Journal Pre-Proof: Microprocessors and Microsystems


Journal Pre-proof

HIIDS: Hybrid intelligent intrusion detection system empowered with machine learning and metaheuristic algorithms for application in IoT based healthcare

Sohail Saif, Priya Das, Suparna Biswas, Manju Khari, Vimal Shanmuganathan

PII: S0141-9331(22)00159-4
DOI: https://doi.org/10.1016/j.micpro.2022.104622
Reference: MICPRO 104622

To appear in: Microprocessors and Microsystems

Received date: 20 January 2021
Revised date: 22 March 2021
Accepted date: 14 July 2022

Please cite this article as: Sohail Saif, Priya Das, Suparna Biswas, Manju Khari, Vimal Shanmuganathan, HIIDS: Hybrid intelligent intrusion detection system empowered with machine learning and metaheuristic algorithms for application in IoT based healthcare, Microprocessors and Microsystems (2022), doi: https://doi.org/10.1016/j.micpro.2022.104622

This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition
of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of
record. This version will undergo additional copyediting, typesetting and review before it is published
in its final form, but we are providing this version to give early visibility of the article. Please note that,
during the production process, errors may be discovered which could affect the content, and all legal
disclaimers that apply to the journal pertain.

© 2022 Elsevier B.V. All rights reserved.


HIIDS: Hybrid intelligent intrusion detection system empowered with machine learning and metaheuristic algorithms for application in IoT based healthcare
Sohail Saif1, Priya Das2, Suparna Biswas3, Manju Khari4*, Vimal Shanmuganathan5*
1,2,3 Department of Computer Science & Engineering, Maulana Abul Kalam Azad University of Technology, West Bengal, India. Email: [email protected], [email protected], [email protected]
4 Netaji Subhas University of Technology, East Campus, Delhi, India. Email: [email protected] (Corresponding Author)
5 National Engineering College, K.R.Nagar, Kovilpatti, Tamilnadu, India. Email: [email protected] (Co-Corresponding Author)

Abstract
This paper presents a machine learning and metaheuristic algorithm based hybrid intelligent Intrusion Detection System (HIIDS) for Internet of Things based applications such as healthcare. In IoT based smart healthcare, biomedical sensors sense vital health parameters which are sent to the cloud server for storage and analysis. Health data saved as Electronic Health Records (EHR) is privacy and security sensitive. This work focuses on the detection of security attacks on cloud servers through anomaly based intrusion detection. The popular NSL-KDD dataset containing 41 features with 125,973 samples has been utilized for performance evaluation of the proposed HIIDS. To reduce computation cost, metaheuristic algorithms such as Particle Swarm Optimization (PSO), Genetic Algorithm (GA), and Differential Evolution (DE) are used for best feature selection, and supervised learning algorithms such as k-Nearest Neighbor (kNN) and Decision Tree (DT) are used for accurate classification of normal and attack classes based on the selected features. A hybrid approach has also been presented for feature selection and classification. After dataset pre-processing using Python, MATLAB 2019b is used to implement six variants of the proposed hybrid algorithms combining GA, PSO, DE with kNN, DT. Performance evaluation has been done based on accuracy, execution time, memory usage and CPU utilization. The GA-DT variant gives the highest accuracy of 99.88%, 86.40%, 95.39%, 96.90%, 100% for the DoS, U2R, R2L, Probe and Normal classes with the help of 8-10 features, compared to the other variants GA-kNN, PSO-kNN, PSO-DT, DE-kNN and DE-DT. It also outperforms similar state-of-the-art works in terms of classification accuracy; simulation results are given in support. Finally, an IoT based healthcare architecture is designed using the best performing hybrid GA-DT variant based HIIDS to detect and prevent malicious traffic.

Keywords
Intrusion Detection System; Internet of Things; Genetic Algorithm; Decision Tree ; kNN; Healthcare;

1 Introduction
The Internet of Things plays a pivotal role in transforming almost all applications into smart ones, whereas machine learning adds intelligence to them for efficient data handling [1]. Several applications associated with daily human life have been converted to smart applications that redefine the quality of living, such as smart healthcare, smart surveillance, smart transportation, smart home, etc. Smart applications have a layered architecture: the lowest layer is the sensing layer, which acquires data; the next is the communication layer, which transmits data to the processing layer, which consists of several processing elements such as local or cloud servers. This layer also acts as storage for raw or processed data and for extracted knowledge to be accessed by legitimate users. To handle big sensor data in IoT-based smart applications, the concern is mainly twofold: i) Efficient data handling that ensures higher accuracy in analysis and knowledge building along with low resource consumption; here machine learning and meta-heuristic algorithms have a significant role to play. ii) Detection of any security attack or threat on data being transmitted to the cloud server through an open wireless link; here an Intrusion Detection System (IDS) plays an important role. Traditional cryptographic techniques are computationally intensive and hence not suitable for resource-constrained sensors. Also, cryptographic measures cannot protect the system from insider attacks, in which sensor devices are compromised. Here an Intrusion Detection System (IDS) plays a significant role. This mechanism is widely used to monitor a network for the detection of malicious activities [2].

Fig.1. AI empowered cloud medical server in IoT based smart healthcare

Heterogeneous data being transferred to the cloud server from different smart applications such as smart
healthcare, smart energy, smart traffic management or smart surveillance, etc., are equally likely to be compromised by
the possible security attacks. All application data are important and need to be protected. Specifically, in healthcare, any
unauthorized forgery causing any modification or alteration of health data may be fatal for human life hence to be
protected with utmost priority. Patient health vitals sensed using Medical Body Sensor Network (BSN) [3] and
transmitted to medical servers for processing and storage through the internet are vulnerable to security attacks and
threats as shown in Figure 1. Due to security attacks on communication channels or malware in the sensor devices, it can
lead to incorrect data collection by devices which can result in wrong diagnosis and treatment. So the security of health
data is of utmost concern which needs to be handled carefully. Recently, security attacks in healthcare have grown
exponentially [4]. Due to open and shared communication medium, data transmission is vulnerable to a range of attacks
such as interception, fabrication, modification, etc. For example, when data is sent through a public network,
unauthorized entities in the network can get access to those sensitive data of the patients. The absence of security
measures in these types of health monitoring systems may not only lead to breach of patients’ privacy but also may prove
to be life-threatening for the patient by allowing cybercriminals to put deceptive data or by altering actual data, which
can result in wrong diagnosis or treatment. Security requirements of Internet of things data (IoT-Data) stored in cloud
server are defined by confidentiality, integrity, authentication, and access control as described below:
Confidentiality: Due to the open nature of communication channels, eavesdropping on IoT data in transit can lead to a breach of confidentiality.
Authentication: It is important that access to application specific IoT-data should be given to authorized entities only.
For example, it could be very dangerous if intruders get access and alter the health data collected through health sensors.
So authentication factors are needed to prevent unwanted access from intruders.
Integrity: Integrity of IoT-data is of major concern in any application. This becomes of high importance in case of any
critical applications like healthcare where data correctness leads to an effective solution to be exerted.
Access Control: IoT applications may consist of several networks and groups of stakeholders working in different
sectors and hence IoT-data needs to be accessed by several entities. Only authentic entities should be given data access
permission according to their roles and responsibilities. For example, a doctor and a medical staff should not get the same
access role for the same patient data. A compromised entity in the system can steal important health data of a patient if a
proper access control mechanism is not present.
The main objective is to design a machine learning based Intrusion Detection System which can detect the insider attacks
in cloud server. For this purpose NSL-KDD dataset with selected features has been used to train the IDS model. Well-
known metaheuristic approaches have been employed to select the features for which the maximum accuracy can be
obtained.

1.1 Motivation
IoT-based smart applications generate two-way network traffic: from the data acquisition unit to the cloud server, and from the cloud server to authorized entities through the internet. For example, in IoT-based healthcare, all patient vitals acquired through WBAN sensors are forwarded to a sink device, which sends the data to a medical cloud server, from where extracted knowledge, generated advice or alerts are sent to patients, relatives, insurers, pharmacists, etc. Hence an IDS is essential to distinguish normal from malicious traffic so that malicious traffic can be prevented from being saved into a cloud server [5-7]. Malicious traffic may prove to be fatal in many smart applications and can be life-threatening in healthcare. This motivates the design and implementation of an intelligent IDS (HIIDS). Novel solutions are needed in this area to provide better security with reduced computation cost and increased accuracy. This motivates us to generate a model applying machine learning and meta-heuristics based techniques to detect normal and malicious traffic efficiently. The widely acknowledged NSL-KDD [8] dataset, which is basically traffic data, has been considered for training, since the attacks present in the dataset are similar to the attacks found in cloud-based medical servers. The training dataset contains 41 features with 125,973 samples. This requires a lot of memory space and processing time in classification algorithms; also, irrelevant, redundant, and noisy features can affect the accuracy. Hence we need to reduce the number of features by selecting the most appropriate ones. There could be ${}^{n}C_{d}$ possibilities to make a reduced set of features, where n is the number of features in the dataset and d is the number of features in the subset. So optimization techniques are needed to identify the most appropriate features. Features should be selected in an efficient way so that they achieve maximum accuracy in the classification process with minimum cost. Meta-heuristic algorithms help with effective feature selection.

1.2 Contribution
The following are the major contributions of our work:
i) Various security threats in healthcare and proposed machine learning based framework for intrusion detection.
ii) Meta-heuristic algorithms such as Genetic Algorithm (GA), Particle Swarm Optimization (PSO) and Differential Evolution (DE) and Machine Learning algorithms [9] such as k-Nearest Neighbor (kNN) and Decision Tree (DT) have been combined together to build six hybrid algorithms.
iii) Hybrid algorithms have been implemented using Matlab and performance in terms of accuracy has been evaluated.
iv) Maximum accuracy has been obtained with the reduced number of features applying the feature selection [10]
method.
v) Comparison of accuracy with state-of-the-art works has been conducted.
vi) Based on the results, best ML model with less number of features has been identified.
vii) Finally, architecture has been proposed for application in medical servers with the help of ML model.

2 Need for Intrusion Detection Systems (IDS)


Researchers have proposed several security architectures to address security issues in BSN based healthcare
systems [11-13]. Most of them have considered cryptographic approaches like encryption of health data to fight various
security attacks which creates additional delay. But to handle the emergency situation of patients, data needs to be
delivered quickly and in that case encryption of data is not a good choice. Encryption and Authentication can protect the
system from several security attacks such as man-in-the-middle, sniffing attacks, etc. but these mechanisms are unable to
secure the medical storage server from attacks like flooding, probing, brute force DoS, DDoS, etc. The system can be
compromised to launch these attacks, which can degrade the performance of the entire healthcare system. Here Intrusion Detection Systems (IDSs) have the ability to identify these security attacks and send an alert to the system administrator. IDSs can be broadly classified into three categories: Network Intrusion Detection System (NIDS), Host Intrusion Detection System (HIDS), and Hybrid Intrusion Detection System. Based on popularity, three detection techniques are widely used: Signature Based Detection, Anomaly Based Detection, and Hybrid Detection, as explained below in brief.
2.1 Signature Based Detection Technique:
In signature based intrusion detection, a set of rules or signatures is defined first and then used to verify whether a given pattern is that of an intruder. These detection systems provide high true positive rates and few false negatives in detecting intrusions. If the system is not configured properly, a little variation in data may result in wrong analysis [14]. Hence these kinds of detection systems are not effective against unknown and varying attacks. One of the major drawbacks of signature based detection systems is the difficulty of updating and maintaining prewritten rules. Signatures or rules are formed from a set of several features. For instance, SNORT [15] is a popular NIDS based intrusion detection system where headers (source address, destination address, ports) are used as a signature. Its options (payload, metadata) are used to detect whether the network traffic matches a specific signature.
2.2 Anomaly Based Detection Technique:
Anomaly based detection mechanism deals with the identification of activities that are anomalous with respect
to normal activities. Data mining, markov models, statistical modeling based techniques are often used as a methodology
in Anomaly detection problems. In this approach behavioral data of legitimate users are collected for a duration and
statistical tests are applied which decides whether that behavior is normal or not. The major advantage of this approach is
it can detect attacks that are not found earlier. For the efficient performance of this model, rules need to be designed in
such a way that it can reduce the false detection rate for all kinds of known and unknown attacks. Anomaly based
detection schemes can be a good choice for medical servers since it can detect unknown attacks at different levels.
2.3 Hybrid Detection Technique:


The hybrid detection technique is the combination of anomaly and signature based detection technique. The
technique can be effective to detect both known and unknown attacks. Since it includes the property of both anomaly
based and signature based detection technique, this method has high detection rate. This approach has less False Positive
and False Negative rates.

2.4 Implementation Strategies:


An implementation strategy is essential to build an efficient IDS. Several implementation strategies are available
for sensor network based healthcare applications such as hierarchical, distributive and collaborative, voting, reputation,
cross layer, mobile agent, game theory, statistical detection, and machine learning based schemes. However, these
strategies are not completely independent. For example, reputation and voting based IDS are special forms of distributive
and collaborative IDS. Similarly, machine learning and statistical detection based IDS are related. In [16], authors have
explored a scheme called knowledge-based IDS. Such scheme can be implemented with the help of Artificial Intelligence
(AI). But these AI based schemes need high computational ability, thus it is not suitable for resource-constrained IoT
applications such as healthcare. Here machine learning along with meta-heuristic algorithms play a pivotal role to design
intelligent IDS ensuring low computation cost. Machine Learning-Based IDS is very much effective for anomaly-based
detection. Supervised, Unsupervised, Semi-supervised learning techniques are used to train the system regarding
malicious activities or patterns. These training models are frequently updated to improve detection accuracy. Some
common Machine learning techniques used to build effective IDS are Bayesian Networks, Markov Models, Fuzzy Logic,
Neural Network etc.
3 Related Works
In this section, few works on Machine Learning based approach to handle security issues have been discussed.
Ukil et al. [17] discussed about anomaly detection in Internet of Things (IoT) based healthcare. They have proposed an
anomaly detection scheme for cardiac data using a smartphone. Medical image analysis, physiological signal analysis,
and predictive analysis were used in their method. Farrukh et al. [18] presented an anomaly based intrusion detection
system for electrocardiogram (ECG) signals using Wireless Body Area Network (WBAN). They have considered
machine learning based Markov model method to detect the abnormalities in the data. Author G.Thamilarasu [19]
discussed regarding various security threats in WBANs and based on the threats, the author proposed an intrusion
detection system using multi-objective genetic algorithm. Genetic Algorithm is used to ensure only specific features out
of many features that are sufficient for the detection of a specific attack. In [20], Authors R.Mitchell and I.R.Chen
analyzed behavioral rule specification-based technique and finally, they proposed an Intrusion Detection system for
Medical Cyber-Physical System. They used a methodology to transform behaviors rules into a state machine. To
demonstrate the effectiveness they also implemented their scheme in a health monitoring device. Christy et al. [21]
discussed outlier (anomaly) detection in healthcare data. Two algorithms namely Distance-based outlier detection and
Cluster-based outlier detection are proposed by them for the detection and removal of outlier from healthcare data. They
have shown that cluster-based algorithm provided better accuracy than distance based algorithms. Liu et al. [22]
proposed a detection scheme for On and Off attacks in industrial IoT sites. They explored that an IoT network could be
attacked by an intruder when it is in ON or Active state. They considered the trust calculation of each neighbor node to
develop a light probe routing mechanism for anomaly detection. Pahl et al. [23] used K-means clustering method to
develop anomaly detection for IoT micro service. An online learning technique was used to update the clustering model.
By implementing their scheme they obtained 96.3% accuracy. Anthi et al. [24] developed Machine learning based
detection of probing and DoS attacks. They have used Wireshark to collect the traffic data and used that as a dataset.
Lastly, they applied several classification algorithms to obtain better detection rate. Diro et al. [25] described an attack
detection model for fog-to-things architecture. The authors used an open source dataset and applied shallow and deep neural
network to detect four kinds of attacks. During the comparative analysis of the experimental result, they observed that
deep neural network based model achieved 98.27% accuracy where the shallow neural network achieved 96.75%
accuracy. Angelo et al. [26] presented a network anomaly detection model using supervised machine learning. They used
batch relevance-based fuzzy-fied learning algorithm (U-BRAIN) in their scheme. Experimental results show that their
scheme performed well than other classification algorithms such as J48, SVP, Naive Bayes, and MLP. They used well-
known data set NSL-KDD and obtained 94.1% accuracy using U-BRAIN. Yang et al. [27] proposed an intrusion
detection model using Machine learning techniques based on the human-in-loop principle for IoT systems. Authors made
a combination of machine and human intelligence which can efficiently detect malicious devices in the network more
accurately. Li et al. [28] enhanced the performance of AI based two-layer intrusion detection system for IoT applications.
They used BAT algorithm with Swarm Division for feature selection. Liu et al.[29] used Fuzzy clustering and Principal
Component Analysis to build an efficient IDS. Authors used simulation to classify the data into low and high risk. Lopez
et al. [30] proposed a novel network based intrusion detection scheme for IoT systems. Their proposed scheme is based
on a Conditional Variational Autoencoder (CVAE) where they integrated malicious labels inside the decoder layer. That
proposed scheme also supports feature reconstruction which can be used in network monitoring systems. Quamar et al.
[31] presented an intrusion detection framework using self-taught deep learning method where an unsupervised feature
learning technique was applied to training data. They used NSL-KDD dataset for the performance evaluation of their
proposed model. An Intruder Node Detection and Isolation Action scheme for Mobile Ad Hoc Networks has been proposed by Kavita et al. [32]. A feature optimization technique has been applied here to choose the best features. PSO has been used for this purpose, and a Neural Network has been used for classification between trusted and malicious nodes. Experimental results show that with feature optimization, packet delivery ratio can be increased, latency can be reduced and energy consumption is less. Table I shows a comparative study based on the various implementation strategies discussed earlier.

| Authors, Year | Implementation Strategy | Detection Strategy | Attacks Considered |
|---|---|---|---|
| Jadidoleslamy et al. [33], 2011 | Hierarchical | Signature | Nil |
| Mamun and Kabir [34], 2010 | Hierarchical | Hybrid | Nil |
| Kasinathan et al. [35], 2013 | Distributed and Collaborative | Anomaly | Denial of Service (DoS) |
| Krontiris et al. [36], 2009 | Distributed and Collaborative | Signature | Selective Forwarding |
| Feng et al. [37], 2011 | Reputation-Based | Signature | Selective Forwarding |
| Chen et al. [38], 2012 | Reputation-Based | Signature | Sinkhole, Sybil, Jamming, Denial of Service (DoS) |
| Khan et al. [39], 2009 | Cross Layer | Signature | Hello Flooding |
| Boubiche et al. [40], 2012 | Cross Layer | Signature | Spoofing, Battery Exhaustion, Sinkhole |
| Zhang et al. [41], 2003 | Mobile Agent-Based | Anomaly | Packet Dropping, Routing Misdirection |
| Lee et al. [42], 2000 | Mobile Agent-Based | Anomaly | Denial of Service (DoS) |
| Shamshirband et al. [33], 2014 | Game Theory-Based | Anomaly | Distributed Denial of Service (DDOS) |
| Agah et al. [44], 2004 | Game Theory-Based | Signature | Nil |
| Abraham et al. [45], 2007 | Statistical Detection-Based | Signature | Unauthorized Access, Probing, DoS |
| Lyu et al. [46], 2006 | Statistical Detection-Based | Anomaly | Sinkhole |
| Agarwal et al. [47], 2003 | Machine Learning-Based | Anomaly | Blackhole |
| Mbida et al. [48], 2015 | Machine Learning-Based | Hybrid | Nil |
| Abbas et al. [49], 2016 | Machine Learning-Based | Signature | Distributed Denial of Service (DDoS) |
| Verner and Butvinik [50], 2017 | Machine Learning-Based | Anomaly | Sensor Data Modification |
| Hou et al. [51], 2018 | Statistical Detection-Based | Anomaly | DoS, Replay, Jamming |
| Alrashdi et al. [52], 2019 | Machine Learning-Based | Anomaly | Distributed Denial of Services (DDoS), Man-in-the-Middle, Sybil, Jamming, etc. |
| Hady et al. [53], 2020 | Machine Learning-Based | Anomaly | Man-in-the-Middle |

Table I. Comparative analysis of implementation strategy

5 Proposed HIIDS Framework


5.1 Attack Model:
This work focuses on the detection of security attacks on cloud servers through Anomaly based intrusion
detection. Some of the security attacks possible in the IoT and cloud based applications also found commonly in
healthcare applications [54] are discussed below:
Satan is a kind of probing attack on medical servers to exploit some well-known vulnerabilities. Ipsweep attacks are performed to ping multiple medical servers to find the victim server IP address. Portsweep is similar to ipsweep, where ports in the medical server are scanned to identify the services running on a particular port. Warezmaster is illegal software that is usually uploaded to the server through FTP, and Warezclient is used to change the file access permissions. Brute force attacks are performed through telnet to guess passwords. Imap is illegal access of a user account using vulnerabilities. FTP Write attack is another well-known attack on medical servers, where an rhost file is created anonymously to get local access. A CGI script such as phf is enabled to execute arbitrary commands on a misconfigured server. Rootkit is a malware attack; the presence of this malware can give cyber criminals remote access to the server. Smurf is a kind of Denial of Service (DoS) attack where the host is flooded with bogus ICMP echo packets. Neptune is also flooding of SYN acknowledgments. Mis-fragmented UDP packets can lead to server crash or reboot; this is called teardrop.
Here, methodologies have been designed for the selection of the most appropriate features applying Meta
heuristics, sample classification and statistical analysis. Three Meta heuristic algorithms, namely Genetic Algorithm
(GA), Particle Swarm Optimization (PSO), and Differential Evolution (DE) have been used. Two classifier kNN and
Decision Tree have been embedded in each algorithm for classification purpose. Finally, Six hybrid algorithms namely
GA-kNN, GA-DT, PSO-kNN, PSO-DT, DE-kNN, DE-DT have been implemented to perform comparative performance
analysis.
Several independent processes have been combined in this work. First, Dataset has been collected and observed
meticulously to find out the various features. Then Data preprocessing has been done on the dataset for data splitting and
normalization. Training dataset has been used in feature selection and classification algorithm.

5.2 Dataset Observation:


NSL-KDD training and testing dataset contains 125,973 and 22,544 samples approximately. List of the features
has been given in Table II. 41 features are present in both datasets which can be categorized in four categories.
• Basic features: These features are extracted from TCP/IP connection data, which leads to an implicit delay in detection.
• Content features: These use domain knowledge to get the payload of the original TCP packets.
• Time-based traffic features: Timing analysis is done to retrieve the features which are mature over a 2 second temporal window.
• Host-based traffic features: These features can help to detect attacks which span intervals longer than 2 seconds and have the same destination host as the original.
There are 22 attacks in training set and 17 additional attacks are present in test set. All these attacks are categorized in
four classes which are shown in Table III. Frequency distribution of attack and normal class has been shown in Table IV.

| No. | Name | No. | Name |
|---|---|---|---|
| 1 | Duration | 22 | is-guest-login |
| 2 | protocol-type | 23 | Count |
| 3 | Service | 24 | srv-count |
| 4 | Flag | 25 | serror-rate |
| 5 | src-bytes | 26 | srv-serror-rate |
| 6 | dst-bytes | 27 | rerror-rate |
| 7 | Land | 28 | srv-rerror-rate |
| 8 | wrong-fragment | 29 | same-srv-rate |
| 9 | Urgent | 30 | diff-srv-rate |
| 10 | Hot | 31 | srv-diff-host-rate |
| 11 | num-failed-logins | 32 | dst-host-count |
| 12 | logged-in | 33 | dst-host-srv-count |
| 13 | num-compromised | 34 | dst-host-same-srv-rate |
| 14 | root-shell | 35 | dst-host-diff-srv-rate |
| 15 | su-attempted | 36 | dst-host-same-src-port-rate |
| 16 | num-root | 37 | dst-host-diff-src-port-rate |
| 17 | num-file-creations | 38 | dst-host-serror-rate |
| 18 | num-shells | 39 | dst-host-srv-serror-rate |
| 19 | num-access-files | 40 | dst-host-rerror-rate |
| 20 | num-outbound-cmds | 41 | dst-host-srv-rerror-rate |
| 21 | is-host-login | | |

Table II. List of features in the dataset

| Class | Attacks considered: Train set | Attacks considered: Additional attacks in Test set |
|---|---|---|
| DoS | smurf, teardrop, pod, land, Neptune, back | udpstorm, mailbomb, processtable, apache2 |
| U2R | loadmodule, rootkit, perl, Bufferoverflow | xterm, snmpguess, sqlattack, worm, ps |
| R2L | ftp_write, spy, warezclient, imap, multihop, phf, warezmaster, guesspasswd | Snmpgetattack, ttptunnel, named, sendmail, xlock, xsnoop |
| Probe | satan, ipsweep, nmap, portsweep | Mscan, saint |
| Normal | Nil | Nil |

Table III. Attacks categorization

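| Class | Frequency count (Train) | Frequency count (Test) | % of total data (Train) | % of total data (Test) |
|---|---|---|---|---|
| DoS | 45927 | 7458 | 36.46% | 33.09% |
| U2R | 52 | 200 | 0.05% | 0.89% |
| R2L | 995 | 2754 | 0.79% | 12.3% |
| Probe | 11656 | 2421 | 9.25% | 10.74% |
| Normal | 67343 | 9711 | 53.45% | 43.07% |
| Total | 125973 | 22544 | 100% | 100% |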

Table IV. Distribution of attack and normal classes


5.3 Dataset Preprocessing:
The NSL-KDD dataset is heterogeneous in nature; it consists of 41 features and a class label. Most of the data values are discrete and continuous. All non-numeric values have been converted to numeric values. For example, the 3 categorical values (tcp, icmp, udp) of the Protocol_type feature are replaced with 1, 2, 3 respectively. After that, the dataset has been split based on class, which results in 5 separate test datasets containing attack and normal data samples.
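
The encoding and per-class split described in Section 5.3, as an added Python example (not the authors' code). The sample rows are constructed and carry only six of the 41 features; the integer codes for service and flag and the min-max scaling are assumptions, since the paper gives only the Protocol_type mapping and states that normalization was applied without naming the method.

```python
import csv
import io
from collections import defaultdict

PROTOCOL_CODE = {"tcp": 1, "icmp": 2, "udp": 3}  # mapping stated in Section 5.3

# Train-set attack names per class, taken from Table III.
TABLE_III = {
    "DoS": "smurf teardrop pod land neptune back",
    "U2R": "loadmodule rootkit perl bufferoverflow",
    "R2L": "ftp_write spy warezclient imap multihop phf warezmaster guesspasswd",
    "Probe": "satan ipsweep nmap portsweep",
    "Normal": "normal",
}

def _norm(label):
    # Ignore case and underscores so "buffer_overflow" matches "Bufferoverflow".
    return label.strip().lower().replace("_", "")

ATTACK_CLASS = {_norm(a): cls for cls, names in TABLE_III.items()
                for a in names.split()}

# Constructed sample rows (not real NSL-KDD records).
SAMPLE = """\
duration,protocol_type,service,flag,src_bytes,dst_bytes,label
0,tcp,http,SF,215,45076,normal
0,icmp,ecr_i,SF,1032,0,smurf
0,tcp,private,S0,0,0,neptune
2,tcp,ftp_data,SF,334,0,warezclient
0,udp,private,SF,28,0,satan
98,tcp,telnet,SF,621,8356,buffer_overflow
"""

def encode(text):
    """Turn every non-numeric value into a number and map labels to classes."""
    codes = defaultdict(dict)  # assumption: codes assigned in order of first appearance
    rows, classes = [], []
    for rec in csv.DictReader(io.StringIO(text)):
        classes.append(ATTACK_CLASS[_norm(rec.pop("label"))])
        row = []
        for col, val in rec.items():
            if col == "protocol_type":
                row.append(PROTOCOL_CODE[val])
            elif col in ("service", "flag"):
                row.append(codes[col].setdefault(val, len(codes[col]) + 1))
            else:
                row.append(float(val))
        rows.append(row)
    return rows, classes

def minmax(rows):
    """Scale each column to [0, 1] (assumed normalization method)."""
    lo = [min(col) for col in zip(*rows)]
    hi = [max(col) for col in zip(*rows)]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(r, lo, hi)] for r in rows]

def split_by_class(rows, classes):
    """One sub-dataset per class: DoS, U2R, R2L, Probe, Normal."""
    parts = defaultdict(list)
    for row, cls in zip(rows, classes):
        parts[cls].append(row)
    return dict(parts)

if __name__ == "__main__":
    rows, classes = encode(SAMPLE)
    for cls, part in split_by_class(minmax(rows), classes).items():
        print(cls, len(part))
```

A label outside Table III's train-set column raises `KeyError`, which is the behaviour wanted when the additional test-set attacks have not yet been mapped.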

5.4 Feature Selection and Classification:


First, a subset (Fset) of features and their respective samples is randomly selected from the train and test datasets (Dtrain, Dtest) and fed to the classifier. If the class predicted for a sample in Dsub matches its original class in Dtest, the sample is called a properly classified sample. Classification accuracy (CA) specifies the appropriateness of the selected subset (Fset) and is calculated using Eq. 1, where the number of accurately classified samples is divided by the number of randomly selected samples from the test dataset (Dtest) and multiplied by 100 to get the percentage of accuracy. In a similar way, 20 subsets (Fset) are generated and their classification accuracy is calculated. Out of those 20 subsets, the one with maximum classification accuracy is considered the best set of features. To improve the classification accuracy we have conducted this experiment 200 times (iterations), so that a more appropriate set of features can be achieved. We have also varied the number of features to be selected (8, 10, 15, 20, 25, 30) to generate the subset (Fset). For better understanding, a flowchart has been given in Figure 1.

$$CA = \frac{\text{Number of accurately classified samples}}{\text{Total number of samples in } D_{test}} \times 100\% \qquad (1)$$

Fig.2. Hybrid Framework for feature selection and classification

Algorithm 1 depicts the combination of GA with kNN and Decision Tree, Algorithm 2 depicts the combination
of PSO with kNN and Decision Tree, and Algorithm 3 is the combination of DE with kNN and Decision Tree. Algorithms 4
and 5 are for kNN and Decision Tree respectively. Parameters used in these algorithms and their values are given in
Table V and Table VI.

Algorithm 1: GA-kNN or GA-DT
initialize the parameters N, Cn, Mn, En
mu = cr = 0
for i = 1 to N
    create a fset (chromosome) in present generation Genp having dimensions d with randomly chosen feature (column) index
    create a sub matrix subm
    use fitckNN or fitcTree to calculate the fitness value (accuracy) of subm
end for
for it = 1 to maxit
    sort N in descending order
    copy En from subm to Gennew
    while (cr < Cn)
        use roulette wheel selection to select a pair of fset
        generate two child fset and move to Gennew
        cr = cr + 1
    end while
    while (mu < Mn)
        select a random fset from Genp
        find a random position (Rij) and replace with valid feature index
        mu = mu + 1
    end while
    update subm based on Genp
    use fitckNN or fitcTree to evaluate the fitness
end for
return best fset

Algorithm 2: PSO-kNN or PSO-DT
initialize parameters N, W, c1, c2, ts = 0
for i = 1 to N
    create a fset (position of particle) in present generation Genp having dimensions d with randomly chosen feature (column) index
    set velocity vei
    create a sub matrix subm
    use fitckNN or fitcTree to calculate the fitness value (accuracy) of subm
end for
for it = 1 to maxit
    for i = 1 to N
        update the velocity of each fset
        vei(ts+1) = W*vei(ts) + c1*rand()*(lbesti - Pi) + c2*rand()*(gbest - Pi)
        Pi(ts+1) = Pi(ts) + vei(ts+1)
        use fitckNN or fitcTree to evaluate the fitness
        if (fitness(Pi(ts+1)) > fitness(lbesti))
            lbesti = Pi(ts+1)
        elseif (fitness(Pi(ts+1)) > fitness(gbest))
            gbest = Pi(ts+1)
        end if
    end for
    update subm based on Genp
    use fitckNN or fitcTree to evaluate the fitness
end for
return best fset

Algorithm 3: DE-kNN or DE-DT
initialize the parameters N, pcr, F
for i = 1 to N
    create a fset (vector) in present generation Genp having dimensions d with randomly chosen feature (column) index
    create a sub matrix subm
    use fitckNN or fitcTree to calculate the fitness value (accuracy) of subm
end for
for it = 1 to maxit
    for i = 1 to N
        select three random fset from search space for mutation
        Mi = Rr1 + F*(Rr2 - Rr3)
        generate a random number (integer) jr
        jr ∈ {1, 2, 3, ..., d}
        for j = 1 to d
            generate another random number rand ∈ {0,1}
            if ((rand <= pcr) || (j = jr))
                uij = mij
            else
                uij = rij
            end if
        end for
        if (fitness(Ut) > fitness(Xt))
            Xt = Ut
        end if
    end for
    update subm based on Genp
    use fitckNN or fitcTree to evaluate the fitness
end for
return best fset

Algorithm 4: kNN
initialize parameter fitness = 0
features = {f1, f2, f3, ..., f41}
train = randomly select a fset from all features
test = select same features which are selected in train
for i = 1 to n_test
    for j = 1 to n_train
        calculate Euclidean distance between xi and xj
    end for
    sort n_train according to distance in ascending order
    select top 3 neighbors and find their class
    if (major class of xj == class of xi)
        count = 1
    else
        count = 0
    end if
    fitness = fitness + count
end for
return fitness

Algorithm 5: Decision Tree
Decision_tree(instance, feature, target_feature)
if all instance are of same category then
    return a leaf node with corresponding class
else
    find a feature B and create a decision feature for that node
    instance_p = subset of instance with B = P
end if
for each possible value P in B
    add a new edge from that node
    if instance is empty
        add a leaf node with edge E most common value of target_feature in all instances
    else
        Decision_tree(instance_p, feature – {B}, target_feature)
    end if
end for
return fitness

Parameters  Description
N           Number of feature set
Pe          Elite probability
Pc          Crossover probability
Pm          Mutation probability
Cn          Number of crossover ( )
Mn          Number of mutation ( )
En          Number of elite ( )
Maxit       Maximum number of iteration
W           Inertia weight factor
c1          Cognitive parameter
c2          Social parameter
Pcr         Crossover rate
F           Scaling factor
n_test      Number of rows in test dataset
n_train     Number of rows in train dataset
Xi          Rows in test dataset
Xj          Rows in train dataset

Table V. Description of the parameters



6 Implementation and Result Analysis

31 experiments have been conducted, in which the 6 hybrid algorithms have been executed with 8, 10, 15, 20, 25 and 30
features for each class as mentioned in Table III. Another experiment is executed with all (41) features
without applying any Meta heuristic approach. The experimental setup, parameter settings and results are described in
the following sections.

6.1 Experimental setup:


All the experiments have been conducted on the same computer, with an Intel Core i5 processor with a clock speed of
3.2 GHz and 4 GB of RAM. MATLAB 2019b has been used to implement all the hybrid algorithms; the fitckNN and
fitcTree modules from the MATLAB machine learning toolbox have been used. Python is used for preprocessing of the dataset.
Table VI shows the parameter settings for all the algorithms during the experiments.

Algorithms        Parameters value
GA-kNN, GA-DT     Maxit = 200, N = 20, Pe = 0.1, Pc = 0.7, Pm = 0.1
PSO-kNN, PSO-DT   Maxit = 200, N = 20, w = 0.9, c1 = c2 = 2
DE-kNN, DE-DT     Maxit = 200, N = 20, F = 0.63, Pcr = 0.8

Table VI. Parameters settings
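
The GA wrapper of Algorithm 1 with the 3-nearest-neighbour fitness of Algorithm 4 and the GA settings of Table VI, as an added Python example that is not the authors' MATLAB code. The data is a constructed stand-in for NSL-KDD; deriving En, Cn and Mn as round(P × N), keeping feature indices unique within a subset, refilling each generation to N with random subsets, and all function names are assumptions of this example.

```python
import random

PROTO = {"tcp": 1, "icmp": 2, "udp": 3}   # Protocol_type encoding from Section 5.3

def make_rows(n, rng, n_features=12):
    """Constructed stand-in for NSL-KDD rows (not real traffic).
    Column 0 is the encoded protocol, columns 1-2 carry the class signal,
    the remaining columns are noise."""
    rows = []
    for _ in range(n):
        label = rng.randint(0, 1)                       # 0 = normal, 1 = attack
        x = [float(PROTO[rng.choice(sorted(PROTO))])]
        x += [rng.gauss(3.0 * label, 1.0), rng.gauss(-3.0 * label, 1.0)]
        x += [rng.gauss(0.0, 3.0) for _ in range(n_features - 3)]
        rows.append((x, label))
    return rows

def knn_accuracy(fset, train, test, k=3):
    """Eq. 1: percentage of test rows whose k-NN majority class is correct."""
    correct = 0
    for xt, yt in test:
        # Squared Euclidean distance gives the same neighbour order.
        dists = sorted((sum((xt[f] - xr[f]) ** 2 for f in fset), yr)
                       for xr, yr in train)
        votes = sum(y for _, y in dists[:k])            # labels are 0/1
        correct += int((1 if 2 * votes > k else 0) == yt)
    return 100.0 * correct / len(test)

def roulette(pop, fits, rng):
    """Pick one subset with probability proportional to its fitness."""
    r, acc = rng.uniform(0, sum(fits)), 0.0
    for ind, f in zip(pop, fits):
        acc += f
        if acc >= r:
            return ind
    return pop[-1]

def crossover(p1, p2, rng):
    """One-point crossover (needs d >= 2), repaired so no index repeats."""
    cut = rng.randint(1, len(p1) - 1)
    child = list(p1[:cut])
    child += [f for f in p2 if f not in child][:len(p1) - cut]
    return child

def mutate(ind, n_features, rng):
    """Replace one random position with a feature index not yet in the subset."""
    out = list(ind)
    out[rng.randrange(len(out))] = rng.choice(
        [f for f in range(n_features) if f not in out])
    return out

def ga_select(train, test, d=3, n_features=12, N=20,
              pe=0.1, pc=0.7, pm=0.1, maxit=10, seed=7):
    """Return (best subset, its accuracy, best accuracy per generation)."""
    rng = random.Random(seed)
    en, cn, mn = round(pe * N), round(pc * N), round(pm * N)   # assumed mapping
    cache = {}

    def fit(ind):
        key = tuple(sorted(ind))
        if key not in cache:
            cache[key] = knn_accuracy(key, train, test)
        return cache[key]

    pop = [rng.sample(range(n_features), d) for _ in range(N)]
    history = []
    for _ in range(maxit):
        pop.sort(key=fit, reverse=True)
        fits = [fit(ind) for ind in pop]
        history.append(fits[0])
        new = [list(ind) for ind in pop[:en]]                  # elites survive
        for _ in range(cn // 2):                               # two children per pair
            a, b = roulette(pop, fits, rng), roulette(pop, fits, rng)
            new += [crossover(a, b, rng), crossover(b, a, rng)]
        for _ in range(mn):
            new.append(mutate(rng.choice(pop), n_features, rng))
        while len(new) < N:                                    # keep size N
            new.append(rng.sample(range(n_features), d))
        pop = new
    best = max(pop, key=fit)
    history.append(fit(best))
    return sorted(best), fit(best), history

if __name__ == "__main__":
    rng = random.Random(42)
    train, test = make_rows(80, rng), make_rows(40, rng)
    subset, acc, hist = ga_select(train, test)
    print("selected feature indices:", subset)
    print("best accuracy per generation:", hist)
```

As in Section 5.4, fitness is measured on Dtest, so the returned accuracy is the value the search optimised; scoring the chosen subset on rows held out from the search gives an unbiased figure.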

6.2 Result Analysis:


At first, basic kNN and GA have been applied with 41 features, and it is observed that Decision Tree performs better than kNN
for all classes. To enhance performance further, hybrid algorithms have been employed and a fixed number of features
(8, 10, 15, 20, 25, 30) has been provided as input. For the DoS class, classification accuracies of 98.89%, 99.88%, 97.80%,
99.78%, 98.51%, 99.78% have been obtained by GA-kNN, GA-DT, PSO-kNN, PSO-DT, DE-kNN, DE-DT respectively.
So it is clear from the results that 99.78% is the highest accuracy obtained by GA-DT with 10 features. In a similar way,
all hybrid algorithms have been applied to the U2R class. Experimental results show that 82.30%, 86.46%, 82.90%, 82.33%,
81.34%, 85.49% have been acquired by GA-kNN, GA-DT, PSO-kNN, PSO-DT, DE-kNN, DE-DT respectively. Here it
is also observed that GA-DT performs best with 10 features. For the R2L class it is found that 87.68%, 95.39%, 85.69%, 91.47%,
86.79%, and 93.99% have been obtained by GA-kNN, GA-DT, PSO-kNN, PSO-DT, DE-kNN; out of them 95.39% is the
highest, achieved by GA-DT with 10 features. Similarly, for the Probe class it is observed that 94.22%, 96.90%,
93.82%, 96.32%, 92.81%, 96.53% have been obtained by GA-kNN, GA-DT, PSO-kNN, PSO-DT, DE-kNN, DE-DT.
Here the best accuracy achieved is 96.90% by GA-DT with 10 features. Lastly, the same methodology has been applied to
the Normal class, and it is found that 100% accuracy has been achieved by most of the algorithms with only 8 features.
Detailed results have been given in Table VII. Best results of each class have been marked as bold. For better
representation, results are also plotted graphically.

Class   No. of Features  GA-kNN    PSO-kNN   DE-kNN    GA-DT     PSO-DT    DE-DT     kNN     DT
DoS     8                98.88809  97.8      98.5113   99.38305  99.4903   99.72     -       -
DoS     10               97.01     94.7157   96.24     99.88223  99.78     99.383    -       -
DoS     15               89.09     96.98     89.4984   93.81412  94.5681   93.6964   -       -
DoS     20               89.1094   88.9485   88.28     92.98552  93.01     92.48     -       -
DoS     25               89.0692   87.9      88.74     92.60998  92.4877   92.39     -       -
DoS     30               88.22     87.84     88.6668   92.66363  92.2881   92.1942   -       -
DoS     41               -         -         -         -         -         -         75.12   88.83
U2R     8                82.30693  82.9      81.336    83.90099  83.3267   85.495    -       -
U2R     10               80.30693  80.92     80.3168   86.40594  80.3168   83.4851   -       -
U2R     15               79.802    76.8317   79.3069   84.88     78.7921   81        -       -
U2R     20               78.78218  74.396    78.8119   81.38614  74.31     81.5248   -       -
U2R     25               73.27723  73.91     71.5842   81.3861   73.3069   80.0198   -       -
U2R     30               70.32673  71.3861   70.3168   80.38     72.8119   93.998    -       -
U2R     41               -         -         -         -         -         -         50.96   58.973
R2L     8                86.47785  84.8446   85.4      93.36601  91.09     93.098    -       -
R2L     10               87.67611  85.6935   86.79     95.3885   91.24     86.9644   -       -
R2L     15               86.20407  82.862    85.6652   92.78     91.467    81.5105   -       -
R2L     20               85.94771  82.1881   82.9194   89.56282  91.207    76.31     -       -
R2L     25               85.1262   80.31     82.3384   88.0537   88.09     73.6659   -       -
R2L     30               84.2992   79.9194   80.3747   80.42     87.63     93.998    -       -
R2L     41               -         -         -         -         -         -         61.34   63.65
Probe   8                94.21596  93.8216   92.8129   96.61297  96.3238   96.5325   -       -
Probe   10               93.14333  93.5564   92.1933   96.90211  95.2912   96.4      -       -
Probe   15               92.17     91.5151   92.5651   96.8195   95.81     96.1673   -       -
Probe   20               92.11596  91.5564   91.739    96.57166  94.3651   95.7869   -       -
Probe   25               90.88     90.55     90.4172   96.8608   92.5304   95.2804   -       -
Probe   30               90.74762  87.88     86.6997   92.52375  91.613    94.8282   -       -
Probe   41               -         -         -         -         -         -         62.08   66.74
Normal  8                100       100       100       100       100       99.9794   -       -
Normal  10               98.72     100       99.9897   99.94851  100       100       -       -
Normal  15               97.85     100       99.413    99.42327  100       99.3615   -       -
Normal  20               97.57     99.9279   98.6509   98.1874   99.9279   99.1143   -       -
Normal  25               97.49     99.9176   98.34     98.311    99.2276   98.3007   -       -
Normal  30               97.41     97.5489   97.9094   98.29042  99.0216   98.08     -       -
Normal  41               -         -         -         -         -         -         96.17   96.91

Table VII. Classification accuracy of all hybrid algorithms



Fig.2. Performance comparison between kNN and Decision Tree
Fig.3 (a). Classification accuracy of DoS class using kNN and Meta Heuristic algorithms
Fig.3 (b). Classification accuracy of DoS class using Decision Tree and Meta Heuristic algorithms
Fig.4 (a). Classification accuracy of U2R class using kNN and Meta Heuristic algorithms
Fig.4 (b). Classification accuracy of U2R class using Decision Tree and Meta Heuristic algorithms
Fig.5 (a). Classification accuracy of R2L class using kNN and Meta Heuristic algorithms
Fig.5 (b). Classification accuracy of R2L class using Decision Tree and Meta Heuristic algorithms
Fig.6 (a). Classification accuracy of Probe class using kNN and Meta Heuristic algorithms
Fig.6 (b). Classification accuracy of Probe class using Decision Tree and Meta Heuristic algorithms
Fig.7 (a). Classification accuracy of Normal class using kNN and Meta Heuristic algorithms
Fig.7 (b). Classification accuracy of Normal class using Decision Tree and Meta Heuristic algorithms
Fig.8 Increase of accuracy with increment of iteration

Figure 2 shows the comparison of accuracy obtained by kNN and GA with all features. Figures 3 (a) and 3 (b)
show the classification accuracy obtained by the hybrid algorithms for the DoS class using kNN and Decision Tree. Figures 4
(a) and 4 (b) show the accuracy of U2R class detection. Similarly, the classification accuracy of the R2L, Probe and Normal
classes is shown in Figures 5(a), 5(b), 6(a), 6(b), 7(a), 7(b) respectively. Figure 8 shows the growth of fitness after
each generation. There we can see that accuracy has increased significantly after 200 iterations. From Table VII we
can clearly see that GA-DT outperforms all other variants with 10 features for the DoS, U2R, R2L and Probe classes and 8 features for
the Normal class. A comparison with similar state-of-the-art works in terms of accuracy is provided in Table VIII, and
Table IX shows the feature numbers selected by GA and classified by DT for which the highest accuracy has been
obtained.

Authors, Year                 Method                    DoS     U2R     R2L     Probe   Normal
Proposed                      Hybrid                    99.88   86.40   95.38   96.9    100
Pajouh et al., 2015 [55]      Two-tier                  84.68   67.16   34.81   79.76   94.56
Kim and Kim, 2014 [56]        HFR-MLR                   89.70   80.02   34.20   80.2    93.7
Toosi and Kahani, 2007 [57]   Neuro-fuzzy classifiers   99.5    14.1    31.5    84.1    98.2
Zhang et al., 2006 [58]       Association rule          74.9    0.79    0.38    96.8    99.5
Sabhnani et al., 2003 [59]    Multi-classifier          97.3    29.8    0.96    88.7    Nil

Table VIII. Comparison of results with other work

Class    Feature Numbers
DoS      15,18,20,13,2,19,14,26,20,31
U2R      30,8,36,3,10,24,15,17,18,39
R2L      29,26,36,39,34,11,34,3,36,28
Probe    23,6,3,5,4,20,34,30,33,5
Normal   19,7,9,16,15,22,25,20

Table IX. List of best selected features

7 Secure Healthcare Architecture Design using HIIDS


As discussed earlier, an IDS is essential for medical servers since many stakeholders use or view health data
saved as Electronic Health Records (EHR). Thus, to ensure legal access to those data, malicious users must be identified.
Anomaly detection is a very efficient method to identify potential security attacks and threats [60]. For this purpose,
network data are usually given to a Machine Learning model present in the IDS. Hence effective model selection is very
important.
7.1 Model Selection:
Several experiments have been conducted in this work to identify the appropriate features and classifier. For
model selection, accuracy, computation time (time to obtain accuracy on given data) and resource utilization (CPU and
memory usage during computation) are considered for performance evaluation. It has been observed that the features
selected by GA are the most appropriate and that Decision Tree is able to obtain higher accuracy. To calculate the
computation time and resource utilization, the best features selected by GA for each class have been used as input
features to Decision Tree and kNN separately. For example, first all 41 features are used as input for all classes, and the time
to calculate the accuracy is recorded. Then the sets of 30, 25, 20, 15, 10 and 8 features out of 41 are given as input.
Computation time in seconds and CPU and memory usage in percent for Decision Tree and kNN are given in Table
X. For better representation, computation time has been plotted in Figure 9 (a), (b). Here Decision Tree performs better
than kNN in terms of computation time, CPU and memory usage for all classes. Hence, a Decision Tree based ML model
can be selected for deployment.

                    All 41 features                          Best 10 features (Normal: best 8 features)
Class   Classifier  Exec.Time  Accuracy  CPU   Memory        Exec.Time  Accuracy  CPU   Memory
DoS     DT          130.22     88.83     58%   72%           10.48      99.88     21%   39%
DoS     kNN         84.14      75.12     60%   73%           8.77       97.01     28%   44%
U2R     DT          6          58.97     46%   68%           1.22       86.40     20%   35%
U2R     kNN         9.87       50.96     47%   66%           5.12       80.30     21%   41%
R2L     DT          33.19      63.65     50%   73%           2.82       95.38     16%   44%
R2L     kNN         53         61.34     51%   76%           9.38       87.67     22%   49%
Probe   DT          36.28      66.74     55%   68%           5.21       96.90     23%   32%
Probe   kNN         45.21      62.08     63%   64%           22.19      93.14     28%   37%
Normal  DT          95.55      96.91     63%   70%           5.47       100       27%   44%
Normal  kNN         147        96.17     67%   73%           16.17      100       33%   51%

Table X. Comparison of execution time, CPU usage and memory usage for all and reduced features

Fig.9 (a). Computation time for Decision Tree
Fig.9 (b). Computation time for kNN

7.2 Modeling Healthcare Architecture using HIIDS:


Here we propose an architecture of a healthcare system utilizing the HIIDS model, as shown in Figure 11, to detect
malicious traffic generated by various stakeholders. The traffic can be a data access or a store request. For example, a
pathologist can try to retrieve some health information of a patient, or an IoT device can try to store sensed patient vitals.
Thus different stakeholders are linked with this medical server. In the architecture, a Decision Tree based training
model along with the 10 best features of the NSL-KDD training dataset has been considered. First, the network traffic goes
to the internal firewall, where a data log (Test Data) is prepared. Then the traffic along with its log is sent to the HIIDS,
where the Decision Tree based Machine Learning model classifies the traffic as malicious or normal. Next, the traffic is sent
to the internal firewall, where malicious traffic is blocked and the system administrator is alerted regarding this
abnormality. Normal traffic is forwarded to the medical server to handle the request. The proposed architecture ensures
low overhead intrusion detection in terms of time and computational complexity and also achieves high accuracy, and is thus suitable
for application in IoT based healthcare.

Fig.10. Proposed architecture modeling of healthcare application with HIIDS

8 Conclusion
In this paper, an intelligent Intrusion Detection System (HIIDS) based on machine learning and meta-heuristic
algorithms is designed and implemented for application in IoT based healthcare systems. Meta heuristic algorithms such
as GA, PSO and DE have been combined with Machine Learning algorithms such as kNN and Decision Tree using the
hybrid framework. This hybrid approach is used to obtain maximum accuracy using the minimum number of features.
This feature reduction process reduces time and storage requirements, thus making it suitable for time-critical
applications like healthcare. Experimental results show that the GA-DT variant of the hybrid approach has obtained 99.88%,
86.40%, 95.39%, 96.90% and 100% accuracy for the DoS, U2R, R2L, Probe and Normal classes with the help of 8-10 features,
thus outperforming similar state-of-the-art works in terms of classification accuracy. Hence the Decision Tree based model is
more effective at identifying similar kinds of traffic. We have explored the best features for each class based on the highest
classification accuracy obtained by the GA-DT hybrid variant algorithm. Using those features, a Decision Tree based ML
model has been built with the help of the NSL-KDD training dataset. Finally, to evaluate the model, experiments have been
executed to record execution time, CPU usage and memory usage. Experimental results prove that this model can
classify attack and normal traffic in less time with high accuracy; CPU usage and memory usage are also relatively low,
thus making it suitable for application in resource-constrained IoT based smart healthcare systems.
Acknowledgement
This work has been carried out with partial support from the grant received from WBDST sanctioned research project on
secure remote healthcare with project sanction no. 230(Sanc)/ST/P/S&T/6G-14/2018.
Conflict of Interests: On behalf of all authors, the corresponding author states that there is no conflict of interest.
References
1. D. Thakur, S. Biswas, “Smartphone based human activity monitoring and recognition using ML and DL: a
comprehensive survey”, J Ambient Intell Human Comput, Springer, 2020.
2. Al-Obeidat, F., El-Alfy, E.M. Hybrid multicriteria fuzzy classification of network traffic patterns, anomalies,
and protocols. Pers Ubiquit Comput 23, 777–791 (2019). https://doi.org/10.1007/s00779-017-1096-z.

3. S.Saif, S.Biswas, “ Secure data transmission beyond Tier 1 of medical body sensor network”, in proceedings of
International Ethical Hacking Conference (eHacon ) , Chapter no. 33, Chapter DOI: 10.1007/978-981-13-
1544-2_33, ISBN 978-981-13-1544-2, Springer, 2018.
4. M. Wazid, S. Zeadally, A.K. Das, V. Odely, Analysis of Security Protocols for Mobile Healthcare, Journal of
Medical Systems, Vol. 40,2016.
5. G. Thamilarasu, A. Odesile, A. Hoang, An Intrusion Detection System for Internet of Medical Things, IEEE
Access, 8, 181560-181576, 2020.
6. Saurabh Dey, Qiang Ye, Srinivas Sampalli, A machine learning based intrusion detection scheme for data
fusion in mobile clouds involving heterogeneous client networks, Information Fusion, 49, 205-215, 2019.
7. Jaber, A.N., Rehman, S.U. FCM–SVM based intrusion detection system for cloud computing environment.
Cluster Comput 23, 3221–3231,2020
8. M. Tavallaee, E. Bagheri, W. Lu, and A. Ghorbani, “A Detailed Analysis of the KDD CUP 99 Data Set,”
Submitted to Second IEEE Symposium on Computational Intelligence for Security and Defense Applications
(CISDA), 2009.
9. M. H. Ali, M. Fadlizolkipi, A. Firdaus and N. Z. Khidzir, "A hybrid Particle swarm optimization -Extreme
Learning Machine approach for Intrusion Detection System," 2018 IEEE Student Conference on Research and
Development (SCOReD), Selangor, Malaysia,pp. 1-4,2018
10. Zhang, Ge, et al. Feature Selection for Microarray Data Classification Using Hybrid Information Gain and a
Modified Binary Krill Herd Algorithm,Interdisciplinary Sciences, Computational Life Sciences, 2020.
11. S.Saif,S.Biswas,Secure Data Transmission Beyond Tier 1 of Medical Body Sensor Network, Proceedings of
International Ethical Hacking Conference 2018,405-417,2019
12. S.Saif,R.Gupta,S.Biswas, Implementation of Cloud-Assisted Secure Data Transmission in WBAN for
Healthcare Monitoring,Advanced Computational and Communication Paradigms. Springer, Singapore,665-674,
2019.
13. S.Saif,,S.Biswas,On the Implementation and Performance Evaluation of Security Algorithms for
Healthcare,Proceedings of the 2nd International Conference on Communication Devices and Computing,629-
640, 2020
14. D. J. Brown, B. Suckow& T. Wang.A Survey of Intrusion Detection Systems.Technical report Department of
Computer Science, University of California, San Diego, 2002.
15. M.Bhatia, M.K. Rai, Identifying P2P traffic: A survey. Peer-to-Peer Netw. Appl. 10, pp.1182–1203,2017
16. P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, Anomaly-based network
intrusion detection: techniques, systems and challenges, Computers & Security, vol. 28, no. 1-2, pp. 18–28,
2009.
17. A. Ukil, S. Bandyoapdhyay, C. Puri and A. Pal, "IoT Healthcare Analytics: The Importance of Anomaly
Detection," 2016 IEEE 30th International Conference on Advanced Information Networking and Applications
(AINA), Crans-Montana, pp. 994-997,2016.
18. F. A. Khan, N. A. H. Haldar, A. Ali, M. Iftikhar, T. A. Zia and A. Y. Zomaya, A Continuous Change Detection
Mechanism to Identify Anomalies in ECG Signals for WBAN-Based Healthcare Environments, IEEE Access,
vol. 5, pp. 13531-13544, 2017.
19. G.Thamilarasu, iDetect: an intelligent intrusion detection system for wireless body area networks, International
Journal of Security and Networks, Vol.11, pp. 82-93, 2016.
20. R. Mitchell, I.R. Chen, Behavior Rule Specification-Based Intrusion Detection for Safety Critical Medical
Cyber Physical Systems, IEEE Transactions on Dependable and Secure Computing, Vol.12, No.1, pp.16–
30,2015.
21. A.Christy,G.M. Gandhi,S. Vaithyasubramanian, Cluster based outlier detection algorithm for healthcare data,
Procedia Computer Science, Vol.50,pp.209-215,2015.
22. X. Liu, Y. Liu, A. Liu and L. T. Yang, Defending ON–OFF Attacks Using Light Probing Messages in Smart
Sensors for Industrial Communication Systems, IEEE Transactions on Industrial Informatics, Vol. 14, No. 9,
pp. 3801-3811, 2018.
23. M.O. Pahl, F.X. Aubet, All eyes on you: distributed multi-dimensional IoT microservice anomaly detection, in:
Proceedings of the 2018 Fourteenth International Conference on Network and Service Management
(CNSM) (CNSM 2018), Rome, Italy, 2018.
24. E. Anthi, L. Williams, P. Burnap, Pulse: an adaptive intrusion detection for the internet of things, Living in the
Internet of Things: Cybersecurity of the IoT - 2018, London, pp. 1-4, 2018.
25. A.A Diro, N.Chilamkurti, Distributed attack detection scheme using deep learning approach for Internet of
Things, Future Generation Computer Systems, Vol. 82,pp. 761-768,2018.
26. G.Angelo, F.Palmieri, M. Ficco, S.Rampone, An uncertainty-managing batch relevance-based approach to
network anomaly detection, Applied Soft Computing, Vol. 36,pp. 408-418,2015.

27. K. Yang, J. Ren, Y. Zhu, and W. Zhang, Active learning for wireless IoT intrusion detection, IEEE Wireless
Communications Magazine, vol. 25, no. 6, pp. 19–25, 2018.
28. J. Li, Z. Zhao, R. Li, H. Zhang, AI-based two-stage intrusion detection for software defined IoT networks,
IEEE Internet of Things Journal, vol. 6, no. 2, pp. 2093–2102, 2019.
29. L. Liu, B. Xu, X. Zhang, and X. Wu, An intrusion detection method for internet of things based on suppressed
fuzzy clustering, EURASIP Journal on Wireless Communications and Networking,vol.2018,no.1,2018.
30. M.L. Martin, B. Carro, A.S. Esguevillas, J. Lloret, Conditional Variational Autoencoder for Prediction and
Feature Recovery Applied to Intrusion Detection in IoT, Sensors, Vol. 17, 2017.
31. Q. Niyaz, W.Sun, A.Y. Javaid,M. Alam, Deep Learning Approach for Network Intrusion Detection System,
ACM 9th EAI International Conference on Bio-inspired Information and Communications Technologies, New
York,2016.
32. T. Kavitha, K. Geetha, & R. Muthaiah, India: Intruder Node Detection and Isolation Action in Mobile Ad Hoc
Networks Using Feature Optimization and Classification Approach. Journal of Medical System 43, 179, 2019.
33. Hossein Jadidoleslamy, A hierarchical intrusion detection architecture for wireless sensor networks, International
Journal of Network Security & Its Applications, vol. 3, no. 5, p. 131, 2011.
34. M. S. I. Mamun, A. S. Kabir, “Hierarchical design based intrusion detection system for wireless ad hoc sensor
network,” International Journal of Network Security & Its Applications, vol.2, no. 3, pp. 102–117, 2010.
35. P. Kasinathan, C. Pastrone, M. A. Spirito, M. Vinkovits,Denial-of-service detection in 6LoWPAN based
internet ofthings, in Proceedings of the 2013 IEEE 9th International Conference on Wireless and Mobile
Computing, Networking andCommunications (WiMob ’13), pp. 600–607, IEEE Computer,Lyon, France,
October 2013.
36. Krontiris, Z. Benenson, T. Giannetsos, F. C. Freiling, T. Dimitriou, “Cooperative intrusion detection in wireless
sensor networks,” in Proceedings of the 6th European Conference on Wireless Sensor Networks (EWSN
’09),Lecture Notes in Computer Science vol. 5432,pp. 263–278,2009
37. C. Wang, T. Feng, J. Kim, G. Wang,W. Zhang, Catching packet droppers and modifiers in wireless sensor
networks, in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad
Hoc Communications and Networks, Rome, Italy, June 2009.
38. F. Bao, I. Chen, M. Chang, J. Cho, “Hierarchical trust management for wireless sensor networks and its
applications to trust-based routing and intrusion detection,” IEEE Transactions on Network and Service
Management, vol. 9, no. 2, pp. 169–183,2012.
39. S. Khan and K.K. Loo, “Real-time cross-layer design for a large scale flood detection and attack trace-back
mechanism in IEEE 802.11 wireless mesh networks,” Network Security, vol. 2009, no. 5, pp. 9–16, 2009.
40. D. E. Boubiche and A. Bilami, “Cross layer intrusion detection system for wireless sensor network,”
International Journal of Network Security & Its Applications, vol. 4, no. 2, p. 35, 2012.
41. Y. Zhang, W. Lee, and Y.A. Huang, “Intrusion detection techniques for mobile wireless networks,” Wireless
Networks,vol. 9, no. 5, pp. 545–556, 2003.
42. Y. Zhang and W. Lee, “Intrusion detection in wireless adhoc networks,” in Proceedings of the 6th Annual
International Conference on Mobile Computing and Networking (MobiCom ’00), pp. 257–283, ACM, Boston,
Mass, USA, August 2000.
43. S. Shamshirband, A. Patel, N. B. Anuar, M. L. M. Kiah, A. Abraham, Cooperative game theoretic approach
using fuzzy Q-learning for detecting and preventing intrusions in wireless sensor networks, Engineering
Applications of Artificial Intelligence, vol. 32, pp. 228–241, 2014.
44. A. Agah, S. K. Das, K. Basu, and M. Asadi, Intrusion detection in sensor networks: a non-cooperative game
approach,in Proceedings of the 3rd IEEE International Symposium on Network Computing and Applications
(NCA ’04), pp. 343–346,IEEE Computer, Cambridge, Mass, USA, September 2004.
45. A.Abraham, C. Grosan,C. Martin-Vide, Evolutionary design of intrusion detection programs, International
Journal of Network Security, vol. 4, no. 3, pp. 328–339, 2007.
46. E. C. Ngai, J. Liu, and M. R. Lyu, “On the intruder detection for sinkhole attack in wireless sensor networks,” in
Proceedings of the IEEE International Conference on Communications (ICC ’06), vol. 8, pp. 3383–3389, IEEE
Computer, Istanbul, Turkey,June 2006.
47. H. Deng, Q.A. Zeng, and D. P. Agrawal, SVM-based intrusion detection system for wireless ad hoc networks, in
Proceedings of the 2003 IEEE 58th Vehicular Technology Conference, VTC2003-Fall, vol. 3, pp. 2147–2151,
IEEE Computer, Orlando, Fla, USA,October 2003.
48. Y. Maleh, A. Ezzati, Y. Qasmaoui, and M. Mbida, A global hybrid intrusion detection system for wireless
sensor networks,Procedia Computer Science, vol. 52, pp. 1047–1052, 2015.
49. Abbas H, Latif R, Latif S, Masood A,Performance evaluation of Enhanced Very Fast Decision Tree (EVFDT)
mechanism for distributed denial-of-service attack detection in health care systems,Annals of
Telecommunications,71,477-487,2016

50. A. Verner and D. Butvinik, "A Machine Learning Approach to Detecting Sensor Data Modification Intrusions in
WBANs," 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA), Cancun,
Mexico, pp. 161-169,2017.
51. Xuyang Hou, Jingjing Wang, Chunxiao Jiang, Sanghai Guan and Yong Ren, A sink node assisted lightweight
intrusion detection mechanism for WBAN, 2018 IEEE International Conference on Communications (ICC), 1-6,
2018.
52. I. Alrashdi, A. Alqazzaz, R. Alharthi, E. Aloufi, M. A. Zohdy and H. Ming, "FBAD: Fog-based Attack
Detection for IoT Healthcare in Smart Cities," 2019 IEEE 10th Annual Ubiquitous Computing, Electronics &
Mobile Communication Conference (UEMCON), New York, NY, USA, pp. 0515-0522, 2019.
53. A. A. Hady, A. Ghubaish, T. Salman, D. Unal and R. Jain, "Intrusion Detection System for Healthcare Systems
Using Medical and Network Data: A Comparison Study," in IEEE Access, vol. 8, pp. 106576-106584, 2020
54. Q. Chen, J. Lambright and S. Abdelwahed, "Towards Autonomic Security Management of Healthcare
Information Systems," 2016 IEEE First International Conference on Connected Health: Applications, Systems
and Engineering Technologies (CHASE), Washington, DC, pp. 113-118,2016.
55. H. H. Pajouh, G. Dastghaibyfard, and S. Hashemi, Two-tier network anomaly detection model: a machine
learning approach, J. Intell. Inf. Syst., pp. 1–14, 2015.
56. E.Kim,S.Kim, A Novel Anomaly Detection System Based on HFR-MLR Method, Mobile Ubiquitous and
Intelligent Computing, Vol. 274, pp.279–286,2014.
57. A.N.Toosi,M.Kahani, A new approach to intrusion detection based on an evolutionary soft computing model
using neuro-fuzzy classifiers, Computer and Communications, Vol.30, No.10, pp.2201–2212,2007
58. J.Zhang, M.Zulkernine, Anomaly based network intrusion detection with unsupervised outlier detection, In
IEEE International Conference on Communications, ICC06,Vol. 5, pp. 2388–2393,2006.
59. M.R.Sabhnani,G.Serpen, Application of Machine Learning Algorithms to KDD Intrusion Detection Dataset
within Misuse Detection Context, International Conference on Machine Learning: Models, Technologies, and
Applications, pp. 209–215, 2003.
60. S. Manimurugan, Al-qdah Majdi, Mustaffa Mohmmed, C. Narmatha, R. Varatharajan, Intrusion detection in
networks using crow search optimization algorithm with adaptive neuro-fuzzy inference system,
Microprocessors and Microsystems, Volume 79, 103261, 2020.

AUTHORS’ BIOGRAPHY AND PHOTO

Sohail Saif is working as a Full Time Ph.D. Research Scholar at Maulana Abul Kalam Azad
University of Technology, West Bengal, India. He completed his B.Tech in Computer
Science and Engineering and M.Tech in Software Engineering from Maulana Abul Kalam
Azad University of Technology, WB in 2014 and 2018, respectively. His areas of research
interests are internet of things, network security and remote healthcare.


Priya Das worked as Research Scholar at Jadavpur University, Kolkata, India. She
completed her B.Tech in Information Technology and M.Tech in Computer Science &
Engineering from Government College of Engineering And Ceramic Technology and
Maulana Abul Kalam Azad University of Technology, WB in 2016 and 2018, respectively.
Her areas of research interests are soft computing, machine learning, network security and
IoT based healthcare.

Dr. Suparna Biswas is an Associate Professor and Head in the Department of Computer
Science and Engineering in Maulana Abul Kalam Azad University of Technology, India.
She completed her ME and Ph.D. from Jadavpur University, India. She had been an
ERASMUS MUNDUS Post Doctoral Research Fellow in cLINK project in Northumbria
University, Newcastle, UK during 2014 -15. She has authored a number of research papers
in reputed journals, conferences, book chapters of international repute. She is currently

executing two funded research projects on IoT based remote healthcare in the capacity of
principal and co-principal investigator. She has been lead editor in edited volumes of reputed
publishers such as springer, general chair, session chair in International conferences,
resource person at International Conference, webinars, workshop, FDP etc. She is a member
of IEEE and IAENG. Her areas of research interests include wireless networks, IoT,
security, healthcare.

Dr. Manju Khari is an Assistant Professor in Ambedkar Institute of Advanced
Communication Technology and Research, Under Govt. Of NCT Delhi affiliated with
Guru Gobind Singh Indraprastha University, Delhi, India. She is also the Professor- In-
charge of the IT Services of the Institute and has experience of more than twelve years in
Network Planning & Management. She holds a Ph.D. in Computer Science &
Engineering from National Institute Of Technology Patna and She received her master's
degree in Information Security from Ambedkar Institute of Advanced Communication
Technology and Research, formally this institute is known as Ambedkar Institute Of
Technology affiliated with Guru Gobind Singh Indraprastha University, Delhi, India. Her
research interests are software testing, information security, optimization, Image
processing and machine learning. She has 70 published papers in refereed
National/International Journals & Conferences (viz. IEEE, ACM, Springer, Inderscience,
and Elsevier) and 10+ edited books from reputed publishers. She is also co-author of two
books published by NCERT of Secondary and senior Secondary School.

Dr. S. Vimal is working in the Department of Information Technology, National
Engineering College, Kovilpatti, Tamilnadu, India. He has around thirteen years of
teaching experience and is an EMC certified Data Science Associate and a CCNA certified
professional. He holds a Ph.D. in Information and Communication Engineering
from Anna University Chennai and he received his Master's degree from Anna
University Coimbatore. He is a member of various professional bodies and has
organized various funded workshops and seminars. He has published widely in
high impact journals in the area of Data Analytics, Networking and Security issues
and published 04 book chapters. He has hosted two special sessions for IEEE
sponsored conferences in Osaka, Japan and Thailand. He has acted as session chair,
organizing committee member, advisory committee and outreach committee member
in various international conferences in IEEE and other prestigious conferences. His
areas of interest include Game Modelling, Artificial Intelligence, Cognitive radio
networks, Network security, Machine Learning and Big data Analytics. He is a
Senior member in IEEE and holds membership in various professional bodies. He
has served as reviewer for Springer, Elsevier and Wiley journals. He has hosted 2
special issues in CMC

Declaration of interests

☒ The authors declare that they have no known competing financial interests or personal relationships that
could have appeared to influence the work reported in this paper.

☐ The authors declare the following financial interests/personal relationships which may be considered as
potential competing interests:
