s44147 025 00635 7

Chen et al. propose a novel lightweight deep learning framework utilizing an enhanced pelican optimization algorithm (EPOA) for effective cyberattack detection in Internet of Things (IoT) environments. The model combines a convolutional neural network (CNN) with EPOA, achieving high accuracy rates of 98.1% on Bot-IoT, 97.4% on NSL-KDD, and 97.9% on CICIDS2018, outperforming traditional methods. This approach addresses challenges in accuracy, efficiency, and adaptability, making it suitable for real-time IoT security applications.

Chen et al. Journal of Engineering and Applied Science (2025) 72:69
https://doi.org/10.1186/s44147-025-00635-7

RESEARCH Open Access

A novel lightweight deep learning framework using enhanced pelican optimization for efficient cyberattack detection in the Internet of Things environments

Yaozhi Chen1*, Yan Guo1, Yun Gao1 and Baozhong Liu1

*Correspondence: [email protected]
1 Sichuan Vocational and Technical College, Suining 629000, China

Abstract
The extensive use of Internet of Things (IoT) technology produces unprecedented connectivity and cyberattack exposure. Recent attack detection tools have poor accuracy, efficiency, and adaptability in the case of IoT systems with scarce resources. To counter these challenges, the current study proposes a hybrid model incorporating an efficient convolutional neural network (CNN) and an enhanced pelican optimization algorithm (EPOA) to detect IoT network attacks. Inspired by how pelicans hunt, EPOA optimizes the CNN’s hyperparameters and feature selection for higher accuracy and efficiency in computation. Experimentation with the Bot-IoT, CICIDS2018, and NSL-KDD datasets validates the performance of the proposed EPOA-based deep learning method for cyberattack detection. The model achieves 98.1% accuracy on Bot-IoT, 97.4% on NSL-KDD, and 97.9% on CICIDS2018, outperforming conventional approaches like long short-term memory (LSTM), gated recurrent unit (GRU), support vector machine (SVM), logistic regression (LR), artificial neural network (ANN), and recurrent neural network (RNN). The model also produces a minimum loss value of 0.17, outperforming other approaches with the shortest execution duration. With its efficient design and high detection performance, the proposed approach is highly suitable for continuous IoT cyberattack detection in practical deployment scenarios.

Keywords: Internet of Things, Cyberattack, Deep learning, Pelican algorithm, Optimization

© The Author(s) 2025. Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated in a credit line to the data.

Introduction
Background and motivation
The Internet of Things (IoT) is transforming countless industries through the pervasive interconnectivity of devices and sensors over the Internet [1]. This technology facilitates various applications, such as smart cities, healthcare delivery, agricultural applications, process automation in industries, and smart homes, and injects convenience and efficiency into operations [2]. With billions of IoT devices being deployed and used, information generated through them is growing exponentially, attesting to its role in modern infrastructure on a large scale [3]. However, such widespread connectivity is accompanied by a high level of security vulnerability, making IoT networks attractive targets for malicious actors and cybercriminals [4]. Similar to how advanced constitutive models improve the accuracy of geomechanically simulated results by accounting for complex nonlinear behaviors [5], robust intrusion detection frameworks are essential for capturing the intricate attack patterns and evolving cybersecurity threats in IoT environments [6]. Owing to their high distribution, apart from heterogeneous software and hardware settings, IoT networks have become vulnerable to various types of attacks, including infections with malware, DoS attacks, and unauthorized access [7, 8].
Anomalies in IoT networks must be detected in a manner that enables the timely determination of system failure and malicious activity in an attempt to secure networks [9]. However, traditional anomaly detection approaches, such as statistics and rules, struggle with high-dimensional, real-time IoT networks and dynamically changing and emerging attack types in IoT networks. Existing approaches lack adaptability, cannot handle high-dimensional real-time data, and do not support large-scale IoT deployments. Machine learning (ML) and deep learning (DL) techniques provide powerful alternatives that detect intricate attack patterns using extensive training data [10, 11]. Equipped to detect minute deviations in device usage patterns and network traffic, they have emerged as powerful tools for countering IoT-based security threats [12].

Related work
Ge et al. [13] proposed a DL-driven intrusion detection system for IoT environments. An in-built tiered feed-forward neural network (FNN) deals with high-dimensional categorical feature spaces. Embedded IoT data involving a range of vulnerabilities, including denial of service (DoS), information harvesting, and information stealing, was utilized to train the system. In addition, transfer learning for feature encoding refinement and high-accuracy binary and multi-class classifiers were used.
Saheed et al. [14] presented an ML-based IDS for secure IoT applications. They focused on supervised ML algorithms and performed feature scaling through the min–max normalization procedure to prevent information leaks in the UNSW-NB15 dataset. Furthermore, they applied feature extraction using principal component analysis (PCA) and compared six ML classifiers regarding various performance factors. The experiments indicated that the proposed scheme was effective, as evidenced by the competitive accuracy (99.9%) and the high Matthews correlation coefficient (99.97%) value that their proposed scheme achieved.
Dey et al. [15] presented a metaheuristic-inspired IDS model integrating feature selection and classification techniques through an ensemble mechanism. Binary grey wolf optimizer (BGWO) and binary gravitational search algorithm (BGSA) enhanced feature selection, dimensionality, and learning efficiency. Decision trees (DTs), AdaBoost, and random forest (RF) were adopted for feature selection. RF offers a 99.4% accuracy in detection and a 0.03% false-positive rate, making it one of the most dependable IoT threat detection methodologies.
Sagu et al. [16] designed two new metaheuristic search algorithms for DL-based IDS optimization. These algorithms were optimized for deep learners: CNN + deep belief network (DBN) and Bi-LSTM + gated recurrent unit (GRU), with model weight fine-tuning in their proposed model. The two proposed approaches outperformed standard approaches on two datasets, performing well in various evaluation factors, including accuracy, F-measure, and Matthews correlation coefficient (MCC).
Alrayes et al. [17] developed a distributed cyberattack detection system, DMCD-GJODL, using a Golden Jackal Optimization (GJO) algorithm and DL to strengthen IoT security. Feature selection and hyperparameter tuning included feature selection through min–max feature scaling, bidirectional gated recurrent units (BiGRU), and chaotic crow-search optimization algorithm (CSSOA). Testing with BoT-IoT confirmed its performance with 98.7% accuracy and an F1-score of 98.2%, and its efficiency in real IoT security scenarios was confirmed.
Alserhani [18] proposed a DL and cryptographic hybrid scheme to secure IoT networks against routing attacks. RSA encryption, key generation using Self-Adaptive Tasmanian Devil Optimization (SA_TDO), and SHA3-512 hashing were used in their scheme for added security. In addition, an optimized deep neural network (DNN) with convolutional spiking neural networks (CSNNs) and an Archimedes optimization algorithm (AOA) for intrusion detection have been proposed. Python simulations with high efficiency were attained, resulting in a precision of 98.8%, an accuracy of 98.8%, and an F1-score of 98.9%, confirming its efficiency in providing rapid, secure, and effective cyber-attack detection.
Antonijevic et al. [19] developed a two-step model with CatBoost, LightGBM, and metaheuristic optimizers in a hybrid model of ML and CNN for IoT attack detection in a metaverse environment. In experiments with real IoT datasets, a 99.8% multi-class classification accuracy was achieved, and the explanatory capabilities of AI in providing information regarding model decision processes have been proven.
Elsedimy and AboHashish [20] intelligently designed an intrusion detection mechanism for smart city IoTs. In their model, the sperm whale algorithm (SWA) and fuzzy C-means (FCM) clustering were merged for smart city infrastructure cyberattack detection and optimality. An optimization mechanism was incorporated into their model to keep it from becoming trapped in local optima, and its global search capability was increased. The accuracy, detection, and precision performance were high in experiments with datasets NSL-KDD, AWID, and BoT-IoT.
Despite significant advances in intrusion detection for IoT networks, several significant challenges remain, as listed in Table 1. Most current techniques suffer from limited scalability, adaptability, and computational efficiency and are impractical to apply in real-time IoT environments. Feature selection and hyperparameter tuning are critical, with poor configuration resulting in increased false-positive values and compromised detection accuracy. Although metaheuristic search has proven effective in feature selection and model hyperparameter tuning, most studies have not effectively balanced exploration and exploitation and have, therefore, converged prematurely.
In addition, DL approaches, even with high accuracy, have high computational complexity and cannot function with IoT devices with poor computational capacities. This study attempts to fill these gaps through a proposed hybrid DL model with EPOA integration. In our work, EPOA is utilized for hyperparameter and feature selection in an optimized manner, improving the accuracy, efficiency, and scalability in IoT environment cyberattack detection. In contrast to conventional approaches, our model is designed for lightweight deployment with high detection performance; therefore, it is particularly suitable for real-time IoT security applications.

Table 1 Recent intrusion detection approaches for IoT networks

| Reference | Methodology | Optimization approach | Classifier used | Dataset | Key achievements | Limitations |
|---|---|---|---|---|---|---|
| [13] | Deep learning-based intrusion detection using feed-forward neural networks with embedding layers | Transfer learning for feature encoding | Feed-forward neural networks | IoT attack dataset | Achieved superior classification accuracy for multi-class and binary attack detection | High computational cost, lacks adaptability to unknown attack patterns |
| [14] | ML-based intrusion detection with feature scaling and PCA | PCA for dimensionality reduction | 6 ML models | UNSW-NB15 | Competitive performance with 99.9% accuracy and 99.97% MCC | Limited scalability, struggles with high-dimensional data, and potential overfitting |
| [15] | Metaheuristic ensemble-based feature selection using BGSA and BGWO | BGSA and BGWO for feature selection | Decision tree, AdaBoost, RF | UNSW-NB15 | Optimized feature selection (4 features from 42), 99.41% accuracy, and low FPR (0.03%) | Limited feature interpretability, lacks real-time adaptability |
| [16] | Metaheuristic-optimized deep learning classifiers | Novel optimization algorithms | CNN + DBN, BiLSTM + GRU | Two datasets | Outperformed conventional and cutting-edge methods on multiple performance metrics (accuracy, F-measure, MCC) | High computational complexity, prone to convergence issues |
| [17] | DMCD-GJODL with GJO and BiGRU | GJO for hyperparameter optimization | Bi-GRU | BoT-IoT | Enhanced classification with 98.70% accuracy, 98.92% precision, and 98.25% F1-score | Requires large-scale data for generalization, lacks lightweight deployment feasibility |
| [18] | Cryptographic and deep learning hybrid method | SA_TDO and AOA | CSNN + DNN | IoT routing dataset | Improved security through RSA encryption, optimized deep learning detection, and high classification precision | High computational overhead due to encryption, unsuitable for low-power IoT devices |
| [19] | Hybrid CNN + ML framework for metaverse security | Metaheuristics for optimization | CNN, CatBoost, LightGBM | Real-world IoT dataset | Achieved 99.8% accuracy for multi-class classification and explainable AI insights for attack identification | Lacks adaptability to dynamic threat evolution, high training cost |
| [20] | Smart city cyberattack detection using FCM-SWA | SWA for clustering optimization | FCM | NSL-KDD, AWID, BoT-IoT | Improved clustering performance, adaptive threshold strategy for global search, and effective cyberattack mitigation | Susceptible to local optima, requires further validation on real-time IoT networks |

Research problem and challenges


While ML-based anomalous behavior detection models show great promise, they face many challenges in IoT scenarios. Traditional signature-driven intrusion detection systems (IDSs) do not generalize across the heterogeneous software and hardware environments of IoT networks and cannot function effectively under these conditions [21]. In addition, dynamically changing cybersecurity threats introduce a long interval between attack discovery and model update. Hence, specific techniques lose their effectiveness in countering 0-day attacks [22]. Another challenge arises from IoT device restrictions regarding resources, which make computationally intensive cloud- and edge-based ML architectures infeasible, considering factors such as network latency, bandwidth consumption, and information secrecy. Existing ML models, in most scenarios, face difficulty choosing proper features, leading to inaccurate classifications and even misclassification [23].
Current DL breakthroughs enable increasingly efficient and practical frameworks for anomaly detection through architectures that extract complex relationships from IoT-created datasets. Meanwhile, federated learning serves as a security-preserving mechanism for allowing IoT devices to collaboratively build and update shared models without requiring them to expose raw information, thus strengthening security with localized capabilities for training and updating shared models in a decentralized manner [24]. Nevertheless, despite such advances, the high demand for efficient, scalable, and adaptable approaches for balancing detection accuracy, computational requirements, and real-time adaptability in securing IoT networks from emerging cyber threats continues to prevail [25].
Optimization-inspired approaches are essential to deep model refinement for IoT cybersecurity to enhance detection accuracy and efficiency. Traditional deep architectures suffer from hyperparameter selection, feature extraction, and computational efficiency, demonstrating poor performance and high processing loads. Metaheuristic search algorithms, such as evolutionary algorithms and swarm intelligence, facilitate model parameter refinement, feature selection, and accuracy improvement with less computational complexity. With an additional intelligence mechanism, cyberattack detection models can accelerate convergence, generalizability to a broader range of threats, and real-time adaptability. Thus, employing optimization-inspired deep frameworks is necessary to develop efficient, scalable, and reliable intrusion detection in IoT environments.

Contribution
This study applies an enhanced pelican optimization algorithm (EPOA) for efficient and dependable cyberattack detection in an IoT system. EPOA extends the pelican optimization algorithm (POA), a newly presented probabilistic, nature-based metaheuristic optimization algorithm. POA has robust exploration and exploitation capacity to search for global optimum values [26]. With swarm-based optimization algorithms becoming increasingly popular, POA replicates pelicans’ hunting mechanism. In their natural hunting approach, pelicans flock to a target together to spot prey, dive into the water, and open their wings to enclose fish close to the surface to facilitate an efficient and collaborative attack.
EPOA extends POA by incorporating adaptive parameter settings, dynamic diversification strategies, and enhanced convergence techniques to overcome the major weaknesses of classical POA. These extensions provide a better balance between exploration and exploitation by minimizing the risk of premature convergence and enhancing the algorithmic ability to escape local optima. Therefore, EPOA has better optimization efficiency and provides excellent hyperparameter tuning and feature selection in DL-based IoT cyberattack detection. This paper makes the following contributions:

• EPOA is combined with a light convolutional neural network (CNN) for hyperparameter search and feature selection refinement to enhance detection accuracy and computational efficiency.
• The proposed model can be extended to multiple IoT environments and is adaptable to handling ever-evolving cybersecurity threats, overcoming traditional rule-based and static ML model vulnerabilities.
• This model was designed to be effective on IoT devices with limited capabilities. It has a low computational expense and high detection performance.
• The scheme’s effectiveness is assured through benchmarking IoT security datasets with comparative performance with cutting-edge DL and metaheuristic optimizations.

Methods
This section discusses the methodology for cyberattack detection in IoT environments
using RF and EPOA. The methodology consists of three primary stages: data preprocessing,
feature selection, and ranking.

Dataset preprocessing
The first phase involves data collection and preprocessing, ensuring the dataset is optimized for feature extraction and classification. The NSL-KDD dataset is the primary dataset used to train and test the model. The dataset is structured as a matrix D, where each row corresponds to an instance and each column represents a feature, as defined by the following:

$$D = \begin{bmatrix} d'_{11} & d'_{12} & \cdots & d'_{1n} \\ d'_{21} & d'_{22} & \cdots & d'_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ d'_{N1} & d'_{N2} & \cdots & d'_{Nn} \end{bmatrix} \tag{1}$$

where $d'_{ij}$ denotes the jth feature of the ith row, N is the total number of instances, and n is the number of features. These values satisfy the following constraints:

$$\begin{aligned} N, n &\in \mathbb{N}^{+} \\ N, n &\ge 0 \\ \operatorname{rank}(D) &= \min(N, n) \end{aligned} \tag{2}$$

Since the dataset includes both features and labels, it is further decomposed into separate feature and label matrices:

$$D' = \begin{bmatrix} f_{11} & f_{12} & \cdots & f_{1n} \\ f_{21} & f_{22} & \cdots & f_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ f_{N1} & f_{N2} & \cdots & f_{Nn} \end{bmatrix} \begin{bmatrix} l_{11} \\ l_{21} \\ \vdots \\ l_{N1} \end{bmatrix} \tag{3}$$

where D′ represents the dataset without labels, F is the feature matrix, and L represents the label set. To ensure uniform feature distribution, min–max normalization is applied, defined as follows:

$$f'_{ij} = \frac{f_{ij} - \min(F)}{\max(F) - \min(F)} \tag{4}$$

This normalization ensures that all feature values are scaled between 0 and 1, improving the training stability of the model. The preprocessed dataset, $D_{reduced}$, is then generated by concatenating the normalized feature set and labels:

$$D_{reduced} = \begin{bmatrix} f'_{11} & f'_{12} & \cdots & f'_{1n} \\ f'_{21} & f'_{22} & \cdots & f'_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ f'_{N1} & f'_{N2} & \cdots & f'_{Nn} \end{bmatrix} + \begin{bmatrix} l_{11} \\ l_{21} \\ \vdots \\ l_{N1} \end{bmatrix} \tag{5}$$

The entire data preprocessing workflow is illustrated in Fig. 1.

Feature selection
Feature selection reduces dimensionality and improves model efficiency [27]. The RF algorithm extracts valuable features from the dataset. RF operates as an ensemble of T decision trees, each trained separately, and a majority vote determines classification.

$$\hat{y} = \text{majority\_vote}\left(h_1(x), h_2(x), \ldots, h_T(x)\right) \tag{6}$$

where x represents an instance from $D_{reduced}$.

Fig. 1 Data preprocessing workflow

At the training phase, decision trees $h_t$ are trained using bootstrap samples (X, y). Randomly selected features are used for splitting at each node, reducing variance and enhancing generalization. The importance of a feature j is determined based on the average decrease in impurity across all trees:

$$I_j = \frac{1}{T} \sum_{t=1}^{T} \sum_{n \in \text{nodes}(h_t)} \Delta\text{Impurity}(n, j) \tag{7}$$

where $\Delta\text{Impurity}(n, j)$ represents the reduction in impurity at node n when feature j is used for splitting.
The feature selection process is illustrated in Fig. 2. Once feature importance scores are computed, they are ranked in descending order as follows:

$$\text{Rank}(I) = \text{argsort}(I)[::-1] \tag{8}$$

where the most significant features appear first. k features are then chosen based on their ranked importance:

$$\text{Top\_features} = \{j_1, j_2, \ldots, j_k\} = \text{Rank}(I)[:k] \tag{9}$$

This step preserves key characteristics for the final classification, enhancing model efficiency while reducing computational complexity.
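
The preprocessing and ranking steps of Eqs. 4 and 7 to 9 can be traced end to end in the following added example, which is not the authors' code. It assumes binary labels, Gini impurity, per-feature min–max ranges learned from the training split only, and node decreases weighted by the share of rows reaching the node; the flow data and all function names are constructed for illustration.

```python
import random

def fit_min_max(train_rows):
    """Learn per-feature (min, max) from the training rows only (Eq. 4)."""
    return [(min(col), max(col)) for col in zip(*train_rows)]

def apply_min_max(rows, ranges):
    """Scale into [0, 1]; constant columns map to 0, unseen extremes are clipped."""
    scaled = []
    for row in rows:
        out = []
        for v, (lo, hi) in zip(row, ranges):
            z = 0.0 if hi == lo else (v - lo) / (hi - lo)
            out.append(min(1.0, max(0.0, z)))
        scaled.append(out)
    return scaled

def gini(pos, n):
    """Gini impurity of a binary node holding `pos` attack rows out of `n`."""
    p = pos / n
    return 2.0 * p * (1.0 - p)

def best_split(X, y, feats):
    """Return (gain, feature, threshold) with the largest impurity decrease."""
    n, pos = len(y), sum(y)
    parent, best = gini(pos, n), (0.0, None, None)
    for j in feats:
        pairs = sorted((row[j], lab) for row, lab in zip(X, y))
        left_pos = 0
        for k in range(1, n):
            left_pos += pairs[k - 1][1]
            if pairs[k][0] == pairs[k - 1][0]:
                continue  # no threshold fits between equal values
            gain = (parent - (k / n) * gini(left_pos, k)
                    - ((n - k) / n) * gini(pos - left_pos, n - k))
            if gain > best[0]:
                best = (gain, j, (pairs[k][0] + pairs[k - 1][0]) / 2.0)
    return best

def grow(X, y, depth, n_root, imp, rng, m_try, max_depth):
    """Grow one tree recursively, adding each node's impurity decrease to imp[j]."""
    if depth >= max_depth or len(set(y)) < 2:
        return
    gain, j, thr = best_split(X, y, rng.sample(range(len(X[0])), m_try))
    if j is None:
        return
    imp[j] += (len(y) / n_root) * gain  # assumption: weight by share of rows at the node
    for keep_left in (True, False):
        idx = [i for i, row in enumerate(X) if (row[j] <= thr) == keep_left]
        grow([X[i] for i in idx], [y[i] for i in idx],
             depth + 1, n_root, imp, rng, m_try, max_depth)

def forest_importance(X, y, n_trees=25, m_try=3, max_depth=3, seed=7):
    """Eq. 7: average the per-tree impurity decrease of every feature."""
    rng = random.Random(seed)
    n, n_feat = len(X), len(X[0])
    total = [0.0] * n_feat
    for _ in range(n_trees):
        idx = [rng.randrange(n) for _ in range(n)]  # bootstrap sample
        imp = [0.0] * n_feat
        grow([X[i] for i in idx], [y[i] for i in idx], 0, n, imp, rng, m_try, max_depth)
        total = [a + b for a, b in zip(total, imp)]
    return [v / n_trees for v in total]

def top_features(importance, k):
    """Eqs. 8-9: argsort in descending order, then keep the first k indices."""
    order = sorted(range(len(importance)), key=lambda j: importance[j], reverse=True)
    return order[:k]

def make_constructed_flows(n=200, seed=1):
    """Constructed sample: column 2 (packet rate) sets the label, column 4 tracks it noisily."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        rate = rng.uniform(0, 5000)
        X.append([rng.uniform(0, 1500), rng.uniform(0, 65535), rate,
                  rng.uniform(0, 64), 0.8 * rate + rng.uniform(-1000, 1000),
                  rng.uniform(0, 1)])
        y.append(1 if rate > 3000 else 0)
    return X, y

def run_pipeline(k=3):
    """Normalize, rank features on the training split, and return the top k."""
    X, y = make_constructed_flows()
    ranges = fit_min_max(X[:150])            # fit on the training split only
    X_scaled = apply_min_max(X, ranges)      # held-out rows reuse the same ranges
    importance = forest_importance(X_scaled[:150], y[:150])
    return X_scaled, importance, top_features(importance, k)

if __name__ == "__main__":
    _, importance, top = run_pipeline()
    print("importance:", [round(v, 3) for v in importance])
    print("top features:", top)
```

Learning the ranges from the training rows and clipping held-out values keeps test-set statistics out of the model, which matters when the reported accuracy is meant to reflect unseen traffic.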

Enhanced pelican optimization algorithm


POA is a new swarm-based metaheuristic approach replicating pelicans’ hunting process. It captures pelicans’ natural foraging and cooperative hunting mechanisms when foraging for food, especially with group-based foraging, exploration, and exploitation techniques [28]. Although POA has quick convergence and efficiency, it also suffers from premature convergence and poor diversity, resulting in suboptimal solutions [29]. To overcome these limitations, the EPOA can incorporate enhanced movement and dynamic mutation strategies to improve search diversity and avoid stagnation. The hunting strategies and movement mechanisms are depicted in Fig. 3. POA replicates pelicans’ hunting process, which involves two fundamental strategies: approaching prey and soaring over water.

Fig. 2 Feature selection process

Moving toward prey (exploration phase)


At this stage, pelicans locate prey (representing the optimal solution to an optimization problem) and move toward it. The movement strategy depends on the fitness value of a randomly selected pelican in the population. If the chosen pelican has a better fitness score, the current pelican moves toward it; otherwise, it moves away, enhancing exploration. This movement is expressed as follows:

$$X_{i,d}^{t+1} = \begin{cases} X_{i,d}^{t} + rand \cdot \left(X_{r,d}^{t} - I \cdot X_{i,d}^{t}\right), & \text{if } F\left(X_{r}^{t}\right) < F\left(X_{i}^{t}\right) \\ X_{i,d}^{t} + rand \cdot \left(X_{i,d}^{t} - I \cdot X_{r,d}^{t}\right), & \text{otherwise} \end{cases} \tag{10}$$

where $X_{i,d}^{t}$ is the position of the ith pelican at iteration t, $X_{r,d}^{t}$ is a randomly selected pelican’s position, I is a random integer (1 or 2), and F(X) represents the fitness function, evaluating the quality of a solution.

Winging on the water (exploitation phase)


After moving toward the prey, pelicans spread their wings and disturb the water surface, forcing the prey to move upward. This phase corresponds to the exploitation process in the optimization framework, refining solutions by adjusting their positions within a localized neighborhood. The mathematical model for this phase is expressed as follows:

$$X_{i,d}^{t+1} = X_{i,d}^{t} + R \cdot \left(1 - \frac{t}{T_{max}}\right) \cdot (2 \cdot rand - 1) \cdot X_{i,d}^{t} \tag{11}$$

where R stands for the neighborhood radius, $T_{max}$ denotes the maximum number of iterations, and rand is a random number between 0 and 1. R decreases linearly over time, ensuring that the search process transitions from global to local exploration, refining the solution set.

Fig. 3 Illustration of pelican-inspired exploration and exploitation phases

Greedy selection mechanism


Each candidate solution generated in the exploration and exploitation phases is evaluated, and only the best solutions are retained using a greedy selection mechanism as follows:

$$X_{i}^{t+1} = \begin{cases} X_{i}^{t+1}, & \text{if } F\left(X_{i}^{t+1}\right) < F\left(X_{i}^{t}\right) \\ X_{i,d}^{t}, & \text{otherwise} \end{cases} \tag{12}$$

This ensures that each iteration maintains an improving or at least stable set of solutions.

Enhanced movement strategies


Although POA is efficient and straightforward, it has limitations regarding limited awareness of optimal solutions, and a shrinking neighborhood radius reduces diversity. The movement is randomly guided by another pelican’s fitness value rather than a strategic selection of an optimal leader. This reduces convergence speed and increases the risk of premature convergence when the chosen leader is suboptimal. While decreasing R improves local search, it also reduces diversity, making the algorithm more susceptible to local optima. To overcome these issues, EPOA enhances the original POA with adaptive movement and mutation strategies.
If a pelican has sufficient personal knowledge, it relies on its previous best experiences instead of a randomly selected neighbor. The movement is calculated using Eq. 13.

$$X_{i,d}^{t+1} = X_{i,d}^{t} + \vec{r}_3 \cdot \left(X_{best}^{t} - I \cdot X_{i,d}^{t}\right) \tag{13}$$

If a pelican lacks self-knowledge, it follows a random member of the flock for guidance using Eq. 14.

$$X_{i,d}^{t+1} = X_{i,d}^{t} + \vec{r}_4 \cdot \left(X_{j}^{t} - I \cdot X_{i,d}^{t}\right) \tag{14}$$

where $X_{j}^{t}$ is a randomly selected pelican’s position.

When self-knowledge and member-based knowledge are insufficient, the pelican follows the best leader and a random member. The mathematical formulation is as follows:

$$X_{i,d}^{t+1} = X_{i,d}^{t} + \vec{r}_5 \cdot \left(X_{j}^{t} - I \cdot X_{i}^{t}\right) + \vec{r}_6 \cdot \left(2 \cdot \vec{r}_7 \cdot X_{best}^{t} - I \cdot X_{i}^{t}\right) \tag{15}$$

This strategy ensures adaptive movement in a dynamically evolving search space. Since movement strategies might lead to out-of-bound solutions, EPOA applies constraint handling:

$$X_{i,d}^{t} = \begin{cases} \max\left(X_{i,d}^{t}, LB_{i}^{t}\right) \\ \min\left(X_{i,d}^{t}, UB_{i}^{t}\right) \end{cases} \tag{16}$$

where $LB_{i}^{t}$ and $UB_{i}^{t}$ are the lower and upper bounds.
Additionally, dynamic hunting learning (DHL) mutation enhances diversity as follows:

• Computing adaptive search neighborhood

$$D_{max}^{t} = \left|X_{best}^{t} - X_{i}^{t}\right| \tag{17}$$

• Selecting neighboring solutions

$$NS_{i}^{t} = \left\{ X_{N}^{t} \;\middle|\; \left|X_{i}^{t} - X_{N}^{t}\right| \le D_{max}^{t},\; N = 1, \ldots, N_{pop} \right\} \tag{18}$$

• Applying adaptive mutation

$$X_{i,d}^{t+1} = X_{i,d}^{t} + R \cdot \left(1 - \frac{t}{T_{max}}\right) \cdot (2 \cdot rand - 1) \cdot \left(X_{i,d}^{t} - X_{r,N,d}^{t}\right) \tag{19}$$

In contrast to conventional POA, which depends mainly on direct positional updates based on the optimum solution, EPOA incorporates a variety of advanced strategies to enhance exploration and convergence stability. Some of the significant enhancements include the application of a chaotic logistic map during population initialization. In contrast to the uniform random initialization in POA, the method enhances population diversity to increase the algorithm’s global search ability and decrease the tendency toward early convergence to local minima. Another addition to EPOA is the Gaussian mutation approach, which focuses on the elite solution to fine-tune its location locally. This controlled perturbation allows the search to balance exploration and exploitation in its search for the optimum.
EPOA also includes a mechanism for elite preservation, which embodies and refines the best-found solution for each generation to avoid discarding high-potential winners due to chance. In addition, a fitness-based dynamic selection mechanism skews the mutation process toward top performers to speed up convergence without sacrificing solution quality. These enhancements provide stronger and more precise performance in complex optimization problems than the standard POA. A detailed side-by-side comparison of these algorithmic features is presented in Table 2, highlighting the distinguishing characteristics and operational advantages of EPOA.
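
The following added example, which is not the authors' implementation, combines the POA update rules of Eqs. 10 to 12 and the bound handling of Eq. 16 with three of the enhancements described above: logistic-map initialization, Gaussian mutation of the elite, and elite preservation. The two-dimensional search space, the surrogate loss, the per-dimension use of rand, the mutation scale and the choice to overwrite the worst pelican with the elite are all assumptions made for illustration.

```python
import random

# Assumed search space: log10(learning rate) and dropout rate (illustrative only).
BOUNDS = [(-5.0, -1.0), (0.0, 0.7)]

def surrogate_loss(x):
    """Constructed stand-in for a validation loss; its minimum 0 lies at (-3.0, 0.3)."""
    return (x[0] + 3.0) ** 2 + 4.0 * (x[1] - 0.3) ** 2

def clamp(x, bounds):
    """Constraint handling in the spirit of Eq. 16: keep every coordinate in [LB, UB]."""
    return [min(max(v, lo), hi) for v, (lo, hi) in zip(x, bounds)]

def logistic_map_population(n_pop, bounds, rng, mu=4.0):
    """Chaotic initialization: iterate c <- mu*c*(1-c) and scale c into each bound."""
    c, pop = rng.uniform(0.05, 0.95), []
    for _ in range(n_pop):
        ind = []
        for lo, hi in bounds:
            c = mu * c * (1.0 - c)
            if not 0.0 < c < 1.0:  # orbit collapsed to a fixed point; restart it
                c = rng.uniform(0.05, 0.95)
            ind.append(lo + c * (hi - lo))
        pop.append(ind)
    return pop

def epoa_minimize(fitness, bounds, n_pop=20, t_max=60, radius=0.2, sigma=0.05, seed=0):
    """Return (best position, best fitness, best-fitness history per iteration)."""
    rng = random.Random(seed)
    pop = logistic_map_population(n_pop, bounds, rng)
    fit = [fitness(x) for x in pop]
    b = min(range(n_pop), key=fit.__getitem__)
    best, best_fit = pop[b][:], fit[b]
    history = [best_fit]
    for t in range(1, t_max + 1):
        for i in range(n_pop):
            # Exploration (Eq. 10): move toward a better random pelican, else away.
            r, big_i = rng.randrange(n_pop), rng.choice((1, 2))
            if fit[r] < fit[i]:
                cand = [xi + rng.random() * (xr - big_i * xi)
                        for xi, xr in zip(pop[i], pop[r])]
            else:
                cand = [xi + rng.random() * (xi - big_i * xr)
                        for xi, xr in zip(pop[i], pop[r])]
            cand = clamp(cand, bounds)
            f = fitness(cand)
            if f < fit[i]:  # greedy selection (Eq. 12)
                pop[i], fit[i] = cand, f
            # Exploitation (Eq. 11): local move whose radius shrinks with t.
            step = radius * (1.0 - t / t_max)
            cand = clamp([xi + step * (2.0 * rng.random() - 1.0) * xi
                          for xi in pop[i]], bounds)
            f = fitness(cand)
            if f < fit[i]:
                pop[i], fit[i] = cand, f
        # Elite handling: track the best pelican and refine it by Gaussian mutation.
        cur = min(range(n_pop), key=fit.__getitem__)
        if fit[cur] < best_fit:
            best, best_fit = pop[cur][:], fit[cur]
        mutant = clamp([v + rng.gauss(0.0, sigma * (hi - lo))
                        for v, (lo, hi) in zip(best, bounds)], bounds)
        f = fitness(mutant)
        if f < best_fit:
            best, best_fit = mutant, f
        # Elite preservation (assumption): the elite overwrites the worst pelican.
        worst = max(range(n_pop), key=fit.__getitem__)
        pop[worst], fit[worst] = best[:], best_fit
        history.append(best_fit)
    return best, best_fit, history

if __name__ == "__main__":
    best, best_fit, history = epoa_minimize(surrogate_loss, BOUNDS)
    print("best position:", [round(v, 3) for v in best])
    print("best fitness:", round(best_fit, 6), "after", len(history) - 1, "iterations")
```

In a real tuning run the surrogate would be replaced by a function that trains the CNN with the candidate hyperparameters and returns its validation loss, so each fitness call is the dominant cost and the population size and iteration budget set the total number of training runs.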

Convolutional neural network model


The optimized CNN scheme classifies IoT data flows by leveraging extracted features
and fine-tuning hyperparameters using the EPOA. As illustrated in Fig. 4, the CNN
model is composed of an input layer x ∈ R10×L, where L represents the input sequence
length. The architecture features two convolutional layers containing ReLU activation
and max pooling for feature extraction. The first convolutional layer applies a 1D convo-
lution operation using Eq. 20.

z1 = Conv1d(x; W1 , b1 ) (20)

Followed by activation:
Chen et al. Journal of Engineering and Applied Science (2025) 72:69 Page 12 of 26

Table 2 Key algorithmic differences between POA and EPOA


Mechanism Standard POA EPOA

Initialization Random uniform Chaotic logistic map for diverse population


Mutation Not present Gaussian mutation applied to the elite individual
Elite strategy Best solution guides update The best solution is preserved and refined through
mutation
Selection strategy Random or fixed Fitness-based dynamic selection for improved
exploitation
Exploration vs. exploitation Basic trade-off via randomness Enhanced balance via adaptive mutation and elite
refinement
Search efficiency Moderate convergence Faster convergence with better solution diversity

Fig. 4 CNN optimization process

a1 = ReLU (z1 ) (21)

And pooling:

p1 = MaxPool1d(a1 ) (22)

The second convolutional layer follows the same pattern:

$$z_2 = \mathrm{Conv1d}(p_1; W_2, b_2) \tag{23}$$

$$a_2 = \mathrm{ReLU}(z_2) \tag{24}$$

$$p_2 = \mathrm{MaxPool1d}(a_2) \tag{25}$$

The flattening layer transforms the extracted feature maps into a fully connected structure using Eq. 26.

$$f = \mathrm{Flatten}(p_2) \tag{26}$$

Two fully connected layers further refine the classification process. The first fully connected layer computes as follows:

$$z_3 = f W_3 + b_3 \tag{27}$$

$$a_3 = \mathrm{ReLU}(z_3) \tag{28}$$

$$d = \mathrm{Dropout}(a_3; r) \tag{29}$$

Equation 30 computes the second fully connected layer.

$$z_4 = d W_4 + b_4 \tag{30}$$

The final output layer applies the softmax activation procedure using Eq. 31.

$$y = \mathrm{Softmax}(z_4) \tag{31}$$
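Eqs. 20–31 written out as a pure-Python forward pass (an added example, not the authors' TensorFlow code), so the shape after each stage can be traced without a framework. The sequence length L = 16, kernel size 3, 8 and 16 filters, 32 hidden units, pool size 2, two output classes and the random weights are all assumptions; the input window is constructed.

```python
import math
import random

def conv1d(x, W, b):
    """Eqs. 20/23: 'valid' 1D convolution. x[c][t], W[o][c][k], b[o] -> z[o][t]."""
    k = len(W[0][0])
    steps = len(x[0]) - k + 1
    return [[b[o] + sum(W[o][c][j] * x[c][t + j]
                        for c in range(len(x)) for j in range(k))
             for t in range(steps)]
            for o in range(len(W))]

def relu(v):
    """Eqs. 21/24/28: element-wise max(0, .) on one vector."""
    return [max(0.0, e) for e in v]

def maxpool1d(a, size=2):
    """Eqs. 22/25: non-overlapping max pooling along the time axis."""
    return [[max(row[i:i + size]) for i in range(0, len(row) - size + 1, size)]
            for row in a]

def dense(f, W, b):
    """Eqs. 27/30: z = f W + b with W[in][out]."""
    return [b[j] + sum(f[i] * W[i][j] for i in range(len(f))) for j in range(len(b))]

def dropout(a, r, training, rng):
    """Eq. 29: inverted dropout while training, identity at inference."""
    if not training:
        return list(a)
    return [0.0 if rng.random() < r else e / (1.0 - r) for e in a]

def softmax(z):
    """Eq. 31, shifted by max(z) for numerical stability."""
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def init_params(L, rng, k=3, c1=8, c2=16, hidden=32, classes=2):
    """Small random weights; every size here is an assumption, not the paper's."""
    u = lambda: rng.uniform(-0.1, 0.1)
    t1 = (L - k + 1) // 2          # time steps left after conv1 + pool1
    t2 = (t1 - k + 1) // 2         # time steps left after conv2 + pool2
    return {
        "W1": [[[u() for _ in range(k)] for _ in range(10)] for _ in range(c1)],
        "b1": [0.0] * c1,
        "W2": [[[u() for _ in range(k)] for _ in range(c1)] for _ in range(c2)],
        "b2": [0.0] * c2,
        "W3": [[u() for _ in range(hidden)] for _ in range(c2 * t2)],
        "b3": [0.0] * hidden,
        "W4": [[u() for _ in range(classes)] for _ in range(hidden)],
        "b4": [0.0] * classes,
    }

def forward(x, p, r=0.3, training=False, rng=None):
    """Run Eqs. 20-31 (r = 0.3 as in Table 3) and record each stage's shape."""
    shapes = [("x", (len(x), len(x[0])))]
    p1 = maxpool1d([relu(row) for row in conv1d(x, p["W1"], p["b1"])])
    shapes.append(("p1", (len(p1), len(p1[0]))))
    p2 = maxpool1d([relu(row) for row in conv1d(p1, p["W2"], p["b2"])])
    shapes.append(("p2", (len(p2), len(p2[0]))))
    f = [e for row in p2 for e in row]                       # Eq. 26
    shapes.append(("f", (len(f),)))
    d = dropout(relu(dense(f, p["W3"], p["b3"])), r, training, rng)
    shapes.append(("d", (len(d),)))
    y = softmax(dense(d, p["W4"], p["b4"]))
    shapes.append(("y", (len(y),)))
    return y, shapes

def demo():
    rng = random.Random(7)
    L = 16                                                    # assumed sequence length
    x = [[rng.random() for _ in range(L)] for _ in range(10)]  # constructed 10 x L window
    params = init_params(L, rng)
    y_a, shapes = forward(x, params)                          # inference: dropout off
    y_b, _ = forward(x, params)                               # same input, same verdict
    y_train, _ = forward(x, params, training=True, rng=random.Random(1))
    return y_a, y_b, y_train, shapes

if __name__ == "__main__":
    y, _, _, shapes = demo()
    print(shapes, y)
```

Because dropout is the identity at inference, the same flow window always yields the same class probabilities, which is what a detector needs when an alert has to be reproduced later.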

For performance improvement, the learning rate and other hyperparameters are tuned using EPOA, which adaptively updates the network for better accuracy and less computation. While EPOA directs the search toward optimal settings, the starting values of hyperparameters may affect the convergence path and optimization efficiency. Hence, empirically chosen starting points have been utilized to provide a stable basis for the model for quick convergence and a clearer understanding of suboptimal areas. This optimization process improves weight updates and prevents overfitting from limiting the model’s performance, rendering it more efficient for real-time IoT anomaly identification.

Results and discussion


This section thoroughly examines the simulation environment and the results of testing the proposed approach. Throughout all experiments, we aim to quantify the efficiency and accuracy of the proposed EPOA-based CNN model for cyberattack detection in an IoT context. Experimental tests were conducted in a Windows 10 environment with an Intel i7 CPU and an NVIDIA GeForce RTX 3090 GPU for computational acceleration. The suggested architecture was implemented in Python in a Jupyter Notebook with TensorFlow version 2.5.0. Third-party libraries used during data processing, model building, and evaluation include scikit-learn, NumPy, Keras, and Pandas.

To validate the effectiveness of the proposed approach, its performance was compared against several well-established deep learning and classical machine learning models, including logistic regression (LR), artificial neural network (ANN), recurrent neural network (RNN), long short-term memory (LSTM), support vector machine (SVM), and GRU. To ensure a fair comparison, the baseline models were all trained using a uniform hyperparameter optimization approach through a grid search. The key parameters, namely the learning rate, the number of epochs, the batch size, and the dropout rate, were tuned using a validation set through fivefold cross-validation to guarantee that each model was run in its optimal achievable configuration.
Three highly recommended network security datasets were used to thoroughly assess the suggested framework: Bot-IoT, NSL-KDD, and CICIDS2018. To maximize the model’s performance, hyperparameter tuning was performed meticulously, as presented in Table 3. EPOA allows tuning of these parameters to balance detection accuracy with computation efficiency regardless of the dataset. The considered datasets contain various forms of attacks, including DoS and botnet attacks, which were the primary focus of this study. Data samples related to these attack scenarios were selected, processed, and split into 80% for training, 10% for validation, and 10% for testing. The layer-wise architecture of the proposed scheme for each dataset is outlined in Tables 4, 5, and 6, illustrating the input size, convolutional layers, activation functions, and dropout configurations.

Table 3 Selected hyperparameters for model training

| Hyperparameter | Bot-IoT | CICIDS2018 | NSL-KDD |
|---|---|---|---|
| Learning rate | 0.0002 | 0.0002 | 0.0002 |
| Dropout rate | 0.3 | 0.3 | 0.3 |
| LSTM units | 16 | 16 | 16 |
| CNN filter size | 64 | 64 | 64 |
| Batch size | 100,000 | 10,000 | 10,000 |
| Epochs | 20 | 20 | 20 |

Table 4 Layer-wise output dimensions for the Bot-IoT dataset

| Layer type | Activation function | Dropout applied | Batch normalization | Output size |
|---|---|---|---|---|
| Input | LeakyReLU | ✓ | ✓ | 10 × 1 |
| Dense | Sigmoid | - | - | 2 |
| Flatten | - | - | | 80 |
| Dense | - | - | | 10 × 8 |
| LSTM | - | - | - | 10 × 16 |
| Convolution | LeakyReLU | ✓ | ✓ | 10 × 16 |
| Convolution | LeakyReLU | ✓ | ✓ | 10 × 16 |
| Convolution | LeakyReLU | ✓ | ✓ | 10 × 32 |
| Convolution | LeakyReLU | ✓ | ✓ | 10 × 64 |
| Convolution | LeakyReLU | ✓ | ✓ | 10 × 64 |
To enhance classification performance while minimizing computational complexity,
an FCBF (fast correlation-based feature selection) algorithm was utilized to select the
most relevant features. The key features chosen for each data group are shown in Table 7.
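FCBF is only named above, so the following added example (not the authors' code) shows the selection it performs: rank features by symmetric uncertainty (SU) with the class, then drop every feature that an already selected one predicts at least as well as it predicts the class. The eight binned flow records are constructed, the column names are borrowed from Table 7's NSL-KDD list, and the SU ≥ 0.999 audit for label-derived columns (such as an attack_type column that encodes the class) is an assumption added here.

```python
from collections import Counter
from math import log2

EPS = 1e-12  # tolerance so that float noise cannot flip a redundancy tie

def entropy(values):
    n = len(values)
    return -sum((c / n) * log2(c / n) for c in Counter(values).values())

def symmetric_uncertainty(x, y):
    """SU(X, Y) = 2 * I(X; Y) / (H(X) + H(Y)); 0 = independent, 1 = equivalent."""
    hx, hy = entropy(x), entropy(y)
    if hx + hy == 0.0:
        return 0.0
    mutual_info = hx + hy - entropy(list(zip(x, y)))
    return 2.0 * mutual_info / (hx + hy)

def fcbf(columns, labels, delta=0.01):
    """Return (selected feature names, SU of every feature with the class)."""
    su_class = {name: symmetric_uncertainty(col, labels)
                for name, col in columns.items()}
    # Relevance step: keep features above the threshold, strongest first.
    ranked = sorted((n for n in columns if su_class[n] > delta),
                    key=lambda n: (-su_class[n], n))
    selected = []
    while ranked:
        fp = ranked.pop(0)          # strongest remaining feature is predominant
        selected.append(fp)
        # Redundancy step: fq survives only if fp explains it less well
        # than fq explains the class.
        ranked = [fq for fq in ranked
                  if symmetric_uncertainty(columns[fp], columns[fq])
                  < su_class[fq] - EPS]
    return selected, su_class

def leakage_suspects(su_class, threshold=0.999):
    """Columns that determine the class almost perfectly deserve a manual audit."""
    return sorted(n for n, su in su_class.items() if su >= threshold)

# Constructed sample: 4 normal flows (0) followed by 4 DoS flows (1),
# with every feature already discretised into two bins.
LABELS = [0, 0, 0, 0, 1, 1, 1, 1]
COLUMNS = {
    "serror_rate":          [0, 0, 0, 1, 1, 1, 1, 1],
    "dst_host_serror_rate": [0, 0, 1, 1, 1, 1, 1, 1],   # overlaps with serror_rate
    "logged_in":            [0, 1, 0, 0, 1, 1, 0, 1],
    "land":                 [0, 1, 0, 1, 0, 1, 0, 1],   # independent of the class
    "attack_type":          ["normal"] * 4 + ["dos"] * 4,  # a copy of the label
}

def run_with_label_copy():
    selected, su = fcbf(COLUMNS, LABELS)
    return selected, leakage_suspects(su)

def run_clean():
    suspects = run_with_label_copy()[1]
    clean = {n: c for n, c in COLUMNS.items() if n not in suspects}
    return fcbf(clean, LABELS)

if __name__ == "__main__":
    print("with label copy:", run_with_label_copy())
    print("after audit    :", run_clean()[0])
```

With the label copy present, FCBF keeps only that column and discards every real traffic feature as redundant, so a detector trained on the result would score almost perfectly offline and have nothing to work with on live traffic.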
Bot-IoT represents an IoT security system vulnerable to cyberattacks by data exfiltration, keylogging, OS/service scan, DDoS, and DoS. This data was selected because of its significance in validating the robustness of the proposed EPOA-based detection system, with an array of attack types depicted in Fig. 5.

NSL-KDD is a modified variant of the KDD99 dataset, containing 41 network traffic features plus a label. The dataset includes four attack categories: user to root (U2R), remote to local (R2L), probe, and DoS. This study focuses on normal flows and DoS, as detailed in Fig. 6.
CICIDS2018 mimics real enterprise network traffic involving seven prevalent attack types, including DoS, DDoS, botnets, and infiltration attacks. It includes 420 machines, 30 victim servers, and 50 attacker machines, and it comprises 80 traffic flow features obtained through CICFlowMeter-V3. DDoS, botnet, and DoS attacks form the basis of the analysis in this work and are outlined in Fig. 7.

Table 5 Layer-wise output dimensions for the NSL-KDD dataset

| Layer type | Activation function | Dropout applied | Batch normalization | Output size |
|---|---|---|---|---|
| Input | LeakyReLU | ✓ | ✓ | 23 × 1 |
| Dense | Sigmoid | - | - | 2 |
| Flatten | - | - | | 184 |
| Dense | - | - | | 23 × 8 |
| LSTM | - | - | - | 23 × 16 |
| Convolution | LeakyReLU | ✓ | ✓ | 23 × 16 |
| Convolution | LeakyReLU | ✓ | ✓ | 23 × 16 |
| Convolution | LeakyReLU | ✓ | ✓ | 23 × 32 |
| Convolution | LeakyReLU | ✓ | ✓ | 23 × 64 |
| Convolution | LeakyReLU | ✓ | ✓ | 23 × 64 |

Table 6 Layer-wise output dimensions for the CICIDS2018 dataset

| Layer type | Activation function | Dropout applied | Batch normalization | Output size |
|---|---|---|---|---|
| Input | LeakyReLU | ✓ | ✓ | 20 × 1 |
| Dense | Sigmoid | - | - | 2 |
| Flatten | - | - | | 160 |
| Dense | - | - | | 20 × 8 |
| LSTM | - | - | - | 20 × 16 |
| Convolution | LeakyReLU | ✓ | ✓ | 20 × 32 |
| Convolution | LeakyReLU | ✓ | ✓ | 20 × 32 |
| Convolution | LeakyReLU | ✓ | ✓ | 10 × 32 |
| Convolution | LeakyReLU | ✓ | ✓ | 20 × 32 |
| Convolution | LeakyReLU | ✓ | ✓ | 20 × 64 |

Table 7 Selected features for each dataset

| Dataset | Selected features |
|---|---|
| Bot-IoT | proto_udp, proto_tcp, N_IN_Conn_P_SrcIP, state_number, N_IN_Conn_P_DstIP, min, stddev, max, mean, srate |
| NSL-KDD | dst_host_rerror_rate, land, attack_type, protocol_type_icmp, srv_diff_host_rate, success_pred, dst_host_srv_diff_host_rate, srv_count, dst_host_count, dst_host_same_src_port_rate, logged_in, srv_serror_rate, serror_rate, dst_host_serror_rate, dst_bytes, dst_host_srv_serror_rate, dst_host_srv_count, dst_host_same_srv_rate, dst_host_diff_srv_rate, count, same_srv_rate, diff_srv_rate, src_bytes |
| CICIDS2018 | Pkt Len Var, Pkt Len Std, Flow IAT Std, Pkt Len Max, Pkt Len Mean, Pkt Size Avg, Fwd Pkt Len Max, Fwd Pkt Len Mean, Fwd Seg Size Avg, Subflow Fwd Byts, TotLen Fwd Pkts, Fwd Header Len, Flow IAT Mean, Fwd IAT Mean, Flow Duration, Fwd Pkts/s, Fwd IAT Tot, Flow IAT Max, Init Fwd Win Byts, Fwd IAT Max |

Fig. 5 Sample distribution in the Bot-IoT dataset

Fig. 6 Sample distribution in the NSL-KDD dataset

The developed methodology is evaluated using four key classification indicators: precision, recall, accuracy, and F1-score. These metrics assess the model’s potential to differentiate normal traffic from malicious traffic, considering the confusion matrix, illustrated in Fig. 8. The classification performance is quantified as follows:

$$\text{Recall} = \frac{TP}{FN + TP} \tag{32}$$

$$\text{Precision} = \frac{TP}{FP + TP} \tag{33}$$

$$\text{Accuracy} = \frac{TN + TP}{FN + FP + TN + TP} \tag{34}$$

$$\text{F1-score} = \frac{2 \cdot \text{Recall} \cdot \text{Precision}}{\text{Recall} + \text{Precision}} \tag{35}$$

where true negative (TN) accounts for attack traffic samples accurately recognized as attacks, whereas false positive (FP) denotes the number of entries mistakenly labeled as normal. Conversely, false negative (FN) refers to normal traffic samples incorrectly classified as attacks, while true positive (TP) reflects the number of normal traffic samples categorized as non-attacks.

Fig. 7 Sample distribution in the CICIDS2018 dataset

Fig. 8 Confusion matrix
The model’s performance in tracking malware infections, particularly DoS and botnet attacks, depends on minimizing FP and FN values while maximizing TP and TN. A higher F1-score indicates a balanced performance, especially when false classifications could lead to security vulnerabilities.
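Added example (not the authors' code): Eqs. 32–35 evaluated on a constructed, imbalanced set of flows, once with normal traffic as the positive class, as TP, TN, FP and FN are defined above, and once with attacks as the positive class, the view that exposes missed attacks. The last function checks a reported precision/recall/F1 triple against the bound Eq. 35 implies (a harmonic mean never exceeds the arithmetic mean); the flow counts and the 0.1-point rounding tolerance are assumptions.

```python
def confusion_counts(y_true, y_pred, positive):
    """Count TP/FP/TN/FN for whichever class is treated as 'positive'."""
    c = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for truth, pred in zip(y_true, y_pred):
        if pred == positive:
            c["TP" if truth == positive else "FP"] += 1
        else:
            c["FN" if truth == positive else "TN"] += 1
    return c

def ratio(num, den):
    """Division that returns 0.0 for an empty denominator (e.g. no positives)."""
    return num / den if den else 0.0

def scores(c):
    """Eqs. 32-35 applied to a dict of confusion counts."""
    recall = ratio(c["TP"], c["FN"] + c["TP"])
    precision = ratio(c["TP"], c["FP"] + c["TP"])
    accuracy = ratio(c["TN"] + c["TP"], c["FN"] + c["FP"] + c["TN"] + c["TP"])
    f1 = ratio(2 * recall * precision, recall + precision)
    return {"recall": recall, "precision": precision, "accuracy": accuracy, "f1": f1}

def f1_within_bound(precision, recall, f1, tol=0.1):
    """Eq. 35 is a harmonic mean, so F1 <= (precision + recall) / 2 in every run
    and therefore also after averaging runs; tol absorbs rounding (assumed)."""
    return f1 <= (precision + recall) / 2 + tol

# Constructed sample: 950 normal and 50 attack flows. The detector raises 10
# false alarms on normal traffic and labels 20 of the 50 attacks as normal.
Y_TRUE = ["normal"] * 950 + ["attack"] * 50
Y_PRED = ["normal"] * 940 + ["attack"] * 10 + ["normal"] * 20 + ["attack"] * 30

def paper_view():
    """Positive class = normal traffic, matching the TP/TN/FP/FN definitions."""
    c = confusion_counts(Y_TRUE, Y_PRED, positive="normal")
    return c, scores(c)

def attack_view():
    """Positive class = attack traffic: recall here is the detection rate."""
    c = confusion_counts(Y_TRUE, Y_PRED, positive="attack")
    return c, scores(c)

def missed_attack_rate(paper_counts):
    """With normal as positive, a missed attack is an FP: FP / (FP + TN)."""
    return ratio(paper_counts["FP"], paper_counts["FP"] + paper_counts["TN"])

# Mean values copied from the EPOA-CNN row of Table 8 (percent).
TABLE8_EPOA_CNN = {"precision": 98.3, "recall": 98.1, "f1": 98.5}

if __name__ == "__main__":
    for name, view in (("normal as positive", paper_view),
                       ("attack as positive", attack_view)):
        counts, s = view()
        print(name, counts, {k: round(v, 4) for k, v in s.items()})
    print("missed attacks:", missed_attack_rate(paper_view()[0]))
    print("Table 8 row within Eq. 35 bound:", f1_within_bound(**TABLE8_EPOA_CNN))
```

On this sample the normal-as-positive scores all sit near 0.98 while 40% of the attacks go undetected, so a report that uses this labelling should state the FP count or the attack-class recall alongside it.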
EPOA was tested on the CICIDS2018, Bot-IoT, and NSL-KDD datasets to determine its efficiency in detecting and classifying threats. Figures 9, 10, 11, and 12 show that the model using the suggested EPOA performs better than traditional approaches. The improvement in classification performance is essentially due to the use of EPOA for tuning hyperparameters and selecting features to optimize model learning and increase detection accuracy.

Fig. 9 Accuracy comparison

Fig. 10 Precision comparison

Fig. 11 Recall comparison

Fig. 12 F1-score comparison

Figures 13, 14, and 15 present loss and accuracy patterns for three datasets. Our method, which was trained using EPOA for maximum optimization, converges after epoch 10, reflecting fast learning. Moreover, comparisons of execution times in Fig. 16 reveal that our model produces the lowest testing time among deep-learning-based techniques. Hyperparameter tuning through EPOA and feature selection minimizes computational burden and makes our approach applicable to real-time applications.

To establish that the proposed model is reliable and generalizable, it was evaluated on three benchmark datasets: Bot-IoT, CICIDS2018, and NSL-KDD. Every model was trained and tested for 10 independent runs using different random seeds, and the performance metrics were reported as mean ± standard deviation. As presented in Tables 8, 9, 10, and 11, the proposed EPOA-CNN performed better on all datasets than traditional classifiers and achieved maximum accuracy and lowest standard deviation. Such a performance improvement is primarily due to incorporating EPOA, which efficiently tunes the CNN hyperparameters and selects the best features through chaotic initialization, adaptive mutations, and elite preservation. These features enhance the model’s capacity to explore complex optimization spaces, escape local minima, and generalize to different attack patterns and traffic types.

In contrast, LSTM, GRU, and ANN models exhibited lower performance and higher variance, underscoring their sensitivity to training conditions. The narrow standard deviations observed in EPOA-CNN outputs also attest to the model’s strength and stability for practical IoT threat detection applications. The primary performance metrics presented in Table 12 also confirm the model’s lightweight nature. The results attest to the efficiency and aptitude of the model for deployment on resource-limited IoT devices, confirming its viability for real-time applications in resource-limited systems.

Fig. 13 Accuracy and training loss trends for the Bot-IoT dataset

Fig. 14 Accuracy and training loss trends for the NSL-KDD dataset

Fig. 15 Accuracy and training loss trends for the CICIDS2018 dataset

Fig. 16 Execution time comparison

Table 8 Performance metrics of proposed and baseline models over 10 independent runs on the Bot-IoT dataset (mean ± standard deviation)

| Model | Accuracy | Precision | Recall | F1-score |
|---|---|---|---|---|
| EPOA-CNN | 98.1 ± 0.13 | 98.3 ± 0.07 | 98.1 ± 0.7 | 98.5 ± 0.07 |
| LSTM | 94.5 ± 0.17 | 94.3 ± 0.16 | 94.1 ± 0.14 | 94.3 ± 0.11 |
| GRU | 95.8 ± 0.19 | 95.6 ± 0.09 | 95.3 ± 0.17 | 95.2 ± 0.10 |
| RNN | 95.6 ± 0.14 | 95.8 ± 0.15 | 94.6 ± 0.15 | 94.8 ± 0.14 |
| ANN | 92.6 ± 0.16 | 92.5 ± 0.17 | 92.4 ± 0.14 | 92.5 ± 0.15 |
| SVM | 91.9 ± 0.38 | 92.6 ± 0.19 | 92.3 ± 0.21 | 92.5 ± 0.13 |
| LR | 92.3 ± 0.31 | 92.8 ± 0.21 | 92.8 ± 0.24 | 92.9 ± 0.17 |

Table 9 Performance metrics of proposed and baseline models over 10 independent runs on the CICIDS2018 dataset (mean ± standard deviation)

| Model | Accuracy | Precision | Recall | F1-score |
|---|---|---|---|---|
| EPOA-CNN | 97.9 ± 0.08 | 98.1 ± 0.06 | 98.1 ± 0.07 | 98.6 ± 0.07 |
| LSTM | 94.1 ± 0.19 | 94.4 ± 0.14 | 94.1 ± 0.12 | 94.3 ± 0.14 |
| GRU | 94.8 ± 0.25 | 95.3 ± 0.10 | 95.1 ± 0.16 | 95.5 ± 0.10 |
| RNN | 93.2 ± 0.23 | 93.8 ± 0.10 | 93.9 ± 0.11 | 94.1 ± 0.11 |
| ANN | 91.8 ± 0.17 | 92.1 ± 0.14 | 91.7 ± 0.14 | 91.8 ± 0.16 |
| SVM | 91.3 ± 0.26 | 91.6 ± 0.21 | 91.6 ± 0.18 | 92.1 ± 0.15 |
| LR | 91.5 ± 0.41 | 91.7 ± 0.13 | 91.9 ± 0.23 | 92.1 ± 0.21 |

Table 10 Performance metrics of proposed and baseline models over 10 independent runs on the NSL-KDD dataset (mean ± standard deviation)

| Model | Accuracy | Precision | Recall | F1-score |
|---|---|---|---|---|
| EPOA-CNN | 97.4 ± 0.09 | 97.1 ± 0.08 | 97.2 ± 0.09 | 97.9 ± 0.07 |
| LSTM | 93.8 ± 0.11 | 93.6 ± 0.11 | 93.6 ± 0.19 | 93.9 ± 0.10 |
| GRU | 94.6 ± 0.10 | 94.9 ± 0.09 | 94.4 ± 0.19 | 94.9 ± 0.10 |
| RNN | 93.4 ± 0.15 | 93.8 ± 0.09 | 93.8 ± 0.16 | 93.9 ± 0.12 |
| ANN | 91.5 ± 0.21 | 91.3 ± 0.18 | 91.1 ± 0.14 | 91.6 ± 0.14 |
| SVM | 91.1 ± 0.33 | 91.8 ± 0.15 | 91.7 ± 0.29 | 91.9 ± 0.19 |
| LR | 90.5 ± 0.37 | 91.3 ± 0.18 | 91.5 ± 0.18 | 91.9 ± 0.19 |

Table 11 Model performance metrics for lightweight evaluation

| Metric | Value | Description |
|---|---|---|
| Model size | 8.5 MB | Total size of the trained model (weights and architecture) |
| Memory footprint | 14 MB | Amount of memory required for model inference during deployment |
| Inference latency | 25 ms | Time taken for the model to process a single input and generate an output |
| Throughput | 40 samples/s | Number of samples processed per second during inference |

A comparison with the current leading cybersecurity detection frameworks is presented in Table 12 to further confirm our proposed model. Various studies have been conducted on AI-powered intrusion detection, but most have high computational complexity and poor optimization. For instance, the AI-powered threat detection scheme designed in [38] relied on a feature selection mechanism that increased system complexity. Similarly, [37] utilized a hybrid CNN with an evolutionary optimization algorithm for IoT device attack detection, but it required a lot of computational power and parameter tuning.

The study in [36] adopted PSO, genetic, and ACO algorithms for feature selection and classification, but the algorithm consumed a lot of computational resources and required expert knowledge for its tuning. Likewise, in [35], PSO was adopted with LightGBM and OCSVM for optimization, which adds computational load and requires careful coordination for model training and testing. The algorithm in [34] combines two standalone optimization algorithms, which require high computational power and hyperparameters and thus lead to high system complexity. In [33], Gated Recurrent Fully Connected Neural Networks (GFRNN) and the sin-cos transfer function in optimization were adopted, and significant work was involved in balancing feature selection, exploitation, and exploration.

A mixture of PCA and GWO in [32] improved model performance but posed a danger of information loss and necessitated proper parameter optimization. Another algorithm in [31] blended the Gorilla Troops Optimizer with the Bird Swarm Algorithm (GTOBSA), with sophisticated interdependency between a variety of optimization techniques, and hence is computationally expensive. Finally, the model in [30] utilized Entropy-HOA for feature selection and a DL-based multilayer neural network (DLMNN) for classification, both with high requirements for fine-tuning and computational power for efficient and correct intrusion detection.

Table 12 An examination of cyberattack detection approaches

| Study | Methodology | Computational complexity | Hyperparameter tuning approach | Feature selection | Accuracy | F1-score |
|---|---|---|---|---|---|---|
| [30] | DLMNN | High | ✗ | Entropy-HOA | 98.6 | 98.7 |
| [31] | ✔ | High | ✗ | GTOBSA | 95.5 | N/A |
| [32] | DNN | High | GW | PCA | 98.2 | N/A |
| [33] | GFRNN | High | ✗ | Sn-Cos-bIAVOA | 99.9 | 99.9 |
| [34] | RF | High | ✗ | BAT and PSD | 95.6 | 95.6 |
| [35] | SVM | High | ✗ | PSO-LightGBM | 86.6 | N/A |
| [36] | AI | High | PSO | ✔ | 97.1 | 98.8 |
| [37] | HCNN | High | ✗ | EHOA | 90.1 | 86.7 |
| [38] | DL | Moderate | ✗ | TSODE | 99.9 | 99.9 |
| Our model | CNN | Low | EPOA | RF | 98.1 | 98.6 |

The comparative study indicates that although most contemporary cybersecurity detection approaches have competitive accuracy, they have high computational complexity, poorly chosen features, and difficulty in hyperparameter tuning. Our EPOA-based CNN model eliminates these shortcomings by efficiently selecting the most essential features to keep and adaptively tuning hyperparameters to improve classification accuracy and lower loss. Significantly, EPOA considerably reduces computational cost compared to conventional strategies, including typical POA, resulting in reduced execution times. This renders the proposed approach highly applicable to real-time IoT security systems when there is a need for low latency and minimal resource consumption.

Conclusions
This study presented an EPOA-based CNN model for IoT intrusion detection, focusing on scalable, efficient, and lightweight cybersecurity solutions. With the increasing expansion of the IoT domain and the complexity of attacks becoming more serious, conventional ML- and DNN-powered systems are prone to being computationally intensive and poorly adaptable to new attack trends. The EPOA-based model improved the process of selecting features and hyperparameter tuning to achieve the highest detection accuracy without increasing computation costs. Traditional systems handle complex traffic and high-dimensional data poorly. In contrast, our system reduced the dimension of the data without affecting classification performance. Experimental results on various benchmark datasets proved that the new method outperformed traditional ML-based and deep neural network-inspired classification models, achieving a remarkable accuracy of 98.1% in Bot-IoT, 97.4% in NSL-KDD, and 97.9% in CICIDS2018 while generating much smaller losses.

Despite the promising findings, a few limitations pave the way for future directions. First, the model must be tested on diverse, large-scale IoT datasets to assess its generalizability to real-world attack situations. Second, incorporating federated learning would enhance data privacy by facilitating decentralized training on IoT devices without exchanging raw data. Third, using CNNs with transformer-based models might better model spatiotemporal attack patterns for 0-day or advanced threats. In addition, model pruning or quantization techniques need to be investigated to compress the model for execution on edge devices without jeopardizing real-time performance. These directions can enhance next-generation IoT intrusion detection systems’ robustness, adaptability, and scalability.

Abbreviations
IoT Internet of Things
CNN Convolutional neural network
EPOA Enhanced pelican optimization algorithm
ML Machine learning
FNN Forward neural network
SVM Support vector machine
DoS Denial of service
TP True positive
LR Logistic regression
PCA Principal component analysis
BGWO Binary grey wolf optimizer
RNN Recurrent neural network
GRU Gated recurrent unit
DT Decision tree
U2R User to root
IDS Intrusion detection system
RF Random forest
MCC Matthews correlation coefficient
BGSA Binary gravitational search algorithm
DBN Deep belief network
GJO Golden Jackal Optimization
R2L Remote to local
FP False positive
BiGRU Bidirectional gated recurrent units
CSNN Convolutional spiking neural network
LSTM Long short-term memory


CSSOA Chaotic crow-search optimization algorithm
DNN Deep neural network
TN True negative
SA_TDO Self-Adaptive Tasmanian Devil Optimization
ANN Artificial neural network
AOA Archimedes optimization algorithm
DL Deep learning
SWA Sperm whale algorithm
FCM Fuzzy c-means
FN False negative

Acknowledgements
Not applicable

Authors’ contributions
YC and YG contributed to writing the draft, editing the manuscript, and conceptualizing the research. YG was responsible
for conducting simulations, data analysis, and validation of results. BL provided supervision, reviewed the manuscript,
and contributed to the final revisions. All authors have read and approved the final version of the manuscript.

Funding
No funding was received for conducting this study.
Data availability
The datasets used and/or analyzed during the current study are available from the corresponding author on reasonable
request.

Declarations
Competing interests
The authors declare that they have no competing interests.

Received: 2 February 2025 Accepted: 22 May 2025

References
1. Valizadeh J et al (2024) An operational planning for emergency medical services considering the application of IoT. Oper Manag Res 17(1):267–290
2. Mehbodniya A, Haq MA, Kumar A, Ismail ME, Dahiya P, Karupusamy S (2022) Data reinforcement control technique-based monitoring and controlling of environmental factors for IoT applications. Arab J Geosci 15(7):620
3. Pourghebleh B, Hekmati N, Davoudnia Z, Sadeghi M (2022) A roadmap towards energy-efficient data fusion methods in the Internet of Things. Concurrency and Computation: Practice and Experience 34(15):e6959
4. Padmavathi V, Saminathan R (2025) Security for the Internet of Things. In: Computer and Information Security Handbook. Elsevier, pp 353–368. https://doi.org/10.1016/B978-0-443-13223-0.00019-9
5. Azadi A, Momayez M (2024) Review on constitutive model for simulation of weak rock mass. Geotechnics 4(3):872–892. https://doi.org/10.3390/geotechnics4030045
6. Ajmal AB, Khan S, Alam M, Mehbodniya A, Webber J, Waheed A (2023) Toward effective evaluation of cyber defense: threat based adversary emulation approach. IEEE Access 11:70443–70458
7. Omolara AE, Alabdulatif A, Abiodun OI, Alawida M, Alabdulatif A, Arshad H (2022) The Internet of Things security: a survey encompassing unexplored areas and new insights. Comput Secur 112:102494
8. Webber JL et al (2023) An efficient intrusion detection framework for mitigating blackhole and sinkhole attacks in healthcare wireless sensor networks. Comput Electr Eng 111:108964
9. Pourghebleh B, Wakil K, Navimipour NJ (2019) A comprehensive study on the trust management techniques in the Internet of Things. IEEE Internet Things J 6(6):9326–9337
10. Mehbodniya A, Bhatia S, Mashat A, Elangovan M, Sengan S (2022) Proportional fairness based energy efficient routing in wireless sensor network. Comput Syst Sci Eng 41(3). https://doi.org/10.1007/s00170-024-14741-y
11. Hosseinzadeh A, Shahin M, Maghanaki M, Mehrzadi H, Chen FF (2024) Minimizing waste via novel fuzzy hybrid stacked ensemble of vision transformers and CNNs to detect defects in metal surfaces. Int J Adv Manuf Technol 1–26. https://doi.org/10.1007/s00170-024-14741-y
12. Sharma P, Jain S, Gupta S, Chamola V (2021) Role of machine learning and deep learning in securing 5G-driven industrial IoT applications. Ad Hoc Netw 123:102685
13. Ge M, Syed NF, Fu X, Baig Z, Robles-Kelly A (2021) Towards a deep learning-driven intrusion detection approach for Internet of Things. Comput Netw 186:107784
14. Saheed YK, Abiodun AI, Misra S, Holone MK, Colomo-Palacios R (2022) A machine learning-based intrusion detection for detecting Internet of Things network attacks. Alex Eng J 61(12):9395–9409
15. Dey AK, Gupta GP, Sahu SP (2023) A metaheuristic-based ensemble feature selection framework for cyber threat detection in IoT-enabled networks. Decision Analytics Journal 7:100206
16. Sagu A, Gill NS, Gulia P, Singh PK, Hong W-C (2023) Design of metaheuristic optimization algorithms for deep learning model for secure IoT environment. Sustainability 15(3):2204
17. Alrayes FS, Nemri N, Aljaffan N, Alshuhail A, Alhashmi AA, Mahmud A (2024) Distributed multiclass cyberattack detection using Golden Jackal Optimization with deep learning model for securing IoT networks. IEEE Access 12:132434–132443. https://doi.org/10.1109/ACCESS.2024.3443202
18. Alserhani FM (2024) Integrating deep learning and metaheuristics algorithms for blockchain-based reassurance data management in the detection of malicious IoT nodes. Peer-to-Peer Networking and Applications 17(6):3856–3882
19. Antonijevic M et al (2025) Intrusion detection in metaverse environment Internet of Things systems by metaheuristics tuned two level framework. Sci Rep 15(1):3555
20. Elsedimy E, AboHashish SM (2025) An intelligent hybrid approach combining fuzzy C-means and the sperm whale algorithm for cyber attack detection in IoT networks. Sci Rep 15(1):1005
21. Heidari A, Jabraeil Jamali MA (2023) Internet of Things intrusion detection systems: a comprehensive review and future directions. Cluster Comput 26(6):3753–3780
22. Hayyolalam V, Pourghebleh B, Pourhaji Kazem AA (2020) Trust management of services (TMoS): investigating the current mechanisms. Trans Emerg Telecommun Techn 31(10):e4063
23. El Hajla S, Maleh Y, Mounir S (2025) Security challenges and solutions in IoT: an in-depth review of anomaly detection and intrusion prevention. Mach Intell Appl Cyber Risk Manag 25–50. https://doi.org/10.4018/979-8-3693-7540-2.ch002
24. Qi S, Chen J, Chen P, Wen P, Shan W, Xiong L (2023) An effective WGAN-based anomaly detection model for IoT multivariate time series. Pacific-Asia Conference on Knowledge Discovery and Data Mining. Springer, pp 80–91
25. Mehbodniya A, Temma K, Sugai R, Saad W, Guvenc I, Adachi F (2015) Energy-efficient dynamic spectrum access in wireless heterogeneous networks. In: 2015 IEEE International Conference on Communication Workshop (ICCW), IEEE, London, pp 2775–2780. https://doi.org/10.1109/ICCW.2015.7247599
26. Sharma S, Singh G (2023) Design and analysis of novel chaotic pelican-optimization algorithm for feature-selection of occupational stress. Procedia Computer Science 218:1497–1505
27. Yan L et al (2022) Distributed optimization of heterogeneous UAV cluster PID controller based on machine learning. Comput Electr Eng 101:108059
28. Trojovský P, Dehghani M (2022) Pelican optimization algorithm: a novel nature-inspired algorithm for engineering applications. Sensors 22(3):855
29. Alamir N, Kamel S, Megahed TF, Hori M, Abdelkader SM (2023) Developing hybrid demand response technique for energy management in microgrid based on pelican optimization algorithm. Electric Power Systems Research 214:108905
30. Duraisamy A, Subramaniam M, Robin CRR (2021) An optimized deep learning based security enhancement and attack detection on IoT using IDS and KH-AES for smart cities. Stud Inf Control 30(2):121–131
31. Kareem SS, Mostafa RR, Hashim FA, El-Bakry HM (2022) An effective feature selection model using hybrid metaheuristic algorithms for iot intrusion detection. Sensors 22(4):1396
32. Rm SP et al (2020) An effective feature engineering for DNN using hybrid PCA-GWO for intrusion detection in IoMT architecture. Comput Commun 160:139–149
33. Sharifian Z, Barekatain B, Quintana AA, Beheshti Z, Safi-Esfahani F (2023) Sin-Cos-bIAVOA: a new feature selection method based on improved African vulture optimization algorithm and a novel transfer function to DDoS attack detection. Expert Syst Appl 228:120404
34. Gaber T, Awotunde JB, Folorunso SO, Ajagbe SA, Eldesouky E (2023) Industrial Internet of Things intrusion detection method using machine learning and optimization techniques. Wirel Commun Mob Comput 2023(1):3939895
35. Liu J, Yang D, Lian M, Li M (2021) Research on intrusion detection based on particle swarm optimization in IoT. IEEE Access 9:38254–38268
36. Alterazi HA et al (2022) Prevention of cyber security with the Internet of Things using particle swarm optimization. Sensors 22(16):6117
37. Akshaya V, Mandala V, Anilkumar C, VishnuRaja P, Aarthi R (2023) Security enhancement and attack detection using optimized hybrid deep learning and improved encryption algorithm over Internet of Things. Measurement 30:100917
38. Fatani A, Abd Elaziz M, Dahou A, Al-Qaness MA, Lu S (2021) IoT intrusion detection system using deep learning and enhanced transient search optimization. IEEE Access 9:123448–123464

Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
