3.1.1. Model description.

This model divides network nodes into five groups: susceptible (S), exposed (E), infected (I), recovered (R), and vaccinated (V).

S: Includes devices vulnerable to infection that can become part of a botnet. All new devices that are connected to the network but have not yet been infected are in this group.

S → E: When a vulnerable device communicates with an infected device and receives the infection, the device moves from the vulnerable state to the vulnerable state.

E: Includes devices that have been contaminated but do not exhibit abnormal behavior.

E → I: The device’s dormant phase has ended, and the device begins to behave maliciously through user interaction, making it contagious.

I: Infected devices that are active in spreading the infection to other devices.

I → R: When security measures (such as antivirus or network scanning) are applied to devices, the infected device is cleaned, and further infection is prevented.

R: Includes devices that are now protected and are resistant to re-infection for a period of time and are no longer considered a source of infection.

R → V: At this stage, the recovered devices are vaccinated and cleaned using more advanced security measures (such as intrusion detection systems).

V: It includes devices that are not only clean but also vaccinated with multiple layers of security and have the ability to detect and prevent new infections.

R → S: Devices can lose their immunity and become vulnerable again due to reasons such as delayed updates, infection development, and antivirus expiration.

E → V: In some cases, hidden infected devices can be prevented from spreading their infection by using specific security measures and moved directly to the vaccinated stage.

V → S: Over time or due to the development of new threats, vaccinated devices lose their strength and become vulnerable devices.

In the proposed model, two types of node dynamics are considered: node removal with an exit rate μ and node addition with a connection rate ʌ, which are based on the density of nodes of degree k. To maintain the structural stability of the network, the addition and removal of links through leaf connections is balanced, and all nodes remain stable over time. So, the number of connections is equal to the number of leaves, and both operations occupy a single edge in the network structure. Table 2 presents the symbols used in the SEIRVS model.

Download:

• PNG
  larger image
• TIFF
  original image

Table 2. Symbols of the model.

https://doi.org/10.1371/journal.pone.0345157.t002

During the process of botnet attacks spreading in the network, these nodes change their state using the following rules:

1. 1) All newly connected devices are immune to infection. Devices connect to the network at a constant positive rate ʌ and disconnect from the Internet at a rate μ, and newly connected devices are assumed to be immune to infection.
2. 2) A node in the susceptible state is attacked by infected devices, but is not immediately infected and can become an infected node at a rate λ.
3. 3) Once infected, devices are placed in two states: latent or spreading. Vulnerable nodes follow two possible paths: if they behave suspiciously, they are vaccinated at a rate α to protect themselves from infection and prevent further spread. If they are hidden, they are infected at a rate ε and transition to state I.
4. 4) At node I, infected devices recover partially through antivirus mechanisms at a rate σ and move to state R.
5. 5) Security measures such as antivirus software are designed to protect against a specific type of botnet attack, since this immunity is temporary due to the evolution of botnets over time. Recovered devices can be vaccinated at a rate of 𝛾, and by incorporating security measures such as an intrusion detection system (IDS), the speed and number of infected nodes can be reduced and their protection extended.
6. 6) If the antivirus protection expires before vaccination, the nodes can become susceptible again at a rate 𝛽. Similarly, due to the evolution of attacks, there is no permanent immunity. Therefore, recovered devices can have a temporary immunity period and become susceptible again at a rate τ.

Assumptions in modeling are a critical issue for simplification and problem solving. The following are the assumptions of the proposed model. In modeling, it is necessary to eliminate variables that have the least impact on the system, which can be of great importance in simplifying the equations. The assumptions of the proposed model are given below. The following can be considered in the proposed epidemic model:

1. It is assumed that many diverse and anonymous botnet attacks are generated.
2. The network topology is based on a Barabasi-Albert (BA) neural network, which is a heterogeneous network.
3. In this experiment, the number of nodes is assumed to be 1000.
4. The number of nodes is fixed over time; that is, the birth rate is balanced with death. The links are balanced by leaves, so ᴧ = μ, The parameter is defined as the ratio of the total number of nodes with degree k at time t over all states of susceptible, exposed, infected, recovered, vaccinated. Due to the uneven degree distribution in networks, all network members are divided into k groups based on the degree of the network members. The network members in the kth group have the same degree distribution and number of connections as the others. It is assumed that (t), (t), (t), (t) and (t) are the densities of network members with degree k in the states V, S, E, I, R for k = 1, 2,..., n. The sum of these ratios in each degree class is equal to 1, in other words:
5. The death rate μ is considered the same and constant for all nodes.
6. At the start, 100 nodes are infected, which act as seeds, and the rest of the nodes are susceptible.
7. How the infected nodes are initially selected determines the malware propagation method. Here, infected nodes are randomly selected for the propagation process.
8. We consider dangerous botnet attacks and consider any security measure to be ineffective over time due to the spread of attacks.
9. The recovery phase can provide a suitable time for vaccination, but sometimes new attacks prevent it from being vaccinated, and it becomes a susceptible node again.
10. To increase the accuracy of the simulations, all simulations are performed in 20 iterations.

3.1.2. Model formulation.

Here, the SEIRVS analytical model is introduced to investigate the dynamics of botnet attack propagation in heterogeneous networks based on differential equations. At the beginning of the botnet attack propagation process, there are 100 infected nodes, and the rest are sensitive nodes. The initial state of botnet attack propagation is described below.

The following is the formula for the spread of attacks in heterogeneous networks:

When a botnet attack occurs in a network, the number of nodes that were previously susceptible and are now latently infected due to contact with the infection and are at risk decreases with the attack propagation rate. Based on the rates of connection and leaving the susceptible state, it is calculated using equation (1).

(1)

In equation (1), the θ, parameter indicates how contamination spreads in a network and is calculated using equation (2).

(2)

Equation (2) formulates how contamination spreads in a network where nodes have different degrees. In this equation, the parameter k is the degree of the node, which is the number of direct connections of that node in the network, whose values vary between m (minimum degree) and z (maximum degree). The parameter P(k) is the degree distribution function, which indicates the probability that a node is randomly selected. is the density of infected nodes of degree k at time 𝑡, and (k) is the average number of connections per node, calculated using Equation (3).

(3)

In equation (3), the degree of each member of the Internet network is considered as m = 1 ≤ k ≤ n, where m is the lowest degree, and n is the highest degree. P(k) is the degree distribution of all members of the Internet network. And as a result, According to equation (1), the vulnerable nodes are attacked by infected nodes, leaving the infected node and adding it to the vulnerable nodes. The vulnerable nodes, after the end of the incubation period, show infection and infect neighboring sensitive devices at a rate ε. Nodes at risk are vaccinated at a rate of α if they exhibit suspicious behaviors. This is calculated using equation (4).

(4)

When a node is infected, infected nodes are removed from the vulnerable node at a rate of ɛ and added to the infected nodes at time t. And when an infected node is recovered, it uses temporary security methods to provide time for vaccination. Infected nodes are removed from the infected nodes at a rate of σ and added to the recovered nodes. This is done using equation (5).

(5)

When nodes are infected, infected nodes are recovered at a rate of σ using temporary methods to provide time for vaccination. During recovery, if for reasons such as the spread of a stronger attack or the expiration of the antivirus time, it is possible for the detected node to be transferred to a sensitive node at a rate of β, otherwise, the node is vaccinated at a rate of γ using intrusion detection system methods. This is done using equation (6).

(6)

Of course, due to the spread of attacks, no security method can be permanent, so over time, the vaccinated nodes at a rate of τ become sensitive nodes again. This is done using the equation (7).

(7)

3.2.1. Preprocessing.

In preprocessing, raw data is prepared for model analysis, which consists of 3 steps. This step includes 1) Data cleaning: replacing missing data using the mean of numerical data, identifying outliers using the Z-score method, and removing them. 2) Converting non-numeric data to numerical data. Here, using the Min-Max method, all features are transformed in the range [0, 1] using equation (8).

(8)

By preparing the dataset, it is divided into two parts: training and testing. Here, 70% is considered for training, and the other 30% is considered for testing.

3.2.2. Feature selection.

All elements in nature have a similar pattern in different shapes and sizes, and each of them follows a constant physical ratio called the Golden Ratio Optimization (GRO). In IDS, the dataset contains hundreds of features, but not all of these features are needed. The number of features increases the computational cost. The goal of using the GRO algorithm is to find a suitable subset of features that increases the detection accuracy and reduces the computational cost. In GRO, instead of searching randomly, the search space is scanned numerically between [0,1] based on the golden ratio, and each position is a subset of features. This ratio was introduced by Fibonacci. This ratio consists of a series of numbers that are the sum of the two numbers before them. Equation (9) describes this property.

(9)

In equation (9), the parameter φ is the ratio between two consecutive numbers. Here, each solution is a vector that is first updated by the population mean and then the fit value to determine the worst and best solution. To increase the convergence speed, the mean value is updated. Second, a random population is generated, and the effect of the movement on the best and worst vectors is shown to move one step forward towards the optimization. To detect the overall position of the population, the population mean is calculated. This substitution is done using equations (10) and (11).

(10)

(11)

Each solution vector 𝑋 = [] is a subset of features in the dataset. In equation 20, parameter X represents the position of a solution in the search space. In the proposed IDS, each 𝑋 is a subset of selected features, and parameter F in equation 10 represents the fitness value of each 𝑋. This value evaluates the quality of the selected feature subset. To create variety in order to reach the global solution and avoid local optima, a random move is added. This move is calculated using equation (12).

(12)

The rand parameter is a random number drawn from a uniform distribution over the time interval [0,1], i.e., r and ∼U(0,1), and is a control factor that adjusts the influence of the attack-induced disturbance on the state update. In random walk, if is small, the coefficient becomes large and the influence of on increases, meaning the walk moves towards the best solution. If F is large, the part becomes more important and the random variation increases with respect to the current solution. The rand part causes a different value of the input vector to be combined each time the equation is executed, thus preventing getting stuck in a local optimum.

Now, by examining the boundary conditions, a new solution is substituted.

(13)

Now, the golden ratio is used to approximate the best answer, which is calculated using equation (14).

(14)

Fig 5 shows the proposed algorithm for feature selection, and Algorithm 1 shows the code of the proposed method.

Download:

• PNG
  larger image
• TIFF
  original image

Fig 5. The flowchart for the GRO algorithm.

https://doi.org/10.1371/journal.pone.0345157.g005

Algorithm 1: GRO

Input: Data set

Output: Best features

1. Preprocessing the dataset

2. Initialize population

3. While T<=maxiter

4.  Calculation fitness

5.  Based on the fitness function X_meduim, the average value of all solutions and the worst fit X_worst are obtained.

6.  if Fit (X_meduim) <Fit (X_worst) then

7.  X_meduim = X_worst

8.  Generate random population

9.  Compare all populations and update X_best

10.  Check the constraints and substitute the new solution with the old one

11. Return best features

3.2.3. Attack detection.

The main feature of bats is their eyesight, which has a high ability for echolocation. The Bat Algorithm (BA) is a metaheuristic algorithm that simulates bat echolocation, which was presented by Xin Shiyang [37] in 2010. Bats use the reflection of a long and short sound pulse to their ears, and the time difference between the transmission and reflection of these signals helps bats determine their distance to an object. Using this method, bats can distinguish between an obstacle and prey, and can even hunt in complete darkness. The algorithm works according to the following rules: 1) Bats can sense the distance and distinguish between prey and obstacles using echolocation. 2) Bats move randomly at a speed v at a position x. 3) They send signals with different wavelengths and heights of a fixed frequency range. Based on their proximity to the target, they determine the pulse propagation rate r ∈ [0.1] and vary the wavelength of the pulses. 4) The loudness can be changed using several methods; the loudness is reduced from maximum to minimum. The performance of the bat algorithm is shown in Fig 6.

Download:

• PNG
  larger image
• TIFF
  original image

Fig 6. Bat algorithm performance.

https://doi.org/10.1371/journal.pone.0345157.g006

Initially, the velocity and frequency are initialized. At each iteration for the i-th bat, their velocity and position are calculated using equations (15) and (16).

(15)

(16)

In equation (15), the expression x* represents the global bat (best solution) at the current moment. The speed update is done by multiplying , which is calculated using equation (17).

(17)

In equation (17), the parameter β is a random vector in the interval [0,1] that can set the value of the parameter randomly between and . This variation causes the algorithm to obtain different values of f in each iteration or for each member of the population and helps in exploring the search space. Local search is a random search around the current optimal solutions, calculated using equation (18).

(18)

In equation (18), where the parameter represents the updated position of the solution (a bat) in the current iteration, the parameter represents its position in the previous iteration. The parameter ε is a random number drawn from a uniform distribution on the interval ([0,1]) that ensures moderate step sizes and also reduces the risk of premature convergence to local optima. The expression represents the average loudness of the bat population at iteration (t). In this algorithm, to represent the balance between exploration and exploitation, the loudness of the bats decreases and the pulse propagation rate increases as they approach the prey. The update rules for loudness and pulse propagation rate are defined in equation (19).

(19)

In equation (19), the values of the parameters β and γ are constant, with the parameter γ being greater than 0 and the parameter β between 0 and 1.

The K-NN algorithm is used to detect attacks.

Fig 7 shows the proposed algorithm for attack detection, and Algorithm 2 shows the code of the proposed method.

Download:

• PNG
  larger image
• TIFF
  original image

Fig 7. The flowchart for the BA algorithm.

https://doi.org/10.1371/journal.pone.0345157.g007

Algorithm 2: BA

Input:Subset features

Output: Classiffication

1. Initialize of the parameters

2. While T<=maxiter

3.  For I = 1….N do

4.   Update frequency

5.   Update velocities

6.   Update positions

7.  If rand > r_i then

8.   Select best solution

9.   Local search

10.  End

11.  If rand < A_i and f(X_i) < f(X_best) then

12.   Accept new solution

13.  End

14. Classification attacks

Table 3 describes the parameters used by GRO-BA.

Download:

• PNG
  larger image
• TIFF
  original image

Table 3. Setting the parameters of the proposed method.

https://doi.org/10.1371/journal.pone.0345157.t003

The bat algorithm is based on an optimization algorithm where each bat moves through the search space to find the best solution and each solution contains the parameters of the KNN machine learning model. In other words, the bat algorithm is used to adjust the parameters of the KNN model. In the bat algorithm, the speed and position of the bats are changed to reach the most optimal solution in the search space. Here, position (X) represents the values of the KNN parameters, and velocity (v) represents the rate of change in the parameter settings per iteration. The Bat-K-NN hybrid method is an optimized version of the K-NN algorithm that uses the Bat algorithm to optimize the parameters of the K-NN algorithm and overcome the weaknesses of the classic K-NN algorithm. The reasons for choosing the Bat-K-NN method over other methods are: 1) Improving the performance of the K-NN algorithm because the simple K-NN is very sensitive to the value of 𝐾, which the Bat algorithm optimizes here, thereby increasing the accuracy and reducing the error. 2) This method can achieve a more balanced performance in the event of an imbalance between classes. 3) The Bat-K-NN method is simpler and faster than the SVM and Random Forest methods, and can achieve better accuracy than the mentioned methods. 4) The Bat algorithm is an intelligent algorithm for large spaces. This allows the Bat-K-NN method to find optimal parameters when faced with complex data.

5.2.1. The effect of the proposed feature selection method.

In this section, the proposed method for feature selection is evaluated using accuracy and fitness value, and several other algorithms that are explained below.

Differential Evolution (DE): This algorithm is based on the evolutionary behavior of the population. In each generation, the solutions are passed to the next generation using the process of combination, mutation, and selection. This method can find the best solution for complex and unknown objective functions. The main difference of this algorithm from other evolutionary algorithms is in the mutation process, which uses the differences between the population members [40].

Whale Optimization Algorithm (WOA): The Whale Optimization Algorithm (WOA) is based on the hunting behavior of the humpback whale, which creates bubbles by spinning around prey, which it uses to trap the prey. The main behaviors of this algorithm include random search, prey encirclement, and spiral attack [41].

Gray Wolf Optimization (GWO): The Gray Wolf Optimizer (GWO) algorithm is a swarm intelligence algorithm based on the social and hunting behavior of gray wolves, which has a hierarchy of α, β, δ, and ω for leader selection. This algorithm consists of three phases: prey encirclement, hunting, and attack. This algorithm is very fast and resistant to local optima [42].

Particle Swarm Optimization (PSO): The Particle Swarm Optimization (PSO) algorithm is based on the social behavior of birds in a flock that use their own and others’ experience to search for food, and its main feature is to create a balance between group and individual experience. This algorithm has a low number of parameters and a high convergence speed [43].

Firefly Algorithm (FA): The Firefly Algorithm (FA) is a swarm intelligence algorithm based on the behavior and glow of fireflies. In this algorithm, each firefly represents a solution, and its brightness is proportional to the value of the fitness function. The less luminous firefly moves towards the more luminous one. This algorithm is resistant to local optima [44].

Accuracy is one of the most common metrics for evaluating the performance of machine learning and metaheuristic algorithms. This metric represents the percentage of correct predictions out of all predictions. This metric is calculated using equation (28). In Table 6, the accuracy value of the proposed method in feature selection is compared with other methos include Differential Evolution (DE) [35], Whale Optimization Algorithm (WOA) [28], Gray Wolf Optimization (GWO) [36], Particle Swarm Optimization (PSO) [30], Firefly Algorithm (FA) [33]. This Table shows the average accuracy of the proposed model along with the standard deviation and the 95% confidence interval. The average accuracy reflects the overall performance of the model across multiple test runs, while the standard deviation indicates the dispersion and stability of the results, with a lower standard deviation signifying greater model stability. The 95% confidence interval is also included, which indicates the reliability of the obtained results. According to this Table, the proposed method has selected a better subset of features with values (0.982, 0.988, and 0.966) than other methods. In Table 5, the training dataset was trained by the proposed method and the mentioned methods, and then all methods were classified using the nearest neighbor algorithm, and their performance accuracy was evaluated. To create the same conditions for all models for comparison, a fixed and identical experimental setup was used. In all datasets, a fixed ratio of 30%−70% of the dataset was randomly divided into training and testing subsets, and the classifier with a fixed value of k and the distance criterion in the k-NN algorithm were the same in all experiments. In Fig 17, the accuracy curve is shown in 100 iterations. The figures show the convergence speed of the methods to the desired solution. Based on these figures, three important aspects can be concluded: 1) convergence rate, 2) final accuracy, and 3) stability.

Download:

• PNG
  larger image
• TIFF
  original image

Table 5. Feature selection accuracy of GRO compared with other algorithms.

https://doi.org/10.1371/journal.pone.0345157.t005

Download:

• PNG
  larger image
• TIFF
  original image

Table 6. Comparison Min fitness of compared algorithms.

https://doi.org/10.1371/journal.pone.0345157.t006

Download:

• PNG
  larger image
• TIFF
  original image

Fig 17. The accuracy of the feature selection curve of the GRO method compared to another algorithm.

https://doi.org/10.1371/journal.pone.0345157.g017

(28)

To evaluate the proposed method in feature selection, the fitness criterion is used. This criterion is an evaluation criterion to evaluate the performance of a method to show the optimality of that method. The lower its value, the better the subset of selected features. Table 6, shows the minimum fitness value over 100 iterations. According to this Table, the proposed method with fitness values (0.022, 0.017, and 0.033) has selected a better subset of features.

5.2.2. The effect of the proposed detection attack method.

In this section, the proposed method for detecting attacks is presented with several other evaluation criteria that are briefly explained below.

• BA-DE: This method is based on a combination of two methods, Bat algorithm (BA) and Differential Evolution (DE). In this method, feature selection is first performed using the BA algorithm, then training is performed using the DE algorithm, and finally, attack detection is performed using the decision tree algorithm.
• PCA-BA: This method is based on a combination of the Bat algorithm (BA) and Principal Component Analysis (PCA) algorithms. First, feature selection is performed using the PCA algorithm, second, training is performed using the BA algorithm, and finally, attack detection is performed using the decision tree algorithm.
• MQBHOA: This method is a combination of the Horse Herd Optimization Algorithm (HOA) with quantum computing concepts in a multi-objective manner. In this method, first, the behaviors of the horses in the herd are used to select features, which are converted into a discrete algorithm using the floor function, then optimized using quantum computing concepts, and finally, attacks are identified using the decision tree algorithm.
• FA-K-Means: This method is a combination of the Firefly Algorithm (FA) and K-Means algorithms. In this method, first feature selection is performed using the Firefly Algorithm (FA), then attack detection is performed using the K-Means algorithm.
• WOA-BA-K-NN: This method is a combination of the whale optimization algorithm (WOA) and the Bat algorithm (BA). First, feature selection is performed using the whale optimization algorithm (WOA), second, training is performed using the Bat algorithm (BA), and in the final stage, attack detection is performed using the nearest neighbor algorithm.
• GWO-PSO-K-Means: This method is a combination of Gray Wolf Optimization (GWO) and Particle Swarm Optimization (PSO) algorithms. First, the feature selection process is performed using the GWO algorithm, then the Particle swarm optimization (PSO) algorithm, and finally, the attack detection is performed using the K-Means algorithm.
• FCM-SWA: The FCM-SWA method combines the fuzzy C-mean (FCM) algorithm with a sperm whale algorithm (SWA). In this method, the SWA optimization algorithm is used to increase the performance of the FCM and provide effective defense against attacks.
• HHO‐SCA: The HHO-SCA method is based on the Sine-Cosine (SCA) algorithm and the Harris-Hawks (HHO) algorithm. Using this method, the parameters of the SVM algorithm are optimized and the SVM algorithm is used to classify attacks.
• LOFSGWO: The LOFSGWO method is based on the Lion Optimization Algorithm (LOA) and, in particular, the Gray Wolf Optimizer (GWO). In this method, the Lion Optimization Algorithm (LOFS) and Gray Wolf GWO are used to reduce hazardous parameters.
• BGWO-EESNN: A hybrid method based on deep learning algorithms was proposed. In this method, feature selection is performed using Binary Grey Wolf Optimization (BGWO), and an Elemental Enhanced Spiking Neural Network (EESNN) is used for attack detection.

Accuracy is an evaluation criterion for evaluating the performance of a prediction method that determines the number of correct predictions out of all predictions, which is suitable for a balanced data set. If the performance is unbalanced, it will have a negative impact. This criterion is calculated using equation (28). According to Table 7, the proposed method with values (0.938, 0.931, and 0.928) has been able to predict more correct cases better than other methods incudes Bat algorithm (BA) and Differential Evolution (DE) (BA-DE) [31], Bat algorithm (BA) and Principal Component Analysis (PCA) (BA-PCA) [27], MQBHOA [25], Firefly Algorithm (FA) and K-Means algorithms (FA-K-Means) [3], whale optimization algorithm (WOA) and the Bat algorithm (BA)(WOA-BA-K-NN) [32], Gray Wolf Optimization (GWO) and Particle Swarm Optimization (PSO) (GWO-PSO-K-Means) [26], fuzzy C-mean (FCM) algorithm with a sperm whale algorithm (SWA) (FCM-SWA) [17], Sine-Cosine (SCA) algorithm and the Harris-Hawks (HHO) (HHO‐SCA) [29], Lion Optimization Algorithm (LOA) and, in particular, the Gray Wolf Optimizer (GWO) (LOFSGWO) [24], Binary Gray Wolf Optimization (BGWO) Element Enhanced Spike Neural Network (EESNN) (BGWO-EESNN) [16]. According to this Table, the proposed method has achieved the highest average accuracy with the lowest variance (0.938, 0.931, and 0.928). In Fig 18, the accuracy curve is shown in 100 iterations.

Download:

• PNG
  larger image
• TIFF
  original image

Table 7. Classification accuracy of GRO-BA-K-NN compared with other algorithms.

https://doi.org/10.1371/journal.pone.0345157.t007

Download:

• PNG
  larger image
• TIFF
  original image

Fig 18. The accuracy curve of the GRO-BA-K-NN method compared to another algorithm.

https://doi.org/10.1371/journal.pone.0345157.g018

The MSE (Mean Squared Error) metric measures the mean squared difference between the predicted values and the actual values. It shows the amount of deviation of the predicted data points from the actual data points. The lower it is, the better the method performed. This metric is calculated using equation (29). According to Table 8, the proposed method with values (0.061, 0.068, and 0.1) had a prediction close to the actual classes compared to other methods.

Download:

• PNG
  larger image
• TIFF
  original image

Table 8. Compare the error of the GRO-BA-K-NN method.

https://doi.org/10.1371/journal.pone.0345157.t008

(29)

In Tables 9, 10 and 11, the proposed method is evaluated using important metrics such as Precision, Recall, F-Measure, Specificity, and G-Measure. The Decision metric includes the positive samples that are correctly predicted, and the higher it is, the lower the false positive rate will be. The Recall metric shows the rate of true positives predicted by the model; the higher it is, the lower the number of false negatives. The F-Measure strikes a balance between Precision and Recall. The Specificity metric includes the rate of correct identification of negatives. G-Measure: The average between sensitivity and specificity that can handle unbalanced datasets well. These metrics are calculated using the following equations. According to these Tables, the proposed method with values of (0.953, 0.938, and 0.962) in the F-criterion has been able to reduce the false positive and negative rates and increase the true negative and positive rates. Specifically, in Table 10, the MQBHOA algorithm has obtained a Specificity value of 0.889 on the BOT-IOT dataset, which indicates that it has a high ability to reduce the false positive rate and increase the overall accuracy of detecting attacks. This value indicates that the proposed method and the MQBHOA algorithm have been able to minimize the false positive rate and have a significant performance in correctly classifying negative samples.

Download:

• PNG
  larger image
• TIFF
  original image

Table 9. Comparison of the Confusion Matrix values in BOT-IOT.

https://doi.org/10.1371/journal.pone.0345157.t009

Download:

• PNG
  larger image
• TIFF
  original image

Table 10. Comparison of Confusion Matrix values in UNSW-NB15.

https://doi.org/10.1371/journal.pone.0345157.t010

Download:

• PNG
  larger image
• TIFF
  original image

Table 11. Comparison of Confusion Matrix values in NLS-KDD.

https://doi.org/10.1371/journal.pone.0345157.t011

(30)

(31)

(32)

(33)

(34)

MCC (Matthews Correlation Coefficient) is a comprehensive performance measure that is evaluated using the parameters of true positives (TP), false positives (FP), true negatives (TN) and false negatives (FN). This measure can handle unbalanced data sets well and is a value between −1 and +1. If MCC is equal to +1, it means perfect prediction; if it is equal to 0, it means random prediction, and if it is equal to −1, it means reverse prediction. This measure is calculated using equation (35). In Fig 19, the performance of the proposed method with other methods has been investigated. According to this Fig, the proposed method with values (0.829,0.859,0.866) can make predictions more completely than other methods.

Download:

• PNG
  larger image
• TIFF
  original image

Fig 19. Compare the proposed method with the MCC criterion value.

https://doi.org/10.1371/journal.pone.0345157.g019

(35)

In Table 12, the proposed method is evaluated with other methods using the training time criterion. These criteria are in seconds. According to this Table, the proposed method was able to reduce the execution time by times of 320, 331, and 325.

Download:

• PNG
  larger image
• TIFF
  original image

Table 12. Compare the proposed method with the training time criterion value.

https://doi.org/10.1371/journal.pone.0345157.t012

Area Under the Curve (AUC) is a numerical measure used to evaluate the performance of detection methods. This measure is between 0 and 1. If AUC = 0.5, the method has a random performance and is not able to make any distinction. If AUC is close to 1, the method has a high ability to make distinctions. If AUC is close to 0, the method has performed inversely. This measure can measure the performance of the model to make distinctions using a comprehensive view across all thresholds. This measure can also handle unbalanced data better than other measures and will still have stable performance if there are changes in the data distribution. In Fig 20, the performance of the proposed method using this measure is compared with other methods. According to this Fig, the proposed method has performed better with values of (0.773, 0.929, and 0.94). According to Fig 20, the proposed method has the best performance in all datasets. In the NLS-KDD dataset, the performance of the proposed method was weaker than some of the comparative methods due to reasons such as unbalanced class distribution, different traffic patterns, and sensitivity of the AUC criterion to changes in the false positive rate. However, this method had competitive and stable performance in other datasets and criteria, which indicates the overall capability of the model in detecting attacks.

Download:

• PNG
  larger image
• TIFF
  original image

Fig 20. Compare the proposed method with the AUC criterion value.

https://doi.org/10.1371/journal.pone.0345157.g020

In Table 13, the performance of different methods in detecting types of network attacks has been evaluated using the BOT-IOT dataset. In this Table, each row corresponds to a method, and the performance of that method for each type of attack is given below it. The attacks examined include Normal, DOS (Denial of Service), DDoS (Distributed Denial of Service), Reconnaissance, Theft attacks. In this Table, the average Precision and average Recall criteria have been used for comparison. According to this Table, the GRO-BA-KNN method, with the highest Precision and Recall values, has performed very well in detecting types of attacks. This indicates that it is the ideal method for an IDS with the lowest error.

Download:

• PNG
  larger image
• TIFF
  original image

Table 13. Comparison of methods in terms of Precision and Recall for each attack class.

https://doi.org/10.1371/journal.pone.0345157.t013