**1. Introduction**

A set of connected devices that use a wireless connection to communicate, sense, compute, process, share, and store information over the Internet defines the new technology trend Internet of Things (IoT). IoT is a set of connected devices, including electronic, physical objects, and embedded objects, that communicate through the Internet without human intervention (machine-to-machine). Recently, there has been a massive proliferation in the number of connected devices in IoT. The expected number of connected objects in 2021 is 13.8 billion, and it is expected to jump to 30.9 billion by 2025 (https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/ (accessed on 8 March 2021)). IoT applications are strongly connected to humans' daily lives, including the areas of health, agriculture, fleet management, hospitality, and many others.

IoT devices are characterized by limited memory, battery capacity, streaming bandwidth, and processing power. Due to these characteristics, IoT becomes more susceptible to security breaches. The plug-and-play facility of IoT devices and the original passwords from their manufacturers make them more attractive to brute-force and botnet attacks. Other issues that increase the vulnerability of IoT to software and hardware security threats are the heterogeneity and scalability with other interconnected networks.

**Citation:** Abu Khurma, R.; Almomani, I.; Aljarah, I. IoT Botnet Detection Using Salp Swarm and Ant Lion Hybrid Optimization Model. *Symmetry* **2021**, *13*, 1377. https://doi.org/10.3390/sym13081377

Academic Editor: Ming-Chin Chuang

Received: 7 July 2021 Accepted: 23 July 2021 Published: 28 July 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

IoT devices attacked by malicious software are compromised by a botnet. This botnet is created by brute-forcing techniques or weak credential exploitation to compromise the victim device [1]. Once the device is compromised, the attacker gains control by downloading malicious binaries to enrol into the IoT botnet [2,3].

In general, three main layers encompass IoT: perception, transportation, and the application layers. Each layer applies different standards, making it easier to be attacked by different security breaches. Specifically, the transportation layer includes several technologies for communication, so it can be attacked by denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks. Five years ago, a remarkable DDoS attack occurred involving the Dyn (https://www.kaspersky.com/blog/attack-on-dyn-explained/13325/ (accessed on 26 October 2016)) domain name service provider. This attack launched the Mirai botnet to flood the servers, disrupt many functionalities, and stop the services of many websites, including Twitter, CNN, PayPal, and Netflix. Intrusions threaten mainly the system's confidentiality, integrity, availability, and authenticity. Traditional security countermeasures, including authentication protocols and encryption techniques, might not be sufficient to provide acceptable security levels for the highly scalable and interconnected IoT. Many emergent protection technologies work against these intrusions, such as blockchain, fog, and cloud computing technology. However, these technologies still have shortcomings related to time latency and scalability issues [4]. Intrusion detection systems (IDSs) are essential and crucial for IoT. In this solution, hardware and software are used to monitor the network and discover malicious behaviors. Typically, there are different types of IDSs, which could be based on statistics, machine learning, or others [5–11].

IDSs consist of three primary components: the sensing component to gather the information from the environment and the analysis and reporting components. In the analysis components, different intelligent data mining techniques help to process the massive volume of monitored data and capture the abnormal and malicious patterns. Therefore, the analysis component is the smart component in IDS that deploys smart and lightweight security models to protect the network.

IoT involves many connected devices with a high amount of collected high-dimensional data. Such colossal data need data mining techniques to process them, including feature selection (FS) [12].

FS is a data mining technique used to distinguish irrelevant and symmetrical features that may reduce the classifier's performance. FS contributes to reducing the dimensionality, enhancing the classification performance, and even reducing the training time. Using traditional search techniques, such as exhaustive search, yields exponential running time. Thus, if a dataset has *N* features, the size of the entire feature space is $2^N$. This is practically impossible, especially with a medium and large number of features. Different search methods have been investigated in recent years, but most of them have suffered from the local minima. Recently, metaheuristic algorithms have been applied widely and efficiently for the optimization of the FS problem and have achieved promising results [13].

This work proposes a hybrid model using a salp swarm algorithm (SSA) and ant lion optimization (ALO). The new model is called SSA–ALO, which integrates the power points of both algorithms into one method. The hybridization exploits the ability to search globally (exploration) of the ALO and the ability to search locally by the SSA, consequently achieving a balance between global search and local search of feature space and increasing the opportunity to reach the optimal solution (best asymmetrical features subset) and alleviate the local minima problem. The SSA algorithm has one parameter that adaptively decreases across the iterations of the optimization process. Thus, the algorithm explores several regions at the beginning of the optimization process and focuses on promising regions later on. As a bonus, follower salps update their positions gradually according to other salps in the swarm, which prevents the optimizer from falling into local minima. The SSA maintains the best-found individual so that it is reserved even if agents become weakened. In the SSA, the leader salp moves based on the position of the food source only, which is the best salp found so far, so the leader always is capable of searching globally and locally around the food source in the search space.

ALO has two types of individuals: ants and ant lions. Ant lions are the best solutions found so far. Their positions are replaced whenever a fitter ant is found. Ants are moving around in the search space continuously. The positions of ants are changed based on the positions of ant lions. The position update strategy of ants is based on selecting an ant lion using a roulette wheel in combination with the best solution. Thus, a given ant updates its position based on these two agents. The selection of an agent randomly using a roulette wheel encourages diversification in the search space. Therefore, ants can move randomly in the search space and explore more regions without stagnating in local minima. The avoidance of local minima is a significant merit of ALO, which gives it superiority against other methods such as PSO. Moreover, it has few parameters compared to PSO and GA. In SSA, the swarm leader is chosen to be the agent with the highest fitness value. Hence, the agents of low fitness values have no chance of leading the swarm. This decreases the exploration capability of the algorithm and supports its exploitative power. In contrast, ALO keeps track of all agents in the swarm and uses a roulette wheel together with the current best agent to lead the swarm. This indicates that low-fitness agents can participate in guiding other agents in the swarm besides the best-found agent. This supports the exploratory behavior of the ALO. Integrating the principles of ALO and SSA into one algorithm can support the exploration/exploitation trade-off. The proposed hybrid algorithm keeps the ants and ant lion swarms in motion. However, it uses the ideas of leadership assignments from both ALO and SSA to provide more trade-offs between global search and local search. The proposed SSA–ALO algorithm takes the merits of ALO by updating low-fitness agents (ants) using ALO principles. On the other hand, it uses the merits of SSA by updating the high-fitness agents (ant lions) using SSA principles that have to maintain faster convergence.
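The division of labour described above can be sketched in a few lines. This is an added illustration, not the authors' SSA–ALO implementation. It rests on several assumptions: the `c1` schedule is the one commonly given in the SSA literature rather than on this page, the ALO random walk is reduced to a bounded perturbation, and the toy `fitness`, `N` and `RELEVANT` are constructed stand-ins for a classifier-based wrapper score.

```python
import math, random

N, RELEVANT = 12, {0, 3, 5}   # constructed toy problem: 12 features, 3 carry signal

def fitness(x):
    # Stand-in for a wrapper score: reward relevant features, penalise subset size.
    sel = {j for j, v in enumerate(x) if v > 0.5}
    return 0.9 * len(sel & RELEVANT) / len(RELEVANT) + 0.1 * (1 - len(sel) / N)

def c1(l, L):
    # SSA's single control parameter (assumed standard form): decays from ~2 to ~0.
    return 2.0 * math.exp(-(4.0 * l / L) ** 2)

def roulette(fits, rng):
    # Fitness-proportional pick, so weaker ant lions can still guide ants.
    r, acc = rng.random() * sum(fits), 0.0
    for i, f in enumerate(fits):
        acc += f
        if r <= acc:
            return i
    return len(fits) - 1

def clip(v):
    return min(1.0, max(0.0, v))

def hybrid_search(pop=10, iters=40, seed=1):
    rng = random.Random(seed)
    swarm = [[rng.random() for _ in range(N)] for _ in range(pop)]
    elite = max(swarm, key=fitness)[:]
    for l in range(1, iters + 1):
        swarm.sort(key=fitness, reverse=True)
        lions, ants = swarm[:pop // 2], swarm[pop // 2:]
        lion_fits = [fitness(a) for a in lions]
        step = c1(l, iters)
        # ALO-style: low-fitness agents move around a roulette-chosen ant lion and the elite.
        new_ants = []
        for _ in ants:
            pick = lions[roulette(lion_fits, rng)]
            new_ants.append([clip((p + e) / 2 + rng.uniform(-step, step) / 2)
                             for p, e in zip(pick, elite)])
        # SSA-style: the leader moves around the food source (elite); followers chain behind.
        new_lions = [[clip(e + rng.choice((-1, 1)) * step * rng.random()) for e in elite]]
        for i in range(1, len(lions)):
            new_lions.append([(a + b) / 2 for a, b in zip(lions[i], new_lions[i - 1])])
        swarm = new_lions + new_ants
        best = max(swarm, key=fitness)
        if fitness(best) > fitness(elite):
            elite = best[:]   # elitism: the best-found subset is never lost
    return elite
```

Thresholding the returned vector at 0.5 gives the selected feature mask; in a real IDS pipeline `fitness` would be replaced by the validation score of a classifier trained on the masked traffic features.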

The remaining parts of the paper are as follows: Section 2 reviews related studies. Sections 3 and 4 present details regarding the proposed techniques. Section 5 analyzes the results. Finally, Section 7 provides a paper summary and suggests future work.
