Nandhini et al.

Journal of Cloud Computing (2024) 13:159 Journal of Cloud Computing:

https://doi.org/10.1186/s13677-024-00722-9
Advances, Systems and Applications

RESEARCH Open Access

Cyber attack detection in IOT‑WSN

devices with threat intelligence using hidden
and connected layer based architectures
S. Nandhini1*, A. Rajeswari2 and N. R. Shanker3

Abstract
In this paper, cyber-attacks in IOT-WSN are detected through proposed optimized-Neural Network algorithms such
as (i) Equilibrium Optimizer Neural Network (EO-NN), (ii) Particle Swarm Optimization (PSO-NN), (iii) Single Candidate
Optimizer Neural Network (SCO-NN) and (iv) Single Candidate Optimizer Long Short-Term Memory (SCO-LSTM)
with different connecting, hidden neural network layers and threat intelligence data. The proposed algorithms detect
the attacker node, which frequently changes the behaviour such as attacker node/ normal node. Existing IDS system
detects the attacks in WSN and unable to detect the changing behavior attacker nodes in IOT-WSN. The behaviour
of attacker node changes from normal behaviour to attacker behaviour due to nodes connected to internet continu-
ously. The classification accuracy rates of proposed SCO-LSTM algorithm without and with threat intelligence are
about 99.7% and 99.89%, respectively.
Keywords WSN attack, IOT-WSN attack- false data injection, Brute force, Hybrid brute force, IDS

Introduction IOT-WSN attacks helps in mitigation of attack [6]. The

Internet of Things (IoT) is the interconnection of devices different types of attacks [7] are discussed in this section.
using internet [1]. IoT devices are vulnerable to attacks In Jamming attack, attackers disrupt the communication
such as data theft, phishing, spoofing, and Distributed between nodes through interference signals, blocks the
Denial of Service (DDoS) attacks [2, 3]. Recent cyber- wireless communication, channels and causes denial-of-
attacks are ransomware and breaches, which are very service situation. In Sybil attack, attackers create multiple
frequent in IOT devices. In IoT devices, hackers com- fake sensor nodes to compromise the existing nodes and
promise the infrastructure, disrupts the network and provides false information. In Sinkhole attack, attackers
access the data. The cyberattack in IOT devices [4, 5] compromise a specific node in the WSN and routes the
are Malware, Phishing, SQL Injection Attack, Cross-Site data through the compromised node. The attackers take
Scripting (XSS), Denial-of-Service (DoS), Session Hijack- the control of network traffic, manipulates transmitted
ing, Botnets and Ransomware attack. Awareness about data. In Selective forwarding attack, attackers compro-
mise specific nodes in the WSN, selectively forwards or
drops the packets. The attacker disruptions communi-
*Correspondence: cation or transmits the data to unauthorized destina-
S. Nandhini
[email protected] tions. In Spoofing attack, attackers spoof the identity of
1
Department of Electronics and Communication Engineering, a legitimate sensor node in WSN and gains the unau-
Dhanalakshmi College of Engineering, Tambaram, India thorized access or manipulates the network. In Replay
2
Department of Computer Science and Engineering, Velammal
Engineering College, Chennai, Tamil Nadu, India attack, attackers acquire the packets during exchange of
3
Department of Computer Science and Engineering, Aalim Muhammed packets between the sensor nodes. The Attacker replays
Salegh College of Engineering, Avadi, India these packets, disrupts the network’s normal functioning

© The Author(s) 2024. Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0
International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long
as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if
you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or
parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated
otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not
permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To
view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 2 of 21

In Physical attack, attackers tamper the physical compo- attacker nodes and location change of attacker in nodes
nents of the WSN, such as sensor nodes or communica- within the cluster.
tion infrastructure through injecting the malicious code
in any node. In Energy depletion attack, attackers target Contribution
the limited energy resources of WSNs by draining the
energy of specific nodes which results in network failures 1. To detect and prevent the frequent change of attacker
and disruptions. In Insider attack, authorized / trusted node, which performs the False Data, Brute Force
nodes carry outs the insider attacks. They exploit their and Hybrid Brute Force, tenfold and fivefold layer
privileges and compromises the network security, manip- based neural network algorithm optimized with dif-
ulates the data. In Information disclosure attack, attack- ferent methods are proposed.
ers eavesdrop on wireless communication within the 2. To detect the above attacks, optimized methods such
WSN, extracts sensitive information such as sensor read- as EO-NN, PSO-NN, SCO-LSTM are proposed, and
ings or network configuration details. This led to privacy threat intelligence is applied in the above algorithm
breaches and compromises sensitive data. Nowadays, for detection of attacks.
IOT-WSN nodes are prone to cyber-attack due to inter- 3. To prevent above attacks in TOI-WSN devices the
net connectivity in each node in WSN. following proposed algorithms such as PSO-NNN,
In IoT-WSN system, all nodes directly send the infor- EO-NNN, PSO-WNN, SCO-MNN, SCO-WNN and
mation through internet in WSN. Integration of WSN in hidden layer algorithms are SCO-LSTM-NNN, SCO-
IoT uses cloud services for better monitoring and con- LSTM-MNN, SCO-LSTM-WNN are applied.
trol. IOT-WSN has certain dissimilarities to WSNs, sens- 4. To compare the proposed methods with traditional
ing devices collects the data and pass to the sink node, algorithms and efficiency of the proposed algorithms
whereas in IoT-WSN networks, sensing devices transmits with and without threat intelligence is performed.
the data to server. IoT-WSN are vulnerable to various
attacks such as Malicious Code Attack [8], Exhaustion
attacks, Malware, timing attacks, False Data Injection, Novelty
Sensor Overwhelming and hello flood attack. IoT—WSN
based devices facilitates and supports day-to-day activi- a) Number of Neurons in Neural Network helps to
ties of the people. In this paper, prevention, detection and detect the changing behavior of nodes in IOT-WSN.
mitigation of attacks in IoT-WSN is the topic of interest. b) The frequent behavior changes of any node need
Figure 1 shows IOT-WSN and WSN Architecture. additional method to detect. The additional meth-
ods are the hyperparameter optimization and hidden
neural network layers.
Problem statement c) To detect different attacks based on recent character
In IOT-WSN, cyber-attacks are performed by any node of the attack, threat intelligence data are used.
in the network through the intruder. IDS algorithms of
WSN never suits for IOT – WSN [9]. IOT – WSN cyber Literature survey
– attacks are False data injection, Brute Force, Hybrid Traditional prevents of cybersecurity attacks through
Brute Force, Blackhole, Grayhole, Flooding, Schedul- various methods [13] such as Encryption, which secures
ing and Time Division Multiple Access [10]. Prevention the transmission and storage of data between cloud
and mitigation of attacks requires an efficient detec- devices and in the networks. Authentication and Author-
tion method. However, Traditional methods never apply ization are used for cyber-attack detection and preven-
threat intelligence for cyber-attack detection and pre- tion. This prevents unauthorized access to devices and
vention. The traditional WSN- IDS algorithms detection ensures trusted entities connect with devices. Access
time is high, when IDS algorithm of WSN is applied for Control mechanisms enforces privileges and permis-
IOT-WSN cyber-attack detection. The Prediction accu- sions for cloud devices and users. This ensures author-
racy [11] is less, when attacker changes the node for ized actions, prevents unauthorized activities. The access
cyber-attack. Changing of attacker node in IOT-WSN control drawbacks are overly permissive or strict access
is very frequent due to internet connectivity available in settings, administrative overhead, vulnerability to privi-
each node. The change in attacker node location within lege escalation, insider threats, lack of granularity, man-
the cluster network reduces the prediction accuracy of agement challenges. Secure Bootstrapping establishes a
the traditional algorithm [12]. Moreover, False Data, secure connection for IoT devices in the network. The
Brute Force and Hybrid Brute Force detection in IOT- technique verifies the integrity and authenticity of the
WSN are challenging due to rapid change in behavior of devices during the initial setup process. Over-the-Air
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 3 of 21

Fig. 1 WSN and IOT – WSN Architecture

(OTA) in the cloud devices update firmware and fix the Table 1 shows the traditional attack method and
bugs on time. Updates the devices on regular basis and devices. There are certain drawbacks in Encryption [14]
removes the fix bugs and defense against known assaults. such as performance overhead, key management com-
In Intrusion Detection and Prevention Systems (IDS/IPS) plexity, vulnerability to quantum computing, compat-
monitors the system and device activities for signs of sus- ibility issues, backdoor risks, encrypted data recovery
picious behaviour and known attack patterns. IDS detect challenges, security-usability trade-off, key distribution
and prevent attacks. difficulties, communication overhead, and maintenance.
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 4 of 21

Table 1 List of attacks in various devices

Ref/ Year Problem /Attack Methods Attacks in Devices Limitations

[18] /2023 Distributed denial of service (DDOS) Bi-LSTM, Improved RFE, RNN classi- IoT -Cloud Potential for False Positives, Limited
attacks fier and CMIHBO optimization Visibility
[19] /2022 Cyber-attacks Long short-term memory (LSTM), IoT- Cloud system Training Complexity, High Computa-
deep reinforcement learning (DRL) tional Cost, Inefficiency, Instability
for the classification process
[20] /2022 Network Intrusion Attack Convolutional neural network (CNN) IoT-Cloud Limited Applicability, Complexity,
and multi-layer perception (MLP) Vulnerable to Adversarial Attacks
[21] /2022 Insider Attacks, Denial of Service Chaotic maps-based public key WSN False Alarms, Maintenance Burden
Attacks cryptosystem scheme
[22] /2020 Intrusion detection problem Stacked Generalization Approach Internet of Things (IoT)-Cloud Lack of surge prediction accuracy
(SGA) and big data technology and identifying different kinds of intru-
sions
[23]/2022 Intrusion detection problem Key distribution mechanism WSN False Positives, False Negatives,
and Intrusion detection system Complexity
[24] /2022 DDOS SDN- Hybrid Deep Learning Cyber Threats in Server Complex Implementation, Scalability
Issues
[25] /2020 DoS attacks LEACH- LSTM Server Potential for False Positives/Negatives
[26] /2022 DBN based Attack Convolution neural network (CNN) IOT -Cloud Limited Applicability, Complexity
and deep belief network (DBN), Vulnerable to Adversarial Attacks
seagull adopted elephant herding
optimization (SAEHO)
[27] /2022 False data injection (FDI) attacks SVM-FS Hybrid Cyber-attacks in IOT enabled smart Resource-Intensive, Overfitting Risk,
grids Feature Selection Challenges, Inter-
pretability Issues
[28] /2020 Cyber Security Attacks Network function virtualization IoT SDN Scalability Challenges, Performance
(NFV), software defined network Concerns
(SDN) and enforce IOT honeynet
[29] /2023 Cyber-attacks Adaptive incremental passive- Internet of Things Cloud Slow Convergence, Overfitting, Data
aggressive machine learning Scarcity, Parameter Tuning
(AI-PAML) method-based network
attack detection system (NADS)
[30] /2023 Signature-based NIDS ineffective Vector data description (OI-SVDD) Industrial IoT Devices Sensitive to Noise, Complex Parameter
and adaptive sequential extreme Tuning, Intricate Parameter Adjust-
learning machine (AS-ELM) ment
[31] /2023 Network attack LSA, security protocol for sensor IoT-Cloud Vulnerability to Attacks, Complex
networks (SPINS) with the secure IOT Management Overhead
(SIT) encryption technique
[32] /2023 Cyber attack blockchain technology IoT-Cloud Scalability, Energy Consumption,
Privacy, Interoperability Challenges
[33] /2023 Cyber attack reusable open-source software IoT System Scalability, Energy Consumption
[34] /2023 Fault Data Injection Attacks Time, special, event correlation WSN Interferes with System Reliability,
method Integrity And Performance Signifi-
cantly
[35] /2023 Cloud Security LEACH protocol Internet of Things (IoT)-Cloud Limited Applicability, Increased
Complexity
[36] /2023 Network Threat LEACH, Particle Swarm Optimization Internet of Things-system Limited Applicability, Complexity
(PSO), and River Formation Dynam-
ics (RFD)
[37] /2021 Cyber attack Cyber -threat Intelligence (CTI) IoT-Cloud High Computational Cost, Sensitive
to Hyperparameters
2024 False data injection attack, Brute PSO NN, NNN, MNN, WNN, SCO- IOT-WSN
(Proposed) force attack and Hybrid brute force LSTM, EO-NN
(IOT-WSN attack
own dataset)

The Drawbacks in authentication and authorization The Drawbacks of secure bootstrapping are [16], key
[15] are single Point of Failure, credential Theft, Com- management challenges, compatibility issues, hardware
plexity, False Positives and Negatives, Insider Threats, limitations, delayed deployment, vulnerability to attacks,
Multi-factor Authentication (MFA) Adoption, Creden- lack of industry standards, firmware update complex-
tial Management, Access Control List (ACL) Manage- ity, costs, and usability impact device development. The
ment, Delay in User Onboarding, Privacy Concerns. Drawbacks of OTA are Network vulnerabilities, Update
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 5 of 21

authentication challenges, Bandwidth limitations, Device Fig. 2. Threat intelligence collects recent variants attacks
compatibility issues, Firmware update failures, Security of False data, Brute Force, Hybrid Brute Force and anal-
risks, Version management complexities, Timing and yses attack and enhances the dataset for detection of
scheduling coordination, Power consumption impact attack using proposed system. Event reports, dark web
and Rollback risks. The Drawbacks of IDS [17] are False forums, and open-source intelligence are used for threat
alerts, missed sophisticated attacks, performance over- intelligence. Threat intelligence facilitates proactive inci-
head, signature-based limitations, complexity, data dent response, educates for decision-making, and threat
privacy concerns, evasion techniques, alert overload, lim- identification by providing an awareness of the strategies
ited visibility, and compatibility issues, which arises dur- and methods.
ing detection of False Data, Brute Force and Hybrid Brute Threat intelligence shares the information about the
Force. attacker community, promotes collaboration against
common threats. The threat intelligence enhances the
Inferences situational awareness, strategic planning, and compliance
GPUs and parallel processing methods for password with regulations. Overall, threat intelligence empowers to
cracking in Brute force attacks are examples of tradi- stay ahead of evolving cyber threats, optimizes resource
tional algorithms and methodologies. Passwords with allocation, and builds a resilient defense against poten-
eight characters or more are tough to break using brute tial security breaches. To address this challenge, data
force [38]. In MQTT-IoT networks, fivefold cross vali- from IOT-WSN is collected. The dataset is analyzed for
dation testing produced lower performance than hold- attacks through proposed optimized algorithms such as
out testing [39]. The diagnostic algorithm used in false Equilibrium Optimizer Neural Network (EO-NN), Parti-
data injection attacks [40] need to be expanded and the cle Swarm Optimization Neural Network (PSO-NN) and
IOT network devices [41]. In this paper false data injec- Single Candidate Optimizer Long Short-Term Memory
tion attack, Brute force attack and Hybrid brute force (SCO-LSTM).
attack are detected in nodes of IoT-WSN using proposed In this paper, IOT-WSN Dataset is used for detection of
algorithms such as (i) EO-NN, (ii) PSO-NN and (iii) normal and anomalous behaviors from acquired dataset.
SCO-LSTM. For the proposed study, IOT-WSN Dataset is frequently
In preprocessing steps, missing values are obtained updated using the threat intelligence source-based data
using imputation technique, categorical encoding, feature for detection of attack variant.
selection, and shuffling data to enhance model perfor-
mance and prevent overfitting. Min–Max Normalization
and Z-Score Normalization [42] to rescale the IOT-WSN Cyber attack data collection from test‑bed IOT‑
data. This paper we used Min–Max adjusts values to [0, WSN
1], while Z-Score standardizes using the mean (μ) and In the proposed study, IOT-WSN dataset are called from
standard deviation (σ). each node in IOT-WSN. The Table 2 explains about the
Different types of attack in WSN are (i) Blackhole (ii) IOT-WSN attacks. Figure 3 shows the data collection
Gray hole (iii) flood attack and (iv) Scheduling attack from test-bed in IOT-WSN for detection of cyber-attack.
and detected with proposed algorithms. The various The Table 3 explains about the Benchmark datasets. Due
types of cyberattack in IOT- WSN are (i) False data to demerits mentioned in the table for existing datasets
injection attack (ii) Brute force attack (iii) Hybrid Brute with above optimized techniques and created dataset is
force attack and detected with proposed algorithms. The used.
three attacks such as false data, brute force and hybrid
brute force are detected and prevented in IOT-WSN
using the proposed algorithms a) Equilibrium Optimizer Neural network model used in IOT‑WSN cyber
Neural Network (EO-NN), b) Particle Swarm Optimiza- attack detection
tion Neural Network (PSO-NN) and c) Single Candidate Neural Network Model:
Optimizer Long Short-Term Memory (SCO-LSTM). The The Neural Network Models utilized for IOT-WSN
growth in internet technologies and low power embed- Cyber Attack detection are Narrow Neural Network
ded system, WSN nodes are connected with internet (NNN), Medium Neural Network (MNN) and Wide
and forms IOT-WSN network. To mitigate cyberattacks Neural Network.
in TOI-WSN, proposed algorithms are (1) EO-NN, (2)
PSO-NN and (3) SCO-LSTM with threat intelligence. a) Narrow Neural Network
The above work flow of proposed methods to detect
cyberattacks using threat intelligence and shown in
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 6 of 21

Fig. 2 Workflow of proposed algorithms with threat intelligence implementation using neural network classifier for IOT-WSN attack detection

A narrow neural network typically has fewer neurons c) Wide Neural Network
in each layer, which can be represented mathematically
as follows in Eq. (1) A wide neural network has a larger number of neu-
rons in each layer, which can capture more features as
y = f (W T .x + b) (1) in Eq. (4) and (5)
where f denotes the activation, function applied to intro- Hidden Layer
duce non-linearity, y is the output, W is the weight vec-  
h = f WhT .x + bh (4)
tor, x is the input vector, b is the bias.
Output Layer
b) Medium Neural Network
y = f (WoT .h + bo ) (5)
A medium neural network has a moderate number of
neurons, allowing for more complex representations in In this case, both WhT and WoT  ​have a larger number
Eq. (2) and (3) of columns (neurons), leading to increased capacity for
Hidden Layer feature extraction.

h = f WhT .x + bh (2) Optimization techniques used in IOT‑WSN cyber

attack detection
Output Layer The proposed Optimization Techniques for IOT-WSN
Cyber Attack are: EO-NN, PSO-NN, SCO-LSTM.
y = f (WoT .h + bo ) (3)
(i) EO-NN
Where h denotes the hidden layer output, h and WoT
are the weight matrices for hidden and output layers,bh
and bo are the biases for hidden and output layers.
 Nandhini et al. Journal of Cloud Computing

Table 2 Types of attacks in IOT-WSN

Aspect False Data Injection Hybrid Brute Force Brute Force

Nature of Attack Introduces deceptive or misleading data into a system Combines a brute force approach with other attack Systematically tries all possible combinations of pass-
(2024) 13:159

to manipulate outcomes methods to compromise passwords or credentials words or encryption keys until the correct one is found
Target Typically targets databases, machine learning models, Primarily targets login credentials or encryption keys Targets login credentials, encryption keys, or other
or systems that rely on inaccurate data secrets by systematically trying all possible combina-
tions
Strategy Manipulates data inputs to deceive the system, lead- Combines dictionary attacks, credential stuffing, Exhaustively tries all possible combinations, leaving
ing to incorrect decisions or outputs or other methods with brute force to compromise no stone unturned in finding the correct password
passwords or key
Common Countermeasures Data validation, input sanitization, anomaly detection, Account lockout policies, multi-factor authentication, Account lockout policies, CAPTCHA, rate limiting,
and integrity checks and rate limiting and strong password policies
Detection Challenges May be challenging to detect as it involves subtle Detection may be challenging due to the combina- Detection is often straightforward, especially
manipulation of data to mislead systems tion of multiple attack methods with the implementation of account lockout policies
or monitoring for numerous failed login attempts
Examples Manipulating training data for machine learning mod- Combining a dictionary attack with brute force Trying all possible combinations of alphanumeric char-
els to skew predictions to crack a password acters to guess a password
Page 7 of 21
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 8 of 21

Fig. 3 Cyber attack data collection created (IOT-WSN Dataset) from Test-Bed IOT- WSN

An optimized neural network analyzes attack patterns

Table 3 List of Benchmark datasets from dataset, detects the attacker nodes and deletes the
Benchmark Dataset Demerits node during routing. Equilibrium Optimization (EO) can
be effectively applied to neural networks to enhance their
NSL-KDD - Limited diversity in attack types
- May not reflect current network
training and optimization processes. The algorithm is
conditions inspired by mass balance equations and aims to find opti-
- Outdated compared to modern mal solutions by modeling the dynamic and equilibrium
threats
states of nodes.
UNSW-NB15 - Synthetic data may not accurately
represent real-world scenarios
- Some attack types may be under- a) Initialization:
represented
- Requires careful tuning for effec-
tive use The initial population of nodes is generated within
CICIDS2017 - Complexity in data processing defined boundaries as in Eq. (6)
- May have inconsistencies in traffic
patterns
- Requires substantial computational (0)
xi = xmin + rand(0,1).(xmax − xmin ) (6)
resources for analysis
ToN-IoT - Limited to IoT-specific attacks (0)
Where, xi ​: Initial position of nodes, xmin and xmax ​:
- May not generalize well to other
network environments Boundaries of the search space
- Data may be insufficient for com-
prehensive evaluation
b) Updating Concentration:
Edge-IIoTset - Focused on specific IoT and IIoT
scenarios, limiting broader appli-
cability The position of each nodes is updated based on its
- Potential lack of diverse attack best-known position and the average of the best nodes
scenarios
- May require extensive preprocess-
(equilibrium candidates) based on Eq. (7)
ing (t+1) (t) (t)
IOT-WSN DATASET Advantages xi = xi + r.(Ceq − xi ) (7)
(Created/own dataset) - Potential of diverse attack scenarios (t)
- Data may be well sufficient Where, xi : Position of nodes i at iteration t, r : A ran-
for comprehensive evaluation dom factor influencing exploration, Ceq : The equilibrium
- Synthetic data are accurately repre-
sented in real-world scenarios candidate derived from the best-performing nodes.

c) Equilibrium Pool:
Equilibrium Optimization method utilized in neural
network for tuning the network and detects the attack. The equilibrium pool is defined as in Eq. (8)
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 9 of 21

and manipulation. The 1.st phase concludes after ‘α’ func-

 
Ceq,pool = Ceq(1) , Ceq(2) , Ceq(3) , Ceq(4) , Cavg (8)
tion evaluations, followed by the second phase compris-
Where, Ceq(k): The top four nodes with the highest ing ‘β’ function evaluations (α + β = T). In the initial phase
fitness values, Cavg ​: The average position of these top [20], candidate solutions update position based on Eq.
nodes. (10)
d) Final Output:
   
gbestj + wgbestj ifr1 < 0.5
xj =
gbestj − wgbestj  otherwise (10)
The final output from the neural network can be com-
puted as follows in Eq. (9)
The exact description of the dynamic parameter W(t) is
T
y = f (W .h + b) (9) specified as in Eq. (11),
 b
Where, y : Output of the neural network, f : Activation W(t) = exp
− bt
T (11)
function applied to introduce non-linearity, W : Weight
matrix connecting inputs to hidden layers, h: Output Here, ‘b’ represents a persistent, ‘t’ denotes the present
from the hidden layer, b: Bias term. function estimation or repetition, and T is the extreme
number of function calculations. In the 2nd phase, can-
(ii) PSO-NN
didate solutions adjust their positions based on Eq. (12),
The proposed Particle Swarm Optimization (PSO-   
NN), has three main steps: (1) creating base predic- gbestj + r2w(ubj − lbj) ifr2 < 0.5
xj =
gbestj − r2w(ubj − lbj) otherwise (12)
tion models using neural networks (NNs), (2) optimizes
base model weights through the PSO meta-heuristic
where ‘r2’​is random variable in the array [0, 1], ubj​and
algorithm, and (3) integrates sub-models into a meta/
lbj​are upper and lower bounds, and w balances explora-
learning model. PSO-NN utilizes Particle Swarm
tion and exploitation.
Optimization and optimizes the parameters of Neural
From (11), ‘w’ experiences an exponential decrease
Network, enhances performance and solves complex
with an increasing number of function evaluations. This
problems or tasks. This combination is used in IOT-
dynamic behavior is pivotal, initially high ‘w’ facilitates
WSN attack detection.
effective exploration of the search space, diminishes ‘w’
and enhances exploitation capabilities in the optimiza-
tion process. Meta-heuristic algorithms stucks with local
optima, during phases of search. SCO addresses the
above problem through the candidate solution’s position,
updates in the 2nd phase, if no fitness development hap-
pens in successive function estimations. Tracks the num-
ber of successive function evaluations without achieving
fitness improvement. The binary parameter determines
the updated candidate and attains successful fitness
improvement or experiences failure in fitness develop-
ment. In the ­2nd phase of SCO, Eq. (12) updates the posi-
tion of a potential solution.
The dynamic behavior of ‘w’ involves an exponential
decrease with function evaluations. SCO addresses local
optima challenges by modifying position updates in the
second phase after consecutive function evaluations
without fitness improvement. The candidate solution
updates as in Eq. (13),
Algorithm 1: Pseudocode for PSO –NN   
gbestj + r3w(ubj − lbj) ifr3 < 0.5
(iii) SCO-NN xj =
gbestj − r3w(ubj − lbj) otherwise (13)
Single Candidate Optimizer (SCO) has unique equa-
Where, r2 the value of the random number falls
tions for updating candidate solution positions, rely
between [0, 1]. The candidate solution switch from
solely on current information. The 2-phase approach
exploitation to exploration, location updated in (13),
confirms variety and equilibrium between examination
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 10 of 21

which is useful for escaping the local optimum. If fitness ct = ft .ct−1 + it .Cet (20)
improvement fails in consecutive evaluations, update
follows with a random number in [0, 1]. The algorithm Wf ,Wi,Wc,Wo represents the weight matrices for the for-
limits variables from exceeding boundaries through get gate, input gate, candidate cell state, and output gate.
assigning the global best value, if out of bounds are as in bf ,bi,bc,bo denotes the biases for the forget gate, input
Eq. (14), gate, candidate cell state, and output gate.
 ft,it,ot –– forget, input, and output gates
gbestjifxj > ubj ct –– candidate cell state at time t
xj =
gbestjifxj < lbj (14)
ht−1 –– hidden state at the previous time step
xt –– input data at time t
In (14), if the updated position crosses boundaries, the
σ –– sigmoid activation function and
candidate solution’s updates dimension and assign the
tanh –– hyperbolic tangent activation function.
same value as the global best value. A candidate solu-
LSTM networks possess memory cells and manipulates
tion in SCO is created at random and updated repeatedly,
relevant temporal information, effective for tasks involv-
which starts with a random candidate in the search space
ing sequential data.
as in Eq. (15),
xj = lbj + r4(ubj − lbj) (15) Results and discussion
This paper detects the mitigating attacks, with minimal
where r4 is a random number between 0 and 1, and lbj processing and less energy consumption for four distinct
and ubj represent the lower and upper bounds of the types of Denial of Service (DoS) attacks such as Black-
search space. hole, Grayhole, Flooding, and Scheduling attacks and
(iv) SCO-LSTM cyber-attack such as false injection data attack, brute
force attack and hybrid brute force attack.
Long Short-Term Memory (LSTM) harness the impor- IOT-WSN Dataset is collected Created dataset from
tance of memory in understanding context. LSTM is IOT-WSN Test Bed and has 374,661 entries, encompasses
an extension of Recurrent Neural Network (RNN) [21], a spectrum of attack categories such as Blackhole, Gray
excels in managing time series problems. It stores rele- hole, Flooding, and Scheduling attacks false data injection
vant historical data in memory cells, disregard irrelevant attack, Brute force attack and Hybrid brute force attack.
information, suites for time series applications. Architec- The paper uses performance metrics such as True Posi-
ture comprises of three gates such as input, forget, and tive Rate (TPR), True Negative Rate (TNR), False Positive
output gates. Rate (FPR), False Negative Rate (FNR), Overall Accuracy
The forget gate is the initial gate, decides data to (A), Precision (P), and Root Mean Square Error (RMSE) for
retained or discarded from the memory cell state. The detection of attack in IOT-WSN.
formula is as in Eq. (16) TPR detects attack cases accurately, TNR identifies nor-
mal cases correctly, FPR indicates false alarms, and FNR
ft = σ (Wf .[ht−1 , xt ] + bf ) (16) represents missed attacks. A reflects overall correctness in
The input gate calculates new information to be stored identification. Precision (P) captures accurate positive clas-
and involves two steps. The sigmoid function determines sifications. RMSE gauges output-target differences, lower
the values for updates. Current cell state is as in Eq. (17) values signifying better evaluation.
and (18) Mathematically: The TPR, TNR, FPR, FNR, A, P, F –
Measure [23], ADR [23] & RMSF are represented as in the
it = σ (Wi .[ht−1 , xt ] + bi ) (17) equation below
TP
Cet = tanh(wc .[ht−1 , xt ] + bc ) (18) TPR = (21)
TP + FN
The output gate is the final gate, determines output
information as in Eq. (19) TN
TNR = (22)
FN + TP
ot = σ (Wo .[ht−1 , xt ] + bo ) (19)
The cell state is updated using the outcomes of the FP
forget and input gates, which influences the previous FPR = (23)
TN + FP
cell state ct−1 ​and candidate value Cet ​. The cell state [22]
update is computed using Eq. (20)
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 11 of 21

Fig. 4 Comparison of Proposed PSO-NNN, PSO-MNN, PSO-WNN method with One connecting layers Attack Detection

Fig. 5 Comparison of Proposed PSO-NNN, PSO-MNN, PSO-WNN method with Two connecting layers Attack Detection

Fig. 6 Comparison of Proposed PSO-NNN, PSO-MNN, PSO-WNN method with Three connecting layers Attack Detection
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 12 of 21

Fig. 7 Comparison of Proposed EO-NNN, EO-MNN, EO-WNN method with one, two and three connecting layers Attack Detection

FN The proposed methods consider three core modules for

FNR = (24) detection of false injection attacks such as energy con-
TP + FN
sumption, data sent, and data received. The PSO tunes
TP + TN single-connecting-layer Neural Network parameter such
A= (25) as results in remarkable classification with an accuracy
TP + TN + FP + FN
of 99.3%. This is achieved with 147,684 instances out of
149,865 instances. The Figs. 6, 7, 8, 9, 10 illustrates the
TP Comparison of Proposed methods.
P= (26)
TP + FP In this paper Neural Network classifier-based anal-
ysis of the confusion matrix achieves an accuracy of
99.6%, surpassing both the narrow and medium neu-

 n
 (Oi − Ti )2
RMSE =  (27) ral networks. EO enables effective intrusion detection
n and adaptive security protocols, dynamically adjusts
i=1
hyper parameter and energy efficiently detects cyber
Where TP, TN, FP, FN classifies the attack cases, cor- threat responses. The integration of an Equilibrium
rectly classified normal cases, normal cases misclassi- Optimization Neural Network (EO-NN) in IOT-WSN
fied as attacks, and attack cases misclassified as normal, enhances the security and energy efficiency. Figure 4
respectively.

Fig. 8 Comparison of Proposed SCO-NNN, SCO-MNN, SCO-WNN method with one, two and three connecting layers Attack Detection
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 13 of 21

Table 4 Attributes of the dataset

Attribute Description

Node ID A unique identifier for distinguishing each sensor node during any round and at any stage
Time The current simulation time for the node
RSSI Received Signal Strength Indicator between the node and its Cluster Head (CH) in the current round
Distance to CH The distance from the node to its CH in the current round
Max Distance to CH The maximum distance between the CH and all nodes within the cluster
Average Distance to CH The average distance from nodes in the cluster to their CH
Current Energy The remaining energy of the node in the current round
Energy Consumption The amount of energy consumed by the node in the previous round
ADV CH Send The number of advertisement messages sent by the CH to notify nodes
ADV CH Receives The number of advertisement messages received from CHs by the nodes
Join REQ Send The number of join request messages sent by nodes to the CH
Join REQ Receive The number of join request messages received by the CH from nodes
ADV SCH Send The number of broadcast messages sent to advertise the TDMA schedule to nodes
ADV SCH Receives The number of TDMA schedule messages received from CHs by nodes
Rank The position of this node within the TDMA schedule
Data Sent The total number of data packets transmitted from a sensor to its CH
Data Received The total number of data packets received by the node from its CH
Data Sent to BS The total number of data packets sent from the node to the Base Station (BS)
Distance CH to BS The distance between the CH and the Base Station (BS)
Send Code The code used for cluster communication
Attack Type Identifies if the node is an attacker, including types such as Blackhole, Grayhole, Flooding, Schedul-
ing, Normal, False Data, Brute Force, and Hybrid Brute Force

shows PSO-NNN, PSO-MNN, PSO-WNN perfor- the SCO-NNN, SCO-MNN, SCO-WNN with one, two
mance of Narrow Neural Network (NNN), Medium and three connecting layers for attack detection.
Neural Network (MNN), and Wide Neural Network
(WNN) with single connecting layer for attack detec- Threat intelligence based proposed algorithm
tion. Figure 5 shows the PSO-NNN, PSO-MNN, PSO- (SCO‑LSTM)
WNN plot for two connecting layers. The Fig. 6 shows Among the Proposed methods SCO-NNN Performance
the PSO-NNN, PSO-MNN, PSO-WNN plots for the is better than other algorithms such as EO-NNN, EO-
NNN, MNN, and WNN method in attack detection MNN, EO-WNN, PSO-NNN, PSO-MNN, PSO-WNN,
with three connecting layers. Figure 7 shows EO-Opti- SCO-MNN and SCO-WNN. The SCO-NNN is fur-
mized-NNN, MNN, WNN with one, two and three ther improved through the threat intelligence based
connecting layers for attack detection. Figure 8 shows on dark web and increases the attack detection in IOT-
WSN. SCO allows for a smooth shift from exploration

Table 5 Confusion matrix of SCO-NNN through one connecting layer for Blackhole attack (Ref 6)
BH FL GH NR TDMA FD BF HBF BH FL GH NR TDMA FD BF HBF

BH 8855 0 1187 5 2 0 0 0 BH 10,049 0 0 0 0 0 0 0

FL 0 2738 0 57 0 0 0 72 FL 0 2867 0 0 0 0 0 0
GH 1939 0 12,148 224 5 0 0 0 GH 0 0 14,316 0 0 0 0 0
NR 9 338 276 333,225 30 26 1 13 NR 0 0 0 333,918 0 0 0 0
TDMA 7 0 10 484 6123 2 1 1 TDMA 0 0 0 0 6628 0 0 0
FD 0 21 2 26 7 2210 0 7 FD 0 0 0 0 0 2273 0 0
BF 0 14 4 50 2 0 2550 3 BF 0 0 0 0 0 0 2623 0
HBF 0 265 1 136 3 0 0 2293 HBF 0 0 0 0 0 0 0 2698
Without threat intelligence With threat intelligence
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 14 of 21

Table 6 Confusion matrix of SCO-MNN through two connecting layers for Flooding attack (Ref 6)
BH FL GH NR TDMA FD BF HBF BH FL GH NR TDMA FD BF HBF

BH 8990 0 402 3 2 0 0 0 BH 9397 0 0 0 0 0 0 0

FL 0 2250 1 25 0 3 0 88 FL 0 2367 0 0 0 0 0 0
GH 1392 0 11,780 210 75 2 112 0 GH 0 0 13,571 0 0 0 0 0
NR 9 327 145 323,789 30 126 43 27 NR 0 0 0 324,496 0 0 0 0
TDMA 243 0 9 270 9843 4 0 0 TDMA 0 0 0 0 10,369 0 0 0
FD 0 120 1 124 98 7899 3 10 FD 0 0 0 0 0 8255 0 0
BF 0 114 1 26 2 10 2077 5 BF 0 0 0 0 0 0 2235 0
HBF 0 216 1 290 0 9 0 4166 HBF 0 0 0 0 0 0 0 4682
Without threat intelligence With threat intelligence

Table 7 Confusion matrix of SCO-WNN through three connecting layers for Grayhole attack (Ref 6)
BH FL GH NR TDMA FD BF HBF BH FL GH NR TDMA FD BF HBF

BH 9389 0 92 5 1 0 5 2 BH 9494 0 0 0 0 0 0 0
FL 0 4897 1 101 0 0 1 15 FL 0 5015 0 0 0 0 0 0
GH 202 0 13,256 111 6 0 4 3 GH 0 0 13,582 0 0 0 0 0
NR 5 241 107 329,789 23 4 9 5 NR 0 0 0 330,183 0 0 0 0
TDMA 4 0 7 367 5870 0 46 0 TDMA 0 0 0 0 6294 0 0 0
FD 0 0 0 28 0 4677 3 10 FD 0 0 0 0 0 4718 0 0
BF 0 0 1 74 4 2 3357 5 BF 0 0 0 0 0 0 3443 0
HBF 0 0 1 344 0 9 0 2289 HBF 0 0 0 0 0 0 0 2643
Without threat intelligence With threat intelligence

Table 8 Confusion matrix of SCO-LSTM through one Hidden layer for TDMA attack (Ref 6)
BH FL GH NR TDMA FD BF HBF BH FL GH NR TDMA FD BF HBF

BH 8655 0 1187 5 2 0 0 0 BH 9849 0 0 0 0 0 0 0

FL 0 2456 0 235 0 0 0 987 FL 0 3678 0 0 0 0 0 0
GH 5468 0 11,245 824 5 0 0 0 GH 0 0 17,542 0 0 0 0 0
NR 9 3568 276 316,925 345 26 1 65 NR 0 0 0 321,215 0 0 0 0
TDMA 7 0 10 987 7089 2 1 1 TDMA 0 0 0 0 8097 0 0 0
FD 0 567 2 26 98 3050 0 7 FD 0 0 0 0 0 3750 0 0
BF 0 543 4 50 2 4 3245 3 BF 0 0 0 0 0 0 3851 0
HBF 0 265 1 1187 3 0 0 4134 HBF 0 0 0 0 0 0 0 5590
Without threat intelligence With threat intelligence

to exploitation. Performance is improved through the confusion matrix of SCO-NNN through two connecting
SCO, especially for problems with large number of local layers for Flooding attack. Table 7 represents confusion
optima. matrix of SCO-NNN through three connecting layers for
Table 4 represents Attributes of the dataset. Table 5 Grayhole attack. The table shows Black Hole (BH), Flood-
shows confusion matrix of SCO-NNN through one con- ing (FL), Gray Hole (GH), Normal (NR), TDMA Access
necting layer for Blackhole attack. Table 6 represents
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 15 of 21

Table 9 Confusion matrix of SCO-LSTM through two Hidden layers for FDI attack (Ref 23)
BH FL GH NR TDMA FD BF HBF BH FL GH NR TDMA FD BF HBF

BH 8670 0 402 3 2 0 0 0 BH 9077 0 0 0 0 0 0 0

FL 0 3670 1 25 0 3 0 88 FL 0 3787 0 0 0 0 0 0
GH 1392 0 15,467 210 75 2 112 0 GH 0 0 17,258 0 0 0 0 0
NR 9 327 145 319,799 30 126 43 27 NR 0 0 0 320,506 0 0 0 0
TDMA 243 0 9 270 8970 4 0 0 TDMA 0 0 0 0 9496 0 0 0
FD 0 120 1 124 98 7790 3 32 FD 0 0 0 0 0 8168 0 0
BF 0 114 1 26 2 10 2144 5 BF 0 0 0 0 0 0 2302 0
HBF 0 216 1 290 0 4 0 4267 HBF 0 0 0 0 0 0 0 4778
Without threat intelligence With threat intelligence

Table 10 Confusion matrix of SCO-LSTM through three Hidden layers for Brute Force attack (Ref 21)
BH FL GH NR TDMA FD BF HBF BH FL GH NR TDMA FD BF HBF

BH 9265 0 92 16 1 0 5 2 BH 9381 0 0 0 0 0 0 0
FL 0 4355 1 101 0 0 1 85 FL 0 4543 0 0 0 0 0 0
GH 202 0 12,489 111 6 0 4 3 GH 0 0 12,815 0 0 0 0 0
NR 5 241 107 333,789 9 4 9 5 NR 0 0 0 334,169 0 0 0 0
TDMA 4 0 7 367 2567 0 46 0 TDMA 0 0 0 0 2991 0 0 0
FD 0 0 0 28 0 5077 3 10 FD 0 0 0 0 0 5118 0 0
BF 0 0 1 74 4 2 3459 5 BF 0 0 0 0 0 0 3545 0
HBF 0 0 1 344 0 9 0 2456 HBF 0 0 0 0 0 0 0 2810
Without threat intelligence With threat intelligence

Table 11 Confusion matrix of SCO-LSTM through one Hidden layer for Hybrid Brute Force attack (Ref 20)
BH FL GH NR TDMA FD BF HBF BH FL GH NR TDMA FD BF HBF

BH 9065 0 92 16 1 0 5 2 BH 9181 0 0 0 0 0 0 0
FL 0 4255 1 101 0 0 1 85 FL 0 4443 0 0 0 0 0 0
GH 202 0 12,689 111 6 0 4 3 GH 0 0 13,015 0 0 0 0 0
NR 5 241 107 343,789 9 4 9 5 NR 0 0 0 344,169 0 0 0 0
TDMA 4 0 7 367 2467 0 46 0 TDMA 0 0 0 0 2891 0 0 0
FD 0 0 0 28 0 5277 3 10 FD 0 0 0 0 0 5318 0 0
BF 0 0 1 74 4 2 3059 5 BF 0 0 0 0 0 0 3145 0
HBF 0 0 1 344 0 9 0 2556 HBF 0 0 0 0 0 0 0 2910
Without threat intelligence With threat intelligence

(TDMA), False Data (FD), Brute Force (BF), Hybrid Brute layers for Brute Force attack. Table 11 represents confu-
Force (HBF) attack detection results. sion matrix of SCO-LSTM through one Hidden layer for
Table 8 represents confusion matrix of SCO-LSTM Hybrid Brute Force attack.
through one Hidden layer for TDMA attack. Table 9 Figure 9 shows comparison of SCO-LSTM with one,
represents confusion matrix of SCO-LSTM through two and three Hidden layers for IOT-WSN attack detec-
two Hidden layers for FDI attack. Table 10 represents tion. In Fig. 10 shows True Positive Rate with tenfold and
confusion matrix of SCO-LSTM through three Hidden
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 16 of 21

Fig. 9 Comparison of SCO-LSTM with one, two and three Hidden layers for IOT-WSN attack detection

Fig. 10 Comparison of proposed fold cross validation and traditional methods

Table 12 The accuracy results of attack detection using neural network classifier
WITHOUT THREAT INTELLIGENCE WITH THREAT INTELLIGENCE

CONNECTING LAYERS

1 Connecting Layer 2 Connecting Layer 3 Connecting Layer 1 Connecting Layer 2 Connecting Layer 3 Connecting Layer
Nandhini et al. Journal of Cloud Computing

FDI ATTACK BRUTE FORCE ATTACK HYBRID BRUTE FORCE ATTACK FDI ATTACK BRUTE FORCE ATTACK HYBRID BRUTE FORCE ATTACK

Accuracy Precision Recall Accuracy Precision Recall Accuracy Precision Recall Accuracy Precision Recall Accuracy Precision Recall Accuracy Precision Recall

PSO- 99.1 98.1 98.1 98.9 98.2 98.2 98.7 98.1 98.1 99.2 98.2 98.2 98.4 98.3 98.3 98.9 98.2 98.2
NNN
(2024) 13:159

PSO- 98.8 98.3 98.3 98.8 98.1 98.1 98.8 98.3 98.3 99 98.4 98.4 98.9 98.2 98.2 98.9 98.3 98.3
MNN
PSO- 98.9 98.8 98.8 98.9 98.4 98.4 98.9 98.4 98.4 99.2 98.9 98.9 99 98.7 98.7 99 98.5 98.5
WNN
EO- 99 98.5 98.5 99 98.3 98.3 99 98.5 98.5 99.3 98.7 98.7 99.2 98.4 98.4 99.2 98.6 98.6
NNN
EO- 99.2 98.9 98.9 99.2 98.8 98.8 99.2 98.8 98.8 99.4 99 99 99.4 99 99 99.4 98.8 98.8
MNN
EO- 99.4 99.1 99.1 99.3 99 99 99.4 99.2 99.2 99.5 99.2 99.2 99.5 99.3 99.3 99.6 99.3 99.3
WNN
SCO- 99.3 99.2 99.2 99.3 99.2 99.2 99.3 99.2 99.2 99.4 99.4 99.4 99.6 99.4 99.4 99.5 99.4 99.4
NNN
SCO- 98.9 99 99 98.9 99 99 99.2 99.3 99.3 99 99.2 99.2 99 99.1 99.1 99.6 99.5 99.5
MNN
SCO- 99.5 99.3 99.3 99.5 99.2 99.2 99.5 99.4 99.4 99.6 99.4 99.4 99.7 99.2 99.2 99.7 99.6 99.6
WNN
HIDDEN LAYERS
1 Hidden Layer 2 Hidden Layer 3 Hidden Layer 1 Hidden Layer 2 Hidden Layer 3 Hidden Layer
SCO- 99.7 99.5 99.5 99.7 99.4 99.4 99.6 99.3 99.3 99.89 99.6 99.6 99.8 99.5 99.5 99.8 99.7 99.7
LSTM
Page 17 of 21
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 18 of 21

Table 13 Performance comparison with existing techniques with hybrid brute force attack
Dataset Detection Algorithm Accuracy Precision Recall F1 Score Testing Time 10-Fold 5-Fold

[7] WSN-DS LEACH-LSTM 92.3 93.2 95.6 97.9 120 ms NO YES

[12] DRL-IDS LSTM-CNN, DQNN 98.8 97.84 96.58 98.74 100 ms NO YES
[13] KASH LIBRARY​ NVIDIA GEFORCE GTX 98.7 94.9 94.9 98.2 6.6 s NO YES
[18] MQTT-IDS 2022 MQTT 99.1 98.9 96.8 98.4 240 ms NO YES
[23] CICIDS2017 CU(LSTM-CNN) 98.60 99.37 92.9 99.2 296 ms YES NO
[24] CICDDoS2019 CUDNNLSTM + CUDNNGRU​ 99.14 99.2 99.23 99.44 9.33 ms YES NO
[25] NSL-KDD GRU-LSTM 87.90 83.50 77.90 80.90 - - -
[43] NSL-KDD K-Mean Clustering 99.59 99.4 99.1 98.0 - - -
[44] CICIoV2024 DNN 95.0 74.0 68.0 63.0 - - -
proposed IOT-WSN EO-WNN 99.4 99.1 99.1 99.0 7.01.ms YES YES
PSO-NNN 98.7 98.1 98.1 98.9 7.27 ms YES YES
SCO-WNN 99.5 99.4 99.4 99.3 6.89 ms YES YES
SCO-LSTM 99.89 99.6 99.6 99.5 6.67 ms YES YES

Table 14 Computational efficiency of proposed methods

Optimization Technique Power Consumption (Watts) Energy
Consumption
(wh)

Particle Swarm Optimization (PSO) 0.0281 20.2

Equilibrium Optimizer (EO) 0.0370 15.2
Single Candidate Optimizer Long Short-Term Memory (SCO- LSTM) 0.0185 10.1
Multi-Objective 0.0780 25.6
Genetic Algorithm (MOGA) [45]
Teacher Learning Based Optimization (TLBO) [46] 0.0670 27

fivefold Cross validation through one, two and three con- Existing Techniques with Hybrid Brute Force Attack
necting layers with tenfold and fivefold Cross validation Table 14 provides Computational efficiency of proposed
through one, two, three Hidden layers and compared method. Table 15 shows Performance Comparison of
with traditional algorithms. Table 12 provide a com- Accuracy with Proposed Techniques. Table 16 represents
prehensive summary of the accuracy results of attack Evaluation and effectiveness of the detection models.
detection which is achieved by the Neural network Clas- Table 17 shows the Advantages of Optimizers. Table 18
sifier. Table 13 represents Performance Comparison with shows Comparison of Adversarial attacks against the
neural network models.
Table 15 Performance comparison of accuracy with proposed Robustness metrics are essential for analyzing
techniques state-of-the-art techniques in network robustness.
Key metrics include the Cross Lipschitz Extreme
IDS System FDI Attack Brute Force Hybrid Brute
Attack Force Attack Value for network Robustness (CLEVER) score, loss
sensitivity, and empirical robustness. The CLEVER
EO-WNN (Proposed) 99.3 99 99 score is calculated per sample, and its average and
PSO-NNN (Proposed) 99.5 99.5 99.6 standard deviation are presented in the results.
SCO-WNN (Proposed) 99.6 99.7 99.7 Notably, the CLEVER targeted score improves by
SCO-LSTM (Proposed) 99.89 99.8 99.8 10%, rising from 0.0218 to approximately 0.024. The
HMDR-DLFDIA [47] 97.44 - - loss sensitivity score increases from 5.5390 to 6.8399
RF [48] - 99 98.9 in the SCO-LSTM model. Lastly, empirical robust-
Diagnosis Algorithm [8] 98.15 - - ness shows a slight increase from 0.0616 to 0.0648,
Hashtag [13] - - 98.24 indicating enhanced resilience against adversarial
MQTT [18] - 99 - attacks.
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 19 of 21

Table 16 Evaluation and effectiveness of the detection models

Algorithm Attacks Statistical Parameters Remarks

SCO-LSTM Brute force Accuracy The Single Candidate Optimizer (SCO) accelerates training and improves recall rates, enhanc-
ing LSTM networks ability to detect cyber threats [49] while managing long-term dependen-
cies and class imbalances for better accuracy and performance [50]. However, it shows lower
precision and recall for brute force attacks [51], leading to a reduced F1 score
SCO-WNN FDI attack F1 Score SCO optimizes wide neural networks (WNN) for detecting FDI attacks [52], achieving higher
accuracy and balancing precision [53] and recall to improve the F1 score while reducing
false positives
PSO, EO Hybrid brute force Precision, Recall (PSO) and Equilibrium Optimizer (EO) face challenges such as slow convergence, local
optima trapping [54], and high parameter dependency, which diminish their reliability.
Although EO provides a more structured approach to balancing exploration and exploita-
tion [55], it struggles with high-dimensional optimization problems. As a result, this leads
to significantly lower recall and precision, yielding a much lower F1 score for hybrid brute
force attacks compared to SCO-LSTM

Table 17 Advantages and limitations of optimizers

Optimizer Brute Force Attack FDI Attack Hybrid Brute Force
Detection Detection Attack Detection

EO Advantages Advantages Limitations

• Improves convergence speed Bal- • Optimizes neural network parameters • Struggles with high-dimensional optimization
ances exploration and exploitation to enhance detection accuracy problems
• Handles high-dimensional optimi- • Mitigates risk of local optima trapping
zation problems effectively
PSO Advantages Advantages Limitations
• Improves convergence speed • Effectively handles high-dimensional data • Not optimal, several attacks not detected
• Optimizes initial parameters • Results in robust attack detection performance optimally
• Increases classification accuracy
• Reduces overfitting
SCO Advantages Advantages Advantages
• Improves training efficiency • Enhances accuracy for FDI attack detection • Accelerates training
• Increases accuracy • Effectively manages complex multi-stage cyber • Improves recall rates
• Balances precision and recall threats • Manages long-term dependencies and class
• Reduces false positives imbalances
• Results in superior accuracy and performance
compared to PSO and EO

Table 18 Comparison of Adversarial attacks against the neural network models

WITHOUT ADVERSARIAL ATTACK

METRIC SCO-LSTM SCO-WNN PSO-NNN
CLEVER UNTARGETED, RADIUS = 8, NORM = 2 Avg.:0.0058 Dev.:0.0050 Avg.:0.0059 Dev.:0.0058 Avg.:0.0047 Dev.:0.0031
CLEVER TARGETED, RADIUS = 8, NORM = 2 Avg.:0.0218 Dev.:0.0363 Avg.:0.0239 Dev.:0.0305 Avg.:0.0210 Dev.:0.0243
LOSS SENSITIVITY 5.5390 4.7920 6.8399
EMPIRICAL ROBUSTNESS, FGSM Ε = 0.05 0.0616 0.0613 0.0648
WITH ADVERSARIAL ATTACK
METRIC SCO-LSTM SCO-WNN PSO-NNN
CLEVER UNTARGETED, RADIUS = 8, NORM = 2 Avg.:0.0068 Dev.:0.0060 Avg.:0.0062 Dev.:0.0059 Avg.:0.0057 Dev.:0.0041
CLEVER TARGETED, RADIUS = 8, NORM = 2 Avg.:0.0298 Dev.:0.0383 Avg.:0.0249 Dev.:0.0335 Avg.:0.0290 Dev.:0.0263
LOSS SENSITIVITY 5.5990 4.9020 6.9399
EMPIRICAL ROBUSTNESS, FGSM Ε = 0.05 0.0686 0.0693 0.0708
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 20 of 21

Conclusions Funding
This research received no external funding.
This paper addresses the detection of frequent behaviour
change attacker nodes in IOT-WSN. The frequent behav- Data availability
iour changing attacker nodes with different character No datasets were generated or analysed during the current study.
needs novel approach. The novel approach is the (i) Opti-
mized hyperparameter (ii) Hidden layer (iii) Connecting Declarations
layers (iv) Threat intelligence. Based on the combination Competing interests
of novel approach, the different algorithms such as PSO- The authors declare no competing interests.
NNN, EO-NNN, PSO-WNN, SCO-MNN, SCO-WNN
and hidden layer algorithms are SC0-LSTM-NNN, SCO- Received: 8 July 2024 Accepted: 4 December 2024
LSTM-MNN, SCO-LSTM-WNN are proposed.
The proposed intelligent system detects and prevents
false data injection, Brute force and Hybrid Brute Force
attack. This paper focus on neural network-based classi- References
fication of attack detection using 5-Fold Cross Validation, 1. Brindha Devi V, Ranjan NM & Sharma H (2022) IoT Attack Detection and
Mitigation with Optimized Deep Learning Techniques. Cybernet Syst
with one, two, and three connecting layers. From results,
https://​doi.​org/​10.​1080/​01969​722.​2022.​21456​60
5-Fold Cross Validation with connecting layer has high 2. Wentao Liu, Mohammad Hossein Khosravi (2023) Intrusion detection for
percentages of classification accuracies as 99.3%, 99.5%, maritime transportation systems with batch federated aggregation. IEEE
transactions on intelligent transportation systems
99.6% and 99.89% in EO-WNN, PSO-NNN, SCO-WNN
3. Alzaqebah A, Aljarah I, Al-Kadi O, Damaševiˇcius R (2022) A Modified
and SCO-LSTM respectively. Grey Wolf Optimization Algorithm for an Intrusion Detection System.
The Internet of Things (IoT) and Wireless Sen- Mathematics 10:999. https://​doi.​org/​10.​3390/​math1​00609​99
4. Kumar D, Chand S, Kumar B (2020) Cryptanalysis and improvement of a
sor Networks (WSN) are vital for different applica-
user authentication scheme for wireless sensor networks using chaotic
tions. They enable real-time data collection, enhances maps. IET Network
efficiency and decision-making. However, WSNs are 5. Ghazi MR, Raghava NS (2023) A Scalable and Stacked Ensemble
Approach to Improve Intrusion Detection in Clouds. Inf Technol Control
prone to vulnerabilities. Despite these challenges, IoT-
52(4):898–914. https://​doi.​org/​10.​5755/​j01.​itc.​52.4.​32042
WSN integration with Hidden layer, connecting layer 6. Djallel Eddine Boubiche (2020) Samir Athmani, Sabrina Boubiche,
and threat intelligence have advantages such as cost- Homero Toral Cruz2,"Cybersecurity Issues in Wireless Sensor Networks:
Current Challenges and Solutions”. Wireless Pers Commun. https://​doi.​
effectiveness, scalability, and robust automation across
org/​10.​1007/​s11277-​020-​07213-5
diverse applications. In the future, attacks in data link 7. Almomani I, Al-Kasasbeh B, Al-Akhras M (2016) WSN-DS: A Dataset
layer in IOT-WSN need to be addressed. for Intrusion Detection Systems in Wireless Sensor Networks. J Sensor
https://​doi.​org/​10.​1155/​2016/​47319​53
Abbreviations 8. Hu J, Yang X, Yang L (2023) A Novel Diagnosis Scheme against Collusive
IOT Internet of Things False Data Injection Attack. Sensors. 23(13):5943
WSN Wireless Sensor Network 9. Alnajim AM, Habib S, Islam M, Thwin SM, Alotaibi F (2023) A comprehen-
IDS Intrusion Detection System sive survey of cybersecurity threats, attacks, and effective countermeas-
FDIA False Data Injection Attack ures in industrial internet of things. Technologies 161 https://​doi.​org/​10.​
LSTM Long Short-Term Memory 3390/​techn​ologi​es110​60161
PSO-NNN Particle Swarm Optimization Narrow Neural Network 10. Alshambri H, AlZain MA, Soh B, Masud M, Al-Amri J (2022) Cybersecurity
PSO-MNN Particle Swarm Optimization Medium Neural Network attacks on wireless sensor networks in smart cities: an exposition. Com-
PSO-WNN Particle Swarm Optimization Wide Neural Network puters 113:102540.
EO-NNN Equilibrium Optimizer Narrow Neural Network 11. Rani D, Gill NS, Gulia P (2023) Classification of security issues and cyber
EO-MNN Equilibrium Optimizer Medium Neural Network attacks in layered internet of things
EO-WNN Equilibrium Optimizer Wide Neural Network 12. Tharewal S, Shabaz M (2022) Intrusion detection system for industrial
SCO-NNN Single Candidate Optimizer Narrow Neural Network internet of things based on deep reinforcement learning. Wireless Com-
SCO-MNN Single Candidate Optimizer Medium Neural Network mun Mobile Comput 2022(1):9023719
SCO-WNN Single Candidate Optimizer Wide Neural Network 13. Alkhwaja I, Albugami M, Alkhwaja A, Alghamdi M, Abahussain H, Alfawaz
FD False Data F, Almurayh A, Min-Allah N (2023) Password Cracking with Brute Force
BF Brute Force Algorithm and Dictionary Attack Using Parallel Programming. Appl Sci
HBF Hybrid Brute Force 13(10):5979. https://​doi.​org/​10.​3390/​app13​105979
14. Sufi F (2023) Novel application of open-source cyber intelligence. Elec-
Acknowledgements tronics 12:3610. https://​doi.​org/​10.​3390/​elect​ronic​s1217​3610
The authors wish to acknowledge the anonymous reviewers for providing 15. Dey SK, Rahman MM (2020) Effects of machine learning approach in
valuable feedback on the initial versions of the manuscript. flow-based anomaly detection on software-defined networking. Sym-
metry 7 https://​doi.​org/​10.​3390/​sym12​010007.
Authors’ contributions 16. Savanović N, Toskovic A, Petrovic A, Zivkovic M, Damaševičius R,
Writing—original draft, S.N. (Nandhini S), A.R. (A Rajeswari), N.R.S. (N.R.Shanker); Jovanovic L, Bacanin N, Nikolic B (2023) Intrusion Detection in Healthcare
writing— review and editing, S.N.(Nandhini S),A.R. (A Rajeswari), N.R.S. 4.0 Internet of Things Systems via Metaheuristics Optimized Machine
(N.R.Shanker). All authors have read and agreed to the published version of Learning. Sustainability 15:12563. https://​doi.​org/​10.​3390/​su151​612563
the manuscript. 17. Abbas Yazdinejad, Ali Dehghantanha, Hadis Karimipour and Gautam
Srivastava (2024) A Robust Privacy-Preserving Federated Learning Model
Nandhini et al. Journal of Cloud Computing (2024) 13:159 Page 21 of 21

Against Model Poisoning Attacks. IEEE Transactions on Information Foren- 39. Namakshenas D, Yazdinejad A, Dehghantanha A, Srivastava G (2024)
sics and Security https://​doi.​org/​10.​1109/​TIFS.​2024.​34201​26 Federated quantum-based privacy-preserving threat detection model for
18. Otoom AF, Wafa’ Eleisah, Abdallah EE (2023) Deep Learning for Accurate consumer internet of things. IEEE Transactions on Consumer Electronics
Detection of Brute Force attacks on IoT Network. The 14th International 40. Yazdinejad A, Dehghantanha A, Srivastava G (2024) Hybrid privacy
Conference on Ambient Systems, Networks and Technologies (ANT), preserving federated learning against irregular users in next-generation
Leuven, Belgium Internet of Things. J Syst. 148:103088
19. Rekha H, Siddappa M (2022) Hybrid deep learning model for attack 41. Yazdinejad A, Zolfaghari B, Dehghantanha A, Karimipour H, Srivastava G,
detection in internet of things. Serv Oriented Comput Appl 16:293–312 Parizi RM (2023) Accurate threat hunting in industrial internet of things
20. Shami TM, Grace D, Burr A, Mitchell PD (2022) Single candidate optimizer: edge devices. Digit Commun Netwk. 9:1123–30
a novel optimization algorithm. Evol Intell https://​doi.​org/​10.​1007/​ 42. Henderi H, Wahyuningsih T, Rahwanto E (2021) Comparison of Min-Max
s12065-​022-​00762-7 normalization and Z-Score Normalization in the K-nearest neighbor (kNN)
21. Ali MH, Jaber MM, Abd SK, Rehman A, Awan MJ, Damaševičius R, Bahaj Algorithm to Test the Accuracy of Types of Breast Cancer. Int J Inf Inform
SA (2022) Threat Analysis and Distributed Denial of Service (DDoS) Attack Syst 4(1):13–20
Recognition in the Internet of Things (IoT). Electronics 11:494. https://​doi.​ 43. Mohammed Mynuddin, Sultan Uddin Khan, Zayed Uddin Chowdhury,et.
org/​10.​3390/​elect​ronic​s1103​0494 al. (2024) Automatic Network Intrusion Detection System Using Machine
22. Zhang Z, Gan Lv Z, C, Zhu Q, (2020) Human action recognition using learning and Deep learning https://​doi.​org/​10.​36227/​techr​xiv.​17079​2293.​
convolutional LSTM and fully-connected LSTM with different attentions. 35058​961/​v1.
Neurocomputing 410:304–316 44. Carlos Pinto Neto E, Taslimasa H, Dadkhah S, Iqbal S, Xiong P, Rahman
23. Padmashree A, Krishnamoorthi M (2022) Decision tree with pearson T, Ghorbani A (2024) CICIoV2024: Advancing realistic IDS approaches
correlation-based recursive feature elimination model for attack detec- against DoS and spoofing attack in IoV CAN bus. Intern Things. 26:101209
tion in IoT environment. Inf Technol Control 51(4):771–785. https://​doi.​ 45. Shah AS, Nasir H, Fayaz M, Lajis A, Shah A (2019) A Review on Energy
org/​10.​5755/​j01.​itc.​51.4.​31818 Consumption Optimization Techniques in IoT Based Smart Building
24. Javeed D, Gao T, Khan MT (2021) SDN-Enabled Hybrid DL-Driven Frame- Environments. Information 10:108. https://​doi.​org/​10.​3390/​info1​00301​08
work for the Detection of Emerging Cyber Threats in IoT. Electronics 46. Javaid N, Ahmed A, Iqbal S, Ashraf M (2018) Day ahead real time pricing
10(8):918. https://​doi.​org/​10.​3390/​elect​ronic​s1008​0918 and critical peak pricing based power scheduling for smart homes with
25. Malik J, Akhunzada A, Bibi I, Imran M, Musaddiq A, Kim SW (2020) Hybrid different duty cycles. Energies 11:1464. https://​doi.​org/​10.​3390/​en110​
deep learning: an efficient reconnaissance and surveillance detection 61464
mechanism in SDN. IEEE Access 8:134695–134706 47. ThavavelVaiyapuri, HudaAldosari, GhadaAlharbi, Yassine Bouteraa,
26. Sagu A, Gill NS, Gulia P (2022) Hybrid deep neural network model for Gyanendra Prasad Joshi and Woong Cho (2024) Metaheuristics based
detection of security attacks in IoT enabled environment. Int J Adv Com- dimensionality reduction with deep learning driven false data injection
put Sci Appl 13(1):120–127 attack detection for enhanced network security https://​doi.​org/​10.​1038/​
27. Alwageed HS (2022) Detection of cyber-attacks in smart grids using s41598-​024-​69806-5https://​www.​nature.​com/​scien​tific​repor​ts
SVM-boosted machine learning models. Serv Oriented Comput Appl 48. Amer Ali Hamza and Rana Jumma surayh Al-Janabi (2024) Detecting
16:313–26 Brute Force Attacks Using Machine Learning. BIO Web of Conferences 97
28. Zarca AM, Bernabe JB, Skarmeta A, Calero JM (2020) Virtual IoT HoneyNets https://​doi.​org/​10.​1051/​bioco​nf/​20249​700045.
to mitigate cyberattacks in SDN/NFV-enabled IoT networks. IEEE Journal 49. Sánchez PM, Celdrán AH, Bovet G, Pérez GM (2023) Adversarial attacks
on Selected Areas in Communications, pp- 1262 – 1277, https://​doi.​org/​ and defenses on ML- and hardware-based IoT device fingerprinting and
10.​1109/​JSAC.​2020.​29866​21 identification. Future Gene Comput Syst https://​doi.​org/​10.​1016/j.​future.​
29. Gyamfi E, Jurcut A (2023) An Adaptive Network Security System for 2023.​10.​011.
IoT-Enabled Maritime Transportation. IEEE transactions on intelligent 50. https://​search.​world​cat.​org/
transportation systems 51. Karthic S and Manoj Kumar S (2024) Hybrid Optimized Deep Neural
30. Gyamfi E, Jurcut A (2023) Novel Online Network Intrusion Detection Network with Enhanced Conditional Random Field Based Intrusion
System for Industrial IoT Based on OI-SVDD and AS-ELM. IEEE Internet of Detection on Wireless Sensor Network. Neural Process Lett https://​doi.​
Things Journal org/​10.​1007/​s11063-​022-​10892-9.
31. Mahlake N, Muchenje T (2023) A Lightweight Encryption Algorithm to 52. Karthic S, Manoj Kumar S and Senthil Prakash PN (2022) Grey wolf based
Enhance Wireless Sensor Network Security on the Internet of Things. J feature reduction for intrusion detection in WSN using LSTM. Int J Inf
Commun Technol https://​doi.​org/​10.​1007/​s41870-​022-​01015-7.
32. Singh R, Kukreja D (2023) Sharma DK,"Blockchain-enabled access control 53. Karthic Sundaram, Yuvaraj Natarajan, Anitha Perumalsamy and Ahmed
to prevent cyber-attacks in IoT: Systematic literature review". Front Big Abdi Yusuf Ali (2024) A Novel Hybrid Feature Selection with Cascaded
Data 5:1081770 LSTM: Enhancing Security in IoT Networks. Wireless Communications and
33. Siwakoti YR, Bhurtel M, Rawat DB, Oest A, Johnson RC (2023) Advances Mobile Computing https://​doi.​org/​10.​1155/​2024/​55224​31.
in IoT Security: Vulnerabilities, Enabled Criminal Services, Attacks, and 54. Karthic Sundaram, Suhana Subramanian, Yuvaraj Natarajan and Sumathi
Counter measures. IEEE Internet Things J 10(13):11224–39 Thirumalaisamy (2023) Improving Performance of Intrusion Detection
34. YingxuLai, Liyao Tong a, Jing Liu a, Yipeng Wang a, Tong Tang a, Zijian Using ALO Selected Features and GRU Network. SN Computer Science
Zhao a, Hua Qin a (2023) Identifying malicious nodes in wireless sensor https://​doi.​org/​10.​1007/​s42979-​023-​02311-0.
networks based on correlation detection 55. Suhana S, Karthic S and Yuvaraj N (2023) Ensemble based Dimensional-
35. AvinashBhagat, Manmohan Sharma, Ajay Shriram Kushwaha, Shilpa ity Reduction for Intrusion Detection using Random Forest in Wireless
Sharma and HussienSobahi Mohammed (2023) Nonlinear Energy Opti- Networks. 2023 5th International Conference on Smart Systems and
mization in the Wireless Sensor Network through NN-LEACH. Math Prob Inventive Technology (ICSSIT) https://​doi.​org/​10.​1109/​ICSSI​T55814.​2023.​
Eng 2023 https://​doi.​org/​10.​1155/​2023/​51436​20 10060​929
36. Rella Usha Rani, P. Sankara Rao, KothapalliLavanaya, Nimmala Satyanaray-
ana, SudulaLallitha, Phani Prasad J (2023) Optimization of Energy-Efficient
Cluster Head Selection Algorithm for Internet of Things in Wireless Sensor Publisher’s Note
Networks. Int J Recent Innov Trends Comput Commun ISSN: 2321–8169 Springer Nature remains neutral with regard to jurisdictional claims in pub-
11(4) https://​doi.​org/​10.​17762/​ijrit​cc.​v11i4.​6445 lished maps and institutional affiliations.
37. Randa Basheer and BasselAlkhatib (2021) Threats from the Dark: A Review
over Dark Web Investigation Research for Cyber Threat Intelligence. J
Comput Netwk Commun 2021 https://​doi.​org/​10.​1155/​2021/​13029​99,20
38. Yazdinejad A, Parizi RM, Dehghantanha A, Zhang Q, Choo KK (2020)
An Energy-efficient SDN Controller Architecture for IoT Networks with
Blockchain-based Security. IEEE Transact Serv Comput 13:625–38