**3. Preliminaries**

#### *3.1. Salp Swarm Optimization*

The salp swarm algorithm (SSA) is a swarm intelligence algorithm that was developed in [33]. It inspiration is from animals called salps that live in the sea as a chain. The chain starts with a leader salp that leads other salps. Other salps are followers of the leader salp. Figure 1 shows the swarm of salps and the individual salp.

**Figure 1.** The chain of salps and the single salp.

The population *X* of *n* salps can be represented using a 2D matrix as shown in Equation (1). *F* is the food source. The matrix represents the population of salps. Each line in this matrix represents a single salp (solution). This solution or salp consists of a number of elements. The length of the salp represents the dimension of the problem (d). Actually, this is the number of dimensions or features in a dataset. The number of salps (n) represents the size of the population. Therefore, the first line in the matrix represents the first salp in the swarm, which is the leader salp, and the last line in the matrix is the follower salp number (n) in the swarm. Equation (2) explains the position relation of the leader salp (which is the first solution in the swarm of salp) and the food source.

$$X\_i = \begin{bmatrix} \mathbf{x}\_1^1 & \mathbf{x}\_2^1 & \cdots & \mathbf{x}\_d^1\\ \mathbf{x}\_1^2 & \mathbf{x}\_2^2 & \cdots & \mathbf{x}\_d^2\\ \vdots & \vdots & \vdots & \vdots\\ \mathbf{x}\_1^n & \mathbf{x}\_2^n & \cdots & \mathbf{x}\_d^n \end{bmatrix} \tag{1}$$

The position of the leader salp is formulated as in Equation (2)

$$X\_{j}^{1} = \begin{cases} F\_{j} + c\_{1}((ub\_{j} - lb\_{j})c\_{2} + lb\_{j}) \ , \quad c\_{3} \gg 0.5\\ F\_{j} - c\_{1}((ub\_{j} - lb\_{j})c\_{2} + lb\_{j}) \ , \quad c\_{3} < 0.5 \end{cases} \tag{2}$$

where *x*1 *j* and *Fj* are the positions of leaders and food source in the *j*th dimension, respectively. *c*1 is a gradually decreasing parameter across iterations, and calculated as in Equation (3), where *l* and *L* are the current iteration and the maximum iterations, respectively. The other *c*2 and *c*3 parameters in Equation (2) are randomly selected from [0, 1]. The parameters *c*2 and *c*3 are very important to direct the next position in the *j*th dimension towards + ∞ or − ∞ and determine the step size. The *ubj* and *lbj* are the bounds of the *j*th dimension.

$$C\_1 = 2\mathcal{e}^{-(\frac{4l}{L})^2} \tag{3}$$

$$X^i\_{\rangle} = \frac{1}{2} (\mathbf{x}^i\_{\rangle} + \mathbf{x}^{i-1}\_{\rangle}) \tag{4}$$

In Equation (4), *i* - 2 and *xi j* represents the position of the *i*th follower at the *j*th dimension. SSA is presented in Algorithm 1.



*3.2. Ant Lion Optimization*

Ant lion optimization (ALO) was developed in 2015 [34]. ALO mimics the ant lions' strategy for hunting in nature. Ant lions begin to hunt when they are larvae, while they reproduce when they become adults. Ant lion larvae build a hole in the land. This hole

is the trap for insects such as ants. Ant lion larvae hide in the hole and wait for the ants. When the ant lion recognizes ant, it throws the sand out of the hole, in an attempt to catch it. Thus, the ant is captured and is unable to ge<sup>t</sup> out from the hole. After the ant lion consumes the prey, it tries to fix the trap for the next prey.

In the ALO algorithm, the ants move within the search space in a random way. Ants are affected by the traps that are built by ant lions. The trap size depends on the fitness value of the ant lion so that a large hole indicates the high fitness of the ant lion. Hence, the ant lion with a higher fitness value has a greater chance of catching prey. In each iteration, prey can be hunted by an ant lion. In ALO, the random walks of ants decrease in adaptive way across iterations to reflect the situation of sliding ants in the direction of the ant lion. If the ant is hunted by the ant lion and pulled towards the bottom of the trap, this is described in terms of the ant having higher fitness than the ant lion. The ant lion updates its position to the last hunted prey and builds another hole in preparation for the next hunt. Figure 2 shows the ants and the ant lion in nature. ALO is formulated in Algorithm 2.

**Figure 2.** The ants and the ant lion.

#### **Algorithm 2** ALO algorithm pseudo-code.

Input: Search space, fitness function, # ants and ant lions, # iterations (*MaxIter*), *ai*,*bi*. Output: The best ant lion and its fitness.

1. Initialize a random *n* ant positions and *n* ant lion positions.

2. Compute the fitness of all ants and ant lions.

3. Find the best ant lion

4.

#### **while** *t* ≤ *MaxIter* **do**

**for all** *anti* **do**

> (i) Use a roulette wheel to select an ant lion (building trap); as in Equations (9) and (10).

(ii) Slide ants towards the ant lion; as in Equations (11) and (12).

(iii) Create a random walk for anti and normalize it; as in Equation (14).

**end for**




**end while**

5. Select the optimal ant lion position.

• *t*: the current iteration



 • *I*: *I* is a ratio defined based on *w* using the equation

$$I = 10^w \times \frac{t}{T} \tag{5}$$

• *ai*: minimum random walk of *i*thvariable.

• *bi*: maximum random walk of *i*thvariable.

> Random walks of ants are all based on Equation (6):

$$X(t) = [0, 
ewsum(2r(t\_1) - 1); 
ewsum(2r(t\_2) - 1); \\\dots; \\
cumsum(2r(t\_T) - 1)],$$

where cumsum is the cumulative sum, *T* is the maximum # iterations, *t* shows the step of random walk, and *r*(*t*) is a function in Equation (7)

$$r(t) = \begin{cases} 1, & \text{if } rand > 0.5\\ 0, & \text{if } rand \le 0.5 \end{cases} \tag{7}$$

with *rand* being a random number in [0; 1].

To keep the random walks inside the search space, the minmax normalization is applied:

$$X\_{i}^{t+1} = \frac{(X\_{i}^{t} - a\_{i}) \times (d\_{i} - c\_{i}^{t})}{(b\_{i}^{t} - a\_{i})} + c\_{i} \tag{8}$$

 Trapping of ants in the ant lion's hole is expressed in Equations (9) and (10)

$$c\_i^t = c^t + A n t l i n\_j^t \tag{9}$$

$$d\_i^t = d\_l + 
Autlim\_j^t \tag{10}$$

Ant lions release sand outside the hole as soon as an ant is in the trap. This behavior is mathematically modeled in Equations (11) and (12)

$$
\varepsilon^t = \frac{\varepsilon^t}{I} \tag{11}
$$

$$d^t = \frac{d^t}{I} \tag{12}$$

The last step is to catch the prey and rebuild the hole. It is assumed that the hunting of ants occurs when ants have higher fitness values than their corresponding ant lions. An ant lion is then expected to update its position regarding the latest position of the hunted ant to improve its chance of catching new prey, modeled by Equation (13)

$$Antlion^t\_j = Ant^t\_i \operatorname{If\, f}(Ant^t\_i) \text{ is } better \, than \, f(anthion^t\_j) \tag{13}$$

Elitism is used to reserve the best solution(s) across iterations. The random walk of an ant is led by the selected ant lion and the elite ant lion and, therefore, the new position of an ant is formulated as in Equation (14)

$$Ant\_i^t = \frac{R\_R^t + R\_E^t}{2} \tag{14}$$

where *R<sup>t</sup> A* is the random walk around the ant lion selected by the roulette wheel, and *R<sup>t</sup> E* is the random walk around the elite ant lion.

#### **4. The SSA–ALO Hybrid Model for Feature Selection**

The SSA algorithm has many promising features that make it favorable for global optimization, particularly for FS problems. In general, SSA has a simple structure, is efficient, and has an implementable methodology. Furthermore, SSA has one parameter for balancing the global search and local search. It adaptively decreases across the iterations of the optimization process. Thus, the algorithm explores several regions at the beginning of the optimization process and focuses on promising regions later on. As a bonus, follower salps update their positions gradually according to other salps in the swarm, which prevents the optimizer from falling into local minima. The SSA maintains the best-found individual so that it is reserved even if agents become weakened. In the SSA, the leader salp moves according to the food source position. This is the best salp found so far. Therefore, the leader always is able to search globally and locally around the food source in the search space.

ALO has two types of individuals: ants and ant lions. Ant lions are the best solutions found so far. Their positions are replaced whenever a fitter ant is found. Ants are moving around in the search space continuously. The positions of ants are changed based on the positions of ant lions. The position update strategy of ants is based on selecting an ant lion using a roulette wheel in combination with the best solution. Thus, a given ant updates its position based on these two agents. The selection of an agen<sup>t</sup> randomly using a roulette wheel encourages diversification in the search space. Therefore, ants can move randomly in the search space and explore more regions without stagnating in local minima. The avoidance of local minima is a significant merit of ALO, which gives it superiority against other methods such as PSO. Moreover, it has few parameters compared to PSO and GA.

The exploration/exploitation capability of a particular algorithm depends directly on how the swarm leader is announced. In SSA, the swarm leader is chosen to be the agen<sup>t</sup> with the highest fitness value. Hence, the agents of low fitness values have no chance of leading the swarm. This decreases the exploration capability of the algorithm and supports its exploitative power. In contrast, ALO keeps track of all agents in the swarm and uses a roulette wheel together with the current best agen<sup>t</sup> to lead the swarm. This indicates that low-fitness agents can participate in guiding other agents in the swarm besides the best-found agent. This supports the exploratory behavior of the ALO. Integrating the principles of ALO and SSA into one algorithm can support the exploration/exploitation trade-off. The proposed hybrid algorithm keeps the ants' and ant lions' swarms in motion. However, it uses the ideas of leadership assignments from both ALO and SSA to provide more trade-offs between global search and local search. The proposed SSA–ALO algorithm takes the merits of ALO by updating low-fitness agents (ants) using ALO principles. On the other hand, it uses the merits of SSA by updating the high-fitness agents (ant lions) using SSA principles that have to maintain faster convergence. The SSA–ALO is formally given in Algorithm 3. The overall botnet detection system is represented by the flowchart in Figure 3.

The proposed SSA–ALO algorithm has sufficient exploration capabilities because:



Furthermore, the SSA–ALO has exploitation power:


The proposed SSA–ALO algorithm represents a wrapper-based FS framework. The main issue related to implementing the wrapper approach is using a learning (classification) algorithm. In the proposed algorithm, we have used the K-nearest neighbor (KNN) technique to determine the feature subsets' goodness. The fitness function in the wrapper approach can be formulated as in Equation (15) and will be used to assess the quality of individual *i* at iteration *t* (*Iti*). The main objective is to minimize *FPR* and 1 − *TPR*.

$$Fitness\_{i}^{t} = FPR\_{i}^{t} \times \left(1 - TPR\_{i}^{t}\right) \tag{15}$$

In the wrapper framework, evaluating a single solution is costly because it requires a training–testing process using the classification algorithm. For this reason, the choice of an efficient search algorithm is necessary. In this paper, the integration of ALO and SSA is applied to perform an adaptive search in the feature search space. The main target is to increase the classification performance to the maximum and reduce the number of features to the minimum simultaneously. Iteratively, the ALO selects an ant lion randomly using a roulette wheel mechanism. Furthermore, the ants implement a random walk around the best ant lion (elite). Based on the latest two random walks, the ants adjust their positions. If the ant has higher fitness than the ant lion, the ant lion eats it and adjusts its position to the ant's position. Ant lions adjust their positions based on SSA principles, where the leader salp is selected among ant lions. This algorithm is applied iteratively and depends on the exploration rate, which decreases throughout the optimization process.

As mentioned previously, the solution is limited by two values, 0/1. Therefore, a continuous solution with real values needs to be mapped into a binary solution using Equation (16)

$$y\_{ij} = \begin{cases} 0, & \text{if } (\mathbf{x}\_{ij} < 0.5) \\ 1, & \text{otherwise} \end{cases} \tag{16}$$

where *xij* is the continuous value of solution *i* in dimension *j*, and *yij* is the binary representation of solution vector *x*.

**Figure 3.** The proposed methodology diagram.

#### **5. Experiments, Results, and Discussion**

N-BaIoT dataset [35] is a benchmark dataset that was downloaded from the machine learning repository [36] at UCI (the University of California Irvine). This dataset represents IoT traffic generated after implementing two common botnet families called BASHLITE and Mirai, in addition to the implementation of the network's normal behavior.

A test bed was built to run BASHLITE and Mirai botnets consisting of nine devices connected wirelessly via Wi-Fi. Their access point was connected wired-based with the attacker side (mainly C&C server). The types of devices included were two doorbells, a thermostat, a baby monitor, four security cameras, and a webcam.

The main attack executed by these botnets was the DoS attack. DoS attacks or distributed DoS attacks target mainly the availability security requirement of the IoT applications. DoS takes advantage of the resource constraint of the IoT devices, including energy, memory, processing capabilities, and bandwidth, to initiate or inject attacks that drain the devices and network resources and make their services unavailable to the concerned users. Table 1 shows the types of attacks that both botnet families carry out. Both BASHLITE and Mirai botnets execute an auto-scanning phase to scan the IoT and discover the vulnerable devices to inject them with malicious code (malware). The attacker's C&C (command and control) servers can control this malware remotely. The main purpose of this phase is to propagate the malware and enlarge the botnet.

**Table 1.** N-BaIoT dataset main attack categories and record distribution.


Moreover, both the TCP and UDP transport layers' protocols were utilized to flood the IoT by sending too many fake packets too fast in order to deplete the device and network resources. Since TCP is a connection-oriented protocol, specific TCP packets were created and transmitted, including synchronization (SYN) and acknowledgement (ACK) packets.

Additionally, the BASHLITE botnet implemented spamming attacks, whether through sending spam data (junk) or opening fake connections with specific ports and IP addresses (COMBO) to book them just for DoS purposes. The total records per attack category are shown in Table 1.

Table 2 presents the 23 recorded features. Table 3 presents the number of normal and abnormal packets for each IoT device in the N-BaIoT Dataset. Table 4 presents a new N-BaIoT dataset that resulted from combining the data based on object type and the numbers of packets that were utilized in different stages. The new version of the N-BaIoT dataset is called the NN-BaIoT dataset. This is the one used for evaluating the proposed method.




**Table 3.** N-BaIoT dataset records according to IoT device and attack class.


**Table 4.** The division of NN-BaIoT dataset into training, optimization, and testing stages.

All optimization algorithms were implemented using the EvoloPy-FS framework [13]. This is a publicly available FS swarm intelligence framework coded in Python. EvoloPy-FS consists of several metaheuristic algorithms, which can be downloaded from (www.evoml.com) (accessed on 28 March 2021). All results were recorded based on population size and maximum number of iterations equal to 10 and 100, respectively.

The proposed SSA–ALO algorithm was assessed using three evaluation measures that are widely used for testing the capability of attack detection; in the following equations, *TP* indicates true positives, *FN* indicates false negatives, *FP* indicates false negatives, *TN* indicates true negatives, *TPR* indicates the true positive rate as in Equation (17), *FPR* indicates the false positive rate as in Equation (18), and G-mean indicates the square root of of *TPR* multiplied by 1 − *FPR* as in Equation (19).

$$TPR = \frac{TP}{TP + FN} \tag{17}$$

$$FPR = \frac{FP}{FP + TN} \tag{18}$$

$$G - mean = \sqrt{TPR \times (1 - FPR)}\tag{19}$$

These evaluation measures were applied to the testing part of the dataset. The best anomaly detection was achieved when larger values of *G* − *mean* and *TPR* were obtained. Moreover, lower values of *FPR* were required to increase the robustness of the anomaly detection approach. Consequently, the perfect anomaly detection occurred when both *G* − *mean* and *TPR* equaled one and *FPR* equaled zero. Table 5 shows the *TPR* and *FPR* values for the SSA, ALO, and the proposed SSA–ALO algorithms. In addition, we compared the results with other anomaly detection algorithms from the literature. These are IF, LOF, OCSVM, and GWO-OCSVM. All the algorithms were applied over the NN-BaIoT dataset at the testing stage. TPR for anomaly detection means predicting the attack whenever it occurs. *FPR* means predicting benign data as malicious. Therefore, higher values of *TPR* and lower values of FPR are preferable.

**Table 5.** TPR and FPR results.


In addition, and as seen in Table 6, SSA–ALO achieved the best G-mean values across all types of IoT devices. In this context, it is worth mentioning that the *TPR* and *FPR* could not clearly indicate the performance because the dataset was imbalanced. Therefore, we used the *G* − *mean* measurement, which is commonly used to measure the performance of imbalanced datasets. The average G-mean value of the proposed SSA–ALO was 0.984, which is better than SSA, ALO, GWO-OCSVM, OCSVM, and IF. In addition, it is much higher than LOF. This means that SSA–ALO has a better ability to balance *TPR* and *FPR*.

**Table 6.** G-mean results.


To visually describe the comparisons between these algorithms, Figure 4 shows boxplots of the information in Tables 5 and 6. As shown in Figure 4, LOF has deficient performance since the *TPR* and *FPR* values are the same. This is close to the random classifier, where the TPR and *FPR* are equal. On the other hand, the proposed SSA–ALO shows different behavior, with a significant difference between the *TPR* and *FPR* values. This can be explained by the fact that the hybridization between SSA and ALO can optimize the FS problem better than other algorithms. Moreover, the feature subset found by the SSA–ALO is the best, so it results in the best classification results.

**Figure 4.** Boxplots to represent clearly the results in Tables 5 and 6. (**a**) TPR, (**b**) FPR, (**c**) G-mean.

The algorithms were also compared in terms of the running time of the algorithm (detection time) as seen in Table 7. It is clearly shown that the detection time of the SSA– ALO is the lowest among all the algorithms. On average, the SSA–ALO algorithm needs 5 s to detect an attack. This implies that if the IoT devices are attacked, then their functionality will be restored within 5 s. Thus, the time duration of the attack is reduced.


**Table 7.** Average time for detecting attack on NN-BaIoT dataset.

On the other hand, Figure 5 shows that the SSA–ALO algorithm obtains the best convergence behavior. Figures 6–9 present the radar charts, which demonstrate the overall performance results in terms of evaluation measures across the various IoT devices. It can be seen that the best feature subset that is found by the SSA–ALO algorithm enhances the results in terms of all the used evaluation measures. In summary, the proposed SSA–ALO demonstrated superior behavior for IoT attack detection in comparison with the other six anomaly detection algorithms.

**Figure 5.** The convergence curves for SSA–ALO algorithm.

**Figure 6.** G-mean results for the SSA–ALO and other algorithms.

**Figure 7.** TPR results for the SSA–ALO and other algorithms.

**Figure 8.** FPR results for the SSA–ALO and other algorithms.

**Figure 9.** Time results for detecting attacks for the SSA–ALO and other algorithms.

#### **6. Analysis of the Most Relevant Features**

This section presents the most relevant features selected by the proposed SSA–ALO algorithm over the NN-BaIoT dataset during the optimization process. The results show that SSA–ALO obtained the best results in terms of the studied metrics using these relevant subsets of features. As mentioned before, the NN-BaIoT dataset has 115 features. The number of selected features by SSA–ALO to detect a threat to a security camera, baby monitor, doorbell, webcam, and thermostat is eleven, seven, twelve, eleven, and five, respectively. This implies that there is a dimensionality reduction of (90–96%). The following list shows the most relevant features necessary to detect an attack on each type of device:

	- 1. H\_L1\_mean
	- 2. HH\_L5\_radius
	- 3. HH\_L3\_weight
	- 4. HH\_L3\_magnitude
	- 5. HH\_L3\_radius
	- 6. HH\_L1\_mean
	- 7. HH\_L0.1\_mean
	- 8. HH\_L0.1\_magnitude
	- 9. HH\_L0.1\_radius
	- 10. HH\_iit\_L0.1\_variance
	- 11. HH\_iit\_L0.1\_mean
	- 1. HH\_L3\_pcc
	- 2. HH\_L0.1\_magnitude
	- 3. HH\_L0.1\_radius
	- 4. HH\_L0.1\_pcc
	- 5. HH\_iit\_L1\_weight
	- 1. HH\_L3\_magnitude
	- 2. HH\_L1\_std
	- 3. HH\_L1\_radius
	- 4. HH\_L0.1\_weight
	- 5. HH\_L0.1\_mean
	- 6. HH\_L0.1\_pcc
	- 7. HH\_L0.01\_std
	- 8. HH\_iit\_L3\_mean
	- 9. HH\_iit\_L1\_weight
	- 10. HH\_iit\_L0.1\_variance
	- 11. HpHp\_L0.1\_radius
	- 12. HpHp\_L0.01\_magnitude
	- 1. MI\_dir\_L0.1\_mean
	- 2. MI\_dir\_L0.01\_mean
	- 3. H\_L5\_variance
	- 4. H\_L0.1\_mean
	- 5. HH\_L3\_mean
	- 6. HH\_L3\_pcc
	- 7. HH\_L0.1\_pcc
	- 8. HH\_L0.01\_radius
	- 9. HpHp\_L1\_magnitude
	- 10. HpHp\_L0.1\_radius
	- 11. HpHp\_L0.01\_std
	- 1. HH\_L3\_weight
	- 2. HH\_L0.1\_weight
	- 3. HH\_L0.1\_radius
	- 4. HH\_iit\_L1\_weight
	- 5. HpHp\_L3\_mean

#### **7. Conclusions and Future Work**

IoT botnet attacks are brutal due to several reasons, such as the rapid increase in the number of connected IoT devices, the vulnerability of these objects to security breaches, and the fact that the attacked devices may not show any symptoms of threat. This study aims to detect IoT botnet breaches by utilizing ant lion optimization, salp swarm optimization, and the proposed hybrid SSA–ALO algorithm. The results on the NN-BaIoT dataset demonstrated the efficiency of the SSA–ALO. The new hybrid algorithm proved its efficiency compared to six other algorithms in terms of the studied evaluation metrics for all IoT device types under study. In addition, it needed the least time to detect an attack. Meanwhile, it reduced the number of selected features. The hybrid SSA–ALO algorithm has an excellent trade-off between the global search and the local search. The algorithm can increase the solutions' diversity and avoid premature convergence. For future work, we have a few ideas that can be investigated:


**Author Contributions:** These authors contributed equally to this work. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research received no external funding.

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Data Availability Statement:** Not applicable.

**Acknowledgments:** The authors would like to acknowledge the support of Prince Sultan University for paying the Article Processing Charges (APC) of this publication.

**Conflicts of Interest:** The authors declare no conflict of interest.
