International Journal of Safety and Security Engineering

Vol. 15, No. 3, March, 2025, pp. 405-413

Journal homepage: http://iieta.org/journals/ijsse

Optimal Feature Extraction Model for Detecting Cyberattacks on IoT Devices

Monir Abdullah

Computer Science and Artificial Intelligence Department, College of Computing and Information Technology, University of
Bisha, Bisha 61922, Saudi Arabia

Corresponding Author Email: [email protected]

Copyright: ©2025 The author. This article is published by IIETA and is licensed under the CC BY 4.0 license
(http://creativecommons.org/licenses/by/4.0/).

https://doi.org/10.18280/ijsse.150301 ABSTRACT

Received: 12 November 2024 Internet of Things (IoT) is the technology of this modern era that focuses on connecting
Revised: 10 February 2025 devices and sensors to the Internet and can converse with each other without human
Accepted: 18 February 2025 interaction. IoT technology has been used in many applications, such as smart and
Available online: 31 March 2025 wearable devices automatically organizing people’s appointments, and in many fields,
such as communications in factories and companies. However, in contrast to its rapid
spread, it faces several challenges. In terms of privacy, security, and confidentiality, IoT
Keywords: is vulnerable to many types of cyberattacks, making it necessary to develop safe solutions
N-BaIoT dataset, IoT, machine learning, to secure IoT networks. In this paper, two feature extraction algorithms are integrated with
cyberattacks, spider monkey optimization three machine learning (ML) techniques to develop a model that detects a cyberattack
(SMO) faced by IoT devices. Butterfly optimization algorithm (BOA) and spider monkey
optimization (SMO) with Naïve Bayes (NB), Random Forest (RF), and K-Nearest
Neighbor (KNN) models are implemented. The experiment was conducted on the N-
BaIoT dataset containing more than 800,000 records covering 10 IoT device attacks. The
results show that the SMO feature extraction algorithm with the KNN classifier model
outperformed other algorithms and achieved 100% in all performance metrics.

1. INTRODUCTION that no authentic request gets through due to congestion.

Man-in-the-Middle Attack: An intruder intercepts the
IoT is classified as a technology that affects people messages between two devices so that a potential intruder may
positively. In daily activities in various areas of life, it has have eavesdropping capability along with data modification
improved the quality of life and provides the best methods for during transit. This could be made possible by several means,
communicating with various kinds of devices via the Internet. including address resolution protocol (ARP) spoofing and
For example, in the healthcare sector, the data are collected by domain name systems (DNS) poisoning. Thus, hackers steal
sensors and devices measuring the heartbeat and blood sensitive information and modify commands to effect
pressure levels. However, IoT attacks may cause privacy unauthorized actions.
violations and threaten people’s lives and privacy [1]. The Backdoor Attack: A backdoor software installation
healthcare sector has faced many electronic attacks. The vulnerability in a device is exploited by an attacker for
existing data are sensitive data, and their exposure to the attack constant and unauthorized access. This can allow the backdoor
endangers patients’ lives, so the privacy and security of the to continuously monitor or control the device without being
information must be appropriately applied. The IoT field has noticed. It can be lessened through periodic security audits and
received great attention, and IoT is growing on a large scale. assurance of software integrity through checksums.
IoT systems include a wide range of technologies and will Probing: This includes probing attacks an intruder uses to
continue to in the coming years. However, there are still many scan the network for information gathering or determining
new and severe challenges to the problem of security and possible vulnerabilities. A mapped sketch of available
privacy in this field. In this research, a model using the ML machines and services on the network provides data for future
algorithm will be built to discover cyberattacks targeting IoT exploits.
devices and networks by determining the type of attack [1]. Apart from these, replay attacks, password cracking, and
IoT security is different from other forms of computing in injection attacks would emulate other types of security threats
many ways, especially in the challenges of other computing an IoT device would generally face.
devices like desktops, laptops, servers, or mobile devices. For These are the main cyberattack detection methods:
all IoT systems, the authentication mechanism is crucial for (1) Modern technologies contribute to the protection and
security and privacy [2]. The N-BaIoT dataset attack types are security of information by monitoring and analyzing
summarized into the following [3]: cyberattacks.
DoS/DDoS: A type of attack in which an attacker causes a (2) That requires updating and developing antivirus
computing or memory resource to be overloaded to the extent programs, determining the most sensitive points prone to

405
penetration, and directly confronting cyberattacks. In reference [7], results have been produced by testing and
(3) The measures necessary to restrict the attacks on validating four binary classifiers: decision trees (DT), extra
cyberspace include increasing the level of awareness among trees classifiers, Random Forest (RF), and support vector
citizens, infrastructure development, and keeping pace with machines (SVMs). The RF classifier outperformed all other
techno-development. classifiers when it was trained on a specific device and used to
(4) The imperative of developing a rapid response plan and test the anomalies that come from completely unrelated
dealing with cybersecurity incidents [4]. devices.
In our research, an ML-based model to detect cyberattacks
targeting IoT devices and networks is proposed. Moreover, the 2.1 Feature extraction models
proposed model identifies the type of attacks by analyzing
more than 800,000 contact data related to various IoT device 2.1.1 Butterfly optimization algorithm (BOA) model
attacks. The main contributions of this article are as follows: BOA is a novel optimization technique inspired by how
(1) Adapting butterfly optimization algorithm (BOA) and butterflies forage for and attract mates. In this algorithm, the
spider monkey optimization (SMO) for dataset feature behavior of females using their chemoreceptors, an external
extraction. sensory organ present in many parts of the body, is modeled.
(2) Integrating BOA and SMO with ML classifier to detect These chemoreceptors help in perceiving flower or food odors,
cyberattacks in IoT devices. as well as in identifying the best possible mating partners.
(3) Evaluating the proposed model by applying several ML When the butterflies are in movement, they diffuse the odor in
performance metrics. variated concentrations, and this scent directs the movement
The remainder of this paper is divided into the following of the search agents (the butterflies) in the BOA algorithm. For
sections. Related works of different ML classification models, instance, where a butterfly cannot scent others’ fragrances
feature selection algorithms, ML-based cyberattack detection within a search area, it will tumble and reposition randomly.
models, and the N-BaIoT cyberattack dataset are presented in However, when a butterfly stabilizes and only detects the
Section II. Section III presents the proposed model perfume from the most successful butterfly it knows, it will try
implementation in detail. The results are discussed in Section to move toward that butterfly [8]. The BOA has shown
IV, and Section V concludes the article. promise in feature selection tasks across various studies. For
instance, in reference [9], the monarch BOA algorithm is
applied to feature selection, achieving high classification
2. RELATED WORKS accuracy (93%) while significantly reducing feature set size.
Moreover, binary variants of BOA demonstrate improved
The IoTs is the new discipline that not only takes care of classification accuracy compared to other wrapper-based
scientific, engineering and technical aspects but also integrates algorithms [10].
social sciences and analyzes big data derived from social
media. Recently, detection systems have become the prime 2.1.2 Spider monkey optimization (SMO) model
focus of researchers in IoT environments due to the ever- The SMO algorithm draws inspiration from the social and
increasing threat of botnet attacks on such devices. It foraging behaviors of spider monkeys. It uses a fission-fusion
effectively addresses network intrusion detection systems social structure where the monkeys form and dissipate groups
(IDSs) for protection against malicious activities on networks. of different sizes. Some primary characteristics that define
Most public detection systems operate based on attack spider monkeys in the SMO algorithm include the following
signatures; they are called signature-based detection systems. [11]:
These systems recognize all the known types of attacks by (1) Each group contains 40 to 50 monkeys; these are called
matching the pattern of incoming attacks with pre-recorded individuals within the framework of SMO.
signatures. They require a robust infrastructure and (2) Among the troop of monkeys, there is a global leader
sophisticated tools since many signature rules must be added (GL) who can divide them into subgroups of 3-8 when food is
to their databases. Various research works have proven that insufficient, where each subgroup will then forage
ML techniques can be of great assistance in attack detection independently.
tasks. It is already known that most attacks in the IoT (3) Each subgroup is usually led by a local leader (LL), who
environment are of a botnet nature, and several IoT devices usually guides foraging.
still present vulnerabilities owing to limited memory and (4) Members of the group use particular sounds to
computational resources, which seem to be an obstruction to communicate with one another and promote social behavior.
strong security mechanisms. Moreover, attackers can bypass For the SMO algorithms, a hybrid approach combining
many rule-based detection systems easily. Researchers have SMO with simulated annealing and ReliefF filtering
explored the development of an ML-based attack detection demonstrated superior performance in identifying biomarker
system featuring a sequential detection architecture. They genes from cancer datasets, achieving up to 99.45% accuracy
employed an efficient feature selection approach to develop a [12]. In fuzzy classifier construction, binary SMO was
lightweight, high-performance detection system that achieved employed for feature selection, while continuous SMO
improved overall detection results [5]. They also proposed a optimized fuzzy rule antecedents, resulting in classifiers with
framework for specifying an effective algorithm to detect minimal rules and reduced features while maintaining
malicious activity in IoT using ML, where a Naïve Bayes (NB) competitive accuracy [13]. These studies highlight the
model was observed to perform well in anomaly detection. A effectiveness of SMO-based approaches in feature selection
cyberattack detection system targeting sewage IoT devices across diverse applications. The SMO algorithm is presented
was also proposed, which managed to achieve an accuracy of in Figure 1.
92% in fixed scenarios and 72% in mobile environments [6].

406
 Figure 1. Spider monkey optimization (SMO) algorithm

Table 1. SMO-related works

Ref. Feature Selection by SMO Model Year ML Classifier Dataset Accuracy (%)
[13] Binary SMO (BSMO) 2019 Fuzzy Classifier 38 Datasets 99.45
SVM, LDA, KNN,
[14] Oscillating SMO 2021 Soil image dataset 82.25
and RF
[15] Conditional Random Field (CRF) & SMO 2021 CNN NSL-KDD Dataset 99
AID, UCM, NWPU45
[16] Gaussian Mutation-SMO(GM-SMO) 2022 ANN, CNN Highest 99.46
dataset
Deep Learning Belief
[17] Self-Improved Standard SMO 2022 COVID-19 Image Dataset 90.5
Network
[18] SMO 2023 CNN-LSTM Dementia sufferers images 89.72
NB = 91, RF = 94
Optimal feature extraction is achieved Magnetic resonance imaging
[19] 2023 NB, RF, SVM, DT SVM = 96
using a differential SMO (MRI) datasets
DT = 93.5
[20] Cuckoo search algorithm (CSA) & SMO 2024 ReliefF+ PCA 8 Cancer datasets 90.6

The SMO algorithm has many applications for feature cybersecurity to healthcare. SMO-related works are presented
selection over different datasets concerning accuracy and in Table 1.
classification performance. In 2019, a fuzzy classifier
developed with binary SMO reached an accuracy of 99.45% 2.2 ML-based models
for 38 datasets, showing the efficiency of SMO in optimizing
fuzzy classifiers [13]. It obtained an accuracy of 82.25% with 2.2.1 Naïve Bayes classifier
a dataset of soil images taken in 2021 by employing oscillating In statistics, NB classifiers are a family of simple
SMO fine-tuning for feature selection in an ensemble of "probabilistic classifiers" based on the application of Bayes'
classifiers comprised of SVMs, linear discriminant analysis, theorem with (Naïve) assumptions about independence
K-Nearest Neighbor (KNN), and RF [14]. The accuracy of between features. These are some of the simplest Bayesian
intrusion detection reached 99% using the proposed CNN network models but can be combined with kernel density
model combined with conditional random field and SMO on estimation to achieve higher levels of accuracy. The NB
the NSL-KDD dataset that enhances IoT security [15]. The classifier scales exceedingly well. There are only a few
highest value recorded was 99.46% in 2022 when both ANN parameters to be estimated, which scales linearly with the
and CNN models adopted GM-SMO in recognizing remote number of variables (features/predictors) in the learning
sensing scenes [16]. The adaptability of SMO flowed to problem. Maximum likelihood training can be done very
medical image analysis, with the accuracy of a deep belief efficiently by evaluating a closed-form expression that takes
network with self-optimizing SMO reaching 90.5% in linear time rather than an expensive iterative approximation,
COVID-19 prediction, while that of a CNN-LSTM framework as used by many other classifiers. It is also referred to in the
that employed SMO reached an accuracy of 89.72% in literature of statistics and computer science as NB models and
dementia detection [17, 18]. Furthermore, in MRI datasets, independent Bayes [21]. Recent research has addressed the use
differential SMO improved feature extraction such that of ML techniques, especially the NB model, for network attack
classification accuracy for detecting a particular lumbar spine detection. A Gaussian NB model was explored in classifying
disease reached 96% by SVM in 2023 [19]. Lastly, in 2024, cyberattacks in streaming data, focusing on its adaptability
the Cuckoo Search algorithm combined with SMO was [22]. The hybrid approach proposed in reference [23]
proposed for the detection of cancer and reported 90.6% combines the heuristics clustering algorithm and NB model to
accuracy on eight different cancer datasets [20]. These results detect DDoS attacks, which showed improved accuracy and
themselves indicate that SMO has always been able to enhance detection rates. In addition, three models, including NB, RF,
the performance of ML in a continuous manner, from and stochastic gradient boosting, have been compared for

407
DDoS attack classification. Among them, stochastic gradient developed using KNN achieved 92% accuracy, 100%
boosting proved to be the most accurate at 100% [24]. precision, and 95.8% F1-score in detecting denial-of-service
Recently, a probability-based supervised ML algorithm has attacks. Although KNN performs well when it comes to the
been introduced NB model for intrusion detection on the capability of detection, it may be inefficient when it comes to
UNSW-NB15 dataset [25]. All these studies indicate the bits' time complexity. Overall, these studies support KNN as a
potency of the NB model and other ML techniques in detecting feasible and efficient algorithm for intrusion detection in a
various network attacks; hence, research is ongoing to further network.
improve their accuracy and adaptability against evolving cyber
threats. 2.3 N-BaIoT cyberattacks dataset

2.2.2 Random Forest (RF) classifier The N-BaIoT dataset was utilized to validate the proposed
RF is flexible, easy to use, and gives the best results most of IDSs. The ensemble averaging deep neural networks achieved
the time without hyperparameter tuning. Because of its the target of attack detection by botnets in heterogeneous IoT
simplicity and efficiency, it is among the most used algorithms devices with an average accuracy of 97.21%, precision of
since it can be applied to ranking and regression. RF is one of 91.41%, recall of 87.31%, and an F1-score of 88.48% [36].
the algorithms for supervised learning. "Jungle" is an AdaBoost and eXtreme gradient boosting (XGBoost) models
ensemble of DTs usually trained by the "bagging" method. The have been implemented to meet particular security challenges
general intuition of this approach is that the ensemble of in IoT networks [37]. The N-BaIoT dataset, which was
learning models boosts the final outcome. In other words, RFs produced by the injection of the Bashlite and Mirai botnet
construct a large set of DTs and combine their predictions to attacks on various IoT devices, has widely been used in
produce more accurate and robust estimates. Among many research on the detection of IoT botnets [38, 39]. This dataset
advantages, one of the most important benefits of RF is that it addresses the scarcity of publicly available botnet-specific
can be used for both classification and regression problems, datasets in IoT domains [40]. Various research studies have
which constitute the biggest part of all ML systems today [26]. designed and built effective detection models based on ML
Recent works have discussed the adoption of RF for detecting and DL methodologies, of which most reported that RF and
network attacks, as in reference [27]. RF is combined with gradient boosting reliably showed higher accuracy. Feature
principal component analysis to enhance attack detection for selection methods, such as the Fisher Score or PCA, were
IoT devices, reaching as high as 99.2% accuracy [28]. In considered to optimize the effectiveness of the detection
previous study [29], an RF-based model was developed for performance [40]. It was confirmed that the N-BaIoT dataset
DDoS attack detection. The Gini Index and entropy criteria are indeed outperformed the existing wired datasets, such as NSL-
used in the model to improve its accuracy. For instance, ET- KDD, because it covers IoT-specific attacks and considers
RF [30] is proposed, attaining an accuracy of 99% in the relevant network layers [41]. Research supports the idea that
CICDDoS2019 dataset. In previous study [31], RF is utilized not all the features are necessary for effective detection, which
on the NSL-KDD dataset for intrusion detection. As such, could reduce the detection time for ML models.
feature selection should be done with the Gini importance that In our research, BOA and SMO feature selection algorithms
improves the effectiveness of the model. with ML-based models are integrated to detect cyberattacks
targeting IoT devices. Moreover, the proposed model
2.2.3 K-Nearest Neighbor (KNN) classifier identifies the type of attacks by analyzing more than 800,000
The KNN algorithm is the simplest form of ML based on contact data related to various IoT devices and attacks.
the technique of supervised learning. KNN assumes that new
cases or data points would be similar to the existing ones and
assigns them to the most similar categories. In this algorithm, 3. PROPOSED MODEL IMPLEMENTATION
it retains all the incoming data and classifies any new data
point by comparing its similarity with the stored examples. The experimental study in this work was conducted on a
This will easily classify any incoming data into the right range desktop running Microsoft Windows 10 Home (64-bit). The
of classes. Though KNN finds its applications in both machine used for the implementation is Alienware Aurora R9,
regression and classification, the most common area of with an octa-core Intel® Core™ i9-9900 processor that
application is classification. KNN is a nonparametric represents a base frequency of 3.10 GHz. It has 32 GB RAM
algorithm that does not make any assumptions on the and a 1 TB hard drive. The software requirements are fulfilled
underlying distribution of data. It is often referred to as a lazy using Keras and Python programming tools. Detailed
learning algorithm because it only stores the dataset in hardware and software specifications for the proposed
memory and does the classification when needed, rather than integrated model are illustrated in Table 2.
learning in advance from the training set. During the training
phase, KNN only stores the dataset, and when new data shows Table 2. System configuration for the proposed model
up, it classifies based on similarity to existing data points [32]. implementation
Recently, several works investigated the performance of KNN
for attack detection. KNN tends to have high accuracy and Processor Core i9
performance metrics while detecting different cyberattacks. GPU NVIDIA 4 GB
Previous study [33] reported 99.996% in binary classification OS Windows 10 - 64 Bit
and 99.988% in multi-class classification with the NSL-KDD RAM 32GB
dataset. In this direction, it has been seen that KNN performs Language Python
best in the CICIDS 2017 dataset, among other supervised Software Numpy, TensorFlow, Scikitlearn, Pandas
learning algorithms, for the highest F1-score and accuracy
[34]. In reference [35], an anomaly-based detection model

408
3.1 Experiment framework contained network.

The experiment framework was created to obtain a clear 3.3 Feature extraction
perspective of our experiment design on the problem area as
described in Figure 2. Feature selection is probably one of the most important
concepts in ML, as it has a high influence on the performance
of our model. The functional attributes of data utilized for
training the ML models are core contributors in terms of the
performance achievable from them. The features that are
irrelevant or only partially relevant might have adverse
implications on model effectiveness. Therefore, feature
selection and data cleaning should be the initial and primary
steps in model design. BOA and SMO are two feature
extraction algorithms that we will implement in our research,
shown in the above framework. To design an SMO fitness
function for feature selection on a given dataset, the goal
would be to identify an optimal subset of features that balances
high classification accuracy with a minimum number of
selected features. In general, both these objectives are included
in the fitness function. A typical fitness function (ft) for feature
selection in SMO can be represented as Eq. (1):

ft (sf ) =   (1 − Accuracy(sf )) +   (| sf | / | f |) (1)

where, sf is the subset of selected features, |sf| is the number of

features in subset sf, |f| is the total number of features in the
dataset, Accuracy(sf) is the classification accuracy of the
model trained using subset sf, and α and β are the weight
parameters that control the importance of classification
accuracy and feature subset size.

3.4 Model training and testing

The purpose of training the model is to overcome problems

such as overfitting when the model remembers the dataset
Figure 2. The proposed framework pattern. Making a bad choice in splitting the dataset can lead
to unwanted results. Therefore, by separating the training data
The framework consists of four phases: dataset cleaning, from the test data for evaluation, we can test our model with
feature extraction, ML classifiers, and evaluation. data samples that were not previously used. In our research,
The flowchart illustrates the process of building and the data are split into a 70/30 ratio. That is, 70% of the data are
evaluating an ML model on the N-BaIoT dataset. Below is a used to train the model, and the remaining 30% are used to test
step-by-step description of each stage: the model. Three ML classifier models are used: NB, RF, and
Dataset Cleaning (N-BaIoT Dataset): The input is the N- KNN.
BaIoT dataset, and the data is cleaned, where missing or NaN
values are removed. 3.5 Performance metrics
Feature Extraction: The dataset is first cleaned; then, the
features are extracted for further processing. The techniques This will be a necessary step in verifying the learning of our
used are BOA and SMO algorithms. model and determining its performance. The model’s
ML Classifiers: These extracted features will be fed to evaluation would include four different performance metrics:
several ML classifiers. NB, RF, and KNN models shall be accuracy, precision, F1-score, and recall. Performance metrics
implemented. using the formulas below were calculated based on the
Model Evaluation: The models will be evaluated in terms confusion matrix below:
of precision, accuracy, recall, and F1-score.
(𝑇𝑃 + 𝑇𝑁)
𝐴𝑐𝑐𝑢𝑟𝑎𝑐𝑦 = (2)
3.2 Dataset preparation (𝑇𝑃 + 𝐹𝑃 + 𝑇𝑁 + 𝐹𝑁)

N-BaIoT focuses on the network-based detection of IoT where, TP represents the number of true positives, TN is the
botnet attacks. Additionally, it closes the gap with respect to number of true negatives, FP refers to the number of false
publicly available botnet datasets related to IoT environments. positives, and FN refers to the number of false negatives.
Earlier works regarding the detection of IoT botnets or IoT
traffic anomalies relied on emulated or simulated data. In 𝑇𝑃
contrast, this dataset allows empirical evaluations using real 𝑃𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 = (3)
(𝑇𝑃 + 𝐹𝑃)
traffic data captured from nine commercial IoT devices
infected with genuine botnets of two different families in a

409
 𝑇𝑃 The metrics used in assessing the models are accuracy,
𝑅𝑒𝑐𝑎𝑙𝑙 = (4) precision, recall, and F1-score, where the effectiveness of each
(𝑇𝑃 + 𝐹𝑁)
classifier before and after optimization can be estimated.
(𝑃𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 ∗ 𝑅𝑒𝑐𝑎𝑙𝑙) All the performance metrics for NB, RF, and KNN
𝐹1− 𝑆𝑐𝑜𝑟𝑒 = 2 ∗ (5) classifiers improved significantly with various optimization
(𝑃𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 ∗ 𝑅𝑒𝑐𝑎𝑙𝑙)
techniques applied. KNN always has a higher score than other
models, with its non-optimized version scoring very high
4. RESULTS AND DISCUSSION (Accuracy = 0.982, F1-score = 0.969) while reaching
perfection after SMO optimization. The RF classifier
Our research presented an ML-based model to detect improved from the previous non-optimized settings to 0.942
cyberattacks targeting IoT devices and networks. The accuracy, with a respectable F1-score of 0.935. While NB
proposed model is classified and evaluated based on their indicates the poorest initial performance, it also improved with
performance, where all available features are used in this optimization, and SMO models boosted its F1-score from
classification based on the best-featured multiclass 0.789 to 0.880. In all cases, SMO outperforms BOA in terms
classification task where only the most relevant features are of accuracy and F1-score; therefore, SMO can be said to be a
used. Classification analysis is completed by the classifier to better optimization method for these classifiers. Figure 3
discuss the remarkable behavior. Moreover, the proposed presents the confusion matrix for the KNN model.
model identifies the type of attacks by analyzing more than The matrix shows how well the model differentiates
800,000 contact data related to various IoT devices and between benign traffic and various types of botnet attacks,
attacks. such as gafgyt and mirai, where most of the predictions
In Table 3, performance measures obtained from three ML correctly lie along the diagonal, which essentially reflects
classifiers, NB, RF, and KNN, are detailed. These three correct classification. Misclassifications are minimal
algorithms have run their vanilla model and have been according to the sparsity of the off-diagonal elements. As the
optimized by BOA and SMO algorithms for feature selection. confusion matrix from the KNN model indicates, the perfect
accuracy of prediction across all classes is as follows.

Table 3. Performance metrics for the three ML classifiers with SMO

ML Classifiers Feature Selection Models Accuracy Precision Recall F1-Score

Non-Optimized 0.847 0.775 0.833 0.789
NB Classifier BOA Models 0.857 0.797 0.857 0.817
SMO Models 0.897 0.887 0.907 0.880
Non-Optimized 0.871 0.919 0.878 0.841
RF Classifier BOA Models 0.893 0.928 0.893 0.855
SMO Models 0.942 0.932 0.963 0.935
Non-Optimized 0.982 0.979 0.968 0.969
KNN Classifier BOA Models 0.995 0.994 0.987 0.986
SMO Models 1.0 1.0 1.0 1.0

Figure 3. Confusion matrix of the KNN model with SMO

410
 This includes 29,455 observations for benign_traffic, all of Harris Hawks optimization algorithm for neural networks
which are correctly predicted, and 17,127 for gafgyt_combo, (IHHO-NN) has balanced but lower scores [42]. In reference
also fully predicted. There is a correct prediction of 8,741 for [39], XGBoost delivers consistent performance with 99%
gafgyt_junk, 8,543 for gafgyt_scan, 26,936 for gafgyt_tcp, across all metrics, and the IHHO-NN also shows robust
and 31,368 for gafgyt_udp. Among the mirai classes, the results, though slightly lower than the SMO-KNN model [39].
model predicts 17,476 for mirai_ack, 29,094 for mirai_scan, Overall, SMO-KNN stands out as the top-performing model
18,740 for mirai_syn, 47,485 for mirai_udp, and 16,072 for with optimal performance. This means that the algorithm
mirai_udpplain, where every class has its observation increases its accuracy in finding the best features and speeds
correctly classified. up its convergence to the optimal solution [14]. It enhances
The results show that the KNN + SMO classifier excelled SMO to be more robust and reliable, especially when the
in all the metrics, with perfect scores; this could suggest that it complication of optimization settings makes conventional
captured the pattern in the dataset very well. However, this methods inefficient.
could raise eyebrows regarding overfitting. The RF + SMO
classifier is in good standing in performance, where precision Table 4. Performance metrics of various integrated models
and recall are high, showing that the balancing between
identifying positive cases and minimizing false alarms worked Integrated
Accuracy Precision Recall
F1-
well. Whereas the NB + SMO classifier presents a good Model Score
performance, it also somewhat lags behind, with lower NB + SMO 0.897 0.887 0.907 0.880
accuracy and F1-score, which is indicative of fields that may RF + SMO 0.942 0.932 0.963 0.935
harbor improvement as per Table 4 and Figure 4. KNN + SMO 1.0 1.0 1.0 1.0
The performance of different ML models on the N-BaIoT
dataset is presented for the detection of cyberattacks. This
discussion covers critical metrics, including accuracy,
precision, recall, and F1-score, and thus involves insight into
each model's effectiveness. In particular, perfection scores
across all metrics were achieved for the integrated proposed
method in 2024; this, therefore, shows the progress being
made within ML techniques in cybersecurity, as defined in
Table 5.
The proposed integrated SMO-KNN model has perfect
performance, with 100% accuracy, precision, recall, and F1-
score, which indicates faultless classification. Whereas in
comparison, deep neural network-long short-term memory
performs nearly perfectly, though slightly lower in precision
and recall [41]. KNN, RF, and NB have good accuracy but Figure 4. Performance of integrated ML classifier with SMO
perform poorly in terms of precision [41]. The improved model

Table 5. Performance metrics of various ML models on N-BaIoT dataset

Ref. Year Algorithm(s) Accuracy (%) Precision (%) Recall (%) F1-Score (%)
[41] 2019 DNN-LSTM 99.96 99.77 99.66 99.66
[42] 2021 KNN, RF, NB 99.00 86.65 99.00 99.00
[43] 2023 IHHO-NN 98.07 97.04 98.73 97.87
[44] 2023 HMMLB-BND 99.43 99.13 99.12 99.13
[39] 2024 XGBoost 99.00 99.00 99.00 99.00
Proposed Model 2024 Integrated (SMO-KNN) 100 100 100 100

5. CONCLUSION AND FUTURE WORKS ACKNOWLEDGEMENT

In this research, three ML classifiers were implemented to The authors are thankful to the Deanship of Graduate
classify cyber security attacks against IoT devices. The three Studies and Scientific Research at the University of Bisha for
classifier models were successfully integrated with two feature supporting this work through the Fast-Track Research Support
selection algorithms and produced optimal results. The Program.
experiment study has been conducted for KNN, NB, and RF
classifier models on an N-BaIOT dataset. The experimental
results showed that the KNN with SMO feature selection REFERENCES
algorithm performed better than other models with an
accuracy as high as 100%. Additionally, our proposed [1] Chen, K., Zhang, S., Li, Z., Zhang, Y., Deng, Q., Ray, S.,
integrated model is compared with other robust and state-of- Jin, Y. (2018). Internet-of-Things security and
the-art detection schemes. In the future, we can implement the vulnerabilities: Taxonomy, challenges, and practice.
integrated models in different related problems and datasets. Journal of Hardware and Systems Security, 2: 97-110.
https://doi.org/10.1007/s41635-017-0029-7

411
[2] Fatayer, T.S., Azara, M.N. (2019). IoT secure selection and deep learning. In 2021 International
communication using ANN classification algorithms. In Conference on Computer Communication and
2019 International Conference on Promising Electronic Informatics (ICCCI), Coimbatore, India, pp. 1-4.
Technologies (ICPET), Gaza, Palestine, pp. 142-146. https://doi.org/10.1109/ICCCI50826.2021.9402562
https://doi.org/10.1109/ICPET.2019.00033 [15] Shaik, A.L.H.P., Manoharan, M.K., Pani, A.K., Avala,
[3] Sasi, T., Lashkari, A.H., Lu, R., Xiong, P., Iqbal, S. R.R., Chen, C.M. (2022). Gaussian mutation-spider
(2024). A comprehensive survey on IoT attacks: monkey optimization (GM-SMO) model for remote
Taxonomy, detection mechanisms and challenges. sensing scene classification. Remote Sensing, 14(24):
Journal of Information and Intelligence, 2(6): 455-513. 6279. https://doi.org/10.3390/rs14246279
https://doi.org/10.1016/j.jiixd.2023.12.001 [16] Rao, J.M., Narayan, B.H. (2022). Novel coronavirus
[4] Khan, R.U., Kumar, R., Alazab, M., Zhang, X. (2019). A (COVID-19) prediction using deep learning model with
hybrid technique to detect botnets, based on P2P traffic improved meta-heuristic optimization approach. In 2022
similarity. In 2019 Cybersecurity and Cyberforensics 4th International Conference on Smart Systems and
Conference (CCC), Melbourne, VIC, Australia, pp. 136- Inventive Technology (ICSSIT), Tirunelveli, India, pp.
142. https://doi.org/10.1109/CCC.2019.00008 935-943.
[5] Haq, S., Singh, Y. (2018). Botnet detection using https://doi.org/10.1109/ICSSIT53264.2022.9716478
machine learning. In 2018 Fifth International Conference [17] Sweety, K., Nagalakshmi, M. (2023). A robust deep
on Parallel, Distributed and Grid Computing (PDGC), neural network framework for the detection of dementia.
Solan, India, pp. 240-245. In 2023 3rd International Conference on Pervasive
https://doi.org/10.1109/PDGC.2018.8745912 Computing and Social Networking (ICPCSN), Salem,
[6] Joshi, S., Abdelfattah, E. (2020). Efficiency of different India, pp. 686-691.
machine learning algorithms on the multivariate https://doi.org/10.1109/ICPCSN58827.2023.00119
classification of IoT botnet attacks. In 2020 11th IEEE [18] Singh, D., Singla, J., Rahmani, M.K.I., Ahmad, S., et al.
Annual Ubiquitous Computing, Electronics & Mobile (2023). Lumbar spine disease detection: Enhanced CNN
Communication Conference (UEMCON), New York, model with improved classification accuracy. IEEE
NY, USA, pp. 517-521. Access, 11: 141889-141901.
https://doi.org/10.1109/UEMCON51285.2020.9298095 https://doi.org/10.1109/ACCESS.2023.3342064
[7] Arora, S., Singh, S. (2019). Butterfly optimization [19] Rajasekar, M., Arunachalam, P., Priyadharsini, P., Devi,
algorithm: A novel approach for global optimization. N.L., Abbas, H.H., Al-Qaisy, S.A. (2024). An optimized
Soft Computing, 23: 715-734. framework development of ABC algorithm along with
https://doi.org/10.1007/s00500-018-3102-4 SVMP algorithm for lung cancer detection. In 2024 4th
[8] Alweshah, M., Khalaileh, S.A., Gupta, B.B., Almomani, International Conference on Advance Computing and
A., Hammouri, A.I., Al-Betar, M.A. (2022). The Innovative Technologies in Engineering (ICACITE),
monarch butterfly optimization algorithm for solving Greater Noida, India, pp. 184-187.
feature selection problems. Neural Computing and https://doi.org/10.1109/ICACITE60783.2024.10616706
Applications, 34: 11267-11281. [20] Hasan, M., Islam, M.M., Zarif, M.I.I., Hashem, M.M.A.
https://doi.org/10.1007/s00521-020-05210-0 (2019). Attack and anomaly detection in IoT sensors in
[9] Arora, S., Anand, P. (2019). Binary butterfly IoT sites using machine learning approaches. Internet of
optimization approaches for feature selection. Expert Things, 7: 100059.
Systems with Applications, 116: 147-160. https://doi.org/10.1016/j.iot.2019.100059
https://doi.org/10.1016/j.eswa.2018.08.051 [21] Desai, P. (2024). Enhancing cybersecurity through
[10] Bansal, J.C., Sharma, H., Jadon, S.S., Clerc, M. (2014). Bayesian node profiling and attack classification.
Spider monkey optimization algorithm for numerical International Journal of Wireless and Microwave
optimization. Memetic Computing, 6: 31-47. Technologies, 14(1): 43-51.
https://doi.org/10.1007/s12293-013-0128-0 https://doi.org/10.5815/ijwmt.2024.01.04
[11] Sahu, B., Panigrahi, A., Dash, B., Sharma, P.K., Pati, A. [22] Bista, S., Chitrakar, R. (2017). DDoS attack detection
(2023). A hybrid wrapper spider monkey optimization- using heuristics clustering algorithm and Naïve Bayes
simulated annealing model for optimal feature selection. classification. Journal of Information Security, 9(1): 33.
International Journal of Reconfigurable and Embedded https://doi.org/10.4236/jis.2018.91004
Systems, 12(3): 360-375. [23] Firmansyah, R., Utami, E., Pramono, E. (2022).
https://doi.org/10.11591/ijres.v12.i3.pp360-375 Evaluation of naïve bayes, random forest and stochastic
[12] Hodashinsky, I.A., Nemirovich-Danchenko, M.M., gradient boosting algorithm on DDoS attack detection.
Samsonov, S.S. (2019). Feature selection for fuzzy Proceeding International Conference on Information
classifier using the spider monkey algorithm. Бизнес- Science and Technology Innovation, 1(1): 92-97.
Информатика, 13(2): 29-42. https://doi.org/10.35842/icostec.v1i1.16
https://doi.org/10.17323/1998-0663.2019.2.29.42 [24] Sonule, A.R., Kalla, M., Jain, A., Chouhan, D.S. (2021).
[13] Agarwal, R., Shekhawat, N.S., Kumar, S., Nayyar, A., Detection of network attacks using machine learning: A
Qureshi, B. (2021). Improved feature selection method new approach. International Journal for Research in
for the identification of soil images using oscillating Applied Science & Engineering Technology, 9(12):
spider monkey optimization. IEEE Access, 9: 167128- 1881-1890. https://doi.org/10.22214/ijraset.2021.39640
167139. [25] Wu, Y., He, X., Chen, X. (2022). IoT-botnet traffic
https://doi.org/10.1109/ACCESS.2021.3135536 detection based on deep forest. In 2022 IEEE 22nd
[14] Parimala, G., Kayalvizhi, R. (2021). An effective International Conference on Communication
intrusion detection system for securing IoT using feature Technology (ICCT), Nanjing, China, pp. 1388-1393.

412
 https://doi.org/10.1109/ICCT56141.2022.10072774 devices. Scientific Reports, 14(1): 3878.
[26] Pirtama, A., Prasetia, Y., Saputra, R.I., Winanto, E.A. https://doi.org/10.1038/s41598-024-54438-6
(2024). Improvement attack detection on internet of [36] Awan, K.A., Din, I.U., Almogren, A., Kim, B.S.,
thinks using principal component analysis and random Guizani, M. (2024). Enhancing IoT security with trust
forest. Media Journal of General Computer Science, management using ensemble XGBoost and AdaBoost
1(1): 14-19. https://doi.org/10.62205/mjgcs.v1i1.8 Techniques. IEEE Access, 12: 116609-116621.
[27] Chu, T.S., Si, W., Simoff, S., Nguyen, Q.V. (2022). A https://doi.org/10.1109/ACCESS.2024.3413600
machine learning classification model using random [37] Kim, J., Shim, M., Hong, S., Shin, Y., Choi, E. (2020).
forest for detecting DDoS attacks. In 2022 International Intelligent detection of IoT botnets using machine
Symposium on Networks, Computers and learning and deep learning. Applied Sciences, 10(19):
Communications (ISNCC), Shenzhen, China, pp. 1-7. 7009. https://doi.org/10.3390/app10197009
https://doi.org/10.1109/ISNCC55209.2022.9851797 [38] Meidan, Y., Bohadana, M., Mathov, Y., Mirsky, Y.,
[28] Lahasan, B., Samma, H. (2022). Optimized deep Shabtai, A., Breitenbacher, D., Elovici, Y. (2018). N-
autoencoder model for internet of things intruder BaIoT-network-based detection of IoT botnet attacks
detection. IEEE Access, 10: 8434-8448. using deep autoencoders. IEEE Pervasive Computing,
https://doi.org/10.1109/ACCESS.2022.3144208 17(3): 12-22.
[29] Gaur, V., Kumar, R. (2022). ET-RF based model for https://doi.org/10.1109/MPRV.2018.03367731
detection of distributed denial of service attacks. In 2022 [39] Rathod, G., Sabnis, V., Jain, J.K. (2024). Improving IoT
International Conference on Sustainable Computing and Botnet attack detection using machine learning:
Data Communication Systems (ICSCDS), Erode, India, Comparative analysis of feature selection methods and
pp. 1205-1212. classifiers in intrusion detection systems. In 2024 3rd
https://doi.org/10.1109/ICSCDS53736.2022.9760938 International Conference for Innovation in Technology
[30] Negandhi, P., Trivedi, Y., Mangrulkar, R. (2019). (INOCON), Bangalore, India, pp. 1-8.
Intrusion detection system using random forest on the https://doi.org/10.1109/INOCON60754.2024.10511883
NSL-KDD dataset. In Emerging Research in Computing, [40] Seong, T.B., Ponnusamy, V., Jhanjhi, N.Z., Annur, R.,
Information, Communication and Applications: Talib, M.N. (2021). A comparative analysis on
ERCICA 2018, pp. 519-531. traditional wired datasets and the need for wireless
https://doi.org/10.1007/978-981-13-6001-5_43 datasets for IoT wireless intrusion detection. Indonesian
[31] Odim, M.O., Ojo, S.O., Oyenike, B. (2023). Analysis of Journal of Electrical Engineering and Computer Science,
K-Nearest Neighbor for network intrusion detection. 22(2): 1165-1176.
Behaviour, 11(5): 52-58. https://doi.org/10.11591/ijeecs.v22.i2.pp1165-1176
https://doi.org/10.26821/IJSHRE.11.5.2023.110508 [41] Alazzam, H., Alsmady, A., Shorman, A.A. (2019).
[32] Maliha, M. (2021). A supervised learning approach: Supervised detection of IoT botnet attacks. In
Detection of cyber attacks. In 2021 IEEE International Proceedings of the Second International Conference on
Conference on Telecommunications and Photonics Data Science, E-Learning and Information Systems,
(ICTP), Dhaka, Bangladesh, pp. 1-5. Dubai, United Arab Emirates, pp. 1-6.
https://doi.org/10.1109/ICTP53732.2021.9744169 https://doi.org/10.1145/3368691.3368733
[33] Heramil, J.A., Dumbrique, K., Mirarza, M.R., Ejorango, [42] Qureshi, S., He, J., Tunio, S., Zhu, N., et al. (2021). A
L.K., Gardon, R.W., Rabago, L. (2023). Threatlocke: An hybrid DL-based detection mechanism for cyber threats
anomaly based detection model. In 2023 8th in secure networks. IEEE Access, 9: 73938-73947.
International Conference on Information Technology https://doi.org/10.1109/ACCESS.2021.3081069
and Digital Applications (ICITDA), Yogyakarta, [43] Taher, F., Abdel-Salam, M., Elhoseny, M., El-Hasnony,
Indonesia, pp. 1-6. I.M. (2023). Reliable machine learning model for IIoT
https://doi.org/10.1109/ICITDA60835.2023.10426915 botnet detection. IEEE Access, 11: 49319-49336.
[34] Xiao, L., Wan, X., Lu, X., Zhang, Y., Wu, D. (2018). IoT https://doi.org/10.1109/ACCESS.2023.3253432
security techniques based on machine learning: How do [44] Almuqren, L., Alqahtani, H., Aljameel, S.S., Salama,
IoT devices use AI to enhance security? IEEE Signal A.S., Yaseen, I., Alneil, A.A. (2023). Hybrid
Processing Magazine, 35(5): 41-49. metaheuristics with machine learning based botnet
https://doi.org/10.1109/MSP.2018.2825478 detection in cloud assisted internet of things
[35] Wardana, A.A., Kołaczek, G., Warzyński, A., Sukarno, environment. IEEE Access, 11: 115668-115676.
P. (2024). Ensemble averaging deep neural network for https://doi.org/10.1109/ACCESS.2023.3322369
botnet detection in heterogeneous Internet of Things

413