourth section, the performances of the research model are analyzed and compared with several IDS models. Finally, the conclusion is presented along with some suggestions for further research.

Research gap

Existing research in the field of IDS for IoT-based SC environments demonstrates a diverse range of approaches. Researchers have explored hybrid DL models, ML-driven IDSs, and methodologies utilizing techniques such as RBMs, chaotic mapping, and ensemble learning. These models have shown promising results in enhancing security by detecting various cyber threats, including DDoS attacks, replay attacks, and botnet activities. Additionally, researchers have addressed challenges in feature selection, network architecture optimization, and distributed IDS. They have employed evaluation metrics, such as accuracy, false positive rate, and efficiency, to assess the effectiveness of these models’ using datasets like UNSW-NB-15, NSL-KDD, and CIC-IDS. However, existing research primarily concentrates on general smart city security, neglecting the specific challenges of securing public transportation hubs like bus stops. Limited attention is given to the unique security requirements of transportation infrastructure within smart cities. Furthermore, there is a lack of exploration into optimizing IDS models for resource-constrained edge devices like Raspberry Pi, crucial for real-world deployment. Addressing this gap is vital for the effective and practical implementation of IDSs in public transportation settings within the broader context of smart city environments.

While previous studies have explored various ML and DL models for intrusion detection, this research is the first to integrate the DMN with the WO algorithm. This novel combination utilizes the capacities of both techniques, where DMN’s advanced feature learning capabilities are enhanced by WO’s efficient parameter optimization, resulting in superior performance in intrusion detection tasks. Unlike many existing works that address general IDS in smart cities, this research specifically focuses on the unique challenges associated with securing public transportation infrastructure. This focus on a critical aspect of smart city security, which is mostly excluded in the literature, adds a new dimension to the field and addresses a significant gap. The proposed DMN-WO model is specifically designed to operate efficiently on resource-constrained devices like those commonly used in public transportation systems. This aspect of the proposed work is particularly novel, as most existing models do not adequately consider the practical deployment constraints of such environments. Table 1 summarize the related works.

Training dataset

The CIC-IDS-2018 data set was created together by the Communications Security Establishment (CSE) and the Canadian Institute for Cybersecurity (CIC). Originally designed to assess intrusion detection research, this dataset has evolved into a standard for assessing IDSs. This dataset has been carefully selected to simulate authentic cyber threats and attacks, providing a broad and detailed range of scenarios for analysis. Its importance lies in its ability to simulate complex network environments, enabling researchers and professionals to effectively evaluate and enhance IDS. The data was collected during a 10-day duration, consisting of 80 columns, and includes 15 types of harmful attacks. FTP and SSH brute force attacks, DoS attacks like Hulk, Slowloris, GoldenEye, and SlowHTTPTest, DDoS attacks such as LOIC-HTTP, HOIC, and LOIC-UDP, as well as Brute Force attacks targeting web and XSS vulnerabilities, labelling, infiltration, SQL injection, and bot activities. The research concentrates on DDoS attacks due to their complex nature, which makes them challenging to mitigate. DDoS incursions were detected on the second day of data analysis, namely in the files named 02-20-2018.csv and 02-21-2018.csv. The dataset has a total of 80 extracted features from the captured traffic using CICFlowMeter-V3 (Songma, Sathuphan & Pamutha, 2023). Hence, the research utilized this dataset for the analysis. Table 2 shows the descriptions of CIC-IDS-2018 dataset.

The research model was additionally trained using the CIC-DDoS-2019 dataset. This dataset has been widely employed to identify and categorize DDoS attacks. The data collection was created by the CIC. The dataset consists of benign and current DDoS attacks that replicate observed real-world data. The application layer has observed the emergence of several novel attacks that exploit TCP/UDP-standardized protocols. The dataset was analyzed using the CICFlowMeter program to extract the required features. Each record inside the collection possesses 88 statistical features, including the IP addresses of both the source and destination, timestamp, port numbers of both the source and destination, attack protocol, and a label denoting the type of DDoS attack (CIC-DDoS-2019 Dataset, https://www.unb.ca/cic/datasets/ddos-2019.html). Table 3 shows the distributions of CIC-DDos-2019 dataset.

Normalization of data

Normalization is employed in the preprocessing stage of ML to normalize integer values in columns and guarantee they are on a uniform range. It is for transforming data, and significantly enhances the model’s accuracy and performance, particularly in cases if the data specification is unknown. Efficient normalization depends on huge data sets to eliminate outliers and smooth data, especially in the absence of a clear manner. This method, crucial for data preparation in network IDS, normalizes data to a certain range, regularly between 0 and 1. This guarantees that every feature maintains uniform ranges and scales, thus enhancing the efficiency and precision of network IDS. Z-score normalization is a beneficial method for data pre-processing in cybersecurity datasets, especially when handling outliers (Sarhan et al., 2022).

(1) $$A_n={\displaystyle \frac{\left(A-\mu \right)}{\sigma }.}$$

Z-score normalization involves adjusting the values of a feature to achieve the mean ( $\mu$) of zero and standard deviation ( $\sigma$) of one. This was achieved by eliminating the $\mu$ of the features from all values and hence dividing by $\sigma$. The equation for this method was represented by Eq. (1), where $A$ is the actual value and $A_n$ is the normalized value (Alrayes et al., 2023).

Selection of features

Features selection is the process of eliminating unnecessary features that might minimize the accuracy of a system, automatically or manually and choosing the feature that leads to the highly accurate outputs or intended results. Feature selection aids in distinguishing distinct patterns among different classes. RFE was a feature selection method that removes features iteratively, creating a model with the rest of the parameters to assess its correctness. The RFE approach manipulates the organization of features to forecast the intended outcome (Sharma & Yadav, 2021). RFE involves fitting a model and iteratively removing the least important features until a predetermined number of features is left. The model ranks features based on coefficients or feature importance characteristics. Through recursive elimination of a limited count of features in every loop, RFE aims to remove collinearity and dependencies present in the system. RFE necessitates a predetermined count of features to retain, although the exact number of acceptable features is typically unknown. This work utilized univariate feature selection by employing the analysis of variance (ANOVA) F-test to assess the strength of each feature’s relation with the target attribute.

ANOVA is a statistical approach that compares the means of many groups to discover if there is substantial variation between them. Like the Chi-squared method, discretization is required before it can be used. ANOVA aims to assess the overall variance of the data in comparison to the variance within and between groups. Equation (2) calculates the within-group sum of squares (GSS) to quantify the variance within the groupings. GSS is computed using Eq. (2).

(2) $$GSS=\sum _{i=1}^k\left[\left(n{g}_i-1\right)\times V\left(i\right)\right].$$

Here, $n{g}_i$ represents the total instances in group i, while $V\left(i\right)$ was the variance of group i. Equation (3) for the Sum of Squares between groups (SSG) quantifies the difference in means among the groups. The SSG is calculated using Eq. (3).

(3) $$SSG=D\times \sum {\left(m_i-{\overline{\overline{m}}}_i\right)}^2.$$

$D$ represents the number of groups, $m_i$ denotes the mean of group i, and ${\overline{\overline{m}}}_i$ signifies the mean of all instances. Equation (4) provides the formula for the total sum of squares (TSS).

(4) $$TSS=GSS+SSG.$$

The null hypothesis in ANOVA states that each group have an identical mean, indicating that the values of the analyzed characteristic do not impact the final classification. The alternative hypothesis posits that there is a difference in means in at least one group. The null hypothesis is assessed using the F-ratio, calculated as the ratio of SSG to GSS in Eq. (5). If the F-ratio exceeds a specific threshold value (known as the critical F-value), it suggests a notable difference between the group means, leading to the rejection of the null hypothesis.

(5) $$F={\displaystyle \frac{SSG}{GSS}.}$$

The critical F-value is determined by the degrees of freedom for the numerator ( $d{f}_{SSG}=D-1$) and the degrees of freedom for the denominator ( $d{f}_{SSG}=N-D$) in the F-distribution. N represents the total instances (W.S. & B, 2020).

DMN classifier

Classification in an IDS categorizes attacks as either multiclass or binary to differentiate between benign and malignant network traffic. Binary categorization deals with two classes, whereas multiclass can contain several classes. The complex nature of the problem places an impact on algorithms regarding computational resources and time, perhaps leading to less efficient results. During classification, the data set was assessed and classified as normal or abnormal. Existing instances are preserved, and new samples are created. The classification was used to find abnormal patterns and discover anomalies; however, it is mostly used for detecting abnormalities. A DMN classifier optimized using WO was used in this research, along with a feature selection technique that deals with class imbalances.

DMNs are recognized as universal approximators due to their uncomplicated feed-forward structure, like deep CNNs, which utilize a new type of activation function known as the maxout unit. Furthermore, it overcomes the challenges of traditional activation function architecture and is very resilient, easy to train, and delivers excellent performance. The DMN converges more rapidly compared to other networks. The selected features, known as feature vector E from the feature selection module, are inputted into the DMN to categorize attacks and identify their existence in the network. The DMN’s training speed has been significantly enhanced, making it suitable for attack detection (Battula & Eppili, 2022). Figure 3 displays the DMN’s general architecture.

The DMN consists of trainable activation functions inside a multi-layer model. The input data is analyzed by a network classifier to demonstrate the activation of hidden components. The DMN’s activation functions are configurable and expressed by the following equations (Boopathi, Chavan & Kumar, 2023).

(6) $$X_{m,n}^1=\underset{n\in \left[1,h_1\right]}{max}{U}^T{H}_{\dots mn}+z_{mn}$$

(7) $$X_{m,n}^2=\underset{n\in \left[1,h_2\right]}{max}{\left(X_{m,n}^1\right)}^T{H}_{\dots mn}+z_{mn}$$ (8) $$X_{m,n}^w=\underset{n\in \left[1,h_w\right]}{max}{\left(X_{m,n}^{w-1}\right)}^T{H}_{\dots mn}+z_{mn}$$ (9) $$X_{m,n}^y=\underset{n\in \left[1,h_y\right]}{max}{\left(X_{m,n}^{w-1}\right)}^T{H}_{\dots mn}+z_{mn}$$ (10) $$X_m=\underset{n\in \left[1,h_y\right]}{\mathrm{m}\mathrm{a}\mathrm{x}}{X}_{m,n}^y$$

In the above equations, $y$ reflects the total number of layers in the DMN. $h_w$ denotes the number of hidden units in the w^th layer, with $H_{\dots mn}$ as weight and $z_{mn}$ as bias. The DMN can estimate any random function by adjusting the value of $h$. When $h$ is greater than two, the network can estimate non-linear activation functions. The DMN efficiently classifies the event as normal or abnormal, providing the output $X_m$ (Waddenkery & Soma, 2023).

DMN-WO-based classification

The WO method is a metaheuristic algorithm where the population consists of walruses acting as searchers. Each walrus in the optimization problem represents a possible solution. The walruses’ positions in the search region present the problem variable’s potential values. Every walrus represents a vector, and the walrus populations could be statistically represented utilizing a population matrix. Initially, populations of walruses are randomly created during the implementation of the WO. The WO population matrix is calculated using the following Eq. (11).

(11) $$Z={\left[\begin{array}{c}{Z}_1\\ ⋮\\ Z_i\\ ⋮\\ Z_N\end{array}\right]}_{N\times m}={\left[\begin{array}{ccccc}{z}_{1,1}& \cdots & z_{1,j}& \cdots & z_{1,m}\\ ⋮& \ddots & ⋮& \ddots & ⋮\\ z_{i,1}& \cdots & z_{i,j}& \cdots & z_{i,m}\\ ⋮& \ddots & ⋮& \ddots & ⋮\\ z_{N,1}& \cdots & z_{N,j}& \cdots & z_{N,m}\end{array}\right]}_{N\times m}.$$

Here, $Z$ represents the population of walruses, $Z_i$ was the candidate solution (i-th walrus), $z_{i,j}$ was the j-th decision variable’s value proposed using the candidate solution, $N$ was the total count of walruses, and $m$ was the total decision variables.

Each walrus serves as a potential solution, and by considering its decision variable’s proposed values, the objective function (OBF) of the issue could be assessed. Equation (12) specifies the OBF’s estimated values derived from walruses.

(12) $$O={\left[\begin{array}{c}{O}_1\\ ⋮\\ O_i\\ ⋮\\ O_N\end{array}\right]}_{N\times 1}={\left[\begin{array}{c}O\left(Z_1\right)\\ ⋮\\ O\left(Z_i\right)\\ ⋮\\ O\left(Z_N\right)\end{array}\right]}_{N\times 1}.$$

Here, $O$ is the OBF vector, and $O_i$ is the OBF value calculated for the candidate solution. The values of $O$ are the most accurate quality indicator of potential solution. The i-th walrus that yields the optimal value for the OBF was referred to as the member best. The i-th walrus that yields the lowest values for the OBF was referred to as the worst member. The worst and best members were updated based on the changes in the OBF values in each cycle. The position updating of walruses in the WO is simulated in three distinct stages.

Stage 1: Exploration (feeding strategy). Walruses consume about sixty marine species. Walruses like benthic bivalve mollusks, especially clams, and searches by grazing on the sea bed with their rapid flipper movements and sensitive vibrissae. The most powerful walrus with the large tusks leads the group in food search. The potential solutions’ OBF values and walrus tusk length are similar. The group’s strongest walrus is the best solution with the best OBF values. This walrus search behavior results in varied regions of the search region, improving the WO’s global search exploration capacity. Equations (13) and (14) represent walrus position updates according to the feeding scheme beneath the most essential member of a group. This technique generates a new walrus position using Eq. (13). Equation (14) models whether this newer location exchanges the prior one if it enhances the OBF.

(13) $$z_{i,j}^{Q_1}=z_{i,j}+ran{d}_{i,j}\cdot \left(BC{S}_j-I_{i,j}\cdot z_{i,j}\right)$$

(14) $$Z_i=\{\begin{array}{c}{Z}_i^{Q_1},O_i^{Q_1}<O_i,\\ Z_i,else,\hfill \end{array}.$$

Here, $Z_i^{Q_1}$ was the newly created location for the candidate solution according to the initial step, $z_{i,j}^{Q_1}$ was its j-th dimensional, $O_i^{Q_1}$ was its OBF value, $ran{d}_{i,j}$ were random integers from zero or one, $BCS$ was the best solution and the powerful walrus, and $I_{i,j}$ were numbers randomly chosen among one and two. $I_{i,j}$ increases the algorithm’s exploration capabilities, thus a value of 2 generates more substantial and broader changes in walrus positions than 1, the default displacement state. These requirements aid the algorithm’s global search for the original optimum problem-solving space and escape from local optima.

Stage 2: Migration. Late summer air warming causes walruses to relocate to rocky or outcrops beaches. The WO employs this migratory mechanism to help walruses find acceptable search space. Equations (15) and (16) are utilized mathematically to model this behaviour. This model implies each walrus migrates to a randomly determined point in the search area. The recommended newer position was created using Eq. (15). Equation (16) states that if this new location improves the OBF, it replaces walrus.

(15) $$z_{i,j}^{Q_2}=\{\begin{array}{c}{z}_{i,j}+ran{d}_{i,j}\cdot \left(z_{k,j}-I_{i,j}\cdot z_{i,j}\right),O_k<O_i;\\ z_{i,j}+ran{d}_{i,j}\cdot \left(z_{i,j}-z_{k,j}\right),else,\hfill \end{array}$$ (16) $$Z_i=\{\begin{array}{c}{Z}_i^{Q_2},O_i^{Q_2}<O_i;\\ Z_i,else,\end{array}$$

Here, $Z_i^{Q_2}$ represents the new position of the i-th walrus in the second stage, $z_{i,j}^{Q_2}$ was its j-th dimensional, $O_i^{Q_2}$ was its OBF value, $Z_k,k\in \left\{1,2,\dots ,N\right\}$ and $k\ne i$, indicates the position of the chosen walrus to move the candidate solution closer to it, $z_{k,j}$ was its j-th dimension, and $O_k$ was its OBF value.

Stage 3: Escape and fight against predators (Exploitation). Polar bears and killer whales always attack walruses. Escaping and fighting these predators changes the walruses’ location. Walrus behaviour simulation boosts WO exploitation ability in problem-solving local space surrounding i-th walruses. The WO design assumes that this level of walrus relocate process happens in a neighbourhood of walrus-centered with a particular space since it occurs near each walrus. The space of this neighbourhood was modifiable because global search was prioritized in the initial iterations of the algorithm to find the optimal area in the search space. It starts at the highest value and decreases over time. This stage of WO uses local lower/upper boundaries to produce a variable radius with algorithm repeats. WO simulates this behaviour by assuming a neighbourhood surrounding each walrus and randomly generating a new position utilizing Eqs. (17) and (18). The new location replaces the old one if the OBF improves, based on Eq. (19).

(17) $$z_{i,j}^{Q_3}=z_{i,j}+\left(lo{b}_{loc,j}^t+\left(up{b}_{loc,j}^t-rand\cdot lo{b}_{loc,j}^t\right)\right)$$

(18) $$LocB=\{\begin{array}{c}lo{b}_{loc,j}^t={\displaystyle \frac{lo{b}_j}{t}}\hfill \\ up{b}_{loc,j}^t={\displaystyle \frac{up{b}_j}{t}}\end{array}$$ (19) $$Z_i=\{\begin{array}{c}{Z}_i^{Q_3},O_i^{Q_3}<O_i;\\ Z_i,else,\hfill \end{array}.$$

Here, $Z_i^{Q_3}$ represents the newer location of the candidate solution in the third step. $z_{i,j}^{Q_3}$ was its j-th dimensional, $O_i^{Q_3}$ was its OBF value, t was the iteration count, $LocB$ was the local bound, $up{b}_j$ and $lo{b}_j$ are the upper and lower bounds of the j-th variable. $up{b}_{loc,j}^t$ and $lo{b}_{loc,j}^t$ are the local upper and lower bounds for the variable j used for local search near the i-th walruses.

Upon updating the walruses’ position following the three stages, the initial WO iteration concludes, leading to the computation of new values for both the walruses’ positions and the OBFs. Revise and enhance potential solutions iteratively using the WO processes outlined in Eqs. (13) to (19) until the last iteration. After running the algorithm, WO produces the best optimal solutions identified while executing as the solutions to the issue for DMN. Using a DMN has the benefit of efficiently learning inherent characteristics from the data. The weight factor of the DMN model is updated throughout each iteration depending on the fitness measure to get better outcomes by minimizing the error value. The DMN weights are learned using a WO optimization technique. The optimization technique helps in producing precise outcomes. The learning rate of training finite-width, DMN is 10⁻⁵. The batch size is 256. The number of epochs is 100. The WO is applied to tune other hyperparameters. The width is selected from {5; 50; 500; 5,000}, depth from {1; 5; 9; 13; 17; 21}, the maxout rank from {2; 3; 4}, the standard deviation (Std Dev) of the initialization of weights from {0:001; 0:01; 0:1; 0:5; 1}, the Std Dev of the initialization of biases from {0:1; 0:5; 1}.

Equation (20) communicates and determines the fitness value utilized to identify the best optimal solution for the DMN’s weight factor (Trojovský & Dehghani, 2023).

(20) $$FV={\displaystyle \frac{1}{S}\sum _{\omega =1}^S{\left[E_{\omega }-D_{\omega }\right]}^2.}$$

Here, FV specifies the fitness value, the total number of samples is denoted by S, D represents the desired output, and E represents the expected output of the DMN classifier. The following represents the DMN-WO algorithm.

Figure 4 depicts the flowchart of DMN-WO algorithm. The DMN is configured with multiple layers, where each layer consists of neurons with maxout activation functions. The architecture is designed to optimize the balance between depth and computational efficiency, ensuring that the model can handle large-scale IoT data without excessive computational overhead. The WO algorithm is parameterized with a population size of walruses (N) and a total number of iterations (T), with specific analysis for exploration, migration, and exploitation. These parameters were selected based on preliminary experiments to maximize the convergence speed and accuracy of the model.

The selection of DMN and WO was driven by their complementary advantages. DMN’s DL capabilities are essential for accurately modelling the complex data patterns associated with IoT-based intrusions, while WO’s optimization strategies are critical for fine-tuning the model parameters to achieve optimal performance. The integration of these two methods ensures that the research model is both powerful in detection and efficient in computation, addressing the challenges of intrusion detection in resource-constrained IoT environments.

Experimental setup

In this section, a complete analysis of the experimental results acquired through the utilization of the proposed research model DMN-WO is presented. The experiments were conducted on a machine with an Intel Core i7-10700K CPU @ 3.80 GHz, 32 GB RAM, and an NVIDIA GeForce RTX 3080 GPU (10 GB VRAM) running Ubuntu 20.04 LTS. The TensorFlow and Keras frameworks were used for model development, training, and testing, while Python was employed for preprocessing and analysis tasks. The primary dataset utilized was the CIC-IDS-2018, which provides labeled data for various attack types, including DDoS, brute force, and botnet attacks. Additionally, real-time data collected using Raspberry Pi devices in the Tabuk IoT environment served as validation data to assess the system’s performance under practical conditions. During data preprocessing, normalization was applied to standardize numerical values, and recursive feature elimination (RFE) was used to select 15 key features critical for intrusion detection. A variety of metrics, such as accuracy, recall, precision, and F1-score, are utilized to assess the effectiveness of the research model. The computation of the metrics is evaluated based on factors like true positives, true negatives, false positives, and false negatives. Following that, the estimated performances are compared with the models that are being evaluated in the review procedure for validation.

Hardware setup

To implement the hardware required for the proposed research model, a Raspberry Pi model running on the Kali Linux operating system and the 24 × 7, functional intrusion detection system framework is utilized. This research intends to provide a reliable IDS model that can be implemented at edge gateways to identify attacks in real-time. The Raspberry Pi 4B, a single-board computer, is the physical representation of the edge gateway. It is equipped with a quad-core Cortex-A72 CPU and 8 gigabytes of RAM. The active mode is being utilized by this system, which is linked in line with the wireless router. The system keeps track of all the network packets that are coming into the wireless router as well as the internet traffic that is going out of the router. The network capacity and limited storage resources of the IoT devices are impacted by denial-of-service attacks, which in turn cause problems with applications that run on the IoTs and result in severe damage to the ecosystem’s performance and functionality. The attacks similar to the ones present in the dataset were carried out on the IoT devices, with the inline model being responsible for the initial onboarding and administration of the IoT devices. The proposed IDS model follows both incoming and outgoing data to identify any abnormal traffic behaviour. This kind of malicious traffic is promptly prevented, and alerts are generated and relayed to the authorized personnel. This is accomplished by categorizing the attacks that are detected. Anything that deviates from the typical pattern of behaviour is identified as an abnormal occurrence. The comparison with various IDS models discussed in the survey and the results achieved with the dataset that was used for training and testing as well as real-time data are shown in the following section.

Researchers collect real-time data for this research from Raspberry Pi devices deployed in public transportation infrastructure in Tabuk, Saudi Arabia. These devices capture environmental and network-related information, such as sensor data, network traffic, and system logs. Researchers utilize the collected data for model validation, enabling the IDS model to assess its performance in real-world scenarios. This ensures the mode’s effectiveness in detecting intrusions and enhancing the security of public transportation within the smart city environment. In data collection, the real-time data were gathered using Raspberry Pi devices deployed across public transportation infrastructure in Tabuk. The collected data were then processed using the research model to assess its performance in real-world scenarios. This involved pre-processing the raw data, normalizing it, and applying the feature selection technique before feeding it into the model for training and testing.

Performance analysis

To test the performances of the proposed model, various performance metrics like accuracy, specificity, precision, detection rate, and F1-score are utilized. Accuracy in an IDS refers to the ability of the system to correctly identify and classify malicious and non-malicious activities. An IDS with high accuracy will correctly identify and classify a high percentage of activities as either malicious or non-malicious.

(21) $$Accuracy={\displaystyle \frac{TP+TN}{FN+TP+FP+TN}.}$$

The detection rate in an IDS refers to the percentage of malicious activities that the IDS can detect out of all the potentially malicious activities that it analyzes. In other words, the detection rate represents the effectiveness of an IDS in detecting malicious behaviour.

(22) $$Detectionrate={\displaystyle \frac{TP}{TP+FN}.}$$

Precision in an IDS refers to the proportion of alerts generated by the IDS that are relevant or true positives. In other words, precision measures the accuracy of the alerts generated by the IDS.

(23) $$Precision={\displaystyle \frac{TP}{TP+FP}.}$$

Specificity in an IDS is its capacity to accurately recognize and categorize non-malicious activity as true negatives. A high specificity rate demonstrates the IDS’s ability to properly differentiate between malicious and non-malicious activity, only alerting for possible security issues.

(24) $$Specificity={\displaystyle \frac{TN}{TN+FP}.}$$

F-measure in an IDS is a metric that combines precision and recall into a single score to evaluate the overall effectiveness of the system. A high F-measure indicates that the IDS can effectively detect attacks while generating fewer false positives.

(25) $$Fmeasure=2\times {\displaystyle \frac{Precision\times Recall}{Precision+Recall}.}$$

Energy efficiency score (EES): Compute an efficiency metric such as energy consumed per operation or energy consumed per task. ESS is calculated using Eq. (26).

(26) $$\mathrm{E}\mathrm{E}\mathrm{S}={\displaystyle \frac{\mathrm{T}\mathrm{o}\mathrm{t}\mathrm{a}\mathrm{l}\mathrm{E}\mathrm{n}\mathrm{e}\mathrm{r}\mathrm{g}\mathrm{y}\mathrm{C}\mathrm{o}\mathrm{n}\mathrm{s}\mathrm{u}\mathrm{m}\mathrm{p}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n}\left(\mathrm{J}\right)}{\mathrm{T}\mathrm{a}\mathrm{s}\mathrm{k}\mathrm{s}\mathrm{C}\mathrm{o}\mathrm{m}\mathrm{p}\mathrm{l}\mathrm{e}\mathrm{t}\mathrm{e}\mathrm{d}}.}$$

Cross-validation

In this section, we conducted a comprehensive analysis of the DMN-WO model’s performance using five-fold cross-validation. The dataset was divided into five subsets, with each subset being used as a test set while the remaining four subsets were used for training. This process was repeated five times, and the performance metrics were averaged across all folds to obtain a reliable estimate of the model’s effectiveness. The performance results of the DMN-WO model, evaluated using five-fold cross-validation on both the CIC-IDS and CIC-DDoS datasets, are summarized in Tables 4 and 5.

The five-fold cross-validation results demonstrate that the DMN-WO model achieves consistent and reliable performance across different subsets of the data. The average metrics are closely aligned with those obtained in the initial evaluation, indicating that the model is robust and generalizes well to unseen data. This comprehensive analysis using cross-validation provides a more reliable estimate of the model’s performance, reinforcing its effectiveness in detecting intrusions within the IoT environment.

The performance evaluation of the proposed research model, DMN-WO was evaluated using both the actual data and the training dataset’s data. For this evaluation, the dataset was split into 80:20 ratio, which refers that 80% was utilized for training the research model and the remaining was utilized to test the research model. By using the RFE-ANOVA, the important features present in the dataset were selected for the research model adaptability. Figure 5 displays the selected features from the dataset with a total of 11 features. Out of 80 features present in the dataset, only 11 important features are utilized in the proposed research. The following sections represent the performance analysis of the DMN-WO model and its comparison.

Table 6 presents the performance results of the research model evaluated using the CIC-IDS dataset. The performance was evaluated on both the training and test set. The model attained 99.87% accuracy in training and 99.43% in testing, which has a small difference of 0.4% in the performance. The number of training data is higher compared to the test set, which is one of the causes of this improved performance. However, the model obtained a close performance in testing as it shows its efficiency in attack detection. The detection rate or recall of the DMN-WO was 99.75% in training and 99.61% in test set, which is very closely similar to their performance computed. The specificity of the DMN-WO was 99.38% in training and 99.22% in test set. As both the performance rates are higher, the model is effective in differentiating the normal and abnormal activity. The precision rate of the model in training was 99.85% and 99.70% in testing, which reflects its efficiency in a higher TPR rating. The model obtained a 99.79% F-score in training and 99.64% in testing, this indicates that the research model can effectively detect attacks while generating fewer false positives. Figure 6 represents the graphical plot for this analysis.

Table 7 presents the performance results of the research model evaluated using the CIC-DDoS dataset. The performance was evaluated on both the training and test set. The model attained 99.45% accuracy in training and 99.30% in testing, which has a small difference of 0.15% in the performance. The detection rate of the DMN-WO was 99.50% in training and 99.38% in test set, which is very closely similar to their performance computed. The specificity of the DMN-WO was 99.26% in training and 99.15% in test set. The precision rate of the model in training was 99.48% and 99.36% in testing, which reflects its efficiency in a higher TPR rating. The model obtained a 99.43% F-score in training and 99.29% in testing, this indicates that the research model can effectively detect attacks while generating fewer false positives. Figure 7 represents the graphical plot of the DMN-WO model’s performance in the CIC-DDoS Dataset.

Table 8 presents the performance results of the research model evaluated using the real-time data collected from the IoT devices deployed for this research. The real-time data collected from Raspberry Pi devices in Tabuk’s public transportation infrastructure serves a crucial role in the research model. Researchers utilize this data for training and validating the DMN-WO model, extracting relevant features representing system behaviour, and facilitating intrusion detection. The model is continuously evaluated in real-time, generating alerts for potential security incidents. Feedback from real-time data ensures ongoing model optimization, allowing researchers to adapt it dynamically to emerging patterns and environmental changes in the smart city environment. This comprehensive integration of real-time data enhances the model’s efficacy in promptly detecting and responding to security threats. The model attained an accuracy of 99.02% in training and 98.06% in test set, which has a difference of 0.9% in the performance. The detection rate of the DMN-WO was 98.91% in training and 98.50% in test set. The specificity of the DMN-WO was 98.83% in training and 98.24% in test set. The precision rate of the model in training was 99.05% and 99.81% in testing. The model obtained a 98.93% F-score in training and 98.57% in testing. Compared to the performance obtained for the CIC-IDS dataset, the results obtained for the real-time data were less in the performances. Figure 8 represents the graphical plot for the real-time data analysis.

Table 9 represents the comparison of the DMN-WO model’s performance with the other models discussed in the survey section. Figure 9 illustrates a comparison between the proposed model and existing models based on key performance metrics such as accuracy, detection rate, precision, specificity, and F-measure. All the compared models are implemented only for the IoT-smart city applications. The test set results of the DMN-WO model in both CIC-IDS and real-time data are utilized in this comparison. As mentioned earlier, the research model’s performance in the CIC-IDS dataset was higher compared to all other models. The results are compared with the models evaluated on the publicly available dataset used for IoT applications. In comparison, the research model has a higher accuracy with 99.43%, which is 0.9% to 3.03% higher than the all compared models. The performance comparison of intrusion detection models highlights the superiority of the proposed DMN-WO in real-time scenarios. It achieved the highest metrics across all categories, with an accuracy of 98.24%, detection rate of 98.57%, precision of 98.06%, specificity of 98.50%, and F-measure of 98.81%. The CNN-LSTM and GRU (Kilichev, Turimov & Kim, 2024) models demonstrated balanced performance, recording an accuracy, detection rate, specificity, and F-measure of 97%, with a slightly lower precision of 96%. Meanwhile, the LSTM (Rajasoundaran et al., 2024) model achieved a detection rate of 97.12%, precision of 96.40%, specificity of 96.50%, and an F-measure of 97.01%, but its accuracy was not reported. The results clearly indicate that DMN-WO outperforms the other models, making it a robust choice for real-time intrusion detection in IoT environments, while CNN-LSTM and GRU offer competitive but less optimal performance, and LSTM remains a viable option with limitations.

Empirically, the proposed DMN-WO model demonstrates superior performance in detecting intrusions compared to existing methods. The effectiveness of the model is validated using the CIC-IDS-2018 and CIC-DDoS datasets and real-time data collected from an IoT-enabled smart city infrastructure. On the CIC-IDS-2018 dataset, the model achieved an accuracy of 99.43%, a detection rate of 99.61%, a precision of 99.70%, a specificity of 99.22%, and an F1-score of 99.64%. On the CIC-DDoS-2019 dataset, the model achieved an accuracy of 99.30%, a detection rate of 99.38%, a precision of 99.15%, a specificity of 99.36%, and an F1-score of 99.29%. These results indicate a significant improvement over other intrusion detection model.

When applied to real-time data, the DMN-WO model maintained its high performance, achieving 98.06% accuracy, 98.50% detection rate, 98.81% precision, 98.24% specificity, and 98.57% F1-score. This consistency in performance across different datasets underscores the model’s robustness and practical applicability in real-world scenarios. The combination of DMN and WO not only enhances detection accuracy but also reduces the risk of overfitting, making the model more generalizable to various types of intrusion patterns.

Time complexity analysis: The complexity of the DMN-WO algorithm can be broken down into two main components: the DMN-WO algorithm. The computational complexity of the DMN architecture is O(n*m), where n is the number of neurons in the layer and m is the number of input features, and the training process, involving backpropagation, has a complexity of O(n*m*k), where k is the number of training samples. The WO algorithm’s exploration phase requires O(n*m) for random initialization of solutions, and both migration and exploitation steps also take O(n*m), as they involve recalculating the fitness function for the DMN. The overall combined complexity of the DMN-WO algorithm is represented as O(T*I*(n*m+n*k)), where T is the number of iterations, I is the number of walruses (candidate solutions), n is the number of neurons in the DMN, mmm is the number of features, and k is the number of training samples. This reflects the computational cost of both the optimization (via WO) and training (via DMN) processes in each iteration.

Performance evaluation of energy consumption: In addition to assessing the proposed DMN-WO model’s performance, an energy consumption analysis was conducted to evaluate the computational efficiency of the model compared to other baseline approaches. Energy consumption is a critical factor, particularly in resource-constrained IoT environments. The experimental setup utilized a power meter to measure the energy consumed during the training and testing phases. The models were evaluated based on their energy consumption as a percentage of the total energy used during the experiment. The comparison of energy consumption across various models is shown in Table 10.

Advantages and limitations of the model

Advantages: The research model’s use of data normalization ensures that it standardizes diverse data types and ranges, enhancing the training stability of the DMN-WO. Recursive feature elimination with ANOVA for feature selection contributes to improved model efficiency by identifying and prioritizing the most relevant features, enhancing the model’s interpretability, and reducing computational complexity. The DMN-WO classification approach combines the strengths of deep learning and optimization algorithms, allowing the model to adapt dynamically to evolving intrusion patterns, providing a robust and effective intrusion detection system for smart city public transportation infrastructure.

Limitations: While data normalization contributes to model stability, it may be sensitive to outliers, potentially affecting performance. Recursive feature elimination can be computationally intensive, leading to longer training times, especially with large datasets. The effectiveness of the DMN-WO model depends on the quality and representativeness of the training data, and its complexity might pose challenges for deployment on resource-constrained devices. Additionally, the interpretability of deep learning models can be limited, making it challenging to understand the exact reasoning behind certain predictions. Ongoing monitoring and adaptation are essential to address potential limitations and ensure the model’s continued effectiveness in real-world scenarios.