ARLHNIDS-IoT: An accurate and robust lightweight hybrid-NIDS for IoT network security

Authors: Arpita Srivastava, Ditipriya Sinha
Journal: Computers & Security, volume 156, Article 104515 (Journal Article)
DOI: 10.1016/j.cose.2025.104515
Published: 2025-04-29
URL: https://www.sciencedirect.com/science/article/pii/S0167404825002044
Journal impact factor: 4.8; JCR quartile: Q1 (Computer Science, Information Systems); citation count: 0; not open access; record source: Semantic Scholar
Abstract

The rapid growth of IoT networks has heightened vulnerabilities in IoT devices, making them targets for sophisticated attackers. These vulnerabilities compromise sensitive user data and disrupt services for legitimate users. Therefore, securing IoT devices is a crucial research area to protect against cyber-attacks and fully realize the benefits of IoT technologies. Various solutions have already been proposed, including firewalls, antivirus software, and intrusion detection systems (IDS). Firewalls and antivirus software provide only a limited level of security by filtering known threats and blocking unauthorized access; they rely primarily on predefined rules and filter packets according to those rules without monitoring their behavior in the network. A firewall functions in either inline mode or transparent mode at the network boundary. In contrast, an IDS offers more comprehensive protection by continuously monitoring network traffic and system activities, employing both signature-based and anomaly-based detection techniques to identify previously unseen threats (zero-day attacks). It typically functions in monitoring mode rather than inline with the traffic flow. However, designing an effective IDS for IoT environments presents significant challenges. The limited computational resources of IoT devices make it difficult to process high-dimensional IDS datasets efficiently. Dataset imbalance is another major hurdle in the design of efficient intrusion detection systems, as it hinders the accurate identification of intrusive activities and leads to biased detection performance. To address these challenges, this paper proposes a novel hybrid network intrusion detection system that integrates advanced oversampling, feature selection techniques, and intelligent detection models to enhance attack detection accuracy and reduce the processing time of intrusion detection in IoT networks. Firstly, the imbalanced IDS dataset is balanced with the help of a modified generative adversarial minority oversampling (GAMO) model and fuzzy C-means clustering. In the proposed framework, the existing GAMO model is modified by integrating an attention mechanism to focus on significant patterns in the network traffic and achieve better performance. Hyperparameters of the fuzzy C-means clustering algorithm are optimized using OPTUNA. Secondly, feature selection is performed using a modified Grey Wolf Optimization (GWO) technique that integrates the correlation coefficient in the initialization stage and introduces a novel objective function. This modified feature selection approach reduces the resource requirements and is compatible with IoT networks. A signature-based IDS (SIDS) is designed using a majority voting classifier to detect known attacks. The voting classifier combines seven tree-based models, which are optimized using OPTUNA. An anomaly-based IDS (AIDS) is also proposed, which utilizes a double deep Q-network for unknown DoS attack detection. The proposed “ARLHNIDS-IoT” model integrates SIDS and AIDS in such a way that incoming IoT network traffic is first analyzed by the SIDS, which compares it to a database of known attack signatures. When a match is found, the attack is promptly classified, facilitating rapid detection of known threats. If the SIDS fails to recognize an attack, the traffic is forwarded to the AIDS for further assessment. The AIDS inspects deviations from normal behavior to identify new attacks. The proposed strategy enhances accuracy, minimizes false alarms, and bolsters IoT security. The effectiveness of the proposed “ARLHNIDS-IoT” model is evaluated using three IoT-based datasets: UNSW-NB15, BoT-IoT, and CICIoT2023. Experimental findings from the UNSW-NB15, BoT-IoT, and CICIoT2023 datasets indicate that the proposed method lessens resource limitations by decreasing prediction time by 5.917, 13.523, and 37.751 s, respectively. Additionally, it tackles the imbalanced data challenge by improving recall by 6.06 %, 8.12 %, and 3.86 % while enhancing the F1-score by 5.69 %, 7.95 %, and 2.65 % on the UNSW-NB15, BoT-IoT, and CICIoT2023 datasets, respectively. The accuracy of the SIDS model is observed as 92.89 %, 99.19 %, and 98.31 % on the UNSW-NB15, BoT-IoT, and CICIoT2023 datasets, respectively, and the accuracy of the AIDS model is observed as 89.56 %, 90.92 %, and 94.74 % on the same three datasets, respectively. The proposed model is evaluated against recent state-of-the-art techniques, demonstrating that the “ARLHNIDS-IoT” model surpasses other contemporary methods.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.