Scientific Reports. 2024 Jul 26;14:17148. doi: 10.1038/s41598-024-67865-2

Enhanced botnet detection in IoT networks using zebra optimization and dual-channel GAN classification

SK Khaja Shareef 1, R Krishna Chaitanya 2, Srinivasulu Chennupalli 3, Devi Chokkakula 4, K V D Kiran 5, Udayaraju Pamula 6, Ramesh Vatambeti 7
PMCID: PMC11282287  PMID: 39060369

Abstract

The Internet of Things (IoT) permeates various sectors, including healthcare, smart cities, and agriculture, alongside critical infrastructure management. However, its susceptibility to malware due to limited processing power and weak security protocols poses significant challenges, and traditional antimalware solutions fall short in combating evolving threats. To address this, this work develops a feature selection-based classification model. In the first stage, preprocessing enhances dataset quality through data smoothing and consistency improvement. Feature selection via the Zebra Optimization Algorithm (ZOA) then reduces dimensionality, while the classification phase integrates a Graph Attention Network (GAN), specifically the Dual-channel GAN (DGAN). DGAN incorporates Node Attention Networks and Semantic Attention Networks to capture intricate IoT device interactions and detect anomalous behaviors such as botnet activity. The model's accuracy is further boosted by leveraging both structural and semantic data, with the Sooty Tern Optimization Algorithm (STOA) used for hyperparameter tuning. The proposed STOA-DGAN model achieves 99.87% accuracy in botnet activity classification, showing robustness and reliability compared to existing approaches.

Keywords: Internet of things, Zebra optimization algorithm, Graph attention network, Sooty Tern optimization algorithm, Node attention networks

Subject terms: Computer science, Information technology

Introduction

Background

The digitization of computing and the widespread use of AI have yielded numerous benefits [1]. Countries now rely more on the Internet of Things, software-defined networks (SDNs), and digitization [2]. The most significant issue facing us in the digital age is cybersecurity [3]. Cyberattacks occasionally result in irreversible damage and can affect various sectors of the digital economy. Cyberattacks, malfunctioning military equipment, theft, fraud, extortion, blackouts, and leaks of classified information are just a few of the potential consequences. These could also lead to the theft of priceless personal information, such as private medical records. Additionally, they might bring down systems, which could have disastrous effects. According to the Outpost24 study mentioned in [4], over 3800 large businesses experienced significant data breaches in 2019 [5]. Despite the frequency of attacks, system security has not received much attention, and few significant research discoveries have resulted in effective countermeasures against malware attacks. The Internet of Things (IoT) refers to a network of physical devices or objects with integrated software, electronics, and network connectivity that enables them to collect, process, and sporadically share data [6].

Several traffic and device characteristics can point to a botnet infection:

  • Request-Response Ratios: An odd pattern in device communication can be identified by comparing the number of outgoing requests to the number of arriving responses. These scores, which are derived from models trained on regular behaviour, show departures from the usual ways that IoT devices operate.

  • Type of Device and Functionality: Features unique to an IoT device (such as cameras or sensors) and their typical usage patterns might help identify abnormalities brought on by botnet infections.

  • Versions of Firmware and Software: Botnets can abuse outdated or unpatched firmware and software, so it is important to look for these characteristics.

An illustration of feature analysis used to detect botnets: consider, as an example, a dataset gathered from an IoT network that includes a variety of devices. Features could be selected using the ZOA as follows:

  • Initial Feature Extraction: Gather a wide range of information from network traffic, such as protocol kinds, inter-arrival periods, and packet and byte counts.

  • Feature Evaluation: In the context of botnet identification, assess each feature's significance using metrics like information gain or mutual information.

  • Feature Selection with ZOA: Use the Zebra Optimisation Algorithm (ZOA) to reduce dimensionality while preserving important information by choosing a subset of the most discriminative characteristics.

  • Feature Interpretation: Examine the chosen features in order to determine their importance. A high inter-arrival time entropy and a high frequency of DNS requests, for example, could be powerful markers of botnet activity within the dataset.
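The feature-evaluation step of the procedure above, as an added example that is not the paper's code: each candidate flow feature (inter-arrival time entropy, DNS request rate, packet count) is scored by its mutual information with the benign/botnet label over a handful of constructed flow records. The ZOA search itself is not implemented; only the information-theoretic scoring it would consume is shown, and the flows are built so that botnet flows show the high inter-arrival entropy and high DNS frequency the text names as markers.

```python
"""Mutual-information scoring of candidate flow features against the botnet label.

Added example, not the paper's code. Flow records below are constructed; the
ZOA search is not implemented here, only the scoring it would use.
"""
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple


def shannon_entropy(symbols: Sequence) -> float:
    """H(X) in bits for a sequence of discrete symbols."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def inter_arrival_entropy(timestamps: List[float], bin_width: float = 1.0) -> float:
    """Entropy of the binned gaps between consecutive packets of one flow."""
    gaps = [round((b - a) / bin_width) for a, b in zip(timestamps, timestamps[1:])]
    return shannon_entropy(gaps) if gaps else 0.0


def discretize(values: List[float], bins: int) -> List[int]:
    """Equal-width binning so that MI can be computed on continuous features."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0] * len(values)
    return [min(bins - 1, int((v - lo) / (hi - lo) * bins)) for v in values]


def mutual_information(xs: Sequence, ys: Sequence) -> float:
    """I(X;Y) = H(X) + H(Y) - H(X,Y), in bits."""
    return shannon_entropy(xs) + shannon_entropy(ys) - shannon_entropy(list(zip(xs, ys)))


def extract_features(flow: Dict) -> Dict[str, float]:
    """The three candidate features discussed above, computed from one flow record."""
    ts = flow["timestamps"]
    return {
        "iat_entropy": inter_arrival_entropy(ts),
        "dns_rate": flow["dns_requests"] / flow["duration"],
        "pkt_count": float(len(ts)),
    }


def rank_features(flows: List[Dict], bins: int = 4) -> List[Tuple[str, float]]:
    """Score every feature by its MI with the label; highest first."""
    labels = [f["label"] for f in flows]
    table = [extract_features(f) for f in flows]
    scores = {}
    for name in table[0]:
        column = [row[name] for row in table]
        scores[name] = mutual_information(discretize(column, bins), labels)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Constructed flows (label 1 = botnet): packet timestamps in seconds, DNS request counts.
CONSTRUCTED_FLOWS = [
    {"timestamps": [0, 1, 2, 3, 4, 5], "dns_requests": 1, "duration": 5.0, "label": 0},
    {"timestamps": [0, 2, 4, 6, 8], "dns_requests": 0, "duration": 8.0, "label": 0},
    {"timestamps": [0, 1, 2, 3], "dns_requests": 1, "duration": 3.0, "label": 0},
    {"timestamps": [0, 3, 6, 9, 12, 15], "dns_requests": 2, "duration": 15.0, "label": 0},
    {"timestamps": [0, 1, 3, 4, 8, 9, 15], "dns_requests": 20, "duration": 15.0, "label": 1},
    {"timestamps": [0, 2, 3, 7, 8, 12], "dns_requests": 30, "duration": 12.0, "label": 1},
    {"timestamps": [0, 1, 2, 5, 9, 10, 16], "dns_requests": 12, "duration": 16.0, "label": 1},
    {"timestamps": [0, 4, 5, 6, 9, 11], "dns_requests": 25, "duration": 11.0, "label": 1},
]

if __name__ == "__main__":
    for name, score in rank_features(CONSTRUCTED_FLOWS):
        print(f"{name:12s} MI = {score:.3f} bits")
```

On this sample, packet count carries only half a bit about the label, while both entropy and DNS rate separate the classes completely (1 bit); a feature-subset search such as ZOA would keep the latter two.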

Challenges

Identifying botnets on the internet is a challenging task due to the vast array of features and the low processing power of Internet of Things (IoT) devices. The dynamic behavior of botnets makes detection even more challenging [7]. Conventional network infrastructures are ill-suited to handle these challenges because they lack the agility and scalability necessary to react to evolving threats in real time [8]. Moreover, it is challenging to differentiate between malicious and legitimate IoT traffic in the chaotic data that these devices produce. The sheer volume and diversity of IoT devices exacerbate these issues, necessitating the development of innovative solutions [9]. Advanced technologies such as Deep Learning (DL) and Software-Defined Networking (SDN) may need to be used to enhance detection capabilities. By leveraging the capabilities of SDN and DL to analyze massive datasets, identify patterns that indicate botnet activity, and dynamically adjust detection mechanisms, IoT ecosystems can be strengthened against cyberattacks [10-12].

Role of deep learning

Utilizing Deep Learning (DL) techniques offers a robust approach to addressing the complex challenges of IoT botnet detection. Deep learning algorithms excel in analyzing extensive datasets, enabling the detection of subtle patterns indicative of botnet activities. These algorithms enhance detection mechanisms by adaptively improving in response to real-time extraction of nuanced features from raw network traffic data. This capability allows for faster and more accurate identification of anomalous behavior associated with IoT botnet interactions [13-15]. Deep learning algorithms enable the analysis of large datasets and the detection of minute patterns that might indicate botnet activity [16,17]. Moreover, detection mechanisms can be adaptively improved through DL in response to the real-time extraction of subtle features from unprocessed network traffic data, allowing for quicker and more precise identification of unusual behavior connected to IoT botnet interactions [18]. One of the key strengths of deep learning in this context is its ability to continuously learn and adapt to new threats, thereby reducing the risks posed by sophisticated botnet attacks. Techniques such as Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs) can be employed to process sequential data and capture temporal patterns in network traffic, further improving detection accuracy. Moreover, Generative Adversarial Networks (GANs) can simulate potential attack scenarios, enabling the system to prepare for and mitigate future threats [19]. Deep learning's dynamic adaptability makes it an indispensable tool for enhancing IoT security infrastructures, providing resilience against evolving cyber threats. As the IoT ecosystem continues to expand, the importance of deep learning techniques in maintaining network integrity and user confidence in connected devices will only grow.
By leveraging the continuous learning capabilities of DL, IoT networks can be fortified against increasingly sophisticated botnet attacks, ensuring robust and reliable security measures [20].

Motivation

To address this, we will include discussions on significant works such as "Block Hunter: Federated Learning for Cyber Threat Hunting in Blockchain-based IIoT Networks," which demonstrates the integration of federated learning with blockchain for enhanced threat detection and privacy; "Secure Intelligent Fuzzy Blockchain Framework: Effective Threat Detection in IoT Networks," showcasing the combination of fuzzy logic with blockchain technology for robust security; "Exploring Privacy Measurement in Federated Learning," which provides insights on balancing data utility and privacy in federated learning environments; and "Hybrid Privacy-Preserving Federated Learning Against Irregular Users in Next-Generation Internet of Things," highlighting strategies to maintain privacy and security against irregular users. These studies will enrich our discussion on advanced blockchain technologies and privacy-preserving techniques, providing a comprehensive overview of the current state of decentralized data sharing models and searchable encryption in IoT networks.

The growing danger that botnets pose to the Internet of Things underscores the urgent need for sophisticated detection mechanisms. A successful botnet attack might have catastrophic repercussions on important businesses, individuals, and infrastructure, including interrupted essential services, monetary losses, and data breaches. Thus, in order to safeguard user privacy, network integrity, and the dependability of IoT ecosystems, it is imperative to develop robust IoT botnet detection techniques that make use of SDN and DL. This paper explores various methods for measuring privacy in federated learning, emphasizing the need to balance data utility and privacy. It discusses metrics and frameworks to evaluate privacy-preserving techniques in federated learning environments. Relevance: Understanding privacy measurement in federated learning is crucial for developing secure and effective data sharing models. This paper's insights will help us enhance our discussion on privacy concerns and the implementation of federated learning in secure data sharing frameworks.

Objectives/contribution of the work

The research paper aims to achieve the following objectives:

Improve Dataset Quality and Consistency:

Employ techniques to eliminate discrepant data and apply data smoothing during the pre-processing stage, thereby establishing a robust foundation for subsequent analysis.

Enhance Feature Selection Efficiency:

Apply the Zebra Optimization Algorithm (ZOA) to effectively identify discriminative features while reducing dimensionality, thus improving the efficiency of feature selection.

Utilize Graph Attention Network (GAN) Technologies:

Construct a Dual-channel Graph Attention Network (DGAN) from Graph Attention Network (GAN) layers, comprising a Semantic Attention Network and a Node Attention Network. This approach captures intricate relationships among IoT device interactions, enhancing detection accuracy by exploiting both structural and semantic information within the data.

Optimize hyperparameters:

Use the Sooty Tern Optimization Algorithm (STOA) to optimize the hyperparameters of the DGAN model, ensuring optimal parameter settings for maximal detection efficacy.

Organization of the paper

The manuscript is organized into several divisions. Division 1 serves to introduce the reader to the overview of the topic. Division 2 follows with an analysis of current models, including problem declarations. Division 3 describes the materials and techniques utilized in the research work. Division 4 offers a brief synopsis of the anticipated model to be developed. The experimental comparison of the proposed design with available models is presented in Division 5. Finally, Division 6 provides the conclusion and suggestions for additional research.

Related work

Chaganti et al. [21] proposed a long short-term memory (LSTM)-based intrusion detection system supported by SDN for Internet of Things (IoT) networks. Two datasets focusing on SDN-IoT were utilized to conduct a comprehensive assessment of the performance of deep learning (DL) and machine learning (ML) models. Additionally, an effective multiclass classification scheme for network attacks in IoT networks was developed using an LSTM-based architecture. Upon evaluation, the suggested model achieved 97.1% accuracy in classifying different types of attacks and successfully identifying them.

The study by de Caldas Filho et al. [22] focused on creating a model operating closer to the point of attack to mitigate DDoS assaults on local corporate networks. The model employed network-based intrusion detection techniques, such as host intrusion detection systems (HIDS) to recognize anomalous behavior in IoT devices, and network intrusion detection systems (NIDS) for comprehensive attack identification. Furthermore, to enable accurate and real-time attack detection, a fog computing infrastructure was equipped with a Host Intrusion Detection and Prevention System (HIDPS). By combining federated learning and NIDS, devices could analyze their data locally, aiding in the identification of unusual traffic and enhancing security. This study improved the defenses of IoT networks against malicious traffic and advanced cybersecurity in local network environments. By running the training or detection procedure of the deep learning model in a federated manner, this work demonstrated that the impact of single points of failure (SPOF) can be reduced while lowering the workload of each device, resulting in an accuracy of 89.753%.

The paper by Al-Fawa'reh et al. [23] presented MalBoT-DRL, a powerful deep reinforcement learning malware botnet detector. MalBoT-DRL was engineered to identify botnets at every stage of their existence, providing enhanced generalizability and robust countermeasures against model drift. This model combined an attention rewards mechanism with damped incremental statistics, an approach not previously fully explored in the literature. Due to this integration, MalBoT-DRL was able to dynamically adapt to the ever-changing malware patterns in IoT environments. Utilizing MedBIoT and N-BaIoT, two representative datasets, trace-driven experiments were conducted to validate the performance of MalBoT-DRL. The results demonstrated remarkable average detection rates of 99.80% and 99.40% at the beginning and end of detection, respectively.

The paper by Jmal et al. [24] examined DDoS attacks in detail in the context of SDN and IoT. A review of various methods for mitigation and detection was conducted, incorporating the use of blockchain, SDN, and machine learning models. An all-encompassing, secure IoT system using multiple controllers and SDN was proposed. Blockchain was suggested to guarantee security in distributed SDN-IoT networks, while artificial neural networks (ANN) were proposed to enhance detection and mitigation capabilities.

The paper by Ma et al. [25] merged the concepts of edge computing and distributed computing. Initially, an algorithm for detecting DDoS attacks was proposed, employing the random forest algorithm and heterogeneous integrated feature selection. Then, using the spare processing power of switches, distributed edge parallel computing was made possible by implementing this DDoS attack detection algorithm on SDN edge switches for quick and precise DDoS attack detection. Finally, simulation experiments were conducted using the CIC-DDoS2019 dataset in the SDN environment to evaluate the feasibility and effectiveness of the proposed approach. The experimental results demonstrated that the F-value, accuracy, precision, and recall of this solution were all 99.99% in terms of performance evaluation metrics.

The study by Alosaimi and Almutairi [26] proposed a novel method for promptly and accurately detecting attacks in IoT networks by integrating three-level algorithms with deep learning. The suggested strategy was assessed using the Bot-IoT dataset, and the findings demonstrated appreciable gains in comparison to cutting-edge methods in terms of detection performance. The proposed method has the potential to further strengthen the security of various IoT applications.

The research by Kayyidavazhiyil [27] focused on a deep learning-based detection model. Three main procedures were involved: preprocessing, feature extraction, and classification. Enhanced data normalization was initially performed for preprocessing the input data. Numerous features, including those based on the Tanimoto coefficient and improved differential holoentropy, were extracted from the preprocessed data. An ensemble classification model that combined models such as Bidirectional Gated Recurrent Unit (Bi-GRU), Long Short-Term Memory (LSTM), and Deep Belief Network (DBN) was then built. The ensemble results were generated by summing the outputs of DBN, LSTM, and Bi-GRU. The Self Improved Blue Monkey Optimization (SIBMO) Algorithm was used to train Bi-GRU by selecting appropriate weights, thus enhancing the detection precision. The overall performance of the proposed work was evaluated using different methodologies and compared to existing models. The developed ensemble classifier, when trained at a 90% rate, achieved the highest accuracy (93%) compared to the existing methods.

The aim of the paper by Habibi [28] was to apply an advanced Generative Adversarial Network (GAN) model to the modeling and generation of tabular data in order to surpass all previously stated limitations. The outcomes were encouraging. Following the use of GAN for data augmentation, the MLP demonstrated 98.93% accuracy, an F1-Score of 0.9907, a Geometric-Score of 0.9874, and respective values of 0.9893 and 0.9856 for sensitivity and specificity.

The paper by Woodiss-Field et al. [29] examined experiments involving several standard tools for detecting botnets, such as BotMiner, BotProbe, and BotHunter, in order to assess their effectiveness against IoT-based botnets. Several simulation environments were built using in-house network traffic generation software to test these methods on conventional and IoT networks. The scenarios varied in terms of the overall number of hosts, the number of compromised hosts, the type of botnet command and control (CnC), and the presence of anomalous behavior. Additionally, external datasets were used to validate and enhance the effectiveness of each botnet detection method. Contrary to expectations, the results demonstrated that BotMiner and BotProbe were capable of identifying IoT-based botnets, despite some operationally specific limitations.

Kalakoti et al. [30] aimed to use explainable artificial intelligence (XAI) techniques to select explanations of higher quality, thereby improving the interpretability and transparency of high-performance machine learning models for IoT botnet detection. Three datasets were used to generate binary and multiclass classification models to identify IoT botnets. The feature selection technique employed was sequential backward selection. LIME and SHAP, two post hoc XAI techniques, were subsequently applied to explain the model behavior. Metrics for faithfulness, monotonicity, complexity, and sensitivity were used to evaluate the quality of explanations produced by the XAI techniques. The machine learning models employed in this research yielded very high detection rates with a small set of features. The results demonstrated how effectively XAI techniques enhance the transparency of machine learning models for detecting IoT botnets, making them easier to interpret. In particular, the XGBoost model generated explanations with high faithfulness, low complexity, low sensitivity, and high consistency when LIME and SHAP were applied.

Wardana et al. [31] developed an Intrusion Detection System (IDS) by combining data from different IoT devices. In this study, a deep neural network (DNN) model was created for each heterogeneous IoT device. Subsequently, traffic was predicted using every available training model for each type of IoT device. The ensemble averaging method was then employed to average the prediction outcomes of each training model to obtain the final result. The proposed IDS model was validated using the N-BaIoT dataset. Experimental results showed that the ensemble averaging DNN could identify botnet attacks with a mean F1-score of 88.48, recall of 87.31, accuracy of 97.21, and precision of 91.41 across heterogeneous IoT devices.

The aim of the research by Vajrobol et al. [32] was to create a robust defense against attacks by the Mirai botnet. The best results were achieved with an accuracy score of 97.7% when XGBoost and Long Short-Term Memory (LSTM) were combined. The purpose of this combination was to strengthen cyber defenses against intelligent, dynamic Mirai botnets and enhance digital sphere protection.

The paper by Mumtaz et al. [33] investigated how botnet attacks impact IoT devices and proposed a network-based system for identification and prevention using anomaly- and signature-based techniques. The approach went beyond simple detection and focused on actively preventing bot creation. Preprocessing, a rule-based intrusion detection system, network security monitoring, and analysis were the four main stages of the approach. Security Information and Event Management (SIEM) tools, a distributed system built on Linux, and customized rules were utilized. The effectiveness of custom rules was demonstrated in experimental results using various PCAP files, significantly increasing alert counts for several security-related topics, such as network trojan identification and privacy violations. Notably, the integration of custom rules led to a notable increase in alert counts in the case of the 1.1 GB PCAP file, where the number of network trojans detected increased from 585 to 988, indicating the enhanced effectiveness of rule-based defenses. Significant increases in privacy violation and problematic traffic alerts were also observed, demonstrating the system's increased sensitivity and responsiveness. The summary of related work is shown in Table 1.

Table 1. The summary of the related work.

| Authors (reference) | Methodology | Merits | Demerits |
| --- | --- | --- | --- |
| Chaganti et al. [21] | LSTM-based intrusion detection system with SDN support for IoT networks | Achieved 97.1% accuracy in classifying various types of attacks | Lack of detailed discussion on the limitations or challenges faced during the implementation of the proposed system |
| de Caldas Filho et al. [22] | Model focusing on mitigating DDoS assaults on local networks using HIDS and NIDS | Improved defenses against malicious traffic and cybersecurity in local networks. Demonstrated effectiveness in reducing SPOF. Achieved 89.753% accuracy | May require substantial computational resources due to the implementation of multiple intrusion detection systems (HIDS and NIDS) simultaneously. Potential complexity in managing and maintaining the fog computing infrastructure and HIDPS |
| Al-Fawa'reh et al. [23] | Introduced MalBoT-DRL, a deep reinforcement learning botnet detector | Achieved remarkable detection rates of 99.80% and 99.40%. Dynamically adapted to changing malware patterns. Combined attention rewards mechanism with incremental statistics | May face challenges related to model interpretability due to the complexity of deep reinforcement learning algorithms. Potential computational overhead during the training phase, especially with large datasets |
| Jmal et al. [24] | Proposed a secure IoT system with SDN and blockchain integration | Emphasized security in distributed SDN-IoT networks. Proposed ANN for enhanced detection | Integration of blockchain may introduce overhead in terms of computational resources and network latency. Potential complexity in managing and updating the blockchain network |
| Ma et al. [25] | Developed algorithm for DDoS detection using random forest and edge computing | Achieved F-value, accuracy, precision, and recall of 99.99% | Potential challenges in scaling the edge computing infrastructure for large-scale deployments. Risk of false positives or false negatives in DDoS detection, particularly in dynamic and complex network environments |
| Alosaimi and Almutairi [26] | Integrated three-level algorithms with deep learning for IoT attack detection | Demonstrated improved detection performance compared to existing methods | Potential challenges in integrating and fine-tuning multiple algorithms, leading to increased complexity in the detection system. Risk of overfitting due to the complexity of deep learning models and the limited size of training datasets |
| Kayyidavazhiyil [27] | Ensemble classifier using Bi-GRU, LSTM, and DBN for feature extraction | Achieved highest accuracy of 93% compared to existing methods | May require significant computational resources during training and inference phases, especially with large-scale datasets. Potential challenges in fine-tuning the ensemble model and managing the integration of multiple neural network architectures |
| Habibi [28] | Applied GAN model for data augmentation resulting in high MLP accuracy | Demonstrated high accuracy, F1-Score, and other performance metrics | May face challenges in data augmentation using GANs, including mode collapse and generation of realistic synthetic data. Risk of overfitting when training MLPs on augmented data, especially with limited diversity in the generated samples |
| Woodiss-Field et al. [29] | Assessed effectiveness of BotMiner, BotProbe, and BotHunter in detecting IoT botnets | Demonstrated capability of BotMiner and BotProbe in identifying IoT-based botnets | Limited evaluation of the effectiveness of the detection methods in diverse network environments or against sophisticated botnet attacks. Potential dependence on specific features or characteristics of IoT-based botnets, leading to reduced generalizability |
| Kalakoti et al. [30] | Utilized XAI techniques to improve ML model interpretability for IoT botnet detection | Demonstrated effective enhancement of model transparency | May introduce computational overhead during the explanation process, especially with complex ML models. Risk of producing misleading or inaccurate explanations, affecting the trustworthiness of the detection system |
| Wardana et al. [31] | Developed IDS using ensemble averaging DNNs for identifying botnet attacks in IoT devices | Identified botnet attacks with high F1-score, recall, accuracy, and precision | Potential challenges in training and maintaining multiple DNN models for heterogeneous IoT devices. Risk of over-reliance on ensemble averaging, which may obscure individual model performance or contribute to model bias |
| Vajrobol et al. [32] | Created defense against Mirai botnet using XGBoost and LSTM | Strengthened cybersecurity against Mirai botnet and enhanced digital sphere protection | Potential challenges in integrating and fine-tuning multiple ML models, leading to increased complexity in the detection system. Risk of model bias or overfitting, especially with limited diversity in the training data |
| Mumtaz et al. [33] | Proposed network-based system for botnet detection using anomaly- and signature-based techniques | Demonstrated increased system sensitivity and responsiveness | Potential limitations in scalability, particularly with large-scale networks or high traffic volumes. Risk of false positives or false negatives in botnet detection, especially in dynamic network environments or due to the reliance on signature-based methods |

Research gaps

The cited studies exhibit several research gaps, including inadequate exploration of scalability issues, challenges associated with real-world deployment, and evaluation across diverse network environments. Many studies focus on specific aspects of IoT botnet detection, overlooking comprehensive strategies that integrate multiple detection methods. Additionally, the lack of standardized evaluation metrics hampers comparative analysis. Furthermore, research often fails to adequately address the dynamic nature of IoT environments and emerging threats. Bridging the gap between theoretical advancements and real-world deployment of IoT botnet detection systems requires more extensive testing with real-world datasets and careful consideration of practical implementation challenges.

Materials and methods

Materials

Dataset

As shown in Table 1, the dataset utilized in this study comprises five classes obtained through various IoT device-targeting attacks. These attacks include DDoS, fuzzing, OS fingerprinting, port scanning, and DoS, resulting in a total of six classes when normal instances are included. The percentage share of each class and their size distributions are provided in megabytes [34]. Additional information about the dataset is presented in Tables 2 and 3, followed by descriptions of each attack type:

Table 2. Categorization of datasets and their size and percentage distribution.

| Category | Size (MB) | Share in % |
| --- | --- | --- |
| Normal | 2.67 | 8.84 |
| DoS | 0.49 | 1.67 |
| DDoS | 0.18 | 0.60 |
| Port scanning | 22.44 | 74.23 |
| OS and service detection | 3.39 | 11.20 |
| Fuzzing | 1.05 | 3.48 |

Table 3. The features of the dataset and their description.

| Feature | Description |
| --- | --- |
| srcMAC | Source MAC address |
| Category | Attack category |
| dstMAC | Destination MAC address |
| Attack | 0 for normal traffic, 1 for attack traffic |
| srcIP | Source IP address |
| N_IN_Conn_P_SrcIP | Number of inbound connections per source IP |
| dstIP | Destination IP address |
| N_IN_Conn_P_DstIP | Number of inbound connections per destination IP |
| srcPort | Source port number |
| TnP_PDstIP | Total number of packets per destination IP |
| last_seen | Last time the flow was active |
| TnP_PerProto | Total number of packets per protocol |
| Protocol | Textual representation of transaction protocol |
| TnP_Per_Dport | Total number of packets per destination port (dport) |
| dstPort | Destination port number |
| proto_number | Numerical representation of protocol |
| TnBPSrcIP | Total number of bytes per source IP |
| Mean | Average duration of flows |
| TnBPDstIP | Total number of bytes per destination IP |
| Stddev | Standard deviation of flow durations |
| TnP_PSrcIP | Total number of packets per source IP |
| Dur | Flow duration |
| Dbytes | Destination-to-source byte count |
| Max | Maximum duration of flows |
| Srate | Source-to-destination packets per second |
| Bytes | Total number of bytes matched with flow rules |
| Drate | Destination-to-source packets per second |
| Min | Minimum duration of flows |
| Dpkts | Destination-to-source packet count |
| Pkts | Total number of packets matched with flow rules |
| Spkts | Source-to-destination packet count |
| Sbytes | Source-to-destination byte count |

Denial of Service (DoS): DoS attacks were conducted using Hping3, launched by a malevolent host against the server or an IoT device using spoofed IP addresses and other methods. Spoofed IP addresses increase resource usage because each attack packet triggers the installation of a new flow rule. Various payload sizes (100, 500, and 1000 bytes) and packet transmission rates (6000, 8000, 10,000, and 5000 bytes) were combined.

Distributed DoS (DDoS): DDoS attacks, prevalent in SDN-enabled IoT networks, deplete system resources and reduce system availability. These attacks use the same communication protocols as authorized users to deplete network computational resources, and were generated under the same conditions as the DoS attacks.

Port scanning: Attackers employ Nmap software for port scanning, with a rogue host initiating the attack against IoT devices or servers, scanning all port numbers from 0 to 65,535.

OS fingerprinting: OS fingerprinting attacks also utilize Nmap, scanning for open ports at the beginning of the attack and then launching the attack using these ports, employing one rogue host to target the server.

Fuzzing attacks: The Boofuzz program was used for fuzzing attacks, which probe victim weaknesses with random data until a failure occurs. HTTP- and FTP-based attacks were launched from one compromised host, with randomly generated input fields that respect the expected input format of FTP and HTTP connections. For example, HTTP version details and random request URLs were fuzzed using the CONNECT, OPTIONS, TRACE, PUT, DELETE, and HEAD methods.

Data pre-processing

An initial step in the current study was to analyze and remove inconsistent data that could have caused the learning algorithms to converge more slowly, ensuring that the data fed into the machine learning models is of sufficiently high quality. Two techniques were employed: the removal of lower and upper extreme values, and smoothing by locally weighted linear regression [35].

Eliminating discrepant data

The theory behind the process of removing inconsistent values is that extreme values are often indicative of misinterpreted data. Such outliers commonly stem from issues with data acquisition, malfunctioning sensors, or communication interference. Consequently, erroneous samples can find their way into the dataset, such as zero readings when the machine is idle or readings that exceed the predicted sensor ranges. To prevent these samples from impeding machine learning processes, they are typically eliminated.

In the current study, the limits for each variable were established, and samples falling outside the defined boundaries were replaced with values within the acceptable range. The boundaries were determined using the equation below:

$$Q_{1/4} = \tfrac{1}{4}(n+1) \qquad (1)$$
$$Q_{3/4} = \tfrac{3}{4}(n+1) \qquad (2)$$
$$IQR = Q_{1/4} - Q_{3/4} \qquad (3)$$
$$\text{Downlimit} = Q_{1/4} - K \times IQR \qquad (4)$$
$$\text{Uplimit} = Q_{3/4} + K \times IQR \qquad (5)$$

The variable's acceptable lower limit, the "down limit", is obtained by subtracting the IQR multiplied by the constant $k$ from $Q_{1/4}$. The variable's upper limit, the "up limit", is obtained by adding the IQR multiplied by $k$ to $Q_{3/4}$, where $k$ is the limits' variation constant. The limits are computed for every variable. Data points with values outside the range $[\text{Downlimit}, \text{Uplimit}]$ are substituted with the average.

Data smoothing

Locally weighted scatterplot smoothing (LOWESS/LOESS), introduced by Cleveland, is a nonparametric regression method. Using robust locally weighted regression, a variable can be smoothed: for data $(x_i, y_i)$, $i = 1, \ldots, n$, the fitted value at $x_k$ is obtained by weighted least squares, fitting a polynomial to the data $(x_i, y_i)$ with a weight that is high if $x_i$ is close to $x_k$ and small if it is not. The number of samples $n$ used in every local approximation at $x_k$ is a parameter of the model, and the degree of the polynomial is another. Since the polynomial degree is frequently 1, a linear regression is carried out.
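As an added example (not code from the paper), the following Python implements the IQR-based replacement of Eqs. (1)-(5) and the degree-1 LOWESS described above on constructed samples; replacement by the mean of the in-range samples, linear interpolation between quartile positions, tricube weights, the bisquare robustness step and the sample data are assumptions made here.

```python
"""IQR out-of-range replacement (Eqs. 1-5) followed by LOWESS smoothing.

Added example, not code from the paper. Quartiles are taken at the (n+1)/4
and 3(n+1)/4 positions of the sorted sample with linear interpolation, IQR as
the positive spread between them, and out-of-range samples are replaced by
the mean of the in-range samples (assumption; the paper says "the average").
LOWESS uses a degree-1 local fit with tricube weights and Cleveland's
bisquare robustness step.
"""
import numpy as np


def quartile_at(sorted_vals, position):
    """Value at a 1-based fractional position of an ascending array."""
    n = len(sorted_vals)
    pos = min(max(position, 1.0), float(n))
    lo = int(np.floor(pos))
    hi = min(lo + 1, n)
    frac = pos - lo
    return float(sorted_vals[lo - 1] * (1 - frac) + sorted_vals[hi - 1] * frac)


def iqr_limits(values, k=1.5):
    """(Downlimit, Uplimit) for one variable, Eqs. (1)-(5) with constant k."""
    s = np.sort(np.asarray(values, dtype=float))
    n = len(s)
    q14 = quartile_at(s, (n + 1) / 4.0)        # Eq. (1)
    q34 = quartile_at(s, 3 * (n + 1) / 4.0)    # Eq. (2)
    iqr = q34 - q14                            # Eq. (3), positive spread
    return q14 - k * iqr, q34 + k * iqr        # Eqs. (4), (5)


def replace_discrepant(values, k=1.5):
    """Replace samples outside [Downlimit, Uplimit] with the in-range mean."""
    v = np.asarray(values, dtype=float)
    down, up = iqr_limits(v, k)
    inside = (v >= down) & (v <= up)
    out = v.copy()
    out[~inside] = v[inside].mean()
    return out


def lowess(x, y, frac=0.4, robust_iters=1):
    """Locally weighted linear regression: fitted value at every x[k]."""
    x = np.asarray(x, dtype=float)
    y = np.asarray(y, dtype=float)
    n = len(x)
    m = max(2, int(np.ceil(frac * n)))          # samples per local approximation
    A = np.vstack([np.ones(n), x]).T            # design matrix for y = b0 + b1*x
    robust_w = np.ones(n)
    fitted = np.zeros(n)
    scale = float(np.max(np.abs(y))) or 1.0
    for _ in range(robust_iters + 1):
        for k in range(n):
            d = np.abs(x - x[k])
            h = np.sort(d)[m - 1] or 1.0        # bandwidth: distance to m-th nearest sample
            w = np.clip(1 - (d / h) ** 3, 0, 1) ** 3 * robust_w   # tricube weights
            lhs = A.T @ (A * w[:, None])        # A^T W A
            rhs = A.T @ (w * y)                 # A^T W y
            b0, b1 = np.linalg.lstsq(lhs, rhs, rcond=None)[0]
            fitted[k] = b0 + b1 * x[k]
        resid = y - fitted
        s = float(np.median(np.abs(resid)))
        if s > 1e-9 * scale:                    # bisquare down-weighting of large residuals
            robust_w = np.clip(1 - (resid / (6 * s)) ** 2, 0, 1) ** 2
    return fitted


# Constructed sample of one flow feature (e.g. Spkts) with two discrepant readings.
SAMPLE_SPKTS = [10, 12, 11, 13, 12, 11, 10, 14, 12, 11, 500, 0]
# Constructed series: a clean linear trend with a single spike at index 10.
SAMPLE_X = np.arange(20, dtype=float)
SAMPLE_Y = 2 * SAMPLE_X + 1
SAMPLE_Y[10] += 50

if __name__ == "__main__":
    print("limits:", iqr_limits(SAMPLE_SPKTS))
    print("cleaned:", replace_discrepant(SAMPLE_SPKTS))
    print("smoothed spike:", lowess(SAMPLE_X, SAMPLE_Y)[10], "raw:", SAMPLE_Y[10])
```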

Methods

ZOA for hyper parameter tuning

This section introduces and mathematically describes the nature-inspired optimisation technique (ZOA) that is applied to choose the best features.

  1. Idea and Concept

Equine species indigenous to eastern and southern Africa are called zebras. These animals are widely recognized for their distinctive stripes of black and white fur. The stripes on zebras' bodies and necks, usually arranged vertically, serve two functions: they camouflage the animals from potential predators and deter biting flies from feeding on them. The conditions and corresponding specifications for zebras are as follows: their bodies range in length from 2.1 to 3 m, their tails from 0.41 to 0.81 m, the height of their shoulders from 1.1 to 1.6 m, and they weigh between 175 and 450 kg. Despite their large size and weight, zebras can sprint quickly, when necessary, thanks to their remarkably long and slender legs. Zebras, being related to rambunctious equids, have long necks, only one toe on each foot, and a head shape that facilitates grazing on grass from the ground36.

Foraging and defending against attackers are two behaviors crucial to zebras' social lives in the wild. The zebra leader guides the rest of the pack in their search for food, enabling them to approach food sources more efficiently. Consequently, the pack follows the lead of this pioneering zebra as the herd migrates across the savanna37.

The zigzag pattern that zebras use to flee serves as their first line of defense against predators. However, on rare occasions, they may group together in an attempt to intimidate or confuse the predator. The two aforementioned clever behavioral patterns of zebras serve as a major inspiration for the proposed ZOA architecture's mathematical models.

  2. Initialization

Zebras are a key component of the population utilized in the population-based ZOA approach. From a mathematical perspective, each zebra represents a potential solution to the problem, and the habitat of zebras serves as a representation of the search space for the problem.

The position of each zebra in the search space determines the values of the decision variables. Consequently, each zebra, as a distinct member of the zebra optimizer, can be represented by a vector whose elements are the values of these variables, i.e., a candidate solution to the problem. The population of zebras can be represented mathematically by a matrix. The initial locations of the zebras within the search space are chosen completely at random. The ZOA population matrix is defined in Eq. (6).

$$P = \begin{bmatrix} P_1 \\ \vdots \\ P_i \\ \vdots \\ P_N \end{bmatrix}_{N \times m} = \begin{bmatrix} p_{1,1} & \cdots & p_{1,j} & \cdots & p_{1,m} \\ \vdots & & \vdots & & \vdots \\ p_{i,1} & \cdots & p_{i,j} & \cdots & p_{i,m} \\ \vdots & & \vdots & & \vdots \\ p_{N,1} & \cdots & p_{N,j} & \cdots & p_{N,m} \end{bmatrix}_{N \times m} \qquad (6)$$

wherein $P$ represents the zebra population, $P_i$ the $i$th zebra candidate, $p_{i,j}$ the $j$th problem variable proposed by the $i$th zebra candidate, $N$ the quantity of variables that need to be adjusted, and $m$ the number of search agents. Every zebra represents a possible solution to the optimisation problem, so the fitness function can be evaluated by comparing the solutions recommended by each zebra. The fitness function values are described by Eq. (7).

$$F = \begin{bmatrix} F_1 \\ \vdots \\ F_i \\ \vdots \\ F_N \end{bmatrix}_{N \times 1} = \begin{bmatrix} F(P_1) \\ \vdots \\ F(P_i) \\ \vdots \\ F(P_N) \end{bmatrix}_{N \times 1} \qquad (7)$$

where $F$ is a column vector holding the fitness function values and $F_i$ is the fitness function value of the $i$th zebra. The quality of the candidate solutions for the problem at hand is assessed through the fitness function, which determines which candidate solution is the best. For minimization problems, the zebra with the lowest fitness function value is the best candidate. Since the zebras' positions, and consequently the fitness function values, change at every iteration, the optimal solution must be determined anew each time.

Two of the zebras' natural behaviours have been used to keep members of the zebra optimizer current throughout each process iteration. These pursuits are:

  i. Foraging activity.

  ii. Defensive strategies against predators.

  3. Stage I: Foraging activity

In the first stage, individuals in the population are updated by applying models of zebra foraging behaviour. Zebras mostly eat grasses and sedges, but they will also eat buds, fruits, bark, roots, and leaves when these resources are in short supply. Depending on the type and amount of vegetation, zebras spend between sixty and eighty percent of their time feeding. The plains zebra acts as a pioneer grazer, clearing the canopy of taller, less nutrient-dense grasses for animals that require shorter, more nutrient-dense grasses. In the zebra optimizer, the best member of the population is referred to as the "zebra leader", and it guides the other members of the population towards its position in the search space. The location updates of the zebras during foraging are simulated using Eqs. (8) and (9).

$$p_{i,j}^{new,S1} = p_{i,j} + r \cdot \left(ZL_j - I \cdot p_{i,j}\right) \qquad (8)$$
$$P_i = \begin{cases} P_i^{new,S1}, & F_i^{new,S1} < F_i \\ P_i, & \text{else} \end{cases} \qquad (9)$$

where $P_i^{new,S1}$ is the $i$th zebra's updated position from the first stage, $p_{i,j}^{new,S1}$ its $j$th dimension value and $F_i^{new,S1}$ its fitness value; $ZL$ is the zebra leader (the best individual) and $ZL_j$ its $j$th dimension; $r$ is a random value between 0 and 1; and $I = \text{round}(1 + \text{rand})$, where rand is a random number in $[0, 1]$. Therefore, $I$ takes the value 1 or 2; when it is 2, the changes in population movement are noticeably larger.

  4. Stage II: Anti-predators' defensive techniques

At this point, the positions of the ZOA population members in the search space are updated by mimicking the zebras' defensive strategies against attackers. Lions can be considered the main predators of zebras; as zebras approach water, they also run the risk of becoming crocodile prey. Zebras defend themselves differently against different kinds of predators. When a lion attacks, a zebra's best defence is to run away at full speed, with abrupt turns and in a zigzag pattern. Against ambushes by solitary small predators, such as hyenas and wild dogs, which confuse and frighten their prey, zebras become more aggressive. Each of the two strategies described below is assumed to occur with equal probability within the ZOA framework.

Exploitation (defensive technique against lion)

This strategy lets zebras escape their current location when attacked by lions so that they stay out of harm's way and the lions cannot devour them. This method is represented mathematically by Eq. (10).

$$p_{i,j}^{new,S2} = p_{i,j} + R \cdot (2r - 1) \cdot \left(1 - \frac{t}{T}\right) \cdot p_{i,j}, \quad P_S \le 0.5 \qquad (10)$$

where $p_{i,j}^{new,S2}$ is the $j$th dimension value of the $i$th zebra in the second stage, $t$ the current iteration, $T$ the maximum number of iterations, $R$ a fixed constant equal to 0.01, and $P_S$ the probability of choosing this strategy, which is drawn at random from the range 0 to 1.

Exploration (defensive techniques against other predators)

When a hungry predator attacks one of the zebras in the group, the others approach it and try to form a defensive barrier to frighten and confuse the attacker. Equation (11) is the mathematical representation of this zebra technique. After the positions are updated, a zebra's new location is accepted if it improves the value of the fitness function; this updating criterion is given by Eq. (12).

$$p_{i,j}^{new,S2} = p_{i,j} + r \cdot \left(AZ_j - I \cdot p_{i,j}\right), \quad P_S > 0.5 \qquad (11)$$
$$P_i = \begin{cases} P_i^{new,S2}, & F_i^{new,S2} < F_i \\ P_i, & \text{else} \end{cases} \qquad (12)$$

where $P_i^{new,S2}$ represents the $i$th zebra's updated position for the second stage, $F_i^{new,S2}$ the value of its fitness function, $AZ$ the position of the zebra that was attacked, and $AZ_j$ its $j$th dimension value. The ZOA's pseudocode is given in Algorithm 1.
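An added Python implementation of the ZOA update rules of Eqs. (6)-(12), not the paper's code; the sphere objective (standing in for a feature-subset fitness), the bounds, the population and iteration counts, and the random choice of the attacked zebra AZ are assumptions made here.

```python
"""Zebra Optimization Algorithm (Eqs. 6-12) as a generic minimiser.

Added example, not the paper's code. The objective, bounds, population size,
iteration count and the random choice of the attacked zebra are assumptions.
"""
import numpy as np


def zoa_minimize(fitness, lower, upper, n_zebras=20, iters=100, seed=0):
    """Return (best_position, best_fitness, history of the best fitness per iteration)."""
    rng = np.random.default_rng(seed)
    lower = np.asarray(lower, dtype=float)
    upper = np.asarray(upper, dtype=float)
    m = len(lower)                                   # problem variables per zebra
    # Eq. (6): random initial population P, one row per zebra; Eq. (7): fitness vector F.
    P = lower + rng.random((n_zebras, m)) * (upper - lower)
    F = np.array([fitness(p) for p in P])
    history = []
    for t in range(1, iters + 1):
        ZL = P[np.argmin(F)].copy()                  # zebra leader: best current member
        # Stage I, foraging (Eqs. 8-9): move towards the leader, keep only improvements.
        for i in range(n_zebras):
            r = rng.random(m)                        # r in [0, 1] per dimension
            I = round(1 + rng.random())              # I = round(1 + rand): 1 or 2
            cand = np.clip(P[i] + r * (ZL - I * P[i]), lower, upper)
            f = fitness(cand)
            if f < F[i]:
                P[i], F[i] = cand, f
        # Stage II, defence (Eqs. 10-12): Ps selects lion escape or group defence.
        for i in range(n_zebras):
            Ps = rng.random()
            if Ps <= 0.5:                            # Eq. (10), exploitation, R = 0.01
                r = rng.random(m)
                cand = P[i] + 0.01 * (2 * r - 1) * (1 - t / iters) * P[i]
            else:                                    # Eq. (11), exploration around AZ
                AZ = P[rng.integers(n_zebras)]       # attacked zebra: random member (assumption)
                r = rng.random(m)
                I = round(1 + rng.random())
                cand = P[i] + r * (AZ - I * P[i])
            cand = np.clip(cand, lower, upper)       # stay inside the search space
            f = fitness(cand)
            if f < F[i]:                             # Eq. (12): greedy acceptance
                P[i], F[i] = cand, f
        history.append(float(F.min()))
    best = int(np.argmin(F))
    return P[best].copy(), float(F[best]), history


def sphere(p):
    """Stand-in objective with its minimum 0 at the origin."""
    return float(np.sum(p ** 2))


if __name__ == "__main__":
    pos, val, hist = zoa_minimize(sphere, [-5, -5], [5, 5])
    print("best position", pos, "fitness", val, "after", len(hist), "iterations")
```

For feature selection, the position vector would be thresholded into a feature mask and the fitness would be a classifier's error on the selected features.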

Algorithm 1. ZOA pseudocode.

Proposed methodology

Figure 1 shows the proposed workflow of the IoT BotNet detection.

Figure 1. Block diagram.

DGAN classification

Analysis of GAN Models

The complex relationships between nodes in stock market network data require sophisticated techniques for efficient fraud identification in the world of stocks. Recognizing the intricate structure of IoT BotNets requires an understanding of and the ability to capture node information within the data. Graph Neural Networks (GNNs) prove to be a useful tool for this purpose due to their remarkable ability to record node associations and represent intricate relationships found in IoT BotNets. Graph Convolutional Neural Networks (GCNs) and Generative Adversarial Networks (GANs) are examples of interesting GNN models.

GCNs are designed to handle graph data, i.e., the relationships between nodes, more accurately because they are based on convolutional operations. The fundamental concept of GCNs is the propagation of information along the graph structure, which lets each node acquire and integrate data from its neighboring nodes. Every node in a GCN aggregates information from its neighbors with learned weights, preserving the important details of its relationships with neighboring nodes.

Nodes propagate information layer by layer: after compiling the data of their neighbors, they share their feature information with neighboring nodes. At each layer, graph convolution operations take the contributions of neighboring nodes into account and the nodes update their feature representations. Since graph-based information propagation lets GCNs capture nonlinear relationships and interactions between nodes in complex networks, they can model IoT BotNets effectively.

Let the IoT BotNet information graph be $G = (V, E)$, with $N$ vertices $v_i \in V$, an edge set containing $e_{ij} = (v_i, v_j) \in E$, and edge weights $w_{ij}$. First, the vertex features $X = \{x_i\}_{i=1}^{N_v}$ are extracted, where $x_i$ is the feature vector of the $i$th vertex $v_i$. These features are then fed into the GCN. For the IoT BotNet graph, $x_i$ is given by Eq. (13):

$$x_i = \text{concat}\left(MAB(v_i), MAB(v_i)\right) \qquad (13)$$

Equation (14) describes the GCN.

$$H^{(l+1)} = \sigma\left(\bar{D}^{-\frac{1}{2}} \bar{A} \bar{D}^{-\frac{1}{2}} H^{(l)} W^{(l)}\right) \qquad (14)$$

In Eq. (14), $H^{(l)}$ represents the $l$-th hidden layer; $\bar{A} = I_N + A$ is the adjacency matrix of the interaction graph with self-connections, where $I_N$ is the identity matrix; $\bar{D}_{ii} = \sum_j \bar{A}_{ij}$ is the degree matrix, holding the interaction graph's in- and out-degree coefficients for every vertex; $W^{(l)}$ is the network's learnable parameter matrix; and $\sigma$ is the activation function (ReLU). The GAN accomplishes feature propagation and aggregation using attention weights that are learned adaptively between every node and the nodes surrounding it.

Traditionally, the input and output of a GAN's graph attention layer are specified by Eqs. (15) and (16):

$$h_{In} = \{h_1, h_2, \ldots, h_n\}, \quad h \in \mathbb{R}^{n \times InD} \qquad (15)$$
$$h_{Out} = \{h_1, h_2, \ldots, h_n\}, \quad h \in \mathbb{R}^{n \times OutD} \qquad (16)$$

Here, $n$ is the total number of vertices in the data graph, and $InD$ and $OutD$ are the feature dimensions of the input and output vertices, respectively.

The weight $e_{qu}$ of a target node $q$ with respect to each of its neighboring nodes $u \in N(q)$ is computed with a feed-forward neural network, in accordance with Eq. (17):

$$e_{qu} = a\left(W h_q \,\|\, W h_u\right), \quad u \in N(q) \qquad (17)$$

In Eq. (17), $\|$ denotes vector concatenation (splicing), $W$ is the mapping function, $a(\cdot)$ is the learnable parameter matrix, and $h_u$ and $h_q$ are the feature vectors. Equation (18) defines the softmax activation function used to normalise the neighbourhood weight $\alpha_{qu}$ after the GAN has obtained the weights of the neighbouring nodes:

$$\alpha_{qu} = \text{softmax}(e_{qu}) = \frac{\exp\left(\text{LeakyReLU}(e_{qu})\right)}{\sum_{k \in N(q)} \exp\left(\text{LeakyReLU}(e_{qk})\right)} \qquad (18)$$

After the GAN has calculated the weight distribution $\alpha_{qu}$ over every neighbouring node of node $q$, the weighted sum of their features is computed, and the feature vector $h_q$ of node $q$ is updated as Eq. (19) shows:

$$h_q = \sigma\left(\sum_{u \in N(q)} \alpha_{qu} W h_u\right) \qquad (19)$$

Furthermore, the GAN uses $K$ independent attention heads to model node relationships in different subspaces. The updated feature vector $h_q$ of node $q$ is then given by Eq. (20):

$$h_q = \Big\Vert_{k=1}^{K} \sigma\left(\sum_{u \in N(q)} \alpha_{qu}^{k} W^{k} h_u\right) \qquad (20)$$

Multi-head attention, which concatenates the features produced by each head, gives a more thorough representation of the graph's node features. In the GAN's final layer (the prediction layer), the results of the multiple attention heads are averaged instead, as Eq. (21) shows:

$$z_q = \sigma\left(\frac{1}{K} \sum_{k=1}^{K} \sum_{u \in N(q)} \alpha_{qu}^{k} W^{k} h_u\right) \qquad (21)$$

The procedure for updating a node's features within a GAN is as follows. Step 1: determine the "similarity" weights between the features of the target node and those of its neighbouring nodes using a learnable function, then normalise the results with an activation function to obtain the weight distribution over the neighbouring nodes. Step 2: weight and sum the feature vectors of the neighbouring nodes to create an integrated feature vector. Step 3: combine the feature vector of the target node with this integrated feature vector. Step 4: apply a non-linear transformation to update the features of the target node.
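As an added example (not the paper's code), the following NumPy graph attention layer implements Eqs. (17)-(21) over a small device-communication graph built from constructed flow records; the flows, the per-device features, the LeakyReLU slope, tanh as $\sigma$ and the random weight initialisation are assumptions made here.

```python
"""Graph attention layer (Eqs. 17-21) over an IoT device-communication graph.

Added example, not the paper's code. Flow records, per-device features,
LeakyReLU slope 0.2, tanh as sigma and the weight initialisation are constructed
here for illustration.
"""
import numpy as np


def leaky_relu(x, slope=0.2):
    return np.where(x > 0, x, slope * x)


def build_adjacency(flows, n_nodes):
    """Undirected adjacency with self-loops from (src, dst) pairs: u in N(q) iff A[q, u]."""
    A = np.eye(n_nodes, dtype=bool)
    for src, dst in flows:
        A[src, dst] = A[dst, src] = True
    return A


def attention_head(H, A, W, a):
    """One head. Returns (alpha, agg): alpha[q, u] is Eq. (18), agg[q] = sum_u alpha_qu W h_u."""
    WH = H @ W                                   # W h_u for every node u
    out_d = WH.shape[1]
    # Eq. (17): e_qu = a^T [W h_q || W h_u] splits into a_q . W h_q + a_u . W h_u
    e = (WH @ a[:out_d])[:, None] + (WH @ a[out_d:])[None, :]
    e = leaky_relu(e)
    e = np.where(A, e, -np.inf)                  # keep only neighbours u in N(q)
    e = e - e.max(axis=1, keepdims=True)         # numerically stable softmax
    alpha = np.exp(e)
    alpha /= alpha.sum(axis=1, keepdims=True)    # Eq. (18)
    return alpha, alpha @ WH                     # inner sum of Eq. (19)


def gat_layer(H, A, Ws, As, prediction_layer=False, sigma=np.tanh):
    """K heads: concatenation (Eq. 20) for hidden layers, mean (Eq. 21) for the prediction layer."""
    aggs = [attention_head(H, A, W, a)[1] for W, a in zip(Ws, As)]
    if prediction_layer:
        return sigma(np.mean(aggs, axis=0))                      # Eq. (21)
    return np.concatenate([sigma(g) for g in aggs], axis=1)      # Eq. (20)


def init_heads(in_d, out_d, heads, seed=0):
    """Random W^k (in_d x out_d) and a^k (length 2*out_d) per head, Glorot-style scale."""
    rng = np.random.default_rng(seed)
    scale = np.sqrt(2.0 / (in_d + out_d))
    Ws = [rng.normal(0, scale, (in_d, out_d)) for _ in range(heads)]
    As = [rng.normal(0, scale, 2 * out_d) for _ in range(heads)]
    return Ws, As


# Constructed flows between six IoT devices (node ids 0-5); device 5 never communicates.
SAMPLE_FLOWS = [(0, 1), (2, 1), (3, 1), (3, 4), (4, 1)]
# Constructed per-device features: [outgoing packets, incoming packets, distinct peers], scaled.
SAMPLE_H = np.array([[0.1, 0.1, 0.1],
                     [0.9, 0.9, 0.8],
                     [0.2, 0.1, 0.1],
                     [0.7, 0.2, 0.4],
                     [0.4, 0.3, 0.3],
                     [0.0, 0.0, 0.0]])


def run_demo():
    """Two-layer GAT: hidden layer with 2 heads of width 4, prediction layer with 2 heads of width 2."""
    A = build_adjacency(SAMPLE_FLOWS, SAMPLE_H.shape[0])
    Ws1, As1 = init_heads(3, 4, heads=2, seed=1)
    hidden = gat_layer(SAMPLE_H, A, Ws1, As1)
    Ws2, As2 = init_heads(hidden.shape[1], 2, heads=2, seed=2)
    out = gat_layer(hidden, A, Ws2, As2, prediction_layer=True)
    return A, hidden, out


if __name__ == "__main__":
    A, hidden, out = run_demo()
    print("hidden shape", hidden.shape, "prediction shape", out.shape)
```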

A graph attention mechanism reduces the noise and redundancy in the fraud data of the financial-domain network, so the mechanism can represent the semantic relationships between nodes and features more accurately. The Dual-channel Graph Attention Network (DGAN) module is designed by combining the simultaneous attention of the GAN's semantic channel and node channel. By eliminating irrelevant data, this algorithm sharpens the model's focus on the important features and raises the model's sensitivity and accuracy with respect to the data features.

Optimization of features using the STOA algorithm

The sooty tern optimisation algorithm (STOA) was employed to aid in the process of feature optimisation, as described below38. Its main purpose is to help improve diagnosis accuracy by classifying cancerous nodules according to their best features. To apply STOA to feature optimisation, its attack and migration phases, which correspond to exploitation and exploration respectively, are used. Algorithm 2 gives STOA's feature optimisation procedure.

Migration (exploration)

When migrating, a sooty tern (ST) must satisfy the following requirements.

Collision evasion: $M_{SA}$ defines the newly created position of a search agent (SA), chosen to prevent collisions between nearby SAs (STs).

$$C_{STL} = M_{SA} \times P_{STL} \qquad (22)$$

where $C_{STL}$ is the SA's position that does not collide with other SAs, $P_{STL}$ is the SA's current position, and $M_{SA}$ is the SA's movement in the given search space.

$$M_{SA} = C_{fac} - i \times \frac{C_{fac}}{MaxIter} \qquad (23)$$

where $i$ is the present iteration, $i = 0, 1, 2, \ldots, MaxIter$, and $C_{fac}$ is the controlling factor (set to 2); $M_{SA}$ thus decreases linearly from $C_{fac}$ to 0.

Converge towards the best neighbour: after collision avoidance, the SAs move along the direction of the most advantageous neighbour.

$$M_{STL} = C_{Best} \times \left(P_{BSTL}(i) - P_{STL}(i)\right) \qquad (24)$$

where $M_{STL}$ denotes the movement of the SA at position $P_{STL}$ towards the best (fittest) SA $P_{BSTL}$, and $C_{Best}$ is a random variable used to enhance exploration.

$$C_{Best} = 0.5 \times Ran \qquad (25)$$

where $Ran$ is a random number in the range $[0, 1]$.

Update conforming to the best SA: lastly, the SA (ST) updates its position in accordance with the best SA.

$$G_{STL} = C_{STL} + M_{STL} \qquad (26)$$

where $G_{STL}$ is the gap between the SA and the fittest SA.

Attacking (exploitation)

STs adjust their angle of attack and velocity as they migrate. They use their wings to increase their altitude. When they strike their prey, they fly in spirals.

$$X = Rad \times \sin(a) \qquad (27)$$
$$Y = Rad \times \cos(a) \qquad (28)$$
$$Z = Rad \times a \qquad (29)$$
$$r = u \times e^{kv} \qquad (30)$$

where $Rad$ is the radius of every turn of the spiral, $a$ is a variable in the range $0 \le k \le 2\pi$, $u$ and $v$ are constants defining the shape of the spiral, both assumed to be 1, and $e$ is the base of the natural logarithm.

The updated location of the SA is obtained using Eqs. (27)–(30) as follows.

$$P_{STL}(i) = G_{STL} \times (X + Y + Z) \times P_{BSTL}(i) \qquad (31)$$

where $P_{STL}(i)$ updates the positions of the other SAs while preserving the optimal solution.
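An added Python implementation of the STOA update rules of Eqs. (22)-(31), not the paper's code, used here to tune two hyperparameters on a constructed loss surface; the objective, the bounds, $u = v = 1$, the agent and iteration counts and the tracking of the best-so-far agent as $P_{BSTL}$ are assumptions made here.

```python
"""Sooty Tern Optimization Algorithm (Eqs. 22-31) used as a hyperparameter tuner.

Added example, not the paper's code. The objective is a constructed smooth
stand-in for a validation-loss surface over (log10 learning rate, dropout);
bounds, agent count, iteration count, u = v = 1 and keeping the best-so-far
agent as P_BSTL are assumptions.
"""
import numpy as np


def stoa_minimize(fitness, lower, upper, n_agents=20, max_iter=100, seed=0,
                  cfac=2.0, u=1.0, v=1.0):
    """Return (best_position, best_fitness, best-fitness history per iteration)."""
    rng = np.random.default_rng(seed)
    lower = np.asarray(lower, dtype=float)
    upper = np.asarray(upper, dtype=float)
    dim = len(lower)
    P = lower + rng.random((n_agents, dim)) * (upper - lower)   # current positions P_STL
    F = np.array([fitness(p) for p in P])
    b = int(np.argmin(F))
    P_best, F_best = P[b].copy(), float(F[b])                    # fittest agent P_BSTL
    history = []
    for i in range(max_iter):
        M_sa = cfac - i * (cfac / max_iter)                      # Eq. (23): decays linearly to 0
        for s in range(n_agents):
            # Migration (exploration), Eqs. (22)-(26)
            C_stl = M_sa * P[s]                                  # Eq. (22): collision-free position
            C_best = 0.5 * rng.random()                          # Eq. (25)
            M_stl = C_best * (P_best - P[s])                     # Eq. (24): move towards the best
            G_stl = C_stl + M_stl                                # Eq. (26): gap to the fittest agent
            # Attacking (exploitation), Eqs. (27)-(31): spiral flight around the prey
            k = rng.random() * 2 * np.pi                         # angle in [0, 2*pi]
            rad = u * np.exp(k * v)                              # Eq. (30): spiral radius
            x, y, z = rad * np.sin(k), rad * np.cos(k), rad * k  # Eqs. (27)-(29)
            cand = np.clip(G_stl * (x + y + z) * P_best, lower, upper)   # Eq. (31), kept in bounds
            f = fitness(cand)
            P[s], F[s] = cand, f
            if f < F_best:                                       # retain the optimal solution
                P_best, F_best = cand.copy(), float(f)
        history.append(F_best)
    return P_best, F_best, history


def validation_loss(hp):
    """Constructed stand-in: lowest loss at log10(lr) = -3 and dropout = 0.3."""
    log_lr, dropout = hp
    return float((log_lr + 3.0) ** 2 + 4.0 * (dropout - 0.3) ** 2)


LOWER = [-5.0, 0.0]     # log10 learning rate, dropout
UPPER = [-1.0, 0.6]

if __name__ == "__main__":
    hp, loss, hist = stoa_minimize(validation_loss, LOWER, UPPER)
    print("best hyperparameters", hp, "loss", loss)
```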

Algorithm 2. STOA.

Ethics approval

The submitted work is original and has not been published elsewhere in any form or language.

Results and discussion

Experimental setup

With identical hardware and software configurations, every model was trained, verified, and tested. An Intel Core 10th generation i9-10900K processor, 64 GB DDR4 RAM, and an NVIDIA RTX 2070 GPU (8 GB dedicated memory) were used in a workstation running Windows 10 Pro in Redmond, Washington, USA. This study utilized Python 3.8.3, Wilmington, DE, USA; CUDA Toolkit 11.0, Santa Clara, CA, USA; cuDNN v8.2.0, Santa Clara, CA, USA; and Keras with TensorFlow 2.4.1, Santa Clara, CA, USA, operating at the backend.

Performance metrics

The degree of acceptance the proposed work receives serves as a barometer for its success.

$$\text{Accuracy (ACC)} = \frac{\text{No. of correct expressions}}{\text{Total no. of images}} \times 100 \qquad (32)$$
$$\text{Precision (PR)} = \frac{TP}{TP + FP} \times 100 \qquad (33)$$
$$\text{F1-score (F1)} = \frac{2 \times \text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \times 100 \qquad (34)$$
$$\text{Recall (RC)} = \frac{TP}{TP + FN} \times 100 \qquad (35)$$
$$\text{Specificity (SP)} = \frac{TN}{TN + FP} \times 100 \qquad (36)$$

Feature selection validation

Table 4 provides the feature selection validation using various optimization models with the proposed ZOA optimization model.

Table 4. Feature selection analysis using various optimization models.

Models ACC PR RC F1
Ant colony optimization (ACO) 91.68 92.13 93.15 92.23
Harmony search algorithm (HSA) 94.55 93.24 95.47 93.34
Firefly algorithm (FA) 96.36 94.57 96.33 95.26
Grey wolf optimizer (GWO) 97.64 96.68 97.65 97.61
Zebra optimization (ZOA) 99.62 99.57 99.34 99.15

Table 4 and Fig. 2 present the evaluation of various feature extraction models for classification tasks. The Ant Colony Optimization (ACO) model achieved an accuracy (ACC) of 91.68%, with precision (PR), recall (RC), and F1-score values of 92.13%, 93.15%, and 92.23% respectively. The Harmony Search Algorithm (HSA) exhibited improved performance with an ACC of 94.55% and corresponding PR, RC, and F1-score values of 93.24%, 95.47%, and 93.34% respectively. The Firefly Algorithm (FA) further enhanced classification accuracy, yielding an ACC of 96.36% with PR, RC, and F1-score values of 94.57%, 96.33%, and 95.26% respectively. The Grey Wolf Optimizer (GWO) demonstrated even greater accuracy with an ACC of 97.64% and corresponding PR, RC, and F1-score values of 96.68%, 97.65%, and 97.61% respectively. Notably, the Zebra Optimization (ZOA) model displayed exceptional performance, achieving the highest ACC of 99.62% along with PR, RC, and F1-score values of 99.57%, 99.34%, and 99.15% respectively. These results highlight the efficacy of various optimization techniques, with ZOA standing out as particularly proficient. The existing optimization models converge too easily, which reduces the accuracy of their results.

Figure 2. Graphical analysis of feature selection models.

Classification

Table 5 provides the validation of the attack types (Normal, DoS, DDoS, Port Scanning, OS and service detection, and Fuzzing) using the proposed DGAN model.

Table 5. Types of attacks validation using proposed DGAN model.

Classes Accuracy Precision Recall F1
Normal 99.24 99.56 99.13 99.56
DoS 99.44 97.22 97.99 99.45
DDoS 99.87 99.86 99.67 99.44
Port scanning 99.11 99.89 99.22 99.32
OS and service detection 99.62 99.57 99.34 99.62
Fuzzing 99.56 98.96 98.76 98.92

The proposed Dual-channel Graph Attention Network (DGAN) model was validated in Table 5 and Fig. 3 for its effectiveness in classifying various types of attacks in a network environment. Across different attack classes, the DGAN model demonstrated high accuracy, precision, recall, and F1-score values.

Figure 3. Types of attacks validation.

For normal network traffic, the model achieved an accuracy of 99.24%, with precision and recall values of 99.56% and 99.13%, respectively, resulting in an F1-score of 99.56%. Similarly, for Denial of Service (DoS) attacks, the model attained an accuracy of 99.44%, with precision, recall, and F1-score values of 97.22%, 97.99%, and 99.45%, respectively.

For Distributed Denial of Service (DDoS) attacks, the model exhibited exceptional performance with an accuracy of 99.87% and precision, recall, and F1-score values of 99.86%, 99.67%, and 99.44%, respectively. Additionally, the model demonstrated high accuracy and precision in classifying Port Scanning, OS and Service Detection, and Fuzzing attacks, highlighting its robustness in identifying various types of network intrusions.

Tables 6 and 7 present the validation of various classification models with 70–30 and 80–20 train–test ratios, respectively. The existing techniques, such as ANN24, DBN27, GAN28 and RNN, are taken from the literature review, where they were evaluated on different datasets such as CIC-DDoS2019 and TON-IoT. Here, however, these techniques are implemented on the dataset considered in this work and the results are averaged.

Table 6. Classification analysis of 70–30 ratio.

Models Accuracy Precision Recall Specificity F1
DBN 89.61 89.14 89.15 89.32 89.21
ANN 90.53 91.02 90.44 90.12 90.32
RNN 91.34 92.23 91.33 91.44 91.12
GAN 92.65 92.35 92.34 92.16 92.23
Proposed DGAN model 93.57 93.47 93.21 93.23 92.98

Table 7. Classification analysis of 80–20 ratio.

Models Accuracy Precision Recall Specificity F1
DBN 91.60 92.14 93.15 91.33 92.23
ANN 94.52 93.25 95.47 93.55 93.34
RNN 96.33 94.58 96.33 95.62 95.26
GAN 97.64 96.68 97.65 97.56 97.61
Proposed DGAN model 99.87 99.86 98.22 98.45 98.56

Table 6 and Fig. 4 present the classification analysis results based on a 70–30 ratio for various models. The Deep Belief Network (DBN) achieved an accuracy of 89.61%, with corresponding precision, recall, specificity, and F1-score values of 89.14%, 89.15%, 89.32%, and 89.21%, respectively. The Artificial Neural Network (ANN) exhibited slightly improved performance with an accuracy of 90.53% and precision, recall, specificity, and F1-score values of 91.02%, 90.44%, 90.12%, and 90.32%, respectively.

Figure 4. Graphical validation of 70–30 ratio.

The Recurrent Neural Network (RNN) further enhanced classification accuracy, reaching 91.34%, with precision, recall, specificity, and F1-score values of 92.23%, 91.33%, 91.44%, and 91.12%, respectively. The performance improved significantly with the Graph Attention Network (GAN), achieving an accuracy of 92.65%, along with precision, recall, specificity, and F1-score values of 92.35%, 92.34%, 92.16%, and 92.23%, respectively.

Notably, the proposed Dual-channel Graph Attention Network (DGAN) model demonstrated the highest accuracy of 93.57%, with precision, recall, specificity, and F1-score values of 93.47%, 93.21%, 93.23%, and 92.98%, respectively, showcasing its superior performance in classification tasks compared to the other models.

In Table 7 and Fig. 5, the classification analysis based on an 80–20 ratio showcases the performance of different models. The Deep Belief Network (DBN) achieved an accuracy of 91.60%, with corresponding precision, recall, specificity, and F1-score values of 92.14%, 93.15%, 91.33%, and 92.23%, respectively. The Artificial Neural Network (ANN) demonstrated improved performance with an accuracy of 94.52%, and precision, recall, specificity, and F1-score values of 93.25%, 95.47%, 93.55%, and 93.34%, respectively.

Figure 5. Graphical validation of 80–20 ratio.

The Recurrent Neural Network (RNN) further enhanced classification accuracy to 96.33%, with precision, recall, specificity, and F1-score values of 94.58%, 96.33%, 95.62%, and 95.26%, respectively. The Graph Attention Network (GAN) displayed superior performance with an accuracy of 97.64%, along with precision, recall, specificity, and F1-score values of 96.68%, 97.65%, 97.56%, and 97.61%, respectively.

Notably, the proposed Dual-channel Graph Attention Network (DGAN) model outperformed all others, achieving an accuracy of 99.87%, with precision, recall, specificity, and F1-score values of 99.86%, 98.22%, 98.45%, and 98.56%, respectively, underscoring its exceptional performance in classification tasks.

Optimization validation

Table 8 provides the validation of optimization models for hyper parameter tuning with the proposed DGAN model.

Table 8. Various optimization validation with proposed DGAN model.

Models Accuracy Precision Recall Specificity F1
FPA-DGAN 92.64 89.15 90.07 89.60 90.40
WOA-DGAN 93.40 90.25 92.06 91.14 92.80
SSA-DGAN 95.40 93.46 94.29 93.87 94.53
GSO-DGAN 96.29 95.21 95.18 96.67 95.27
Proposed STOA-DGAN model 99.87 99.86 98.22 98.45 98.56

Table 8 and Fig. 6 present the validation results of various optimization models coupled with the proposed DGAN classification model. The Firefly Algorithm (FPA) integrated with DGAN achieved an accuracy of 92.64%, precision of 89.15%, recall of 90.07%, specificity of 89.60%, and F1-score of 90.40%. Similarly, the Whale Optimization Algorithm (WOA) combined with DGAN yielded an accuracy of 93.40%, precision of 90.25%, recall of 92.06%, specificity of 91.14%, and F1-score of 92.80%. The existing techniques converge easily and reduce the accuracy of DGAN, whereas the proposed method avoids this early convergence and achieves maximum accuracy in just three stages.

Figure 6. Graphical validation of optimization models for hyper parameter tuning.

Moreover, the Salp Swarm Algorithm (SSA) integrated with DGAN achieved notable performance, with an accuracy of 95.40%, precision of 93.46%, recall of 94.29%, specificity of 93.87%, and F1-score of 94.53%. Furthermore, the Glowworm Swarm Optimization (GSO) coupled with DGAN exhibited impressive results, with an accuracy of 96.29%, precision of 95.21%, recall of 95.18%, specificity of 96.67%, and F1-score of 95.27%.

However, the proposed model incorporating the Sooty Tern Optimization Algorithm (STOA) with DGAN outperformed all other models, achieving exceptional accuracy, precision, recall, specificity, and F1-score of 99.87%, 99.86%, 98.22%, 98.45%, and 98.56%, respectively. These results demonstrate the efficacy and superiority of the proposed STOA-DGAN model in accurately detecting and classifying botnet activities in Software Defined Network-Orchestrated IoT environments.

Conclusion

Ultimately, the suggested structure offers a comprehensive approach to the identification of Internet of Things botnets, overcoming major challenges in preprocessing, feature selection, classification, and model optimization. Utilizing cutting-edge methods such as data smoothing, the Zebra Optimization Algorithm (ZOA), the Graph Attention Network (GAN), and the Dual-channel Graph Attention Network (DGAN), the model performs exceptionally well in capturing the complex relationships between IoT device interactions. Moreover, the integration of the Sooty Tern Optimization Algorithm (STOA) guarantees ideal parameter tuning, boosting the overall efficacy of detection.

When compared to other models currently in use, the proposed STOA-DGAN model demonstrated exceptional performance metrics, including an accuracy of 99.87%, precision of 99.86%, recall of 98.22%, specificity of 98.45%, and F1 score of 98.56%. By precisely reducing the risks associated with malicious botnet activities, the framework has the potential to greatly improve IoT security, as demonstrated by experimental results on real-world IoT datasets. For reliable IoT security solutions, future research may concentrate on scalability, real-time detection, and adaptation to changing botnet behaviors.

Author contributions

All authors contributed equally.

Funding

The authors declare that no funds, grants, or other support were received during the preparation of this manuscript.

Data availability

The datasets used and/or analyzed during the current study are available from the corresponding author on reasonable request.

Competing interests

The authors declare no competing interests.

Footnotes

Publisher's note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

References

1. Wazzan, M., Algazzawi, D., Bamasaq, O., Albeshri, A. & Cheng, L. Internet of Things botnet detection approaches: Analysis and recommendations for future research. Appl. Sci. 11(12), 5713 (2021). doi:10.3390/app11125713
2. Nguyen, H. T., Ngo, Q. D. & Le, V. H. A novel graph-based approach for IoT botnet detection. Int. J. Inf. Secur. 19(5), 567–577 (2020). doi:10.1007/s10207-019-00475-6
3. Trajanovski, T. & Zhang, N. An automated and comprehensive framework for IoT botnet detection and analysis (IoT-BDA). IEEE Access 9, 124360–124383 (2021). doi:10.1109/ACCESS.2021.3110188
4. Pokhrel, S., Abbas, R. & Aryal, B. IoT security: Botnet detection in IoT using machine learning. arXiv preprint arXiv:2104.02231 (2021).
5. Jung, W., Zhao, H., Sun, M. & Zhou, G. IoT botnet detection via power consumption modeling. Smart Health 15, 100103 (2020). doi:10.1016/j.smhl.2019.100103
6. Nguyen, T. N., Ngo, Q. D., Nguyen, H. T. & Nguyen, G. L. An advanced computing approach for IoT-botnet detection in industrial Internet of Things. IEEE Trans. Ind. Inform. 18(11), 8298–8306 (2022). doi:10.1109/TII.2022.3152814
7. Sriram, S., Vinayakumar, R. A. V. I., Alazab, M. & Soman, K. P. Network flow based IoT botnet attack detection using deep learning. In IEEE INFOCOM 2020 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) 189–194 (IEEE, 2020).
8. Koithyar, A., Kumar, B. S., Kavin, B. P. & Thirumalraj, A. Traffic sign detection for real-world application using hybrid deep belief network classification. In Advanced Geospatial Practices in Natural Environment Resource Management (2024). doi:10.4018/979-8-3693-1396-1.ch011
9. Soe, Y. N., Feng, Y., Santosa, P. I., Hartanto, R. & Sakurai, K. Machine learning-based IoT-botnet attack detection with sequential architecture. Sensors 20(16), 4372 (2020). doi:10.3390/s20164372
10. Xia, H., Li, L., Cheng, X., Cheng, X. & Qiu, T. Modeling and analysis botnet propagation in social Internet of Things. IEEE Internet Things J. 7(8), 7470–7481 (2020). doi:10.1109/JIOT.2020.2984662
11. Almutairi, S., Mahfoudh, S., Almutairi, S. & Alowibdi, J. S. Hybrid botnet detection based on host and network analysis. J. Comput. Netw. Commun. 2020, 1–16 (2020). doi:10.1155/2020/9024726
12. Alharbi, A. & Alsubhi, K. Botnet detection approach using graph-based machine learning. IEEE Access 9, 99166–99180 (2021). doi:10.1109/ACCESS.2021.3094183
13. Ibrahim, W. N. H. et al. Multilayer framework for botnet detection using machine learning algorithms. IEEE Access 9, 48753–48768 (2021). doi:10.1109/ACCESS.2021.3060778
14. Gandhi, R. & Li, Y. Comparing machine learning and deep learning for IoT botnet detection. In 2021 IEEE International Conference on Smart Computing (SMARTCOMP) 234–239 (IEEE, 2021).
15. Alani, M. M. BotStop: Packet-based efficient and explainable IoT botnet detection using machine learning. Comput. Commun. 193, 53–62 (2022). doi:10.1016/j.comcom.2022.06.039
16. Alshamkhany, M., Alshamkhany, W., Mansour, M., Khan, M., Dhou, S. & Aloul, F. Botnet attack detection using machine learning. In 2020 14th International Conference on Innovations in Information Technology (IIT) 203–208 (IEEE, 2020).
17. Nookala Venu, D., Kumar, A. & Rao, M. A. S. Botnet attacks detection in internet of things using machine learning. NeuroQuantology 20(4), 743–754 (2022).
18. Alissa, K., Alyas, T., Zafar, K., Abbas, Q., Tabassum, N. & Sakib, S. Botnet attack detection in IoT using machine learning. Comput. Intell. Neurosci. 2022 (2022).
19. Akash, N. S., Rouf, S., Jahan, S., Chowdhury, A. & Uddin, J. Botnet detection in IoT devices using random forest classifier with independent component analysis. J. Inf. Commun. Technol. 21(2), 201–232 (2022).
  • 20.Anusuya, V. S., Baswaraju, S., Thirumalraj, A., & Nedumaran, A. Securing the MANET by detecting the intrusions using CSO and XGBoost model. In Intelligent Systems and Industrial Internet of Things for Sustainable Development 219–234 (Chapman and Hall/CRC).
  • 21.Chaganti, R., Suliman, W., Ravi, V. & Dua, A. Deep learning approach for SDN-enabled intrusion detection system in IoT networks. Information14(1), 41 (2023). 10.3390/info14010041 [DOI] [Google Scholar]
  • 22.de Caldas Filho, F. L. et al. Botnet detection and mitigation model for IoT networks using federated learning. Sensors23(14), 6305 (2023). 10.3390/s23146305 [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 23.Al-Fawa’reh, M., Abu-Khalaf, J., Szewczyk, P., & Kang, J. J. MalBoT-DRL: Malware botnet detection using deep reinforcement learning in IoT networks. IEEE Internet Things J. (2023).
  • 24.Jmal, R. et al. Distributed blockchain-SDN secure IoT system based on ANN to mitigate DDoS attacks. Appl. Sci.13(8), 4953 (2023). 10.3390/app13084953 [DOI] [Google Scholar]
  • 25.Ma, R., Wang, Q., Bu, X. & Chen, X. Real-time detection of DDoS attacks based on random forest in SDN. Appl. Sci.13(13), 7872 (2023). 10.3390/app13137872 [DOI] [Google Scholar]
  • 26.Alosaimi, S. & Almutairi, S. M. An intrusion detection system using BoT-IoT. Appl. Sci.13(9), 5427 (2023). 10.3390/app13095427 [DOI] [Google Scholar]
  • 27.Kayyidavazhiyil, A. Combined tri-classifiers for IoT botnet detection with tuned training weights. Int. J. Image Graph. 2550007 (2023).
  • 28.Habibi, O., Chemmakha, M. & Lazaar, M. Imbalanced tabular data modelization using CTGAN and machine learning to improve IoT Botnet attacks detection. Eng. Appl. Artif. Intell.118, 105669 (2023). 10.1016/j.engappai.2022.105669 [DOI] [Google Scholar]
  • 29.Woodiss-Field, A., Johnstone, M. N. & Haskell-Dowland, P. Examination of traditional botnet detection on IoT-based bots. Sensors24(3), 1027 (2024). 10.3390/s24031027 [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 30.Kalakoti, R., Bahsi, H., & Nõmm, S. Improving IoT security with explainable AI: Quantitative evaluation of explainability for IoT botnet detection. IEEE Internet Things J. (2024).
  • 31.Wardana, A. A., Kołaczek, G., Warzyński, A. & Sukarno, P. Ensemble averaging deep neural network for botnet detection in heterogeneous Internet of Things devices. Sci. Rep.14(1), 3878 (2024). 10.1038/s41598-024-54438-6 [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 32.Vajrobol, V., Gupta, B. B., Gaurav, A., & Chuang, H. M. Adversarial learning for Mirai botnet detection based on Long Short-Term Memory and XGBoost. Int. J. Cogn. Comput. Eng. (2024).
  • 33.Mumtaz, S. L., Syed, H. J., Al-Ani, A., Fatah, S., Al-Ani, A. K., & Khan, A. Detection of botnet in the loT network. In ITM Web of Conferences, vol. 63, 01019 (EDP Sciences, 2024).
  • 34.Negera, W. G., Schwenker, F., Debelee, T. G., Melaku, H. M. & Feyisa, D. W. Lightweight model for botnet attack detection in software defined network-orchestrated IoT. Appl. Sci.13(8), 4699 (2023). 10.3390/app13084699 [DOI] [Google Scholar]
  • 35.Mateus, B. C. et al. Improved GRU prediction of paper pulp press variables using different pre-processing methods. Prod. Manuf. Res.11(1), 2155263 (2023). [Google Scholar]
  • 36.Thirumalraj, A., Chandrashekar, R., Gunapriya, B., & Kavin Balasubramanian, P. Detection of pepper plant leaf disease detection using Tom and Jerry algorithm with MSTNet. In Machine Learning Techniques and Industry Applications 143–168 (IGI Global, 2024).
  • 37.Wei, S. & Lee, S. Financial anti-fraud based on dual-channel graph attention network. J. Theor. Appl. Electron. Commer. Res.19(1), 297–314 (2024). 10.3390/jtaer19010016 [DOI] [Google Scholar]
  • 38.Saleem, M. A. et al. Sooty tern optimization algorithm-based deep learning model for diagnosing NSCLC tumours. Sensors23(4), 2147 (2023). 10.3390/s23042147 [DOI] [PMC free article] [PubMed] [Google Scholar]

Associated Data


Data Availability Statement

The datasets used and/or analyzed during the current study are available from the corresponding author on reasonable request.

