**2. Related Works**

In the literature, researchers have been attracted by new technologies of data mining. Therefore, they have utilized them for security breaches and botnet attacks in IoT in an efficient way. In [14], neural network (NN) and the negative selection algorithm were used to predict intrusions in IoT. However, in this study, the performance of the IDs was limited. Mehmood [15], used a multi-agent system to detect DDoS attacks. Another study [16] classified the machine learning methods used for security in IoT. In [17], the authors used and compared a set of classifiers to determine their performance in detecting malicious activities. The results showed that NB achieved the worst performance among RF and GB. Principal component analysis (PCA) and fuzzy clustering were used to detect intrusions in IoT. The yielded efficiency of the proposed IDS was promising. However, the system suffered from the scalability problem, so it became inefficient when the amount of data increased [18].

Rathore, in [19], proposed an extreme learning machine (ELM) for attack detection in IoT. The new method outperformed other traditional machine learning methods in terms of accuracy. Moustafa [20] proposed an ensemble learning method for IoT security detection. The proposed method was used to detect mainly three kinds of attacks in IoT.

Several nature-inspired algorithms were used to deal with security issues by developing IDS for IoT. Hamamoto [21] proposed IDS based on a genetic algorithm. In [22], a genetic algorithm was used to detect insider threats. The authors in [23] developed an IDS using multilayer perception and an artificial bee colony algorithm to detect malicious patterns. Ali in [24] proposed IDS based on particle swarm optimization (PSO) to detect attacks. In [25], Bayesian networks and C4.5 were used with the firefly algorithm to perform FS and classify the data in the network. PSO, GA, and ant colony algorithms were proposed as a layered model in [26] along with five rule-based classifiers.

In all mentioned studies, the proposed IDSs were used to handle the data traffic in the traditional networks or typical wireless sensor networks (WSNs). This means that they were not specifically developed for IoT networks. Hence, they may be insufficient for the evolved IoT networks [27]. In the literature, there are few studies on the use of metaheuristic algorithms for detecting intrusions in IoT networks and using metaheuristic FS to enhance the detection of attacks.

In [28], RF and the bat algorithm (BA) were integrated to perform FS for IoT security. The achieved performance results were superior to those of other used methods such as SVM, AdaBoost, and decision tree (DT). Xue [29] applied a differential evolution algorithm. In [30], Popoola proposed a wrapper FS to detect intrusions in networks by using a differential evolution algorithm. Guendouzi developed an FS method to detect intrusions using the biogeography-based optimization (BBO) algorithm [31]. In [32], the author proposed a genetic IDS. There is no existing solution in the literature that uses the integration of SSA and ALO for FS in IDSs, especially to detect botnets in IoT networks. In [8], the authors proposed a deep multi-layer classification intrusion detection approach. They used two stages for detecting an intrusion and the type of intrusion. They also applied an oversampling technique to enhance the classification results. The experiments showed that the best settings of the proposed approach included oversampling by the intrusion type identification label (ITI), 150 neurons for the Single-Hidden Layer Feed-Forward Neural Network (SLFN), and 2 layers and 150 neurons for LSTM. The results showed that the proposed technique outperformed the other well-known techniques in terms of the G-mean having a value of 78% compared to 75% for KNN and less than 50% for the other techniques.

In [6], the authors proposed a new approach for intrusion detection. They integrated the unsupervised (clustering), supervised (classification) and oversampling methods for carrying the task. The used classifier in the proposed approach is the Single Hidden Layer Feed-Forward Neural Network (SLFN). The oversampling method was applied to generate balanced training data. The results showed that the SLFN with the Support Vector Machine and Synthetic Minority Oversampling (SVM-SMOTE), with a ratio of 0.9 and a k-means++ clustering with k value of 3 obtained better results than other values and other classification methods.
