Wireless Personal Communications (2023) 128:1543–1566

https://doi.org/10.1007/s11277-022-10009-4

Network Based Detection of IoT Attack Using AIS‑IDS Model

R. Sabitha1 · S. Gopikrishnan2 · B. J. Bejoy3 · V. Anusuya4 · V. Saravanan5

Accepted: 29 August 2022 / Published online: 12 October 2022


© The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2022

Abstract
In recent days the Internet of Things (IoT) has attained more familiarity. Although it is a
promising technology, it tends to lead to a variety of security issues. Conventional methods
such as IoT ecosystem based solutions were not suitable for the dilemmas of the system. A new
system model called the adaptive and intelligent Artificial Immune System (AIS) imitates the
human immune system, whose properties are suited to this varying environment, and therefore
enhances IoT security. Conventionally, classifiers such as the Random Forest Classifier,
Recurrent Neural Network and K-nearest neighbours are used to classify signals as normal or
abnormal and to predict malicious attacks. Unfortunately, these classifiers generated a high
false alarm rate. Thus, a framework with maximum accuracy and minimum false alarm rate was
required. In this work, the AIS model adopts the benefits of the Hopfield Neural Network (HNN)
for classification. The HNN classifier has a fixed weight, as it cannot be changed for its
backpropagation property. This work optimally selects the fixed weight using Fast-Particle
Swarm Optimization (F-PSO), which helps to enhance the accuracy of the HNN classifier. The
classifier model then differentiates IoT attacks from normal signals with a high detection
rate. Three datasets are taken to execute the proposed model and define its accuracy. The
proposed Artificial Immune System using HNN for Intrusion Detection System (AIS-IDS) model
exhibits 99.8% accuracy for the first dataset and a minimum error value. The false alarm rate
was minimized using danger theory and its high activation function; the false alarm rate was
thus minimized by up to 8% more than previous classifiers.

Keywords Artificial immune system (AIS) · Hopfield neural network (HNN) · Fast-particle swarm optimization (F-PSO) · IoT attack · False alarm rate

* R. Sabitha
sabithadachu@gmail.com
1 Hindusthan College of Engineering and Technology, Coimbatore, India
2 School of Computer Science and Engineering, VIT-AP University, Amaravati, India
3 Department of Computer Science and Engineering, CHRIST (Deemed to Be University), Bangalore, India
4 Ramco Institute of Technology, Rajapalayam, India
5 Department of Computer Science, College of Engineering and Technology, Dambi Dollo University, Dambi Dollo, Ethiopia

1 Introduction

In recent times, industrial and academic circles have selected the Internet of Things (IoT)
as an active area of development [1]. IoT technology has shown guaranteed development in
various sectors such as intelligent transportation, health care, smart power grids and smart
homes. However, while it has developed at a high rate, it has undergone different issues such
as security risks. The tremendous propagation and easy accessibility of IoT devices have
generated an environment for cyber-attacks [2]. Devices used for these technologies remain
small, with limited memory and inexpensive computing capacity to execute existing security
software.
Moreover, original equipment manufacturers are utilizing commercial embedded and real-time
operating systems like OpenRTOS and FreeRTOS to reduce cost, which has made end devices
vulnerable [3]. Due to increased sophistication, IoT attacks are continuing at steady levels.
Some conventional methods, such as Ransomware of Things (ROT) and Mirai, have become
ineffective and were unable to provide strong security solutions, and it was not left
decentralized [4]. Security issues are increasing; hence, there is an urgent requirement for a
model with security commensurate with these changes [5].
Many attacks are increasing as new attacks emerge in the network environment. Multiple
solutions have been applied to overcome the security threats in the IoT environment and to
provide privacy, availability, authentication, integrity and confidentiality [6]. An
Artificial Immune System (AIS) is a bionic system model that works similarly to the
biological immune system to secure the IoT environment from severe intruders or hackers.
Conventionally, AIS has been found to be effective in TCP/IP networks, ad-hoc mobile networks
and wireless sensor networks. This is because the IoT environment is dynamic, and the
properties of the human immune system are similarly suited to analyzing the frequent changes
that occur in IoT security [7].
AIS's abilities of self-learning, robustness, dynamic structure, adaptability and resource
optimization have helped to adapt it to computer security. Some of its helpful tasks are
anomaly detection, pattern recognition, data analysis, intrusion detection and computer
security applications [8]. Moreover, AIS techniques have been used to solve multi-objective
optimization problems, and robotics and control engineering have been enhanced by AIS. In
order to avoid infection, a technique of summing up IoT passwords for IoT devices was disabled
with some manufacturers and ports that consumers consume more secure physical devices [9].
Anyway, these security devices are more effective than giving immune community to their
application that is strictly prohibited in the means of security management and also
interactions with humans. Additionally, one issue that happens with known software issues is
a delay in downloading the patches in the meantime. With the help of different algorithms, AIS
predicts various attacks in the next generation. These attacks are named as Dendritic Cell
Algorithm (DCA) as it intrudes with danger to calculate port-scan attacks with respect to
wired connections [10].
Nevertheless, issues such as intruders hacking internally or externally are still left
unsolved. AIS consists of gene library evolution, clonal selection and negative selection
procedures [11]. Conventional work like Hofmeyr and scaling IDs were stated as gene libraries,
and the clonal selection type creates immature detectors [12]. With an immense amount of
network traffic data, the random search feature for selecting negative feeds tends to fail in
selecting different network intrusions [13]. It has been found to be usable only for a limited
number of intrusions in networks. In order to overcome these issues, an AIS with an unlimited
number of intrusion detections is proposed in this paper. The main objectives of this paper
are as follows.

• Design an Intrusion Detection System that composites the categorization of signals with an
Artificial Immune System (AIS).
• To present the signal extraction step, the notion of a self-normalizing neural network is
used that finds features for classification and minimizes the complexity to automate this
phase to preserve its highest level of classification accuracy.
• Implementing an optimization technique enhances the negative selection procedure and
permits them to perform unlimited network intrusions.
• Implement the proposed AIS framework on datasets such as Botnet Dataset, IoT dataset
and DDOS. The performance of a dataset and its computation are based on a number of
AIS performance indicators.

The rest of the paper is organized as follows. Section 2 provides a literature review of
AIS’s previous methods and their limitations briefly. Section 3 describes the proposed
frame structure of AIS and Sect. 4 shows the experimental results, and Sect. 5 concludes
the paper.

2 Literature Review

Kumar et al. [14] have presented an approach to detect anomalous activity in the network
with the help of detectors. It was done by generating a genetic algorithm and by testing the
Minkowski distance function with respect to Euclidean distance for the process of detection.
Additionally, formal concept analysis was applied to the dataset that contains only the
selected features, to visualize the correlation between highly effective features. However,
this model failed to balance the sensitivity and specificity parameters, which in turn
minimized accuracy. Verma et al. [15] have investigated the prospects of using machine
learning classification algorithms against DoS attacks in order to secure IoT. Classifiers are
analyzed to measure the development of anomaly-based intrusion detection systems (IDS).
Datasets such as CIDDS-001, UNSW-NB15 and NSL-KDD were used, and Nemenyi and Friedman tests
were conducted statistically. A Raspberry Pi was used to compute the response time of the
classifiers. However, it failed due to its incapability to detect new attacks.
Alves et al. [16] presented a classification rule discovery algorithm that integrates
artificial immune systems and fuzzy systems. This algorithm contains two sections: a rule
evolution procedure and a sequential covering procedure. Every antibody works with respect to
a classification rule, and its antigens consist of the fitness of the fuzzy rule depending on
the training set rather than its affinity between rules. It resulted that the process of
calculating the threshold for each rule with different datasets undergoes an issue of
addressing.
Kotov et al. [17] have presented an intrusion detection system using AIS. It used sequences
of call traces in the application system layer and a negative selection procedure for
detection. It showed a high range of performance, especially in local area networks, while the
AIS on every station work unitedly. However, this research exhibits only a few result
analyses, which were done for the selected data representation model. It failed to provide the
required accuracy range as a classification result. Anand et al. [18] have explored the
vulnerabilities in IoT and detected them using a multidimensional model. It provided an IoT
architecture and a task force protocol that suits open-source tools, with a dataset for the
proliferation of the research growth rate. This multidimensional model operated in assessment
techniques that followed a sustainability case and smart agriculture. However, resource
limitations lead to a low robust crypto algorithm.
Aldhaheri et al. [19] have developed a deep hybrid learning and dendritic cell algorithm in
the context of IDS. Adopting this framework of dendritic cells and a self-normalizing neural
network, it classified IoT intrusions and attempted to minimize false alarm generation.
However, it performed only signal categorization using SNN but unfortunately failed to
classify them due to noisy data and missing data. Raza et al. [20] have designed an IDS for
IoT that targeted routing attacks such as altered or spoofed data, selective forwarding and
sinkhole data. However, it extended to find other attacks that were implemented in the
Contiki OS and attempted to find malicious nodes. It used sinkhole and selective forwarding
techniques to compute attacks. However, severe logic was added to every node, increasing
memory consumption.
Aziz et al. [21] have presented an IDS to detect anomalous activity in the network using
detectors of genetic algorithms. It used Minkowski distance and Euclidean distance to give
better results, using the crowding niching technique applied on the NSL-KDD IDS test data set
under the selective category. It used threshold values that gave various results in various
cases; that the detectors produced bigger populations with maximum threshold values was a
severe drawback. Lopez Martin et al. [22] have presented a technique for NTC depending on a
deep learning model combination utilized for IoT traffic, training the models using
high-level header-based data extracted from packets. It is required to rely on IP address and
payload data that are probably confidential and encrypted using deep learning architectures
with a source of a wide range of models. However, it required variants of classifiers to
perform better. Sudqi Khater et al. [23] have presented a lightweight that exploits the
attacks based on these datasets. However, these applications still require improvements in
the field of backpropagation to attain the required performance measures.

3 Proposed Model

The AIS-based model integrates the incoming signals in the network, pre-processes them, and
categorizes them into normal and danger-based signals. These danger-based signals are
categorized in the network layer, whereas in the application layer the signals are analyzed
for positive or negative selection values. An optimal solution is developed as a
multi-objective optimisation model by detecting any abnormal behaviour related to delaying the
performance of consuming resources. This framework consists of three main steps termed
feature selection, signal categorization and false positive alarm rate through optimization.
The overall architecture of the AIS based IR model is given in Fig. 1.

Fig. 1  Schematic diagram of Proposed AIS-IDS model

The proposed model uses machine learning techniques to classify online network data based on
a set of essential features. Features are used for classification in the AIS approach, as it
is the most effective one over ICPA attack in IoT; it thus predicts intruder packets by
adaptive learning and has a robust set of parameters for initialization. The research
methodology works in three phases: pre-processing, classification, and protection.
In the case of IoT security, isolating industrial networks and IT networks have emerged to
fill the gap between IT technologies in the free space model. In order to increase the
accessibility between this limited connection area and abuse these models in an easier and
wide range. Scale and accessibility caused a major concern due to the operational field and
also its properties. Some basic security elements of network security are as follows. Network
resources are always required to be available for the utilization of authorized persons, and
they are secured from any threat with respect to their presence in the network. Data should
be accessible only by the respective system or admin. The consistency and accuracy of the
data should be maintained so that it is utilized only by authorized persons; similarly, it is
secured against threat upon requirement. Every element is the base of one requirement:
ensuring that the system avoids a single point of failure due to attacks in the network, and
that unique information is not exposed to other persons.

3.1 Artificial Immune Systems

AIS was developed with inspiration from the human immune system. It is error tolerant,
decentralized, adaptive and robust. It has assigned cells that undertake various tasks, which
results in mimicking algorithms of differing levels of complexity that accomplish a range of
tasks. Various AIS models have been used for pattern recognition, computer security, fault
detection and other applications. A number of algorithms have been used to design AIS system
models; in this proposed model, the negative selection approach is used. T-cells are selected
during their maturation in the system. In the human immune system, T-cells are white blood
cells termed lymphocytes, and by generating T-cells, an immature period to study antigen
recognition resulted in death. Regarding T-cells, they require activation for developing the
ability to eliminate pathogens excited to a sample of its own antigens. They were analyzed or
tested in defence of self-antigens and non-self-antigens get eliminated until they are mature.
While dangerous cells get within the organism, its immune system gets activated and also
executes the immune response. By medicating with Lymphocytes, adaptability for the response of
the immune system that is responsible for removing and predicting the pathogenic agents. The
capacity of lymphocytes is their ability to defend against foreign cells. Rather it starts to
eliminate lymphocytes. This execution is termed negative selection, which inspired the
negative selection algorithm detailed here.

3.1.1 Negative Selection Algorithm

It was developed by inspiration from the acquired immune system in mammals, owing to its
self/non-self discrimination behaviour. In this proposed model, the negative selection
algorithm is used with the fundamental objective of discriminating between non-self and self
objects S, within an analogy that does not give importance to the mechanism, and its
detectors emulate T-cells, which is a function of the theory of censoring. A selection of
lymphocytes designed in the thymus eliminated T cells as they are blind at the severe stage or
mostly self-major. The steps in the negative selection scheme act as a censoring mechanism
that creates objects termed receptor strings, referred to as rc, which are placed in a
repertoire set termed R. Conducting this negative selection algorithm leads to consideration
with respect to rules that failed in matching for various objects in P. In the second step,
this function was monitored, and its whole set R was calculated by the selection of strings S
from P, completed by a stochastic technique.
By defining the probability with respect to two string matches within a probability to
calculate maximum failure of detection rather than errors that are selected as a false
negative, in order to choose improper estimation for the number of receptor strings and also
count of detectors. The basic idea behind a negative selection algorithm is to generate a few
detectors in the complementary set N and then use these detectors to classify new data as
self or non-self. Negative selection algorithms are commonly used in AIS research and have had
a few improvements over time. The negative selection approximation is seen here to help the
whole negative selection work.
Given a shape-space $\Sigma^L$ and a self-set $S \subset \Sigma^L$, define the non-self-set
$N \subset \Sigma^L$ to be the complement $N = \Sigma^L \setminus S$, so that
$\Sigma^L = S \cup N$ and $S \cap N = \emptyset$.
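
The censoring and monitoring steps described above can be sketched as follows. This is an added example, not code from the paper: the binary shape-space of length 10, the r-contiguous matching rule with r = 5, the constructed self strings and all function names are assumptions, since the page does not name a matching rule or an encoding.

```python
import random

L = 10  # string length of the shape-space Sigma^L (assumed for this example)
R = 5   # r-contiguous matching threshold (assumed; the page names no rule)

# Constructed self set S: binarised feature strings standing for normal traffic.
SELF = ["0000000000", "0001100000", "0100000100", "0000010010"]


def matches(a, b, r=R):
    """r-contiguous rule: True when a and b agree on r adjacent positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set, length=L, r=R, limit=None, seed=1):
    """Censoring step: keep random candidates that match no self string."""
    rng = random.Random(seed)
    # Candidates are visited in random order without replacement, so with
    # limit=None the repertoire holds every valid detector in Sigma^L.
    order = rng.sample(range(2 ** length), 2 ** length)
    repertoire = []
    for value in order:
        candidate = format(value, "0{}b".format(length))
        if any(matches(candidate, s, r) for s in self_set):
            continue  # matches self: censored, like a self-reactive T-cell
        repertoire.append(candidate)
        if limit is not None and len(repertoire) >= limit:
            break
    return repertoire


def classify(sample, repertoire, r=R):
    """Monitoring step: any detector match marks the sample as non-self."""
    for detector in repertoire:
        if matches(sample, detector, r):
            return "non-self"
    return "self"


def detection_rate(samples, repertoire, r=R):
    """Fraction of samples flagged as non-self by the repertoire."""
    flagged = sum(1 for s in samples if classify(s, repertoire, r) == "non-self")
    return flagged / len(samples)


if __name__ == "__main__":
    detectors = generate_detectors(SELF)
    print(len(detectors), "detectors survive censoring")
    for probe in SELF + ["1111111111", "1110111011"]:
        print(probe, classify(probe, detectors))
```

Because detectors are censored against S only, a sample that is close to but not in S may still be flagged; the size and coverage of S set the false alarm rate.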

3.1.1.1 Pre-processing phase In this phase, the packet information between the source and
destination of the network is captured and pre-processed to find any intrusion actions. The
signals are captured within a certain period of time within the header and stored as a record.
The received package and its credentials are processed in this phase. In this pre-processing
phase, the framework consists of two processes: feature selection and signal categorization.
Feature selection can be adapted to Information Gain (IG) as a measure: after a value for a
feature has been seen, learning achieves a reduction in the entropy of variable F. It is then
used to rank features. The feature that has high IG is ranked with a higher power in the
classification process. It can be obtained by Eq. (1):

$$IG(S) = E(F) - \sum_{v \in values(S)} \frac{|F_v|}{|F|} * E(F_v) \qquad (1)$$

In this equation, IG is the gain, and values(S) symbolizes all possible values of an
attribute S. Additionally, $F_v$ is the subset produced by partitioning S depending on
feature F, and E(F) is the entropy, calculated as given in Eq. (2)


i=2

Entrophy (F) = 𝜋 ∗log (2)
i=1 2

Each module is assigned to select an attribute for the specific signal category. Signal
categorization is done as follows: a safe signal is a signal that indicates the presence of
normal behaviour or non-attack situations, and a danger signal is a signal that indicates the
presence of anomalous or attack situations. To classify these signals based on their
behaviour, a neural network termed the Hopfield Neural Network (HNN) was implemented and
executed for signal classification, as discussed in the next section.

3.1.1.2 HNN signal Classification phase HNN is the simplest and shortest neural network.
HNN is a fully interconnected one-layer self-associating network, with every neuron connected
in a single layer without any hidden layers. HNNs are typically used for problems of binary
vector grading. The Hopfield network generates data or pattern vectors that match the various
groups. These vectors are, therefore, class models. In this classification phase, each
recorded data item is classified as normal or attack data. Pre-processed data are classified
using the Hopfield Neural Network (HNN), and Fast Particle Swarm Optimization (F-PSO) is used
to enhance the classification by optimizing the weights. Conditions are applied to classify
the data as normal or attack data. HNN must be trained using an anomaly amount of data for the
appropriate classification. Classification can be done based on features or conditions
according to the attacks that ruin the routing packets’ disruption. HNN classifies the
signals as shown in the following steps.

• HNN operates with binary values, and all the obtained packet values are converted to a
one-dimensional array and binarized.
• By initializing the range to the array and setting the threshold value, this binarisation
takes place.
• The resulting binary one-dimensional vectors generate patterns to calculate the weight
matrix.
• The weight matrix is optimally selected using the F-PSO optimization technique.
• Classification in HNN is an iterative process of changing the state of network neurons,
and the classified vector must be in the closest form obtained from the training set.

By applying the set of specific conditions or training using a large set of features,
classification is done on the testing side. A classification result of normal is saved to the
log file and sent to the protection phase. Attack packets are classified and eliminated using
a blocking strategy. In this training phase, a training unit built from HNN has supervised
learning with the optimal fixing of weight to improve its performance. HNN behaves as a
classifier and was then marked with attack types (DDOS, BotNet, IoTBot and Normal). Extracted
features are then given as data patterns to compute which data pattern contains labels.
Checking whether the marked data pattern is normal or anomalous, send this signal that was
classified as normal to the HNN unit and anomalous are left over. Data pattern that was
labelled anomalous is used to train the HNN unit. The output of the training phase is
collected anytime to expand them as a set of vectors of intrusion detection. The network of
HNN consists of fully connected neurons with zero self-connection: every neuron is linked
with the other (n − 1) neurons rather than with itself.
The net connection is symmetric: the interconnection $W_{ij}$ between neuron i and neuron j
has the same weight value in both directions, and the elimination of self-connection is
termed permanent feedback for its self-value. For a network of n neurons, the HNN holds
values $x_i$, $i \in \{1, \ldots, n\}$. The learning patterns for the HNN are stated as
$X^1, \ldots, X^k$, giving k patterns. Each neuron is linked with the other neurons via a
symmetric weight matrix W of dimension n. In the primary stage of the network, the weights
are set to a minimum value of zero. For every presentation, the pattern that is read, termed
$X^\mu$, updates the weights with the help of the F-PSO optimization algorithm. Every neuron
of the HNN undergoes the activation function F(x), stated as

$$y(t) = F(h) = \operatorname{sgn}(h) = \begin{cases} 1 & h > 0 \\ y(t-1) & h = 0 \\ 0 & h < 0 \end{cases} \qquad (3)$$

In Eq. (3), h is the activity of the neuron, defined as a weighted sum of inputs. Given a
distorted pattern, the network hopefully converges to one of the learned patterns through
this activation function. In this function, $h = We^{T}$.

Weight evaluation:

$$W_{ij} \leftarrow W_{ij} + \frac{x_i^{\mu} x_j^{\mu}}{n}, \quad i, j = \{1, \ldots, n\} \text{ and } i \neq j \qquad (4)$$

In Eq. (4), $x_i^{\mu}$ and $x_j^{\mu}$ denote the ith and jth components, respectively, of
the $\mu$th pattern $X^{\mu}$. For k patterns, the weight can be represented in matrix form as

$$W = \frac{1}{n}\left(X X^{T} - kI\right) \qquad (5)$$

Equation (5) is the matrix form of the weight equation; here, I is the identity matrix of
dimension n × n, and the term kI represents all self-connection terms. To optimize the
weights, F-PSO optimization was included to enhance the performance of HNN. Since W has been
fixed by the optimization so that each x(m) is a local minimum of the energy, the output of
the Hopfield network is ideally one of the trained activation patterns. The utility of such a
memory system is clear, and the Hopfield network has been directly employed.
The energy of a neuron i at time t is

$$E(i,t) = -\frac{1}{2}\, u(i,t)\, y(i,t) \qquad (6)$$

$$= -\left(\sum_{j=1}^{N} \omega_{ij}\, y(j,t) - \theta_i\right) y(i,t) \qquad (7)$$

Total energy is

$$\begin{aligned}
E(t) &= \sum_{i=1}^{N} E(i,t) \\
&= -\sum_{i=1}^{N}\left(\frac{1}{2}\sum_{j=1}^{N} w_{ij}\, y(j,t) - \theta_i\right) y(i,t) \\
&= -\frac{1}{2}\sum_{i=1}^{N}\sum_{j=1}^{N} w_{ij}\, y(j,t)\, y(i,t) + \sum_{i=1}^{N} \theta_i\, y(i,t)
\end{aligned} \qquad (8)$$

A network has a global energy function, and an appropriate network has rules that make this
energy function converge to a minimum value. Updating is done through these rules. This HNN
training facilitates a lot of improvement to enhance the system's intrusion detection. It was
also optimized using the F-PSO algorithm; thus, back-propagating properly recognizing the
malicious signals is guaranteed.
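
The binarisation, weight rule of Eq. (4), update rule of Eq. (3) and total energy of Eq. (8) can be put together as below. This is an added example, not the authors' implementation: it uses plain Hebbian weights without the F-PSO step, encodes the low state as -1 rather than the 0 written in Eq. (3) (the usual bipolar convention, an assumption here), and the 8-feature patterns, threshold and function names are constructed for illustration.

```python
def binarise(values, threshold=0.5):
    """Map raw feature values to bipolar states: +1 above threshold, else -1."""
    return [1 if v > threshold else -1 for v in values]


def train(patterns):
    """Hebbian weights, Eq. (4): W_ij += x_i x_j / n for i != j (zero diagonal)."""
    n = len(patterns[0])
    w = [[0.0] * n for _ in range(n)]
    for x in patterns:
        for i in range(n):
            for j in range(n):
                if i != j:
                    w[i][j] += x[i] * x[j] / n
    return w


def energy(w, y, theta=None):
    """Total energy, Eq. (8): -1/2 sum_ij w_ij y_j y_i + sum_i theta_i y_i."""
    n = len(y)
    theta = theta or [0.0] * n
    pair = sum(w[i][j] * y[j] * y[i] for i in range(n) for j in range(n))
    return -0.5 * pair + sum(theta[i] * y[i] for i in range(n))


def recall(w, probe, max_sweeps=20):
    """Asynchronous updates with the rule of Eq. (3) until no neuron changes."""
    y = list(probe)
    for _ in range(max_sweeps):
        changed = False
        for i in range(len(y)):
            h = sum(w[i][j] * y[j] for j in range(len(y)))
            new = 1 if h > 0 else (-1 if h < 0 else y[i])  # h == 0 keeps y(t-1)
            if new != y[i]:
                y[i], changed = new, True
        if not changed:
            break
    return y


def classify(w, labelled, raw_values):
    """Binarise, recall, then return the label of the closest stored pattern."""
    state = recall(w, binarise(raw_values))

    def hamming(pattern):
        return sum(a != b for a, b in zip(pattern, state))

    label = min(labelled, key=lambda name: hamming(labelled[name]))
    return label, state


# Constructed class patterns for 8 binarised packet features (not from a dataset).
NORMAL = [1, 1, 1, 1, -1, -1, -1, -1]
ATTACK = [1, -1, 1, -1, 1, -1, 1, -1]
LABELLED = {"normal": NORMAL, "attack": ATTACK}
WEIGHTS = train([NORMAL, ATTACK])

# Constructed raw record: the attack pattern with its first feature distorted.
NOISY_ATTACK = [0.4, 0.1, 0.8, 0.2, 0.7, 0.3, 0.9, 0.1]

if __name__ == "__main__":
    start = binarise(NOISY_ATTACK)
    label, state = classify(WEIGHTS, LABELLED, NOISY_ATTACK)
    print("energy before:", energy(WEIGHTS, start))
    print("energy after: ", energy(WEIGHTS, state))
    print("classified as:", label)
```

The distorted record starts at energy -1.5 and settles on the stored attack pattern at -3.0, which is the convergence to a minimum that the paragraph above describes.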

3.1.1.3 F-PSO Optimization algorithm PSO is viable for low-dimensional function optimization
problems because the initial particles in PSO are distributed evenly over the search area.
However, because of the mutual constraint of each dimensional element, the estimate for
certain high-dimensional function optimization problems can become stuck in local minima, and
a particle's best position may not change over a number of iterations. The algorithm has a
tough time getting away from the local minima, so the solution cannot be found. The
fundamental PSO can converge quickly, but it cannot escape local minima without difficulty.
To address this concern, this paper makes the following enhancements.
When the particle swarm updates from generation t to t + 1, apart from following pbest and
gbest, a particle may also follow $P_{md_i}$, which is chosen from the particle swarm. The
third parameter $P_{md}$ of the ith particle, used in the velocity equation, is generated
using the mean dimension of N particles.

$$P_{md} = \left(X^{1} + X^{2} + \cdots + X^{k}\right)/k \qquad (9)$$

Velocity $V_{ij}$ is represented by

$$\begin{aligned}
V_{ij}(t+I) = {} & w V_{ij}(t) + c_1 \cdot rand_1 \left(pbest_{ij}(t) - x_{ij}(t)\right) \\
& + c_2 \cdot rand_2 \left(gbest_{j}(t) - x_{ij}(t)\right) + c_3 \cdot rand_3 \left(P_{md_i}(t) - x_{ij}(t)\right)
\end{aligned} \qquad (10)$$

In Eq. (10), the average best learning factors are $c_1$, $c_2$ and $c_3$, and $rand_1$,
$rand_2$ and $rand_3$ are random vectors within the range [0, 1]. By involving $P_{md_i}$ in
the velocity formula, pbest and gbest are able to provide details to the next generation
together and maximize the amount of detail. Hence, the optimal solution is quickly reached.
Similarly, the proposed weight coefficient is small, equal to shared information that
increased particle diversity.
Algorithm steps:

• Generate random initial weight values with respect to position and velocity for each
particle.
• Evaluate the fitness function for each weight value matrix, and analyze whether the fitness
is smaller than the previous best fitness. If not, then update the weight value.
• For each iteration, generate a new particle t with respect to Eq. (8).
• Update the weight values with respect to Eq. (9).
• Compare t with the best fitness value and select the one with smaller fitness to be the
offspring.
• Generate the next generation according to the above evolutionary selection strategy and
terminate the iteration if the condition is satisfied; if it is unsatisfied, repeat the
iterations until the weight values are obtained.

Particles move in the search space to reach the best solution and are connected to their
neighbours. Generally, the particle velocity update is given through the equation below

$$X_i^{t+1} = X_i^{t} + V_{ij}(t+I) \qquad (11)$$

In Eq. (10), $X_i^{t}$ is the new position achieved by the particle, and I is the position of
the particle it reached before computing. Detectors are generated and trained to detect
intrusions during the detector-generation step. In the detector’s training process, the
proposed algorithm employs PSO.
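
The three-term velocity update of Eq. (10), the swarm mean of Eq. (9) and the position update of Eq. (11) look like this in code. This is an added example, not the authors' implementation: the page does not define the fitness used for the HNN weights, so a constructed stand-in objective (squared distance to a made-up target weight vector) is used, and the coefficient values, bounds and function names are assumptions.

```python
import random

# Constructed stand-in for the unknown HNN fitness: a made-up "ideal" weight
# vector and the squared distance to it (smaller is better).
TARGET = [0.25, -0.25, 0.0, 0.25]


def fitness(weights):
    return sum((w - t) ** 2 for w, t in zip(weights, TARGET))


def mean_position(positions):
    """Eq. (9): P_md = (X^1 + ... + X^k) / k, computed per dimension."""
    k = len(positions)
    return [sum(column) / k for column in zip(*positions)]


def fpso(fit, dim, n_particles=20, iters=100, w=0.6,
         c1=1.0, c2=1.0, c3=0.5, bounds=(-5.0, 5.0), seed=7):
    """Minimise fit with PSO plus the mean-position attraction term."""
    rng = random.Random(seed)
    lo, hi = bounds
    x = [[rng.uniform(lo, hi) for _ in range(dim)] for _ in range(n_particles)]
    v = [[0.0] * dim for _ in range(n_particles)]
    pbest = [p[:] for p in x]
    pbest_fit = [fit(p) for p in x]
    g = min(range(n_particles), key=pbest_fit.__getitem__)
    gbest, gbest_fit = pbest[g][:], pbest_fit[g]
    history = [gbest_fit]  # best fitness after each generation

    for _ in range(iters):
        pmd = mean_position(x)  # third attractor, shared by the whole swarm
        for i in range(n_particles):
            for j in range(dim):
                r1, r2, r3 = rng.random(), rng.random(), rng.random()
                # Eq. (10): inertia + personal best + global best + swarm mean
                v[i][j] = (w * v[i][j]
                           + c1 * r1 * (pbest[i][j] - x[i][j])
                           + c2 * r2 * (gbest[j] - x[i][j])
                           + c3 * r3 * (pmd[j] - x[i][j]))
                x[i][j] += v[i][j]  # Eq. (11): position update
            f = fit(x[i])
            if f < pbest_fit[i]:
                pbest[i], pbest_fit[i] = x[i][:], f
                if f < gbest_fit:
                    gbest, gbest_fit = x[i][:], f
        history.append(gbest_fit)
    return gbest, gbest_fit, history


if __name__ == "__main__":
    best, best_fit, trace = fpso(fitness, dim=len(TARGET))
    print("initial best fitness:", trace[0])
    print("final best fitness:  ", best_fit)
    print("best weights:", [round(b, 4) for b in best])
```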

3.1.1.4 Detection phase This phase uses HNN as a classifier to enhance intrusion detection;
it maximizes the average classification rate and reduces the false positive rate. Vector
samples are obtained from the environment and compared to the collection of vectors from the
training and clustering phases. In the detection phase, the steps are: comparing new vectors
from test data with a group created by the union of key cluster vectors, which is done by the
F-PSO based HNN model, and identifying the type of the current attack by the major training
types of attack. Phases of these attacks gave required data in the essential form to
similarly other phases that were together to reach the main goal, and it predicts the type of
intrusion. It was then updated using the F-PSO model due to its portioned form. During the
processing of a signal, combined signals generate intermediate output values termed K and
csm. The value K is a measure of attack or any abnormal behaviour of the algorithm. On the
other hand, csm is the value of the concentration of the whole signal that a cell is exposed
to in its lifetime. In AIS, a cell exhausts its own life that would move and be ready to
categorize all antigens gathered throughout its previous existence; categorization was done
as normal or abnormal during this time period. Furthermore, safe signals are compared against
risk signals in order to arrive at a conclusion that gives the csm value. Hence, K is
obtained by eliminating danger signals twice. It can be given as

$$K = DS_i - 2SS_i \qquad (12)$$

In Eq. (12), D represents the danger signal, and S represents the safe signal. With respect
to the term lifespan of a classifier to collect all the signal environments and analyze them
in the pre-processing phase, it was done in the migration of lymph nodes. The total of
concentrations is smaller than the value of lifetime by stopping and subtracting the signals
over time. The lifetime of the network gets decreased as shown in the following equation

$$N_L = N_L - \left(DS_i + SS_i\right) \qquad (13)$$

Once all data has been collected, the metric T, or mature background antigen value,
can be calculated using the cell production from the run-time procedure. The value is

13
Network Based Detection of IoT Attack Using AIS‑IDS Model 1553

determined for each antigen of type a, where the symbol a represents a group of antigens
that all have the same value. With respect to antigens generated, the measure of malicious
nodes are mature content antigen value obtained from the output of the cell, and it can be
given as
AM
AT =
Ag (14)

In this Eq. (14), $A_T$ represents antigen of collection, $A_M$ is the number of mature
antigens and $A_g$ is the total quantity of antigen presented for the collection of antigen.
Probabilistic metric values between zero and one are calculated for cell increase, and the
classification rule was applied as given in Eq. (12)

$$f(x) = \begin{cases} \text{Malicious}, & \text{if } A_T > \text{normal} \\ \text{Safe}, & \text{otherwise} \end{cases} \tag{15}$$
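The signal processing of Eqs. (12)–(15), written out as an added Python example that is not code from the paper. It assumes Eq. (13) means each cell's lifetime budget N_L is reduced by DS_i + SS_i per record (as the surrounding text describes), treats source IPs as antigen types, and uses 0.5 for the "normal" threshold; the flow records and all names are constructed.

```python
from collections import defaultdict

ANOMALY_THRESHOLD = 0.5  # assumed stand-in for "normal" in Eq. (15)

# Constructed records: (antigen = source IP, danger signal DS_i, safe signal SS_i).
# 192.0.2.10 only appears in quiet traffic, 198.51.100.7 only during a flood,
# 192.0.2.20 appears once in each period.
STREAM = [
    ("192.0.2.10", 1, 4), ("192.0.2.10", 1, 4), ("192.0.2.10", 0, 5),
    ("192.0.2.20", 1, 4), ("192.0.2.10", 1, 4), ("192.0.2.10", 0, 5),
    ("198.51.100.7", 6, 0), ("198.51.100.7", 5, 1), ("192.0.2.20", 6, 0),
    ("198.51.100.7", 6, 0), ("198.51.100.7", 5, 1), ("198.51.100.7", 6, 0),
]


class Cell:
    """One dendritic cell: a lifetime budget, a running K and sampled antigens."""

    def __init__(self, lifetime):
        self.lifetime = lifetime
        self.reset()

    def reset(self):
        self.budget = self.lifetime  # N_L still to be spent
        self.k = 0                   # accumulated K, Eq. (12)
        self.antigens = []           # antigens sampled during this life


def antigen_scores(stream, lifetimes=(10, 15, 20)):
    """Return A_T = A_M / A_g (Eq. 14) for every antigen type in the stream."""
    cells = [Cell(n) for n in lifetimes]
    mature = defaultdict(int)     # A_M: presentations made in a mature context
    presented = defaultdict(int)  # A_g: all presentations

    def migrate(cell):
        # A cell whose accumulated K is positive presents its antigens as mature.
        is_mature = cell.k > 0
        for antigen in cell.antigens:
            presented[antigen] += 1
            mature[antigen] += is_mature
        cell.reset()

    for i, (antigen, ds, ss) in enumerate(stream):
        # One cell samples the antigen; every cell sees the signals.
        cells[i % len(cells)].antigens.append(antigen)
        for cell in cells:
            cell.k += ds - 2 * ss   # Eq. (12)
            cell.budget -= ds + ss  # assumed reading of Eq. (13): spend csm
            if cell.budget <= 0:
                migrate(cell)
    for cell in cells:              # flush cells still alive at end of input
        migrate(cell)
    return {a: mature[a] / presented[a] for a in presented}


def classify(scores, threshold=ANOMALY_THRESHOLD):
    """Eq. (15): Malicious only when A_T is strictly above the threshold."""
    return {a: ("Malicious" if s > threshold else "Safe") for a, s in scores.items()}


if __name__ == "__main__":
    scores = antigen_scores(STREAM)
    for ip, label in classify(scores).items():
        print(f"{ip:15s} A_T={scores[ip]:.2f} {label}")
```

Different cell lifetimes make each antigen's context span a different window of records, which is why the address seen in both periods ends at exactly 0.5 and stays on the safe side of the strict inequality.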

To make a determination during the identification process, input traffic must be matched
to usual and irregular records. This method produces two major groups of antibodies to
decrease the amount of memory available to hold normal and aberrant data. There are two
sorts of data to differentiate in general: regular and harmful data. As a consequence of
comparing input traffic to examples from all classes, standard documents must be saved.
Positive antibodies are recommended as a way to minimize the amount of memory needed
to retain normal samples while also speeding up detection. In the dataset, each positive
antibody replaces multiple regular samples, and each negative antibody replaces several
attack samples.

3.1.1.5 Protection Phase In the protection phase, the stored data classified as normal is
analyzed for its sender IP address. In the same way, the attacker’s IP address is found and
blocked; additionally, all the packets received from the attacker’s IP are dropped. As the criteria
used to create the AIS detectors, the final answer was a collection of rules expressed as people
with low and high limits for each dimension. This phase finally enhances the security
level and decreases the risk of an intruder getting hold of data during transmission.
Detectors, after undergoing the maturation phase, by presenting them with normal links
towards identifying them with any match as they are denoted as malicious signals that get
broken towards other elements that get permanent and leftover as deactivated. While analyz-
ing their future lifetime, these mature detectors are got to find any match as they exceed a
threshold value for malicious signals to be activated. Anomaly detection then gives human
error as if their upcoming signals were true anomaly found or not. Whether declared as yes,
then the detectors promote memory values with long lifetime value that has lower contrast.
The idea of bogus alerts along with negative deficient choices indicated as bogus nega-
tives rather than left with interruptions as positive selections were identified as bogus posi-
tive alerts. The inclination between the two for this situation is probably going to be issue
explicit. A danger sign may then be deciphered as a vital piece of information that has been
discovered. As a result, those antibodies that fit information that is close to this important
snippet of data are activated.
Taking this idea a little forward, consider the hazard signal as a sign of client premium.
Based on this description, various scenarios in which the peril sign may be useful have
been calculated. Animated antibodies transform into effectors, and the resistant system
works out how to turn into a good medium when searching for other intriguing records.

Fig. 2 Flowchart of proposed AIS-IDS Model. Stages shown: Negative Selection Algorithm; Signal Capturing; Pre-processing; Information Gain; HNN F-PSO Classification; Intrusion Detection Phase; Recommendation; Protection Phase.

The basic part isn’t relevant here. However, fascinating records could be brought to the
client’s attention. Interestingly, the actual consumer ’interesting’ repository
may evolve over time, so it is critical that the security system changes in a timely manner
to an especially evolving sense of non-self. The flowchart of the proposed AIS-IDS model
is given in Fig. 2.

4 Experimental Results

In this section, simulation results for the performance evaluation are presented. The
proposed AIS-HNPSO model and existing classifiers are implemented on the Python
platform on an Intel® Core™ i-5 33330S CPU @ 2.70 GHz processor with 8.00 GB
memory and a 64-bit operating system. The proposed AIS-HNPSO model and previous
methods such as Recurrent Neural Network (RNN), Random Forest (RF) and K-Nearest
Neighbours (KNN) were executed, and the comparative results are presented.

4.1 Datasets

The proposed model is analyzed for its efficiency with three datasets, which are
described as follows.
The first dataset is a Bot-IoT dataset [24] that incorporates legitimate IoT network
traffic, including different types of attacks. Similarly, it presented a realistic test bed
environment for perusing complete network information, and accurate labelling was
enabled. The second dataset [25] has captured pcap files that are 69.3 GB in size
with higher than 72,000,000 records. Here, extracted flow traffic is in csv format that
was 16.7 GB in size. This dataset consists of DDoS, DOS and OS service scans, data
exfiltration and keylogging attacks, along with DOS and DDoS attacks depending on
the protocol used. Datasets [26] were collected as many cyber-attack events and normal
events from IoT networks. A testbed was developed at the IoT lab to link many virtual
machines, hacking platforms, fog platforms and physical systems. IoT sensors reflect the
complexity of industrial IoT and Industry 4.0 networks. Various hacking methods such
as DoS, DDOS and ransomware were launched against web applications, computer systems
and IoT gateways.

Table 1 Features from dataset

| Feature | Description |
|---|---|
| TnBPSrcIP | Total Number of bytes per source IP |
| TnBPDstIP | Total Number of bytes per destination IP |
| TnP_PSrcIP | Total Number of packets per source IP |
| TnP_PDstIP | Total Number of packets per destination IP |
| TnP_PerProto | Total number of packets per protocol |
| TnP_Per_Dport | Total number of packets per dport |
| AR_P_Proto_P_SrcIP | Average rate per protocol per Source IP (calculated by pkts/dur) |
| AR_P_Proto_P_DstIP | Average rate per protocol per destination IP |
| N_IN_Conn_P_SrcIP | Number of inbound connections per source IP |
| N_IN_Conn_P_DstIP | Number of inbound connections per destination IP |

4.2 Feature Selection

Feature selection is a critical step in improving the AIS-IDS performance by lowering
the computing cost and increasing the system’s accuracy. Table 1 shows a selection of
the best characteristics from the provided datasets. In this paper, the top ten characteristics
are used to gather data and to make a decision over the features that are most
important. Features such as TnBPSrcIP, TnBPDstIP, TnP_PDstIP and TnP_PerProto
are, furthermore, the most discriminative attributes. Others are considered as maximum
data gain of information that has little contribution to intrusion detection.
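One way to rank the Table 1 aggregates, as an added example that is not the paper's code: it derives three of the listed features from flow records and scores each by entropy-based information gain after a median split. The flow records, the median binarization and all function names are assumptions; the paper names Information Gain in its flowchart without giving the procedure.

```python
import math
from collections import Counter, defaultdict
from statistics import median

# Constructed flow records: (src, dst, proto, pkts, bytes, label); label 1 = attack.
FLOWS = [
    ("198.51.100.7", "192.0.2.1", "udp", 900, 54000, 1),
    ("198.51.100.7", "192.0.2.1", "udp", 950, 57000, 1),
    ("198.51.100.7", "192.0.2.1", "udp", 1000, 60000, 1),
    ("198.51.100.8", "192.0.2.1", "tcp", 800, 48000, 1),
    ("192.0.2.10", "192.0.2.1", "tcp", 12, 9000, 0),
    ("192.0.2.11", "192.0.2.2", "tcp", 20, 15000, 0),
    ("192.0.2.12", "192.0.2.2", "tcp", 15, 11000, 0),
    ("192.0.2.10", "192.0.2.3", "udp", 2, 300, 0),
]


def aggregate_features(flows):
    """Attach per-source, per-destination and per-protocol totals to each flow."""
    bytes_per_src = defaultdict(int)
    pkts_per_dst = defaultdict(int)
    pkts_per_proto = defaultdict(int)
    for src, dst, proto, pkts, nbytes, _ in flows:
        bytes_per_src[src] += nbytes
        pkts_per_dst[dst] += pkts
        pkts_per_proto[proto] += pkts
    return [
        {
            "TnBPSrcIP": bytes_per_src[src],
            "TnP_PDstIP": pkts_per_dst[dst],
            "TnP_PerProto": pkts_per_proto[proto],
            "label": label,
        }
        for src, dst, proto, _, _, label in flows
    ]


def entropy(labels):
    """Shannon entropy in bits; an empty partition contributes nothing."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values()) if n else 0.0


def information_gain(rows, feature):
    """H(label) - H(label | feature >= median); the median split is an assumption."""
    labels = [r["label"] for r in rows]
    cut = median(r[feature] for r in rows)
    high = [r["label"] for r in rows if r[feature] >= cut]
    low = [r["label"] for r in rows if r[feature] < cut]
    remainder = sum(len(part) / len(rows) * entropy(part) for part in (high, low))
    return entropy(labels) - remainder


def rank_features(rows):
    """Return (feature, gain) pairs, most informative first."""
    features = [name for name in rows[0] if name != "label"]
    gains = {name: information_gain(rows, name) for name in features}
    return sorted(gains.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, gain in rank_features(aggregate_features(FLOWS)):
        print(f"{name:14s} {gain:.4f} bits")
```

On this sample the per-destination and per-protocol totals score lower because benign flows share the victim's address and the flood's protocol, so a ranking like this is only as good as the traffic mix it is computed on.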

4.3 AIS‑IDS Model Based Classification

In this phase, initialization of population cell size up to a limit of 100 cells is included.
Antigens are a size array used to store antigens per iteration. Finally, the output set-
tings are set. For binary classification, build an input layer with six neurons equal to the
number of input characteristics, one hidden layer, and one output neuron. The model
was trained for 125 epochs, and the hidden layer contains neurons that encode thresh-
old decisions and translate characteristics into normalized interval signals. Thus hidden
layer might take decisions for threshold and sign for every feature, output neurons select
weight and sign per signal and thus yield signals within the interval. Once pre-process-
ing is completed, the model then performs the classification procedure (Table 2).

Table 2 Statistics of attacks in datasets

| Attack category | Attack type | Tool | Count |
|---|---|---|---|
| Information gathering | Service scanning | nmap, hping3 | 1,463,364 |
| | OS Fingerprinting | nmap, xprobe2 | 358,275 |
| Denial of Service | DDoS | hping3 | 19,547,603 |
| | | hping3 | 18,965,106 |
| | | golden-eye | 19,771 |
| | DDoS | hping3 | 12,315,997 |
| | | hping3 | 20,659,491 |
| | | golden-eye | 29,706 |
| Information theft | Keylogging | Metasploit | 1469 |
| | Data theft | Metasploit | 118 |

4.4 Evaluation Criteria

The performance of the classification model is evaluated from the confusion matrix that
depends on True Positive (TP), True Negative (TN), False Positive (FP) and False Negative
(FN). The efficiency of the proposed AIS-IDS system is evaluated based on performance
attained by feature extraction, classification rate, and similarity measurement. In this sub-
section, some of the major evaluation metrics like accuracy, precision, recall, and F-meas-
ure are adopted not only to validate the effectiveness of the proposed methodology but also
to show the stability of results. In order to demonstrate the effectiveness of the proposed
system clearly, different test metrics like Accuracy, precision, F1_Score, and Recall are
evaluated. The mathematical expressions are illustrated as follows.
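$$\text{Accuracy} = \frac{TP + TN}{TP + FP + FN + TN} \tag{16}$$

$$\text{Precision} = \frac{TP}{TP + FP} \tag{17}$$

$$\text{Recall} = \frac{TP}{TP + FN} \tag{18}$$

$$\text{F1-Score} = \frac{2 \times (\text{Precision} \cdot \text{Recall})}{\text{Precision} + \text{Recall}} \tag{19}$$
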
Based on the above mathematical notation (16–19), the performance of the proposed
and existing techniques is evaluated. Therefore, its performance analysis is offered in the
subsequent sections.
The proposed AIS-IDS is evaluated by evaluating performance indicators in various
assault scenarios (see Table 3). The results showed that AIS-IDS worked well in recognizing
various attack types, with DDoS/DoS assaults performing better, which might be
attributed to the quantity of data on this attack in the BoT-IoT dataset (Table 4).
Table 3 Performance evaluation metrics of attacks

| Attack | Accuracy (%) | Precision (%) | Recall (%) | F-Measure (%) |
|---|---|---|---|---|
| Dos | 99.8 | 99.5 | 98.53 | 99.012 |
| DDoS | 99.9 | 100 | 100 | 100 |
| Key logging | 99.10 | 98.88 | 98.22 | 98.54 |
| Normal | 98.8 | 99.01 | 98.9 | 98.95 |

From the graph, as shown in Fig. 3, it was visible that the proposed AIS-IDS model
performs better classification results compared to other classifiers. The recurrent network
exhibits better accuracy values but not up to the level of requirements, RF and KNN exhibit
less accuracy value due to their traditional classification sounds. The proposed model used
HNN based F-PSO optimized classification to enhance the performance of AIS in the IoT
network. From the above figure, it is clearly understandable that the accuracy obtained for
the AIS-IDS model is 98%. In contrast, existing techniques like Recurrent Neural Network
(RNN), Random Forest (RF) and K-Nearest Neighbours (KNN) attained lesser accuracy
measures such as 87%, 82% and 72%, respectively, for the IoT Bot dataset that was not
up to the desired level for the appropriate classification. Hence the proposed framework
achieves higher classification measures than existing approaches. Likewise, other measures
like F-measure, precision, and recall are evaluated for the AIS-IDS system, and it’s graphically
shown in the below graphs.
Error or loss function is measured by taking a number of irrelevant images obtained for
query input accessed from database images. As low error values are attained by the pro-
posed AIS-IDS, the proposed system was able to classify the most appropriate malicious
signals with respect to environmental signals. The present occurrence of the loss function
is 0.02 for the proposed method. It is more for previous models, and it can be given as 0.15
for RNN, 0.48 for KNN, and 0.26 for RF; hence proposed method leads to low error clas-
sification values.
From Fig. 4, it is understandable that error values for the AIS-IDS model are more min-
imum than other previously existing methods as an optimization technique was used to
select an optimal weight value for HNN in order to increase accuracy and minimize loss
values. While measuring False Positive Rate, the loss function is measured up to a value of
1.5 and KNN receipts high loss function measured during classification.
Measurement of retrieved safe signals to the test of the total signals is termed precision.
The graphical outcome of the precision measure is depicted in Fig. 5. Figure 5 examines
the outcome measure of the AIS-IDS model that gives 0.78 and existing RNN, RF and
KNN techniques 0.75. HNN technique evaluates 0.3 value, and KNN gives 0.72 value. RF
method exhibits a 0.75 value, and KNN shows a 0.39 value of precision. Hence, the com-
paratively proposed methodology exhibits high precision value than others.
The recall in intrusion detection classification can be defined as the measurement of
retrieved signals to the total obtained signals. The graphical representation of the recall
measure obtained is plotted in Fig. 6. Figure 6 deliberates the outcome of recall measures
attained by both proposed and existing methods. While recall obtained for the proposed
methodology is 0.85, that was comparatively higher than existing RNN, RF and KNN clas-
sifiers as they attain 1.8, 0.41, 0.6 and 0.35, respectively. Thus proposed model shows high
recall values than other previously existing methods.
Determining the statistical phase of the system and its measurement provides accuracy
with the model given through the F1 score. With maximum probability value of this
measurement by terming that recall and precision functions that were completed perfectly.
However, it is converted to 0 as there are leftover values in the recall and precision; by
measuring the combination of recall and precision, a specifically positive class that has
an interference as an average value for F1 score value that reached 1 and least as zero.
By measuring precision, as stated above, recall is computed as the ratio between values
of True Positives (TP) and False Negatives (FN). Measurement of a complete dataset is
termed recall which denotes the performance measure of the model specified in Figs. 7
and 8. Decreasing the F measure value denoted the decreasing self-measure value and also
increased the false positive rate. However, it is important to pick the nearest point to the
ideal, and the result is the best experiment with an efficient value in a radius of 0.03 and
also selecting the attack randomly along with normal data that create detectors. By conducting
a test of an algorithm for a corrected bot IoT dataset, one more parameter creates
detectors, as this is the number of detectors present. Euclidean distance for the spotted
points from 0 and 1 is presented in Table 3. A number of detectors for the effect of the false
and true positive rate. Measuring the specificity is termed as the rate of true negative for
the proportion range. By measuring the specificity that is denoted as the true negative rate
in the proportion rate of negatives that are predicted properly similar to the percentage of
normal signals that are selected as not specifying abnormal behaviour rules, and it has a
complementary ratio for true negative and true positive value as shown in Fig. 9 gives variation
in the specificity compared to the conventional ones that give maximum performance.

Table 4 Evaluation metrics result for classifiers

| Metric | AIS-IDS | RNN | RF | KNN | AIS-IDS | RNN | RF | KNN | AIS-IDS | RNN | RF | KNN |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Accuracy | 99.80% | 87% | 82 | 72 | 99.80% | 83.67% | 84 | 71 | 99.80% | 89.40% | 78 | 70 |
| Precision | 99.50% | 91 | 85 | 76 | 99.50% | 89 | 86 | 73 | 99.50% | 87 | 74 | 71 |
| Recall | 98.53% | 85 | 77 | 66 | 98.53% | 87 | 71 | 63 | 98.53% | 86 | 68 | 61 |
| Error | 0.01% | 0.12 | 0.213 | 0.33 | 0.01% | 0.22 | 0.234 | 0.41 | 0.02% | 0.155 | 0.22 | 0.3 |
| F1 Score | 99.80% | 71 | 61 | 56 | 99.80% | 71 | 61 | 56 | 99.80% | 68 | 61 | 51 |

Fig. 3 Accuracy evaluation for three datasets comparison with classifiers

Fig. 4 Error evaluation for three datasets comparison with classifiers

Fig. 5 Precision value for three datasets comparison with classifiers

Fig. 6 Recall value for three datasets comparison with classifiers

Fig. 7 F1_Score value for three datasets comparison with classifiers

Fig. 8 F1 measures the value for three datasets in comparison with classifiers
From the figure, it was understandable that for all the three datasets, the specificity of
the proposed model remains higher due to its optimal weight matrix convolution. At this
stage, RNN exhibits a specificity of 10% less than the AIS-IDS model. Similarly, the RF
classifier, due to its traditional classification property, exhibits a specificity value of 70%
to decrease up to 60% value for all three datasets. KNN classifier undergoes a specificity
value of 50–60% value that was due to its conventional theorem of classification.
Negative predictive value = d/(c + d) = 43,123/(32 + 4323) * 100 = (43,123/43155)*100
= 99.9%. That means that if you took this particular test and received a negative result, the
probability that it was not the malicious signal is 99.9%, as shown in Fig. 10.
From Fig. 10, it was understandable that NPR exhibited to high value for all three data-
sets than other conventional classifiers. AIS-IDS model proposed a high NPR value due to
its accurate classification principles. By implementing HNN as a classifier and selecting an
optimal weight using F-PSO, this NPR value reached high space. RNN classifier gives a
0.6–0.7 range of NPR, and RF gives a range of 0.6–0.5 for all three datasets. KNN classi-
fier accurately measured malicious signals with NPR values of 0.5–0.6 values.
From Fig. 11, it was understandable that FNR exhibited to high value for all three datasets
than other conventional classifiers. AIS-IDS model proposed a high FNR value due to
its accurate classification principles. By implementing HNN as a classifier and selecting
an optimal weight using F-PSO, this NPR value reached high space. RNN classifier gives
a 0.570–0.754 range of FNR, and RF gives a range of 0.100–0.150 for all three datasets.
KNN classifier accurately measured malicious signals with FNR values of 0.150–0.175
values.

Fig. 9 Specificity measurement of proposed and previous techniques

Fig. 10 Negative predictive value measurement of proposed and previous techniques

Fig. 11 False Negative Rate measurement of proposed and previous techniques
From Fig. 12, it was understandable that for minimum FPR value, AIS-IDS classifies the
signals accurately; thus, for all the three datasets, the FPR value obtained was that ranges
from 0.05–0.06, RNN classifier classifies with an accuracy of FPR rate of 0.08–0.10, RF
classifier with an accuracy of classifying malicious signals was a very low minimum of
appropriate level 0.15–0.17 value. KNN classifier values are very much high that decreas-
ing the accuracy of the system to a range of 0.15–0.25 values.

4.5 Overview of three classifiers and discussion of results

Overall, both binary and multiclass categorization is extremely accurate, according
to the findings. The data exfiltration measures were the smallest of all. The amount
of records used to train the model determines the training time; the more records, the
longer the training period; the datasets that took the longest to train were BoT IoT,
Keylogging, DDoS, and Normal traffic. Furthermore, fall-out values in binary classification
were extremely high, with the exception of the RNN and KNN models for the
fully-featured version of the dataset. This might be due to a number of factors, including
poor model optimization and the relatively small number of epochs utilized to speed
up the process. Table 3 shows the parameters that were selected for the three models.
The findings show that the proposed AIS-IDS can be used to train correct classifiers,
outperforming Recurrent Neural Networks and their permutation implementation. Furthermore,
models trained on the dataset’s 10-best attribute variant performed better than
the complete version.

Fig. 12 False Positive Rate measurement of proposed and previous techniques

5 Conclusion

AIS-IDS model initializes three datasets and then performs pre-processing to categorize
the signal into normal and abnormal signals. After pre-processing phase, the signals are
categorized using a trained HNN classifier. HNN classifier is trained in such a way that
of using backpropagation methodology with optimally selected weights with the help
of the F-PSO algorithm. This weight was then normalized and given to the neurons of
HNN, and HNN started classifying the signal as a normal or malicious one. This mali-
cious signal activates the function of the firewall to generate a false alarm rate. To mini-
mize this false alarm rate, a danger theory based model has been implemented, and thus
this model increased the activation function threshold and made the false alarm rate
to be minimum. Thus, the AIS-IDS model was suitable for real time applications with
99.8% accuracy and minimum error.

Funding There is no funding provided to prepare the manuscript.

Data availability statement There is no availability of data or materials available or report for the
manuscript.

Code availability No code is available for this manuscript.


Declarations
Conflict of interest There is no conflict of Interest between the authors regarding the manuscript preparation
and submission.

Ethical Approval This article does not contain any studies with human participants or animals performed by
any of the authors.

Consent to Publish There is no consent or any copyright needed to get concerns in the manuscript.

Consent to participate There is no consent to participate or any concerns in the manuscript.

Informal Consent Informed consent was obtained from all individual participants included in the study.

References
1. Verma, A., & Ranga, V. (2020). Machine learning based intrusion detection systems for IoT applications. Wireless Personal Communications, 111(4), 2287–2310.
2. Mrabet, H., Belguith, S., Alhomoud, A., & Jemai, A. (2020). A survey of IoT security based on a layered architecture of sensing and data analysis. Sensors, 20(13), 3625.
3. Kolias, C., Kambourakis, G., Stavrou, A., & Voas, J. (2017). DDoS in the IoT: Mirai and other botnets. Computer, 50(7), 80–84.
4. Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., Kallitsis, M. and Kumar, D. (2017) Understanding the mirai botnet. In 26th USENIX Security Symposium (USENIX Security 17), 1093–1110.
5. Vysakh, S. and Binu, PK (2020, August) IoT based Mirai Vulnerability Scanner Prototype. In 2020 Third International Conference on Smart Systems and Inventive Technology (ICSSIT), IEEE, pp. 97–101.
6. Meidan, Y., Bohadana, M., Mathov, Y., Mirsky, Y., Shabtai, A., Breitenbacher, D., & Elovici, Y. (2018). N-baiot—network-based detection of iot botnet attacks using deep autoencoders. IEEE Pervasive Computing, 17(3), 12–22.
7. Kambourakis, G., Kolias, C. and Stavrou, A. (2017) The mirai botnet and the iot zombie armies. In MILCOM 2017–2017 IEEE Military Communications Conference (MILCOM) (2017, October), IEEE, pp. 267–272.
8. Geenens, P. IoT Botnets. Botnets: Architectures, Countermeasures, and Challenges, pp.33
9. Qureshi, N.M.F., Siddiqui, I.F., Abbas, A. and Bashir, A.K. (2019) Pseudo diversion onto persistent IoT-botnet connectivity through data analytics. KSII The 14th Asia Pacific International Conference on Information Science and Technology (APIC-IST), 2019, 264–267.
10. Wang, Y., & Li, T. (2020). Local feature selection based on artificial immune system for classification. Applied Soft Computing, 87, 105989.
11. Li, D., Liu, S., Gao, F., & Sun, X. (2020). Continual learning classification method with new labeled data based on the artificial immune system. Applied Soft Computing, 94, 106423.
12. Li, J., Liu, Z. M., Li, C., & Zheng, Z. (2020). Improved artificial immune system algorithm for Type-2 fuzzy flexible job shop scheduling problem. IEEE Transactions on Fuzzy Systems, 29(11), 3234–3248.
13. Li, D., Liu, S., Gao, F., & Sun, X. (2021). Continual learning classification method with constant-sized memory cells based on the artificial immune system. Knowledge-Based Systems, 213, 106673.
14. Kumar, D.V., & Ramasamy, V. (2020). Improved intrusion detection classifier using cuckoo search optimization with support vector machine. ICTACT Journal on Soft Computing, 10(2), 2029–2034.
15. Verma, A., & Ranga, V. (2020). CoSec-RPL: Detection of copycat attacks in RPL based 6LoWPANs using outlier analysis. Telecommunication Systems, 75, 43–61.
16. Alves, M.R., Delgado, Lopes, H.S. and Freitas, A.A. (2004, September) An artificial immune system for fuzzy-rule induction in data mining. In: International Conference on Parallel Problem Solving from Nature, Springer, Berlin, Heidelberg, pp. 1011–1020.
17. Kotov, VD and Vasilyev, VI (2009, October) Artificial immune system based intrusion detection system. In: Proceedings of the 2nd international conference on Security of information and networks, pp. 207–212.
18. Anand, P., Singh, Y., Selwal, M., Alazab, T. S., & Kumar, N. (2020). IoT vulnerability assessment for sustainable computing: Threats, current solutions, and open challenges. IEEE Access, 8, 168825–168853.
19. Aldhaheri, S., Alghazzawi, D., Cheng, L., Alzahrani, B., & Al-Barakati, A. (2020). Deepdca: Novel network-based detection of iot attacks using artificial immune system. Applied Sciences, 10(6), 1909.
20. Raza, S., Wallgren, L., & Voigt, T. (2013). SVELTE: Real-time intrusion detection in the Internet of Things. Ad hoc networks, 11(8), 2661–2674.
21. Aziz, S., Hassanien, M. A., & Hanafi, S. E. O. (2012). Artificial immune system inspired intrusion detection system using genetic algorithm. Informatica, 36(4), 347–357.
22. Lopez-Martin, M., Carro, B., Sanchez-Esguevillas, A., & Lloret, J. (2017). Network traffic classifier with convolutional and recurrent neural networks for internet of things. IEEE Access, 5, 18042–18050.
23. Sudqi Khater, B., Wahab, A. W. B. A., Idris, M. Y. I. B., Hussain, M. A., & Ibrahim, A. A. (2019). A lightweight perceptron-based intrusion detection system for fog computing. Applied Sciences, 9(1), 178.
24. Nour Moustafa. The BOT-IOT Dataset. https://doi.org/10.21227/r7v2-x988
25. External Data Source. The BoT-IoT Dataset, DS-1296. https://doi.org/10.23721/100/1504338
26. Bruno Sous, Tiago Cruz, Vasco Pereira and Miguel Arieiro. Denial Of Service And Man In The Middle Attacks In Programmable Logic Controllers. https://doi.org/10.21227/mewp-g646

Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and
institutional affiliations.

Springer Nature or its licensor holds exclusive rights to this article under a publishing agreement with the
author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is
solely governed by the terms of such publishing agreement and applicable law.

Dr. R. Sabitha completed B.E (ECE) and M.E (COMMUNICATION
SYSTEMS) in Sri Krishna College of Technology, Coimbatore and
Kumaraguru college of Technology, Coimbatore in 1998 and 2004
respectively. She has 20 years of experience in teaching and research.
Currently she is working as Professor at Hindusthan college of Engineering
and technology, Coimbatore. Her areas of interest include
Wireless networks, IOT traffic distribution, Cognitive Radio Networks
and bandwidth slicing.

S. Gopikrishnan received his Ph. D from Anna University in Information
and Communication Engineering and he is currently working
as Assistant Professor in School of Computer Science and Engineer-
ing, VIT-AP University, Amaravathi. He received BE and ME degree
in Computer Science and Engineering from Anna University, Chen-
nai. His current research interests include algorithm design and analy-
sis for wireless ad hoc networks, wireless sensor networks, internet of
things and cyber physical system.

B. J. Bejoy is currently working as an Assistant Professor in the
Department of Computer Science and Engineering at CHRIST
(Deemed to be University) Bangalore. He completed his Ph.D. in
Banking Technology (An interdisciplinary in CSE and Banking) in
thesis titled “Co-operative framework for distributed intrusion detec-
tion using Artificial Immune System” from Pondicherry University in
2019. He completed his ME in Computer Science and Engineering
and BTech in Information Technology from Anna University Chennai
in 2008 and 2006 respectively. He is a Life Member of ISTE and a
member of IEEE. He has thirteen years of teaching and research expe-
rience. His current research areas include Artificial Immune System,
Intrusion Detection System, Wireless Sensor Networks, Hardware
Trojans Detection, Big Data Analytics and Software Defined
Networking.

Dr. V. Anusuya is working as Associate Professor in the Department of
Computer Science and Engineering, Ramco Institute of Technology,
Rajapalayam, Tamilnadu, India. She received her Bachelor degree in
Computer Science and Engineering from Dr. Sivanthi Aditanar col-
lege of Engineering in 1999 and her Master’s Degree from Govern-
ment College of Engineering, Tirunelveli in 2006 and she received
Ph.D degree in Medical Image Processing from Anna University,
Chennai in 2020. She has Published over 30 Technical papers in
International Journals, International/ National Conferences. Her Cur-
rent research includes Data Science, Augmented Reality, Deep Learn-
ing. She is a Life member of Indian Society for Technical
Education(ISTE) and Annual member of ACM.

Dr. V. Saravanan is currently working as an Associate Professor in
the department of Computer Science, College of Engineering & Technology,
Dambi Dollo University, Oromia Region, Ethiopia. He was
born on March 15th 1983 at Krishnagiri, Tamilnadu, India. He
obtained his Master of Engineering degree in Computer Science and
Engineering from Anna University, Chennai with Distinction. He
received his Ph.D degree from Anna University, Chennai, in Mobile
Communication. His areas of specialization include Mobile Comput-
ing, Wireless Networks and IOT, Web Usage Mining, Data Struc-
tures, Design and Analysis of Algorithm. He has published
30 + papers in International Journals and Conferences. He has more
than 15 years of Teaching and Research Experience.
