Fig 1.

System architecture diagram illustrating the proposed intrusion detection framework.

It depicts fog nodes at the network edge that collect and preprocess IoT sensor data using stacked autoencoders. The compressed analytic features from the fog are relayed to the cloud for detection using an optimized deep-learning ensemble model. The framework combines localized real-time anomaly detection in fog with holistic intrusion analysis in the cloud.


Fig 2.

Feature engineering pipeline using stacked autoencoders and CatBoost: The pipeline starts with the input data, which is processed by a stacked autoencoder for nonlinear dimensionality reduction.

The encoded features from the autoencoder are then input into CatBoost, which computes feature importance scores and selects the top N most predictive features.


Table 1.

Selected features for the AWID dataset.


Table 2.

Selected features for the UNSW-NB15 dataset.


Table 3.

Selected features for the KDD dataset.


Fig 3.

Ensemble neural network architecture integrating transformers, CNNs, and LSTMs.

It shows the parallel application of the Transformer, CNN, and LSTM branches to the input sequence data. Their outputs were concatenated to ensemble global, local, and temporal patterns in the data for robust sequence modelling and intrusion detection.


Fig 4.

A flowchart diagram of the iterative optimization process used by the adaptive grey wolf optimization algorithm to tune the hyperparameters of the ensemble model.

It depicts the steps of initializing the grey wolf population, evaluating ensemble models, updating wolf positions, re-evaluating models, and adaptively adjusting the optimization vectors to home in on the optimal hyperparameters.


Fig 5.

Loss reduction over epochs in stacked autoencoder training vs validation on NSL-KDD for multi-classification: It illustrates the training and validation loss over epochs during the training of a stacked autoencoder on the NSL-KDD dataset for multi-classification.

The blue line represents the training loss, and the orange line represents the validation loss. Both losses decreased over time, indicating the effectiveness of the training process.


Fig 6.

Loss reduction over epochs in stacked autoencoder training vs validation on UNSW-NB15 for multi-classification.


Fig 7.

Loss reduction over epochs in stacked autoencoder training vs validation on AWID for multi-classification.


Table 4.

Results of binary and multi-classification on NSL-KDD using SAE.


Table 5.

Results of binary and multi-classification on UNSW-NB15 using SAE.


Table 6.

Results of binary and multi-classification on AWID using SAE.


Fig 8.

Top 20 features with highest reconstruction error for NSL-KDD dataset: A bar graph displaying the top 20 features from the NSL-KDD dataset according to their reconstruction error when analyzed using a stacked autoencoder.

The reconstruction error is shown on the y-axis, while each feature is shown on the x-axis.


Fig 9.

Top 20 features with highest reconstruction error for UNSW-NB15 dataset: This bar graph displays the top 20 features from the UNSW-NB15 dataset, ranked according to their reconstruction error when analysed using a stacked autoencoder and CatBoost.

The y-axis corresponds to the reconstruction error, whereas the x-axis corresponds to each individual feature. The height of each bar represents the magnitude of the reconstruction error for that feature.


Fig 10.

Top 20 features with highest reconstruction error for AWID dataset: The top 20 features from the AWID dataset were analyzed using a stacked autoencoder and CatBoost, and their reconstruction error is shown in this figure’s bar graph.

One axis shows each feature and the other shows the reconstruction error. The height of each bar shows the magnitude of the reconstruction error for that feature.


Table 7.

Equivalent model descriptions.


Fig 11.

Displays the confusion matrices for binary classification across the NSL-KDD (a), UNSW-NB15 (b), and AWID (c) datasets. The diagonal elements, predominantly high, reflect the accurate classification of normal and attack traffic by the ensemble model.


Fig 12.

Displays the confusion matrices for multi-class classification across the NSL-KDD (a), UNSW-NB15 (b), and AWID (c) datasets. The matrices exhibit strong diagonal elements, each exceeding 99%, indicating the precise classification of diverse attack types. This underscores the ensemble model’s accuracy in distinguishing intricate malicious behaviors such as denial-of-service, remote access, probing, injections, impersonation, flooding, and worm attacks.


Table 8.

NSL-KDD multiclass classification performance.


Table 9.

NSL-KDD binary classification results.


Fig 13.

ROC curves for binary classification of normal vs. attack traffic.

This figure presents the ROC curves for binary classification between normal and attack traffic across three datasets: (a) NSL-KDD, (b) UNSW-NB15, and (c) AWID. Each subplot demonstrates near-perfect classification performance with Area Under the Curve (AUC) values of 1.00. The ROC curves, represented by the orange lines, closely follow the top-left corner of the plots, indicating excellent discrimination ability between normal and attack instances. This performance is characterized by high true positive rates achieved while maintaining very low false positive rates across all discrimination thresholds. The consistency of these results across different datasets underscores the robustness and generalizability of the ensemble intrusion detection model, suggesting its potential effectiveness in real-world deployments for IoT and fog computing settings.


Fig 14.

ROC Curves for multi-classification illustrating multi-class intrusion detection performance across three datasets.

(a) NSL-KDD dataset: near-perfect classification for Normal, DoS, Probe, Privilege, and Access classes. (b) UNSW-NB15 dataset: varied performance across multiple attack types, with high AUC values for classes like Fuzzers (0.93), Generic (0.98), and Reconnaissance (0.90), and lower values for others such as Analysis and Backdoors (both 0.51). (c) AWID dataset: excellent discrimination capability for flood, impres, and inject attacks (AUC: 0.99, 0.98, 1.00 respectively) and Normal traffic (0.99). These results demonstrate the efficacy of the proposed ensemble learning approach with advanced feature selection for optimized intrusion detection in IoT and fog computing environments.


Fig 15.

Displays the training and testing accuracy over 100 epochs for binary classification across three datasets: (a) NSL-KDD, (b) UNSW-NB15, and (c) AWID. The graphs illustrate the performance of the ensemble model in distinguishing between normal and attack traffic, demonstrating consistent improvement in accuracy over the training period.


Fig 16.

Displays the training and testing accuracy of the ensemble model for multi-class classification over 100 epochs across three datasets: (a) NSL-KDD, (b) UNSW-NB15, and (c) AWID. The plots illustrate the model’s ability to accurately classify multiple attack types, demonstrating its robust performance in handling diverse malicious behaviors.


Table 10.

UNSW-NB15 multi-classification results.


Table 11.

UNSW-NB15 binary classification results.


Table 12.

AWID multi-classification results.


Table 13.

AWID binary classification results.


Table 14.

Benchmarking against other classification methods.


Table 15.

Comparison with other methods.
