Hindawi

International Journal of Intelligent Systems Volume 2023, Article ID 2039217, 16 pages

https://doi.org/10.1155/2023/2039217

Research Article
Optimization Enabled Deep Learning-Based DDoS Attack Detection
in Cloud Computing
S. Balasubramaniam, C. Vijesh JoeT. A. Sivakumar, A. Prasanth, K. Satheesh Kumar, V. Kavitha,5and
Rajesh Kumar Dhanaraj 1 Department of Futures Studies, University of Kerala, Thiruvananthapuram, Kerala, India 2 School of
Computer Science and Engineering, Vellore Institute of Technology, Vellore, Tamilnadu, India 3 Faculty of Engineering and Technology,
Villa College, Male’, Maldives 4
Department of ECE, Sri Venkateswara College of Engineering, Sriperumbudur, Tamilnadu, India 5
Department of Computer Science and Engineering, University College of Engineering, Kanchipuram, Tamil Nadu, India 6
Department of Computer Science and Engineering, Galgotias University, Greater Noida, Utter Pradesh, India

Correspondence should be addressed to S. Balasubramaniam; baluttn@gmail.com and T. A. Sivakumar;

sivakumar.thankaraj@villacollege.edu.mv

Received 8 November 2022; Revised 1 February 2023; Accepted 4 February 2023; Published 20 February 2023

Academic Editor: Lianyong Qi

Copyright © 2023 S. Balasubramaniam et al. This is an open access article distributed under the Creative Commons Attribution
License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly
cited.

Cloud computing is a vast revolution in information technology (IT) that inhibits scalable and virtualized sources to end users
with low infrastructure cost and maintenance. They also have much flexibility and these resources are supervised by various
management organizations and provided over the Internet by known standards, formats, and networking protocols. Legacy
protocols and underlying technologies consist of vulnerabilities and bugs which open doors for intrusion by network attackers.
Attacks as distributed denial of service (DDoS) are one of most frequent attacks, which impose heavy damage and affect
performance of the cloud. In this research work, DDoS attack detection is easily identified in an optimized way through a novel
algorithm, namely, the proposed gradient hybrid leader optimization (GHLBO) algorithm. This optimized algorithm is
responsible to train a deep stacked autoencoder (DSA) that detects the attack in an efficient manner. Here, fusion of features is
carried out by deep maxout network (DMN) with an overlap coefficient, and augmentation of data is carried out by the
oversampling process. Furthermore, the proposed GHLBO is generated by integrating the gradient descent and hybrid
leaderbased optimization (HLBO) algorithm. Also, this proposed method is assessed by various performance metrics, such as
the true positive rate (TPR), true negative rate (TNR), and testing accuracy with values attained as 0.909, 0.909, and 0.917,
accordingly.
1. Introduction various online resources that are in the form of services. In
cloud computing, organizations or users pay only for
Cloud computing is an Internet-enabled platform for service time based on duration in accordance to the pay-
delivering computing facilities, including networking, as-you-use policy. This service availability is very important
servers, and databases to users or employers in and beneficial to users or organizations; else they have to
organizations at huge scale, and helps companies with cost tolerate big financial issues with or without reputation loss
reduction for a particular organization [1]. Nowadays, [3]. Default keys are used by cloud devices that have no
cloud computing is growing as the standard platform for roles on security on acoustics which make them
distributing large data pool that provides various user- susceptible for negotiation. Cloud system contamination is
friendly features. Most services related to cloud computing frequently ignored by the user, and without proper
are of pay on demand type in which each and every user is awareness of owners in service, hundreds to thousands of
allocated by discrete pool of devices used for data mining. devices are theoretically mistreated by the attacker for
Services of cloud computing are classified as IaaS, SaaS, large-scale attack [4]. Technology advancement also has
and PaaS [2]. Cloud computing helps organizations or users serious issues in the cloud and one of these threats is DoS.
to reduce the cost of infrastructure by supplementing DoS creates unavailability of network services; however,
2 International Journal of Intelligent Systems
this unavailability of services is the result of various other self-learning and analyzing. Web attack detection within
reasons, such as faults in software or cloud component [5]. URLs from attackers and normal users by DL is a
DDoS attack is a common category of cyber-attack, challenging task, and major problems include the
which creates unauthorized and disturbed services to following: (i) an effective way for transforming every kind
network users [6] that is utilized by attackers to avoid of URL into representations is very important in view of
authentic users from retrieving services [1, 7]. Attackers multiple ways as various attacks hide in respective URLs, (ii)
use these DDoS attacks not to be available for authentic various attacks show various signatures in URLs, and thus
users [8]. Here, attackers put heavy load on network selecting a feature is not much easy, and (iii) most DL
services provided by target server on public. Network applications in cyber security have one model to do
known botnet of numerous hosts in Internet is used for detection, and it is difficult to update the system [14].
distributing traffic to victim or user. Amplification and This work is concentrated in detecting DDoS attacks in
reflection techniques lead this DDoS attack to a much cloud computing using the DL method, trained by an
destructive state [3]. These attacks are carried out by optimized algorithm. Here, the proposed optimization
compromising and exploiting hundreds to thousands of algorithm is named as GHLBO, which is generated by
hosts, termed zombies, which execute attack against the incorporating gradient descent with HLBO algorithm.
machine of target. They disturb regular and normal traffic Different stages involved for model detection are feature
on a network via sudden exponential upsurge in traffic and fusion, data augmentation, and finally attack detection.
lastly prevent regular traffic from attaining its terminus. Here, process of fusion of features is carried out by DMN
DDoS is considered as a type of malicious attack on cloud using an overlap coefficient, which is then followed by
servers that creates many severe problems [9]. These using data augmentation carried out by oversampling. Next
attacks generate large network traffic containing packets to augmentation of data, the DDoS attack is detected by
sent on the network, making regular users in trouble who DSA that is trained by proposed GHLBO.
want to obtain services that not respond to their The main contributions of this article are as follows:
requirements [6, 7]. Packets are categorized as normal or
(i) developed GHLBO algorithm enabled DSA:
malicious based on DDoS defense methods, and these
estimating a DDoS attack is carried out using
methods fall under two major types, (1) the signature-
designed GHLBO, created by the collaboration of
based method and (2) the anomaly-based method.
the gradient descent and HLBO algorithm. This
Signature-based methods use many attack signatures
GHLBO trains DSA for estimating or detecting a
situated in the knowledge database to detect attacks and
DDoS attack in cloud computing.
effectively find known attacks. In the meantime, anomaly-
based techniques analyse regular normal traffic The remaining parts of this article include the
behavioural patterns in a particular period for detecting following: Section 2 represents the literature review of
deviation in the steady action and analyse the zero-day attack detection and Section 3 represents the elaborate
attack [2]. particulars of the proposed GHLBO-based DSA. Section 5
The DL system is very efficient in discriminating traffic represents discussions with results of the developed
of DDoS from benign traffic by extracting representations model, and this article is concluded in Section 6.
of traffic of the high-level feature from traffic of the low
level [10]. Efficient disposition of technologies under 2. Motivation
security, including access control, cloud encryption,
malware identification, and secure uploading is achieved DDoS attack detection is much needed for helping the
by DL and computers [4]. It is suited for modelling a legitimate users to carefully access to network services.
nonlinear complex relationship by learning various stages Multiple techniques are available for this detection; but
of representation that correspond to multiple stages of those techniques are hard to trace back to attacker and not
abstraction. DNN has a cascade of multiple layers of effective to mitigate these attacks. To overcome these
processing units, which is nonlinear for transformation and problems, there is a need to adopt a best detection
extracting features, that is, a promising technique for method. Hence, this proposed GHLBO-enabled DSA
identifying attacks in social network [11]. Detecting a represents an optimal way for DDoS detection. This section
cyber-attack shares the feature that is common with the also enhances literature reviews regarding current
recognition of image, which harnessed new features of DL. detection techniques along with uses, drawbacks, and
Small changes in the pixel tend to identify image changes challenges.
where attack is detected in the same way as more than 99
percentage of novel attacks are minor mutants of previous
attacks. This reinforces efficiency of DL for detecting minor 2.1. Literature Assessment. Assessment of reviews from
changes in patterns of attacks [12]. literature of various researchers regarding DDoS detection
Unsupervised SA in DL learns representations from an in cloud computing is given as follows: Velliangiri et al. [2]
unbalanced dataset that uses DT as the binary classifier for proposed TEHO-enabled DBN, which was used to identify
detecting attacks from newly merged representations [13]. attacks at earlier stages itself. But this method followed
DL is applied to cyber security because of the capability of more iterations, TEHO-DBN for updating weights of input
International Journal of Intelligent Systems 3
and hidden units of the MLP layer that tend to have more ensure the obligatory level of protection against
computational time. This drawback was overcome by Arul DDoS attacks without making delays to services.
and Punidha [4], where SD-LVQ was developed; here, the (ii) In method [1], MI feature selection only was
cloud-mounted computer function was evaluated to utilizedas this required much time with increased
reduce detection strategies of the DDoS-encrypted cross- data dimensions for detecting an attack, whereas
site attack. However, the challenge by deep-supervised other feature selection techniques, such as
methods over the hybrid cloud data centre remained. wrapper and sequential feature selection, were
Challenge in [4] was eradicated in [10]. Doriguzzi-Corin et not adopted for detecting DDoS and various other
al. [10] designed LUCID model architecture, which followed attacks.
the lightweight application with less overhead processing (iii) The ensemble approach in [9] utilized decision
and minimal time of detection. But time of convergence trees, naive Bayes, K-NN, and SVMs as base
and accuracy was low in this method. This low convergence classifiers for detecting DDoS in cloud computing
was removed in [15]. Agarwal et al. [15] developed FS- with high accuracy; however, other classifiers
WOA, in which DDoS attack entry in the big-scale industry used in this method, performed less in detection.
was avoided. However, this method lacks in generating
(iv) CIC-DDoS2019 dataset used in [6] was converted
individual instantiations to detect novel attacks.
into dual various formats for efficient classification
Kushwaha and Ranga [3] proposed SaE-ELM-Ca.
and detection of DDoS, but this method had a
Although this method was designed to inevitably
challenge in detecting real-time DDoS attacks and
determine the appropriate hidden neurons number to
failed to check recording network traffic from IoT
improvise model’s learning capability, this method failed to
and VMs.
utilize multiple connections for testing and instead used
single connection. This drawback was hopefully eradicated (v) Cloud computing services are usually used as a
in [1]. Alduailij et al. [1] proposed MI and RFF, which was private or public data forum depending on
helpful to reduce misclassification errors by using various request by humans, and its increased utilization
classifiers. However, this method failed to examine with DL- led to various security concerns. Informative data
based detection and this DL-based detection was enhanced in cloud comes under problematic threat due to
in [9]. Alqarni [9] introduced the ensemble approach for network hackers, and still, it is a challenging task
DDoS detection that limited the size of the feature and to detect attacks because unauthorized users can
dataset producing higher performance. Here, drawbacks also access cloud systems, which is a weakest
prevailed in its time of execution, which lasted for more point of security.
time. Usage of time was limited by Cil et al. [6], where feed
forward-based DNN was designed. This method attained 3. Cloud Model
accurate and fast results within a shorter period of time.
But this method preferred the compulsory training process Services of cloud computing [2] have a vast number of
as a large number of packages were contained in the resource pool for data mining services and allow millions of
dataset, which was not preferred in other existing users to store, modify, and edit data. Cloud computing
approaches. Bovenzi et al. [16] implemented the exhibits environment for storage of more amount of data.
MultiModal Deep AutoEncoder (M2-DAE) model for The cloud model consists of two important devices, known
identifying the intrusions in IoT. This approach was fitted as VM and PM. The control environment in cloud
for privacypreserving and distributed methods with high computing is considered as the cloud server. Moreover, the
efficiency and flexibility. However, the attack classes were cloud model has the resource scheduler and allocator for
not evaluated in this approach. Guarino et al. [17] resource allocations. Based on request of a user, the
implemented a machine learning approach for classifying resource scheduler assigns available resources for
the attacks in the network. Here, an advanced set of processing data. PM controls multiple VM operations, and
features were considered for the early classification. This VM computes devices for storing and processing data.
approach obtained high F-measure, but more datasets Scheduler controls various requests and connections by
were not considered. providing resources consequently in an orderly manner.
The review on existing methods is shown in Table 1. The DDoS attack defence system is directly linked to the
resource scheduler, as this monitor presence of behaviour
of anomaly in the system in a continuous manner. While
2.2. Challenges. Some challenges confronted by the the request of the user happens inside system, then the
predominant DDoS attack in cloud computing techniques defence strategy checks the network of traffic and
are described as follows: announces sensible request or delivers it as an attack.
(i) Probable challenge in [10] is providing When this defence strategy finds the DDoS attack, then this
properbalancing among usages of the LUCID notifies cloud server directly.
resource including preprocessing and traffic
collection, with detection accuracy that means to
4 International Journal of Intelligent Systems
4. Developed GHLBO-Enabled DSA for environment. Goal of this research is finding DDoS in cloud
computing based on DL. Initially, simulation on cloud is
DDoSAttack Detection carried out, and it creates a log file, which has abrupt
DDoS attacks are most serious issue among security in the information and this information is directed for further
network and cause risks in the cloud computing feature fusion. This feature fusion is carried out using DMN
International Journal of Intelligent Systems 5
LUCID(i)Lessoverheadprocessingandminimaltimeofdetection(i)Timeofconvergenceandaccuracywerelow

i)Thismethodlacksingeneratingindividualinstantiationsto
i)Itpreferredthecompulsorytrainingprocessasthelarge

i)Itfailedtoutilizemultipleconnectionsfortesting
numberofpackageswascontainedinthedataset
i)ItfailedtoexaminewithDL-baseddetection
i)Difficulttoprocessalargeamountofdata

i)Theattackclasseswerenotevaluated
i)Itrequiredmorecomputationaltime
(
i)Moredatasetswerenotconsidered
(
(
i)Timeofexecutionwashigh
(
(
( (
(

detectnovelattacks (

i)Itattainedaccurateandfastresultswithinashorterperiodof
i)Itdeterminedappropriatehiddenneuronsnumbertoimprovise
Disadvantages i)Limitedthesizeofthefeatureanddatasetproducinghigher
i)ItreducedthedetectionstrategiesoftheDDoS-encrypted
Velliangirietal.[2]TEHO-DBN(i)Itidentifiedtheattackatearlierstagesitself
FS-WOA(i)ItavoidedDoSattackentryinabig-scaleindustry

Reviewonexistingmethods.

M2-DAE(i)Ithadhighefficiencyandflexibility
Guarinoetal.[17]Machinelearning(i)ItobtainedhighF-measure
MIandRFF(i)Itreducedmissclassificationerror
1: ( ( (
(

model’slearningcapability

Table

cross-siteattack
MethodsAdvantages
performance

KushwahaandRanga[3]SaE-ELM-Ca
time
ArulandPunidha[4]SD-LVQ
Feedforward-based
Ensembleapproach

DNN

Doriguzzi-Corinetal.
Agarwaletal.[15] Bovenzietal.[16]
Alduailijetal.[1]

Ciletal.[6]
Alqarni[9]
References

[10]

[18] with the overlap coefficient. After the process of oversampling. Next to data augmentation, DDoS attack
fusion of features, the data are augmented by detection is carried out using DSA [19], which is trained
6 International Journal of Intelligent Systems
using the proposed optimization algorithm, named GHLBO. b

The GHLBO will be designed newly by integrating the z

gradient descent [20] and HLBO algorithm [21]. Figure 1 F 􏽘 pa , (3) d
shows the block diagram for the proposed GHLBO enabled a1

feature fusion for DDOS attack detection in cloud where F denotes the fusion of features expressed in the
computing. vector form, b is the maximum feature range, and d
indicates the full feature account. Furthermore, the
generation of F is carried out based on the following
4.1. Log File Creation. The initial phase of designed DDoS formula for a as
detection on attacks is creating a log file that is indicated as
K
A. Users of the cloud system access to the model of cloud
via the allocator or resource scheduler. The resource a b− , (4) d
allocation model consists of data regarding free devices where d is the first obtained based on K and t, which is
that allocates the device to a user based on their formulated as
necessities. The resource scheduler identifies every
K
information on the log file of each user to generate A.
d ; 1 ≤ s ≤ t, (5) t
Abrupt information is available in the log file that is unable
to be directly utilized for training [2]. The log file contains where K is for full amount of features and t indicates the
the IP address and its log information that is considered as features selected. Here, the feature size is changed to Fo×k
features. The original data size obtained from datasets like from the initial size Fo×b.
BOTIoTis in the size of 100000 × 48 and NSL-KDD is of
10000 × 42. The representation of the log file with features 4.2.3. Generating z Using the Deep Maxout Network. The
is given as fractional coefficient z is generated for finding the feature
A 􏼈f1, f2, ... , fn􏼉, (1) fusion depending on the overlap coefficient and data
records. DMN is trained to find the fractional coefficient
where f1 and f2 represent the features in the log file and n and the architecture of DMN is explained as follows:
represents the complete account of features. (1) Architecture of DMN.DMN [18] is one of the neural
network’s types, which has many numbers of layers that
create hidden activations via the maxout function. Here,
4.2. Feature Fusion Based on DMN with the Overlap functions on activation are exemplified by the nth layer,
Coefficient. After the construction of A, the next step is where hidden units are characterized to various disjunct
feature fusion based on DMN [18] with the overlap groups. In DMN, the activation function is replaced by
coefficient. Features that are taken from the log file are MMN weights and maxout units. Maxout is a common
fused before the detection of DDoS as this may lead to category of ReLU which achieves the maximum operation
identification of attack easily. on altered linear representations. The maxout unit-based
result [22] is formulated as
4.2.1. Arranging Features Based on Overlap Coefficient.
Features are to be arranged based on the relativeness of Cz􏼁E∇ e∈max[1, m] Ize, (6)
their closeness character for making data in the readable
format and for optimizing the rate of detection. The
where Ize EA∇Β....ze + GGze is the parameter that is trained and
arrangement of features is carried out by the overlap
m is the total number of units of subhidden linear terms.
coefficient that arranges features based on their measured
Feature maps are formed by layering conv filters along
closeness features. The overlap coefficient is represented
the MMNs activation function above the local patch, and
as
this is fed into further higher layers. Here, every hidden
􏼌􏼌􏼌􏼌f1∩f3􏼌􏼌􏼌􏼌 neuron is the maxout unit, which is denoted as multilayer
generalization guarding maxout behavior, while improving
Oc􏼁f1, f3 􏼌􏼌􏼌􏼌f1􏼌􏼌􏼌􏼌􏼌􏼌􏼌􏼌f3􏼌􏼌􏼌􏼌􏼑 , (2) construction capability of various distributions of latent
min 􏼐 ideas. This MMN is a kind of a activation function for
training. Assuming input as E∇, which is the hidden layer
where f1 and f3 represent features with the same closeness raw input vector, activation function is expressed as
character. follows:

Χ1z,e max EA∇Β·····ze + Ggze, e∈[1, m1]

4.2.2. Fusion. After the arrangement of features according
to the same measured closeness, they are fused so that Χ2z,e Ggze, e∈[1,
independent features are converted to a unique feature in
m2]
order to process easily. Fusion formula is expressed as
h i−1A
International Journal of Intelligent Systems 7
Χz,e e∈max[1, mi Hz,e Β·····ze + Ggze, (7) After feature fusion, the size of features varies from Fo×b
] to Fo×k. The fused features are of sizes from BOT-IoT 100000
j j−1A × 41 to NSL-KDD 100000 × 31. Figure 2 represents the
Χz,e max Χz,e Β·····ze + Ggze, e∈􏼂1, mj􏼃 architecture of DMN.

R∇ max Χjz,e, e∈􏼂1,

mj􏼃
4. 3.DataAugmentation. Fused features F are

Original
log fileA

Cloud simulation

Deep Maxout Network

Feature fusionF (DMN) with overlap
coefficient

Oversampling
Data augmentation

Proposed Gradient Hybrid

Autoencoder (DSA)

Leader Optimization
GHLBO) algorithm
Deep stacked

DDoS attack
detection
(

Hybrid Leader
Gradient descent Based Optimization
Detected
(HLBO)
output

Attack Normal

Figure 1: Block diagram for the proposed GHLBO enabled feature fusion for DDoS detection on the attack in cloud computing.
augmented for increasing data diversity by excluding
where mi is the overall number of units in the ith layer and j
uneven balance of datasets. For eliminating imbalanced
signifies the overall number of layers in MMN.
number of data, the dimensionality of the database is
Conventional activation functions that are nonlinear, such
increased by the augmentation process. This data
as the absolute value rectifier and ReLU are well
augmentation process is carried out using the
approximated using MMN. Thus, feature fusion F is
oversampling technique. Here, the size of fused data with
undergone by DMN training, from which the fractional
(o × b) is incremented to (o × q). For example, if the size of
coefficient is obtained based on the overlap coefficient
data after fusion is (10 × 5), then the size of data after
that is indicated as
augmentation is (10, 000 × 5) that generates 99, 990
z Oc􏼁dr, χr , (8) samples based on the oversampling method. Here, the
augmented data is indicated as Faug with size (o × q). The
where z is the fractional coefficient, Oc is the overlap augmented data are
coefficient, dr is the data record, and χr is the average of dr
belonging to the class.
8 International Journal of Intelligent Systems
hidden, input, and output layers are present. The input fed
to DSA is Faug. Here, the training process is carried out by
two sections such as the encoder and decoder. An encoder
utilizes input data mapping to convert into the hidden
illustration and a decoder reconstructs input data from the
derived hidden illustration. For the presented unlabeled
input data, 􏼈 􏼉l∆ ∆1D, where l∆ ∈ QI×J, α∆ indicates the vector
of the hidden encoder taken from β∆ and the vector of the
output layer∧ decoder is represented by l∆ . Thus, the
encoding process is formulated by
β∆ α􏼁Ε1l∆ + Η1 , (9)

where the function of encoding is indicated by α, the

matrix of encoder weight is Ε1, and Η1 is the bias vector.
The decoder process is stated by
∧

l∆ P􏼁Ε2β∆ + Η2 , (10)

where the function of decoding is represented using P, the

weight matrix of the decoder is Ε 2, and the bias vector is
given as Η2.
For minimization of the reconstruction error, an
autoencoder parameter set is optimized as

1∆ ∧ ∧r

ε(Ο) argmin′ ∆ r􏽘1 M l􏼠 , l 􏼡, (11)

φ,φ
∧ ∧

where M is the loss function M(l, l) ||l − l|| . 2

Hence, SAE is carried out using three steps. First, the

input data trains an autoencoder and thus attains the
learned feature vector. Second, input for the following
layer is taken as the previous layer’s feature vector and this
iteration is continued until training completion. Finally,
hidden layer training is carried out and the
backpropagation method is used for minimization of the
cost function and weights are updated by the labelled
tuning group for obtaining best training. Hence, output
obtained from DSA is Zd. Figure 3 exhibits structural
Figure 2: Structural architecture of DMN. architecture of DSA with 90% of training data.

with sizes of 1000000 × 41 from the BOT-IoT dataset and

1000000 × 31 from the NSL-KDD dataset.

4.4. DDOS Attack Detection. After the process

of data augmentation, the augmented data is fed
to the next process of attack detection, where the
DDoS attack is detected by DSA [19] that is trained
by the proposed GHLBO. The architecture of DSA
followed and the training procedure carried out is
explained below.

4.4.1. Architecture of the Deep Stacked Autoencoder. An

auto encoder [19] is an unsupervised learning
configurationbased type, where three layers such as
International Journal of Intelligent Systems 9
4.4.2. Training of DSA Using Developed GHLBO. Training of lu⋮⋱⋮⋱⋮
DSA [19] is carried out by the developed GHLBO algorithm L⋮⋮u
⋮⋱⋮⋱⋮1 ·
for the detection of DDoS attacks. GHLBO is formed by ⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥ · · luy · · · luv
integration of the gradient descent [20] and HLBO
⎥⎥ ⎥ ⎥
algorithm [21]. Gradient descent is one of the most famous ⎥⎥ ⎥⎥⎥ ⎥⎥ ⎥
algorithms that perform optimization of neural networks.
Various behaviours of algorithms tend to optimize this ⎥⎥⎤⎥⎥⎥⎥⎥⎥⎥⎥⎥
gradient descent for brief summarization to resolve ⎥⎥⎥⎥⎥⎥⎦⎥⎥⎥ lY1 · · · lYy · · · lYv
challenges in those algorithms. HLBO is an optimization
algorithm introduced to guide population under hybrid
leader guidance where this leader is generated depending
on three members, such as one random member, the next
L
corresponding member, and the last best member. HLBO is Y Y×v
followed by two stages, namely, exploitation and where the HLBO algorithm is denoted as L, Lu is the uth
exploration. Here, each member in population is a candidate solution, luy is the yth variable determined by the
searcher to solve issues corresponding to the space search uth candidate solution, Y is the HLBO population size, and v
and hence the global search forms the main criterion in is the count
Normal of problem
variables.

(2) Fitne
Output Z d
Input layer F aug ss
(900000x47)

Dense layer Attack

3 (900000x2)
Dense layer
Dense layer 2 (900000x6)
1 (900000x7)

Figure 3: Structural architecture of DSA.

HLBO. The feature of gradient descent for exaggerating the Computation. Better optimal solution is generated by
optimization features of algorithms tends HLBO to more computing the fitness factor and is expressed as
prominently improve its performance for enhancing the
1κ
detection rate of DDoS attacks using newly developed and
κ
integrated GHLBO. The procedure regarding attack Fitness 􏽘 􏼂Do − Zd􏼃, (13) ϖ1
detection is given as follows.
where Do is the output aimed, the DSA output result is
represented by Zd, κ is the number of training samples
(1) Initialization. In HLBO, every member in
taken for the training process, and ϖ is the number of
population is a searcher in threat eradicating space, and
processed samples.
hence, all followers in population are able to enhance their
own position for finding the best solution. The updating
(3) Exploration Stage. Exploration is a feature,
process of population is carried out based on the best
enabling members of the population to scan various
member and worst member prevent algorithm from the
sources of the search space for finding the original optimal
global search in the problem eradicating space. Consider
area. The best member in the population reduces time for
HLBO population modelled in the matrix form as
exploration of the search space; however, the hybrid
L1 l11 · · · l1y · · · ⎥⎤⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥ ( leader tends to update the position of members in the
l1v ⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥ 1 population. In constructing the random leader, three
⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥ 2 populations, such as random, corresponding, and best
⎥⎥⎥⎥⎥⎥⎥⎥⎥⎥⎦ ) members are considered. Quality of each population
L , member is represented as
⎡⎢⎢⎢⎢⎢⎢⎣⎢⎢⎢⎢ ⎢⎡⎢⎢⎢⎢⎢⎢⎢⎢⎢
⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢ ⎢⎢ Tu − Tworst , u ∈ {1, 2, · · · , Y}. (14)
⎢ ⎢ ⎢⎢⎢⎢⎢⎢⎣⎢⎢
⎢⎢⎢⎢⎢⎢⎢⎢ ⎢ ⎢ ⎢⎢ wu Y

⎢ ⎢ ⎢⎢⎢⎢⎢⎢⎢⎢⎢ Y×v 􏽐y1􏼐Ty − Tworst􏼑

⎢ ⎢⎢⎢⎢⎢⎢⎢ ⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢⎢
⎢⎢⎢
10 International Journal of Intelligent Systems
Participation coefficients of each member are lu, y(S + 1) − lu, y(S + 1)(1 + U. Ζ)
expressed based on equation (14) as
Zlf l􏼐 u, y(S)􏼑(1 + U. Ζ) + U. ΜXu, y,
wu
WVu , (15) (25)
wu + wbest + wϑ
lu,y(S + 1)[1 − 1 − U.Ζ] Zlf l􏼐 u,y(S)􏼑(1 + U.Ζ)+ U.ΜXu,y,
w (16)
best , (26)
WVbest wu + wbest + wϑ

WVϑ wu + wbest + wϑ (17) lu,y(S + 1) 􏽨Zlf l􏼐 u,y(S)􏼑(1 + U.Ζ) + U.ΜXu,y􏽩,

wϑ ,
(27)
where u, ϑ ∈
{1, 2, ... , Y}, ϑ ≠ u, wu is the quality of theuth candidate 1 lu,y(S + 1) 􏽨Zlf l􏼐 u,y(S)􏼑(−1 − U.Ζ) −
solution, wbest is the objective function of the best solution, U.ΜXu,y􏽩,
and Tworst is the objective worst candidate function’s U.Ζ
solution. At each repetition, the hybrid leader is created for (28)
each member of the population that is represented as
where the position of the yth dimension in the uth solution is
lu,y(S + 1), iteration is (S + 1), the randomly created real
ΜXu WVu. Lu + WVbest. Lbest + WVϑ. Lϑ, (18)
number is U from the interval (0, 1), the integer that is
randomly selected is Ζ within the set 1{ , 2}, the hybrid
where ΜXu is the hybrid leader for the uth member and Lϑ is leader of the uth solution is ΜXu,y, and ℏ is a parameter,
the population member selected randomly. which scales the gradient.

(4) Updating Position. The position is updated by the (6) Exploitation Stage. Ability to make the algorithm
hybrid leader for the optimal search space and this update population enable for searching locally is termed as the
position is only accepted when the objective function exploitation phase. This brings out the best solution
value is improved from the previous position. This update nearby obtained solutions. This is created by the
condition is expressed as neighbourhood member around each and every member
of the population that makes the particular member to
lu, y(S +1) lu, y(S)+ U. 􏼐ΜXu, y +Ζ. lu, y􏼑, when TΜXu < Tu, change the position and supports to find the best value for
the objective-based function. Equation for exploration
(19)
which is expressed as
lu, y(S + 1) lu, y(S) + U. ΜXu, y + U. Ζ. lu, y, S
lu,y(S + 1) lu,y(S) +(1 − 2U).ζ􏼒1 − 􏼓.lu,y, (29)
(20)
R
lu, y(S + 1) lu, y(S)[1 + U. Ζ] + U. ΜXu, y, (21)
Lu(S + 1), Tu(S + 1) < Tu,
where lu,y(S + 1) is the position of the uth solution in the yth Lu 􏼨 (30) Lu else,
dimension at the iteration (S + 1), U is a randomly formed where ζ is the constant value equal to 0.2, Lu(S + 1) is the
real number from the interval (0, 1), then Ζ is an integer newly formed position of the uth member, lu,y(S + 1) is its jth
randomly selected with the set 1{ , 2}, and ΜXu,y indicates dimension, Tu(S + 1) is the objective function depending on
the hybrid leader of the uth solution. the exploitation phase, S denotes the iteration counter,
and R is maximum iteration numbers.
(5) Updating Parameter for the Training Sample.
Gradient descent updates a parameter to every training (7) Repetition. The iteration process is continued by
implementing exploration and exploitation phases. The
data for improving its performance and is formulated as algorithm follows the next iteration stage and the process
lu,y(S + 1) lu,y(S) − Zlf l􏼐 u,y(S)􏼑, (22) lu,y(S) Zlf l􏼐 u,y(S)􏼑 + lu,y(S + is updated and continued based on the exploration and
exploitation phases. Finally, the best member solution is
1). (23) formed as the solution to issue.

By substituting equation (23) in equation (21), (8) End. Till obtaining the proper optimal solution,
the process gets repeated to find DDoS detection on an
lu, y(S + 1) 􏽨Zlf l􏼐 u, y(S)􏼑+ lu, y(S + 1)􏽩(1 + U. Ζ)+ U. ΜXu,y,
attack in cloud computing. Table 2 predicts explanative
(24) pseudocode of the GHLBO algorithm.
International Journal of Intelligent Systems 11
Hence, the developed GHLBO-based DSA is very 5.2.2. BOT-IoT. The BoT-IoT dataset was generated to
efficient in DDoS attack detection in cloud computing to design accurate environment of the network in Cyber
find whether attacked or not. Range Lab of Center of UNSW Canberra Cyber. The source
file is provided in various formats, such as csv files, original
5. Discussion with Results pcap files, and argus files. These files are parted,
depending on the category and subcategory of attacks, to
Results regarding DDoS attack detection depending on support the process of labelling. Captured pcap files are of
evaluation metrics are deliberated in this section. 69.3 GB size, with more than 72,000,000 record files.

5.1. Experimental Assessment. The developed model is 5.3. Assessing with Performance Metrics. Performance
setup in the MATLAB tool in a PC with the Intel i3 core measures utilized in this developed model is TPR, TNR, and
processor, along with Windows 10 OS and 2 GB RAM. testing accuracy. Metrics used are described as follows:
(a) TPR: TPR determines the proportion of the
DDoSattack that is identified appropriately from
5.2. Dataset Description. Input data for the processing of
the original file. It is indicated by using the
DDoS attack detection is taken from a dataset [23, 24] that
following formula:
has various data corresponding to attack detection.
t
pr
5.2.1. NSL-KDD. NSL-KDD is updated sort of KDD cup99 that TPR . (31) tpr + fnr
forms an efficient benchmark for researchers to compare
various types of the IDS dataset. They provide 21 (b) TNR: this gives ratio of authentic data
predicated labels with fifty thousand information. They identifiedapproximately from the overall number of
have superfluous records in the train set with best data that is classified as true or reliable and is
detection rates on all frequently used records. presented as
Simultaneously, evaluation
Table 2: Proposed GHLBO’s pseudocode. tnr
TNR t nr + fpr . (32)
Initiate GHLBO
Input: l
(c) Testing accuracy: it is most important measure
Adjust Y and R
forfinding effectiveness of the developed DDoS
Start with member position and evaluating objective function
For u 1 to Y For S
detection approach. This gives the overall
1 to R proportion of correctly identified data either attack
Computation of fitness using equation (13) or normal from total count of data provided and is
Stage 1: exploration formulated as
Calculation of quality by equation (14)
tpr + tnr
Calculation of participation coefficients by equations (15)–(17)
Creating hybrid leader by equation (18)
Acc . (33) tpr + tnr + fpr
Calculating new position of uth member by equation (19) + fnr
Updating gradient parameter for training sample by equation
(22) New position of uth solution in yth dimension is obtained by Here, tpr indicates the number of manipulated
equation (28) images that are found, tnr is the number of
Stage 2: exploration authentic data, fpr indicates the number of
Calculation of novel position of uth member using equation (29) authentic data categorized as fake and fnr specifies
Updating uth member by equation (30) the total forged data detected as reliable.
End if;
Recalculating best optimal solution using equation (13)
Concluded 5.4. Algorithmic Assessment. The proposed GHLBO-
Outcome: best member solution is generated enabled DSA is assessed algorithmically in comparison with
End GHLBO various other optimization techniques, such as GA [25]
enabled DSA, PSO algorithm [26] enabled DSA, CS
algorithm [27] enabled DSA, and HLBO enabled DSA with
varying learning data in percentage. Here, the DSA is
training with other optimization algorithms, such as GA,
results of various research works are provided, that is, PSO, the CS algorithm, and HLBO and the performance is
consistent and comparable. compared with the proposed GHLBO.
12 International Journal of Intelligent Systems
5.4.1. Algorithmic Analysis Based on algorithmic analysis from the BOT-IoT dataset is indicated
BOT-IoT. in
BOT-IoT-based algorithmic analysis with varying Figure 4(c). If learning data percentage is 70, TNR values
percentages of learning data for various methods is are 0.786, 0.816, 0.783, 0.856, and 0.865 for GA + DSA,
discussed and represented in Figure 4. For this analysis, the PSO + DSA, CS + DSA, HLBO + DSA, and proposed GHLBO +
learning data varies from 50% to 90% and the maximum DSA. The improvement in performance values of TNR is
performance is attained at 90% of learning data. Testing 9.081%, 5.660%, 9.443%, and 0.990%.
accuracy based the algorithmic assessment for the BOT-
IoTdataset is indicated in Figure 4(a). If learning data is 5.4.2. Algorithmic Analysis Based on NSL-KDD. The
50%, the testing accuracy value is 0.798 for GA + DSA,

Figure 4: The algorithmic assessment based on BOT-IoT, (a) testing accuracy, (b) TPR, and (c) TNR.
0.779 for PSO + DSA, 0.824 for CS + DSA, 0.878 for HLBO + algorithmic assessment with change in the
DSA, and 0.896 for proposed GHLBO + DSA with percentage of learning data from NSL-KDD is given
performance improvement of 10.957%, 13.021%, 8.049%, in Figure 5. Testing accuracybased analysis for the
and 1.961%. Figure 4(b) shows the TPRbased algorithmic algorithm is depicted in Figure 5(a). If learning
analysis for the BOT-IoT dataset. Here, GA + DSA shows the data is 80%, then the testing accuracy value for
TPR value of 0.794, PSO + DSA shows the proposed model is 0.894, whereas other
0.828, CS + DSA gives the value of 0.848, HLBO + DSA gives methods show lesser values of 0.726 for GA + DSA,
0.869, where the proposed method attains TPR of 0.879 0.834 for PSO + DSA, 0.874 for CS + DSA, and
when learning data is 60%. The performance improvement 0.891 for HLBO + DSA. The value of testing
in the TPR value with the proposed model is 9.589%, accuracy is improved with the ranges of 18.789%,
5.773%, 3.462%, and 0.990%. The TNR variation with 6.689%, 2.171%, and 0.310%. The TPR-based
algorithmic assessment for NSL-KDD is depicted in
International Journal of Intelligent Systems 13
Figure 5(b). Here, when percentage of learning
data 90, TPR is 0.847 for GA + DSA and increases
with values of 0.883, 0.887, 0.896, and 0.909 for
PSO + DSA, CS + DSA, HLBO + DSA, and developed
method. This shows improvement in performance
with the proposed model with values of 6.803%,
2.905%, 2.509%, and 1.542%. Figure 5(c) gives the
TNR variation of algorithmic analysis with respect
to NSL-KDD. When learning data 50%, the TNR
value for the proposed method is 0.896, and it
changes for PSO + DSA, GA + DSA, CS + DSA, and
HLBO + DSA with values of 0.885, 0.873, 0.879,
and 0.842, accordingly with performance
improvement of 2.603%, 1.251%, 1.848%, and
5.982%.

5.5.ComparativeAssessment. Developed model is

compared with various methods, such as TEHO-DBN [28],
LUCID [10], the ensemble approach [29], DNN [30], SD-LVQ
[4], and FS-WOA [15] by changing learning data.

5.5.1. Comparative Analysis Based on BOT-IoT. Figure 6

depicts comparative assessment of various methods in
terms of BOT-IoT. Testing accuracy based comparative
analysis is indicated in Figure 6(a). When learning data
percentage 60, then values of testing accuracy are 0.788,
0.799, 0.833, 0.879, 0.883, 0.886, and 0.897 for TEHO-DBN,
LUCID, the ensemble approach, DNN, SD-LVQ, FS-WOA,
and the proposed method. Improvement in performance
with developed model for testing accuracy is 12.159%,
10.920%, 7.184%, 1.961%, 1.56%, and 1.23%. Figure 6(b)
shows the TPR-based comparative assessment in terms of
BOT-IoT. For, 70% learning data, values of TPR are 0.802,
0.829, 0.844, 0.883, 0.889, 0.892, and 0.901 for TEHO-DBN,
LUCID, the ensemble approach, DNN, SD-LVQ, FS-WOA,
and the proposed method. This shows improvement in
performance with 10.997%, 7.936%, 6.367%, 1.961%,
1.33%, and 1%. Figure 6(c) depicts TNR-based comparative
analysis in terms of BOT-IoT. When learning data 80%, TNR
values of TEHO-DBN is 0.809, LUCID is 0.836, the ensemble
approach is 0.841, DNN is 0.890, SD-LVQ is 0.902, FS-WOA
is 0.903, and the proposed method is 0.908. Performance
improvement with the developed model in terms of TNR is
10.915%, 7.889%, 7.367%, 1.961%, 0.66%,
14 International Journal of Intelligent Systems

0.90

Figure 5: The algorithmic assessment based on NSL-KDD, (a) testing accuracy, (b) TPR, and (c) TNR.
and 0.55%. The ROC analysis in terms of ensemble approach, 0.896 for DNN, 0.898
BOT-IoT is shown in Figure 6(d). When TPR for SD-LVQ, 0.908 for FSWOA, and 0.914 for
3, FPR value of TEHO-DBN is the proposed method. Improvement in
0.701, LUCID is 0.817, ensemble approach is performance with the developed model for
0.832, DNN is 0.833, SD-LVQ is 0.836, FS- testing accuracy is 9.378%, 7.167%, 3.851%,
WOA is 0.839, and the proposed method is 1.961%, 1.75%, and 0.66%, respectively.
0.867. Figure 7(b) shows the TPR-based
comparative assessment in terms of NSL-
KDD. For, 50% learning data, values of TPR
5.5.2. Comparative Analysis Based on NSL- are 0.799, 0.813, 0.834, 0.869, 0.872, 0.877,
KDD. Figure 7 depicts the comparative and 0.887 for TEHO-DBN, LUCID, the
assessment of many methods in terms of ensemble approach, DNN, SD-LVQ, FS-WOA,
NSL-KDD. Testing accuracy based and the proposed method. This shows
comparative performance is depicted in improvement in performance with 9.895%,
Figure 7(a). When learning data 90%, then 8.416%, 5.954%, 1.961%, 1.69%, and 1.13%.
testing accuracy values are 0.828 for TEHO- Figure 7(c) depicts TNRbased comparative
DBN, 0.848 for LUCID, 0.878 for the analysis in terms of NSL-KDD. When learning
International Journal of Intelligent Systems 15

0.90
data 60%, TNR values are TEHO-DBN 0.782,
LUCID 0.771, the ensemble approach 0.782,
DNN 0.841, SD-LVQ 0.844, FS-WOA 0.849,
and the proposed method 0.857. The
performance improvement with the
developed model in terms of TNR is 8.817%,
10.078%, 8.746%, 1.961%, 1.52%, and
0.93%. The ROC analysis in terms of NSL-KDD
is shown in Figure 7(d). When TPR 3, FPR
values of TEHO-DBN is 0.880, LUCID is 0.876,
the ensemble approach is 0.881, DNN is
0.853, SD-LVQ is 0.860, FS-WOA is 0.869, and
the proposed method is 0.894.

5.6. Discussion with Comparison.

Comparison is carried out for three
evaluation metrics with respect to dual
datasets, such as BOT-IoTand NSL-KDD for
90% learning data that is depicted in Table 3.
For 90% learning data, data taken from the
BOT-IoT dataset shows the maximum testing
accuracy value of 0.917, the TPR value of
0.908, and the maximum
16 International Journal of Intelligent Systems

0.90

Figure 6: Comparative analysis in terms of BOT-IoT, (a) testing accuracy, (b) TPR, (c) TNR, and (d) ROC.

TNR value of 0.909. Hence, proposed GHLBO-enabled DSA Table 4 shows the computational
analysis of the GHLBOis a very efficient method with high ranges of testing ac- based DSA and
TEHO-DBN, LUCID, the ensemble apcuracy, TPR, and TNR, when compared with other existing
proach, DNN, SD-LVQ, and FS-WOA. The minimum methods. computational time of the
GHLBO-based DSA is 2.676 sec.
Figure 7: Comparative assessment based on NSL-KDD, (a) testing accuracy, (b) TPR, (c) TNR,
and (d) ROC.

Table 3: Discussion with comparison of the proposed technique with existing

techniques.
Proposed
Classification Methods/ Ensemble
TEHO-DBN LUCID DNN SD-LVQ FS-WOA GHLBO-based
types metrics approach
DSA
Testing accuracy 0.824 0.846 0.873 0.899 0.902 0.905 0.917
BOT-IoT with 90% learning data TPR 0.819 0.840 0.866 0.891 0.896 0.900 0.909
International Journal of Intelligent Systems 17

0.90
TNR 0.842 0.860 0.891 0.903 0.905 0.909
0.831
Testing accuracy 0.828 0.848 0.878 0.896 0.898 0.848 0.908 0.914
NSL-KDD with 90% learning data TPR 0.828 0.871 0.891 0.894 0.899 0.909
TNR 0.816 0.827 0.866 0.883 0.886 0.892 0.901
Bold values show higher performance compared to other methods.

Table 4: Computatio nal time analysis.

Methods TEHO-DBN LUCID Ensemble approach DNN SD-LVQ FS-WOAProposed GHLBO-based DSA
Computational time (sec) 7.325 6.895 4.366 3.636 5.532 4.321 2.676
Bold values show higher performance compared to other methods.
18 International Journal of Intelligent Systems

6. Conclusion machine with crossover adaptation

MI: Mutual information
Cloud computing transforms the IT infrastructure into
RFF: Random forest feature
utility and its characteristics such as utilising virtualisation,
relying on the Internet for services, and multiple tenants K-NN: k-nearest neighbour
inherently making the security of the network a major and SVM: Support vector machine
unpredictable obstacle. The insider DDoS attack is a CIC- Canadian Institute for Cybersecurity-DDoS
primary challenge for any cloud operational environment DDoS:
because it deactivates the service completely, and hence, IoT: Internet of Things
DDoS attack should be completely eradicated as they vary VM: Virtual machine
the performance of cloud. In this article, DDoS attacks are PM: Physical machine
detected easily in an optimized way by the proposed BOT-IoT: Robot-Internet of Things
GHLBO algorithm. This optimized algorithm is helpful in IP: Internet protocol
training DSA that finds attacks in an efficient manner. Here,
MMN: Multimaxout network
DMN with the overlap coefficient is responsible for the
ReLU: Rectified linear unit
feature fusion process, and augmentation of data is carried
out by oversampling technique. Also, the proposed GHLBO IDS: Intrusion detection system
is generated by integrating gradient descent with the HLBO GA: Genetic algorithm
algorithm. Moreover, this proposed method is analyzed by PSO: Particle swarm optimization
three performance metrics such as TPR, TNR, and testing CS: Cuckoo search
accuracy with values of 0.909, 0.909, and 0.917. However, DNN: Deep neural network.
the overhead analysis was not considered in the proposed Data Availability
method. This will be considered in the further extension of
the devised approach. Also, the advanced optimization The data used to support the findings of this study are
method will be included in this approach for better available from the corresponding author upon request.
performance and more performance metrics will be
considered for the performance evaluation. Conflicts of Interest
The authors declare that they have no conflicts of interest.
Nomenclature
IT: Information technology Authors’ Contributions
DDoS: Distributed denial of service
Balasubramaniam S contributed to conceptualisation,
GHLBO: Gradient hybrid leader optimization
investigation, data curation, formal analysis, and writing
DSA: Deep stacked autoencoder the original draft; Vijesh Joe C contributed to writing and
DMN: Deep maxout network formal analysis; Siva Kumar T A contributed to
HLBO: Hybrid leader-based optimization conceptualisation and project administration; Prasanth A
TPR: True positive rate contributed to project administration and writing;
TNR: True negative rate Satheesh Kumar K contributed to project administration,
IaaS: Infrastructure-as-a-service supervision, and writing, reviewing, and editing; Kavitha V
SaaS: Software-as-a-service contributed to supervision and writing, reviewing, and
PaaS: Platform-as-a-service editing; and Rajesh Kumar Dhanaraj contributed to –the
DoS: Denial of service final review and verification.
DL: Deep learning
DNN: Deep neural network References
SA: Stacked autoencoder [1] M. Alduailij, Q. W. Khan, M. Tahir, M. Sardaraz, M. Alduailij,
DT: Decision tree and F. Malik, “Machine-learning-based DDoS attack
URL: Uniform resource locator detection using mutual information and random forest
feature importance method,” Symmetry, vol. 14, no. 6, p.
DBN: Deep belief neural network
1095, 2022.
TEHO: Taylor-elephant herd optimization [2] S. Velliangiri, P. Karthikeyan, and V. Vinoth Kumar,
MLP: Multilayer perceptron “Detection of distributed denial of service attack in cloud
SD-LVQ: Supervised deep learning vector quantization computing using the optimization-based deep networks,”
FS-WOA: Feature selection-whale optimization Journal of Experimental and Theoretical Artificial
algorithm Intelligence, vol. 33, no. 3, pp. 405–424, 2021.
SaE-ELMCa: Self-adaptive evolutionary extreme learning
International Journal of Intelligent Systems 19

[3] G. S. Kushwah and V. Ranga, “Optimized extreme learning detection,” in Proceedings of the IEEE International
machine for detecting DDoS attacks in cloud computing,” Symposium on Measurements and Networking (M&N), IEEE,
Computers and Security, vol. 105, Article ID 102260, 2021. Padua, Italy, June 2022.
[4] E. Arul and A. Punidha, “Supervised deep learning vector [18] W. Sun, F. Su, and L. Wang, “Improving deep neural
quantization to detect MemCached DDOS malware attack networks with multi-layer maxout networks and a novel
on cloud,” SN Computer Science, vol. 2, no. 2, pp. 85–12, initialization method,” Neurocomputing, vol. 278, pp. 34–40,
2021. 2018.
[5] J. K. Seth and S. Chandra, “An effective DOS attack detection [19] G. Liu, H. Bao, and B. Han, “A stacked autoencoder-based
model in cloud using artificial bee colony optimization,” 3D deep neural network for achieving gearbox fault diagnosis,”
Research, vol. 9, no. 3, pp. 44–13, 2018. Mathematical Problems in Engineering, vol. 2018, Article ID
[6] A. E. Cil, K. Yildiz, and A. Buldu, “Detection of DDoS attacks 5105709, 10 pages, 2018.
with feed forward based deep neural network model,” [20] S. Ruder, “An overview of gradient descent optimization
Expert Systems with Applications, vol. 169, Article ID algorithms,” 2016, https://arxiv.org/abs/1609.04747.
114520, 2021. [21] P. Trojovsky and M. Dehghani, “Hybrid leader based
[7] Q. Yan and F. R. Yu, “Distributed denial of service attacks in optimization: a new stochastic optimization algorithm for
software-defined networking with cloud computing,” IEEE solving optimization applications,” Scientific Reports, vol. 12,
Communications Magazine, vol. 53, no. 4, pp. 52–59, 2015. 2022.
[8] Y. Mirsky, D. Tomer, Y. Elovici, and A. Shabtai, “Kitsune: an [22] G. Castaneda, P. Morris, and T. M. Khoshgoftaar, “Evaluation
ensemble of autoencoders for online network intrusion of maxout activations in deep learning across several big
detection,” in Proceedings of the Network and Distributed data domains,” Journal of Big Data, vol. 6, no. 1, pp. 72–35,
Systems Security Symposium (NDSS), Beijing China, October 2019.
2018. [23] B. Ritu and R. Nagpal, “A review on kdd cup99 and nsl
[9] A. A. Alqarni, “Majority vote-based ensemble approach for nslkdd dataset,” International Journal of Advanced Research
distributed denial of service attack detection in cloud in Computer Science, vol. 10, 2022.
computing,” Journal of Cyber Security and Mobility, vol. 12, [24] J. M. Peterson, L. L. Joffrey, and M. K. Taghi, “A review and
pp. 265–278, 2022. analysis of the bot-iot dataset,” in Proceedings of the 2021
[10] R. Doriguzzi-Corin, S. Millar, S. Scott-Hayward, J. IEEE International Conference on Service-Oriented System
Martinezdel-Rincon, and D. Siracusa, “LUCID: a practical, Engineering (SOSE), Oxford, United Kingdom, July 2021.
lightweight deep learning solution for DDoS attack [25] M. Kumar, D. Husain, N. Upreti, and D. Gupta, “Genetic
detection,” IEEE Transactions on Network and Service algorithm: review and application,” Journal of Information
Management, vol. 17, no. 2, pp. 876–889, 2020. and Knowledge Management, vol. 2, no. 2, pp. 451–454,
[11] F. Jiang, Y. Fu, B. B. Gupta et al., “Deep learning based 2010.
multichannel intelligent attack detection for data security,” [26] D. Wang, D. Tan, and L. Liu, “Particle swarm optimization
IEEE transactions on Sustainable Computing, vol. 5, no. 2, algorithm: an overview,” Soft Computing, vol. 22, no. 2, pp.
pp. 204–212, 2020. 387–408, 2018.
[12] A. Abeshu and N. Chilamkurti, “Deep learning: the Frontier [27] M. Mareli and B. Twala, “An adaptive Cuckoo search
for distributed attack detection in fog-to-things computing,” algorithm for optimisation,” Applied computing and
IEEE Communications Magazine, vol. 56, no. 2, pp. 169–175, informatics, vol. 14, no. 2, pp. 107–115, 2018.
2018. [28] S. Velliangiri and H. M. Pandey, “Fuzzy-Taylor-elephant herd
[13] A. Al-Abassi, H. Karimipour, A. Dehghantanha, and R. M. optimization inspired Deep Belief Network for DDoS attack
Parizi, “An ensemble deep learning-based cyber-attack detection and comparison with state-of-the-arts
detection in industrial control system,” IEEE Access, vol. 8, algorithms,” Future Generation Computer Systems, vol. 110,
pp. 83965–83973, 2020. pp. 80–90, 2020.
[14] Z. Tian, C. Luo, J. Qiu, X. Du, and M. Guizani, “A distributed [29] X. Dong, Z. Yu, W. Cao, Y. Shi, and Q. Ma, “A survey on
deep learning system for web attack detection on edge ensemble learning,” Frontiers of Computer Science, vol. 14,
devices,” IEEE Transactions on Industrial Informatics, vol. 16, no. 2, pp. 241–258, 2020.
no. 3, pp. 1963–1971, 2020. [30] R. Miikkulainen, J. Liang, E. Meyerson et al., “Evolving deep
[15] A. Agarwal, M. Khari, and R. Singh, “Detection of DDOS neural networks,” Artificial intelligence in the age of neural
attack using deep learning model in cloud storage networks and brain computing, vol. 32, pp. 293–312, 2019.
application,” Wireless Personal Communications, vol. 127,
pp. 419– 439, 2021.
[16] G. Bovenzi, G. Aceto, D. Ciuonzo, V. Persico, and A. Pescape,´
“A hierarchical hybrid intrusion detection approach in IoT
scenarios,” in Proceedings of the GLOBECOM 2020 - 2020
IEEE Global Communications Conference, Taipei, Taiwan,
April 2020.
[17] I. Guarino, G. Bovenzi, D. Di Monda, G. Aceto, D. Ciuonzo,
and A. Pescape, “On the use of machine learning
approaches´ for the early classification in network intrusion