Received 3 June 2024, accepted 25 June 2024, date of publication 8 July 2024, date of current version 26 July 2024.

Digital Object Identifier 10.1109/ACCESS.2024.3424528

Efficacious Novel Intrusion Detection System for

Cloud Computing Environment
POOJA RANA 1 , ISHA BATRA 1 , ARUN MALIK1 , IN-HO RA 2, (Member, IEEE), OH-SUNG
LEE3 , AND A. S. M. SANWAR HOSEN 4
1 Schoolof Computer Science and Engineering, Lovely Professional University, Phagwara, Punjab 144401, India
2 Schoolof Computer, Information, and Communication Engineering, Kunsan National University, Gunsan 54150, South Korea
3 Schoolof Electronic and Information Engineering, Kunsan National University, Gunsan 54150, South Korea
4 Department of Artificial Intelligence and Big Data, Woosong University, Daejeon 34606, South Korea

Corresponding authors: In-Ho Ra (ihra@kunsan.ac.kr) and A. S. M. Sanwar Hosen (sanwar@wsu.ac.kr)

This work was supported in part by the National Research Foundation of Korea (NRF) Grant by Korean Government through the Ministry
of Science and Information and Communication Technology (MSIT) under Grant 2021R1A2C2014333; and in part by the Woosong
University Academic Research Fund, 2024, South Korea.

ABSTRACT Rife acceptance of Cloud Computing has made it bull’s eye for the hackers. Intrusion detection
System (IDS) plays a vibrant role for it. Researchers have done marvelous works on the development of a
competence IDS. But there are many challenges still exists with IDS. One of the biggest concerns is that the
computational complexity and false alarms of the IDS escalates with the increase in the number of features
or attributes of the dataset. Hence, the concept of Feature Selection (FS) contributes an all-important role for
the buildout of an efficacious IDS. New FS algorithm is put forward which is the modified Firefly Algorithm
in which Decision Tree (DT) classifier is used as the classification function. We have used the hybrid
classifier which is the combination of neural network and DT. We have used CSE CIC IDS 2018 dataset and
simulated dataset for performance assessment. Our examination pragmatic that the performance of proposed
architecture is better than the state-of-the-art algorithms.

INDEX TERMS Decision Tree, Firefly Algorithm, Fitness Function, Feature Selection, Genetic Algorithm,
Intrusion Detection System, K-nearest Neighbor, Particle Swarm Optimization, Support Vector Machine,
Neural Network, Random Forest.

I. INTRODUCTION The intrusions concoct the system capricious for the net-
Cloud Computing (CC) acquires countless value today. work traffic due to its nonlinear behavior. It is a proactive
It has on-demand and scalable services. It is satisfying the technology which monitors the malicious activities in the net-
demand of its users by reducing overall cost and complex- work and provides a protective mechanism. There is urgent
ities [1]. Diverse types of cloud provide diverse services need of providing good techniques for detecting attacks.
which fascinates sundry hackers. Intrusion Detection System It observes, collects and analyzes the network traffic, log files
(IDS) is very imperative. Due to huge traffic generation, and actions of users for discovering the malicious activities
cloud computing is becoming an eye-catching target for in the network. Figure 1 represents different IDSs. On the
the attackers. The foremost security concern in this domain basis of objective for the protection, there are two types of
is to protect it from different network attacks. IDS ranges IDSs that are Host-Based IDS and Network-Based IDS where
from anti-virus software to the well-developed monitoring former is monitoring specific hosts and latter is monitoring
system. Large data produced by the cloud is a biggest network for the detection of malicious activities. On the basis
concern [2]. of detection technique, there are two types of IDSs that are
Anomaly-based and Signature-based where former is for the
detection of attacks which are unknown or known and latter
The associate editor coordinating the review of this manuscript and is used for known attack detection. IDS related to cloud can
approving it for publication was Amjad Mehmood . be applied to mobile e-health and resource-limited devices.

2024 The Authors. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License.
VOLUME 12, 2024 For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/ 99223
 P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

FS is aiming at retaining the relevant features which are

required for building a strong model. For developing an IDS,
it is vital to get rid of the irrelevant features so that the accu-
racy of the IDS increases. The highlights of our contributions
are as follows:
• Discerned the various FS techniques and IDSs linked
with the CC.
• Proposed a novel FS algorithm by modifying the
Firefly Algorithm.
• Proposed a novel architecture for the detection of
various attacks affecting CC.
• Latest intrusion detection dataset CSE-CIC-IDS 2018
and simulated dataset are used for the experiment and
evaluation.

II. LITERATURE REVIEW

In [12], a model called Game Theory-based Cloud Secu-
rity Deep Neural Network (GT-CSDNN) was proposed. This
model incorporates both defender and attacker techniques
using game theory principles. The main goal is to classify
a network administrator to be aware of the nature of such
FIGURE 1. Different types of intrusion detection system (IDS). traffic in order to effectively block and terminate any intru-
sive network connections. To achieve this, the Binary-Based
Particle Swarm Optimization (BPSO) technique was utilized
Data mining and Machine Learning (ML) are used by to identify the most relevant network features, while the
various researchers [3]. Machine classifiers are usually used Standard-Based Particle Swarm Optimization (SPSO) was
for binary classification into normal and attack packets [4]. used to fine-tune the control parameters of the Support Vector
Neural Networks (NNs) are widely used as they can per- Machine (SVM).
form very well on incomplete datasets [5]. While each service In [17], authors evaluated and presented a detector based on
model in CC has its own benefits, they also encounter par- Radial Basis Function Neural Network (RBF-NN) for detect-
ticular obstacles. In the case of Infrastructure as a Service ing DDoS attacks. However, the resulting network structure
(IaaS), virtualization is essential for infrastructure provision- can often be insufficient or unnecessarily complex, requir-
ing but has its limitations, and the value of IaaS services may ing manual configuration through a trial-and-error approach.
decrease over time. Platform as a Service faces challenges This study proposes the use of the Bat Algorithm (BA) to
related to interoperability, host sensitivity, confidentiality, automatically configure the RBF-NN network structure.
authorization, reliability, and extensibility. On the other hand, In [18], authors introduced a highly effective approach
Software as a Service deals with security concerns regarding called the Dragonfly-Improved Invasive Weed Optimizer-
authorization, authentication, data protection, reliability, and based Shepard CNN (DIIWO-based ShCNN) for detecting
network monitoring. Cloud companies need to tackle these intruders and mitigating attacks in the cloud paradigm.
security challenges head-on. Feature Selection (FS) is a basic This approach also enables the detection of intruders using
pre-processing step when the concept of Machine Learning ShCNN.
(ML) comes. FS is important for an IDS as it enhances the In another study [19], a powerful Intrusion Detection
performance and accuracy and it diminishes the number of System (IDS) was proposed using the Sailfish Dolphin
features of the dataset or the network record [6], [7]. With the Optimizer-based Deep RNN (SFDO-based Deep RNN) to
increase in the data accumulation in the databases and data identify anomalies in the cloud framework. The SFDO
warehouses, the dimensionality problem is becoming a big algorithm combines the Sailfish Optimizer (SFO) with the
expostulation for the ML chores [8]. Dolphin Echolocation (DE) technique. The ChicWhale tech-
For making an efficacious IDS, there is an exigency of nique can be utilized for Virtual Machine (VM) migration and
identification of the noteworthy features before the detection cloud data management.
of attacks in the network. But the recognition of the sig- In [20] conducted a study on an IDS (Intrusion Detec-
nificant features is a complicated task because the features tion System) using a Fisher Kernel-Based PCA dimensional
can be relevant, extraneous or excessive which hikes the reduction technique and a Grey Wolf Optimizer (GWO)-
computation complexity for the detection of the attacks or based weight dropped Bi-LSTM technique (FKPCA-GWO
intrusions [9], [10], [11]. Different techniques are used by WDBiLSTM). Firstly, they combined the data record with
researchers for developing good attack finding system in by PCA to achieve linearly separable dimensionality reduction
using neural networks. by using the fisher kernel with fisher score as input. Secondly,

99224 VOLUME 12, 2024

P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

they employed the WDBiLSTM network to retain long-term that utilizes radial basis functions as activation functions in
dependencies while eliminating features from both forward its hidden layer functions convert the input data into the
and backward directions. hidden layer [33]. RBFNNs are highly effective when deal-
In another study [21], a novel Deep Learning (DL) ing with nonlinear problems and are especially suitable for
approach incorporating CNNs Convolutional Networks and tasks involving pattern recognition. They are well-suited for
Recurrent Neural Networks was developed for cloud security intrusion detection scenarios where attacks can be complex
in IDS. With this DL technique, technique, they were able to and nonlinear [33], [34]. The architecture of an RBFNN
prevent some detected but unauthorized traffic from access- allows it to efficiently approximate complex decision bound-
ing the server in the cloud. aries, resulting in improved performance in capturing the
The CC ecosystem includes three primary service models: underlying patterns in the data. Moreover, compared to tra-
IaaS, PaaS, and SaaS. These models are the essential building ditional feedforward neural networks, the training process
blocks of CC and can be deployed in different setups, such of an RBFNN is relatively faster, making it computationally
as community, private, hybrid, and public clouds [22]. Each efficient for large-scale intrusion detection tasks [33].
service model offers distinct features to meet the diverse From literature review, following research gaps are
requirements of users. observed:
IaaS, which forms the base level, furnishes virtualization, 1. Less work is done by researchers on the exploration of
servers, storage, and network resources. It provides users FFA.
with a versatile and expandable infrastructure for construct- 2. Most researchers have used old datasets for the valida-
ing and overseeing their applications [23]. PaaS builds on tion of their proposed work.
top of IaaS by presenting technical layers and instances of 3. Most researchers have used benchmark dataset.
management software, empowering developers to concen- 4. Hybridization in FS and classification module is found
trate on application development without concerns about rarely in research work.
the underlying infrastructure. Conversely, SaaS delivers fully Following points show the contribution of proposed work:
functional software applications accessible through the cloud, 1. FFA is used in modified form for
enabling users to run applications without requiring local 2. FS.
installations. 3. Latest attacks are detected by proposed work. Latest
The ever-changing threat landscape prompts individ- dataset is used for validation of dataset.
uals to continuously adapt their methods in order to 4. Simulated dataset is created for the checking the perfor-
exploit vulnerabilities in cloud environments [24]. Tradi- mance of the proposed work.
tional IDSs often require assistance in effectively identifying 5. Hybridization is done in FS module and classification
changes in network traffic patterns. In response, experts module for the development of an efficient IDS.
stress the significance of incorporating ML and DL tech-
niques to enhance the capabilities of IDSs [25]. They III. PROPOSED METHODOLOGY
have become increasingly important in various sectors, such This section describes the proposed architecture for various
as finance, government, scientific research, and security attacks detection in CC environment. The framework consists
[26], [27]. ML’s ability to cluster and classify data efficiently of three modules that are:
plays a crucial role in cybersecurity applications [28], [29].
An anomaly-based IDS examines real-time network traffic
by comparing it to previously recorded patterns of normal A. DATASET
behavior in order to identify new intrusions. While this This section of the paper is describing the datasets used for
approach is effective in detecting novel attacks, it can also the performance assessment of the proposed algorithm. The
generate false-positive alerts by mistakenly flagging regular objective of our proposed work is to assess the proposed work
packets as malicious [30], [31]. On the other hand, a misuse- on recent dataset instead of most commonly old datasets like
based IDS relies on a signature database to detect known KDDCup 1999, NSL-KDD dataset. We have used CSE CIC
attacks, which helps reduce the occurrence of false alarms. IDS 2018 dataset [35] which is Intrusion Detection Evalu-
However, this type of IDS may overlook new threats that do ation Dataset which was covered in 5 days. This dataset is
not have recognized signatures. having around 2 lakh records with 80 features.
Random Forest (RF), a method of ensemble learning, In [36], it is stated that real-time cloud infrastructures
is based on Decision Trees (DTs). During training, it con- are very expensive and complex. Also, it is very difficult to
structs multiple DTs and produces the class, which can be re-configure the cloud parameters on a large scale. Using the
the mode of the categories or the average prediction of the cloudsim toolkit helps to recreate the outputs in an easy and
individual trees [32]. RF is particularly well-suited for our controlled way. We have created our own dataset which is
IDS model because it effectively handles high-dimensional created by using the simulated dataset. We have used the
datasets with numerous features. A Radial Basis Function Eclipse IDE for Java Developers - 2023-09 for the creation
Neural Network (RBFNN) is a type of Neural Network of dataset and used the cloudsim 3.0.3 jar files.

VOLUME 12, 2024 99225

 P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

TABLE 1. Proposed feature selection algorithm.

FIGURE 2. NSL-KDD dataset distribution.

Machine learning techniques only works on numerical data

which is cleaned. This module removes the null values from
the dataset. Strings are converted to numeral form which is
easily understood by the computer operating system.
Normalization is performed for putting all feature values
into a specific range. It is performed for scaling dataset.
FIGURE 3. UNSW-NB 15 dataset distribution.
It makes the values of the dataset in [-1, 1] interval. We have
used popular normalization technique Min-Max Normal-
ization. A linear transformation is done by the Min-Max
Normalization, refer to Eq. (1).
(A − min value of A)
A′ = ∗ (D − C) + C
(max value of A − min value of A)
(1)
where A is the having the Min-Max Normalized Data A if
predefined boundary belongs to [C, D].

C. FEATURE SELECTION MODULE

FS performs an important protagonist in the classification.
We have presented a modified Firefly Algorithm (FFA)
for the FS which is the modification in the original FFA.
The proposed FS algorithm has novelty as we have used the
FIGURE 4. CSE CIC IDS 2018 dataset distribution. decision tree (DT) classifier as the fitness function for the
FFA. FFA is chosen as it is very rarely used by researchers
B. PREPROCESSING MODULE for FS. Literature survey has proved that FFA is better than
This section of the paper describes the function of prepro- Particle Swarm Optimization (PSO) and Genetic Algorithm
cessing module. In lay man language, it cleans the data. The (GA) [37]. Some variants of PSO are the special cases of
raw dataset has categorical and numerical data. The data can FFA. Parameters of FFA can be adjusted which can improve
be irregular or skewed which may lead to find wrong results. convergence.

99226 VOLUME 12, 2024

P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

FIGURE 5. Workflow diagram of the proposed method.

FFA is presented by Xin-She Yang in 2007 which mimics D. CLASSIFICATION MODULE

the behavior of the fireflies in the summer in the tropical This section of the paper describes the classification module
region. Fireflies search for food, communicate with each which is used for the detection of the attacks in the CC
other and search mates by using the bioluminescence with environment. Hybrid classifier is used for the classification
different patterns of flashlight. FFA is based on the flashing of the attacks. We used the hybridization of the NN with the
features of the fireflies which generates a firefly-based meta- DT for the detection of the attacks in the CC environment.
heuristic algorithm. The basic three principles of fireflies are: NNs serve as a metaphor for how the brain processes
1) Each and every firefly is having unisex. Hence, the information, drawing inspiration from biology rather than
attraction for mating is independent of the sex of the replicating its exact functions. They’ve proven highly promis-
fireflies. ing in various forecasting and business classification tasks
2) The power of attraction is proportional to the bright- by leveraging their capacity to learn from data. This article
ness of the fireflies. The firefly with less brightness seeks to offer a concise introduction to NN. These networks
will move towards the firefly with more brightness. learn by adjusting their architecture and connection strengths,
Attraction between fireflies is inversely proportional to enabling them to adeptly handle tasks. They acquire knowl-
the distance between the fireflies as more distance less edge either from provided training data or by autonomously
attraction. grasping patterns from input-output relationships and exam-
3) The cost function in the analytical form is linked with ples.
the brightness of the firefly. DTs offer a widely embraced and efficient method for
There is a question that why FFA is efficient algorithm. classification. They take the form of a flowchart-like struc-
FFA is a swarm-based algorithm so it has same advantages as ture, employing a tree model to visualize decisions and
other swarm-based algorithms has. Some variants of PSO are their potential outcomes. Constructed from existing train-
representing FFA as accelerated PSO. FFA can be adapted ing data, each internal node conducts a test on a particular
to control the randomness and iterations proceed. All these attribute, with each branch indicating the test outcome,
above advantages of FFA makes to handle clustering prob- while every leaf node signifies a class label or a definitive
lems, classification problems and continuous problems. decision.

VOLUME 12, 2024 99227

 P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

FIGURE 7. Representation of neural network.

FIGURE 8. Representation of decision tree.

and ability to capture local patterns. By integrating DTs

into the hybrid model, it can help mitigate the risk of
FIGURE 6. Flowchart diagram of Feature Selection which is combination
of FFA and DT. overfitting, leading to more generalized and reliable
predictions.
2. Enhanced Feature Representation Learning: NNs
In the proposed work, the hybrid classification model com- excel at automatically learning feature representations
prising NN and DT components offers a promising approach from raw data, extracting hierarchical and abstract
to enhance the overall classification accuracy. By effectively features through successive layers of neurons. By pre-
combining the strengths of both models, it can overcome the processing the data using NN layers before feeding it
limitations of individual algorithms and provide more accu- into the DT classifier, the hybrid model can provide
rate and interpretable predictions for the given classification better feature representations, potentially leading to
task. improved discrimination between classes and higher
1. Improved Robustness to Overfitting: NNs, espe- classification accuracy.
cially deep architectures, have a tendency to overfit 3. Flexible Model Architecture: The hybrid model offers
the training data, particularly when dealing with small flexibility in designing the architecture and configu-
datasets or noisy input. DTs, on the other hand, are ration of both NN and DT components. Researchers
less prone to overfitting due to their inherent simplicity and practitioners have the freedom to experiment with

99228 VOLUME 12, 2024

P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

TABLE 2. Following table shows the precision comparison.

TABLE 3. Following table shows the accuracy comparison.

different network architectures, activation functions, at hand. This flexibility enables fine-tuning and cus-
learning rates, and tree parameters to optimize the tomization to adapt the model to varying datasets and
model’s performance for the specific classification task application requirements.

VOLUME 12, 2024 99229

 P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

TABLE 4. Following table shows the recall comparison.

TABLE 5. Following table shows the F-Measure comparison.

4. Adaptive Learning and Adaptability: NNs are inher- dient descent, allowing them to adapt to changes in
ently adaptive and can continuously update their the data distribution over time. DTs, although static
internal parameters through back propagation and gra- once trained, can be easily updated or retrained with

99230 VOLUME 12, 2024

P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

FIGURE 9. (a) Precision comparison. (b) Accuracy comparison. (c) Recall comparison. (d) F-Measure comparison.

new data to accommodate concept drift or changes in In this experiment, cutting-edge machine learning evalua-
the underlying data characteristics. The hybrid model tion metrics have been employed to assess the effectiveness
can leverage this adaptability to maintain high perfor- of the proposed IDS. Through a review of existing literature,
mance in dynamic and evolving environments, making it’s evident that Precision, Accuracy, Recall, and F-Measure
it suitable for real-world applications where the data stand out as the most commonly utilized evaluation metrics
distribution may change over time. in machine learning.
5. Enriched Model Interpretability and Explain abil- Various test cases are created and presented the values
ity: While NN models are known for their black-box of performance metrics in the tabular form. The evaluation
nature and lack of interpretability, DTs offer trans- of performance is measured by the Precision, Accuracy,
parent and interpretable models that can provide Recall and F-Measure as in the following equations. The
insights into the decision-making process. By combin- main performance metrics for the detection of attacks is
ing both models in the hybrid architecture, it not only accuracy. Accuracy is describing that how perfectly attacks
improves classification accuracy but also enhances are being identified by the classifier. There are some basic
model interpretability and explain ability, allowing terms related to the performance metrics: True Positive (TP),
users to understand the rationale behind predictions and True Negative (TN), False Positive (FP) and False Negative
gain actionable insights from the model’s output. (FN). TP refers the rate of the packets that are correctly
identified as attack packets. TN value defines the rate of the
normal packets identified as normal packets. FP is the rate of
IV. PERFORMANCE EVALUATION the attack packets identified as normal packets. It is known
A. EXPERIMENT SETUP as Type I error. FN is the rate of the normal packets identified
Evaluation is one of the vital steps and this step measures as attack packets. It is known as Type II error. Evaluation
the performance of the proposed methodology and com- is one of the vital steps and this step measures the perfor-
pares with the existing ones. MATLAB software running mance of the proposed methodology and compares with the
on the Windows 10 operating system was utilized for this existing ones. MATLAB software running on the Windows
task, supported by 8 GB of RAM. The study employed 10 operating system was utilized for this task, supported
both the CSE CIC IDS 2018 dataset and a simulated by 8 GB of RAM. The study employed both the CSE CIC IDS
dataset. 2018 dataset and a simulated dataset. FFA is a nature-inspired

VOLUME 12, 2024 99231

 P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

TABLE 6. Comparison of proposed feature selection algorithm with PSO and GA in terms of precision.

TABLE 7. Comparison of proposed feature selection algorithm with PSO and GA in terms of accuracy.

optimization method that mimics the behavior of fireflies (GA). This comparative assessment allows for a comprehen-
in their search for optimal lighting conditions. By applying sive understanding of the strengths and weaknesses of each
this innovative algorithm, we aim to enhance the effi- approach, enabling the identification of the most effective
ciency and accuracy of proposed intrusion detection system. method for intrusion detection within the context of this
Furthermore, the proposed work goes beyond mere research.
algorithm selection. It delves into a comparative anal- In this experiment, cutting-edge machine learning eval-
ysis by benchmarking the performance of the Firefly uation metrics have been employed to assess the effec-
Algorithm against two popular optimization techniques: Par- tiveness of the proposed intrusion detection system.
ticle Swarm Optimization (PSO) and Genetic Algorithms Through a review of existing literature, it’s evident that

99232 VOLUME 12, 2024

P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

TABLE 8. Comparison of proposed feature selection algorithm with PSO and GA in terms of recall.

TABLE 9. Comparison of proposed feature selection algorithm with PSO and GA in terms of F-Measure.

Precision, Accuracy, recall, and F-Measure stand out as performance is measured by the Precision, Accuracy. Recall
the most commonly utilized evaluation metrics in machine and F-Measure would be as follows defined in Eq. (2)–(5).
learning. The main performance metrics for the detection of attacks
Various test cases are created and presented the values of is accuracy. There are some basic terms related to the per-
performance metrics in the tabular form. The evaluation of formance metrics: True Positive (TP), True Negative (TN),

VOLUME 12, 2024 99233

 P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

TABLE 10. Following table shows the precision comparison.

TABLE 11. Following table shows the accuracy comparison.

False Positive (FP) and False Negative (FN). TP refers the rate of the normal packets identified as attack packets. It is known
of the packets that are correctly identified as attack packets. as Type II error.
TN value defines the rate of the normal packets identified as Precision is describing that how correctly the packets are
normal packets. FP is the rate of the attack packets identified identified by the classifier. Accuracy is describing that how
as normal packets. It is known as Type I error. FN is the rate perfectly attacks are being identified by the classifier. Recall

99234 VOLUME 12, 2024

P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

TABLE 12. Following table shows the recall comparison.

TABLE 13. Following table shows the F-Measure comparison.

measure is similar to the detection rate measure. F-Measure The proposed work presented in this study repre-
is identified as the harmonic mean of the precision and recall sents a significant step forward in the field of intru-
measure. Eq. (2)–(5) are shown in the following section of the sion detection. Leveraging a substantial dataset compris-
paper. Performance metrics are described in equation forms ing 1.5 lakh (150,000) records, this research focuses
as Eq. (2)–(5). on the identification and classification of network-based

VOLUME 12, 2024 99235

 P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

FIGURE 10. (a) Precision comparison. (b) Accuracy comparison. (c) Recall comparison. (d) F-Measure comparison.

attacks. Within this extensive dataset, five major cat- The ‘Total number of Samples’ column represents the
egories of attacks have been meticulously categorized, dataset sizes, ranging from 20,000 to 150,000 samples, sim-
serving as representative examples of common cyber ulating diverse network scenarios. Notably, the ‘Precision
threats. Proposed Firefly + Hybrid Classifier’ consistently stands
The fundamental objective of this research is to develop an out, achieving high precision scores exceeding 0.95 across
intrusion detection system that not only identifies attacks but all dataset sizes. This demonstrates its remarkable ability
also minimizes false positives, thus optimizing the precision to correctly identify attacks while minimizing false posi-
of detection. This is achieved through the comprehensive tives. In contrast, other classifiers, such as Levenberg Neural,
evaluation of detection performance metrics, including Pre- DT, RF, K-nearest Neighbor (KNN) with 10 Neighbors, and
cision, Accuracy, Recall, and F-Measure. These metrics Multi-SVM, exhibit varying precision scores with changing
collectively offer a holistic view of the system’s efficacy, dataset sizes. Moreover, the proposed Firefly Algorithm +
capturing both its ability to accurately identify attacks and Hybrid Classifier maintains its competitive edge in preci-
its capacity to minimize false alarms. What sets this research sion, even as the dataset size increases, underscoring its
apart is its utilization of a novel computational intelligence robustness and suitability for real-world intrusion detection
technique known as the FFA. scenarios. This data reinforces the algorithm’s effectiveness

True Positive
Precision = (2)
(True Positive + False Positive)
(True Positive + TrueNegative)
Accuracy = (3)
(True Positive + True Negative + False Positive + False Negative)
True Positive
Recall = (4)
(True Positive + False Negative)
(2 ∗ Precision ∗ Recall)
F − measure = (5)
(Precision + Recall)

99236 VOLUME 12, 2024

P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

and reliability, making it a compelling choice for enhancing Neural’ classifier also emerges as a strong contender, high-
cybersecurity in networks of varying scales. lighting its suitability for this task.
Notably, the ‘Accuracy Proposed Firefly + Hybrid Classi- Simulated dataset using the cloudsim toolkit results in
fier’ consistently stands out, achieving high Accuracy scores the following results which are presented in the tabular and
exceeding 0.95 regardless of the data size. This demonstrates graphical forms.
its remarkable ability to correctly identify attacks while min- Precision values vary with sample size, indicating that
imizing false positives. The proposed algorithm performs model performance may be influenced by the amount of
better in terms of accuracy even when dealing with large or data available for training and testing. The ‘Precision Pro-
complex datasets. posed Firefly + Hybrid’ model consistently has the highest
The presented table offers a valuable glimpse into the precision across different sample sizes, making it a strong
recall performance of multiple classifiers across a spectrum performer in this dataset. Its important to consider not only
of dataset sizes, ranging from 20,000 to 150,000 samples, precision but also other evaluation metrics and practical con-
mirroring diverse network scenarios. Notably, the ‘Recall siderations when choosing a machine learning model for a
Proposed Firefly + Hybrid Classifier’ consistently emerges specific task.
as the top-performing classifier, achieving impressive recall The ‘Accuracy Proposed Firefly + Hybrid’ model con-
scores that steadily ascend from 0.8285 at 20,000 samples sistently has high accuracy across different sample sizes,
to an exemplary 0.9681 at 150,000 samples. This signifies making it a strong performer in terms of overall correctness
the algorithm’s remarkable effectiveness in identifying true The ‘Accuracy RF’, ‘Accuracy KNN with 10 Neighbors’,
positive instances, a pivotal aspect of intrusion detection. The and ‘Accuracy Multi-SVM’ models show the most signifi-
‘Recall Levenberg Neural’ classifier also demonstrates com- cant variability in performance, with lower accuracy values
petitive performance, gradually improving from 0.7690 to observed for some sample sizes.
0.9619 across the dataset sizes. The ‘Recall DT’ maintains The ‘Accuracy Neural’ and ‘Accuracy DT’ models perform
consistent recall scores, indicating its proficiency in attack competitively, with good accuracy values, although they may
detection, especially in larger-scale networks. While the exhibit some variability.
‘Recall RF’ exhibits competitive performance, it falls slightly The ‘Recall Proposed Firefly + Hybrid’, ‘Recall Neural’,
behind the top-performing classifiers. Similarly, the ‘Recall and ‘Recall DT’ models generally exhibit high recall val-
KNN with 10 Neighbors’ and ‘Recall Multi-SVM’ classifiers ues, making them strong performers in terms of correctly
prove their effectiveness, with the former demonstrating identifying relevant instances. The Recall RF model shows
significant improvement as the dataset size increases. In sum, the most variability in performance across different sample
this data underscores the robustness and reliability of the sizes, with lower recall values observed for some cases. The
‘Recall Proposed Firefly + Hybrid Classifier’ for intrusion ‘Recall KNN with 10 Neighbors’ and ‘Recall Multi-SVM’
detection, positioning it as a compelling choice for network models exhibit variability in recall values, indicating that their
security where accurate attack identification is paramount. performance may be influenced by the specific dataset or
Notably, the ‘F-Measure Proposed Firefly + Hybrid sample size.
Classifier’ consistently emerges as a top-performing classi- The ‘F-Measure Proposed Firefly + Hybrid’, ‘F-
fier, achieving F-Measure scores that steadily increase from Measure Neural’, and ‘F-Measure DT’ models consistently
0.8889 at 20,000 samples to a remarkable 0.9669 at 150,000 exhibit high F-measure values, indicating their effective-
samples. This signifies the algorithm’s proficiency in striking ness in achieving a balance between precision and recall.
a balance between precision and recall, a vital aspect of The ‘F-Measure RF’ model shows the most variability
intrusion detection. The ‘F-Measure Levenberg Neural’ clas- in performance, with lower F-Measure values for some sam-
sifier also demonstrates competitive performance, gradually ple sizes. The ‘F-Measure KNN with 10 Neighbors’ and
improving from 0.8417 to 0.9529 across the dataset sizes. ‘F-Measure Multi-SVM’ models also demonstrate variability
The ‘F-Measure DT’ maintains consistent scores, indicating in F-Measure values, suggesting that their performance may
its robustness in attack detection, particularly in larger-scale be influenced by the specific dataset or sample size.
networks.
While the ‘F-Measure RF’ exhibits competitive perfor- V. CONCLUSION AND FUTURE DIRECTIONS
mance, it lags slightly behind the top-performing classifiers. A unique approach for creating an intrusion detection system
Similarly, the ‘F-Measure KNN with 10 Neighbors’ and was presented in this study. The method involves combining
‘F-Measure Multi-SVM’ classifiers prove their effective- the hybrid firefly algorithm with the hybrid classifier. The
ness, with the former showcasing significant improve- recent CSE CIC IDS 2018 dataset and simulated dataset were
ment as the dataset size increases. In conclusion, this used to assess the effectiveness of the proposed architecture.
data underscores the robustness and reliability of the Novel feature selection algorithm is proposed which is the
‘F-Measure Proposed Firefly + Hybrid Classifier’ for intru- combination of the firefly algorithm with the decision tree.
sion detection, making it an enticing choice for network The proposed feature selection performs better than the PSO
security where achieving a balanced performance between and GA. We have studied in the literature review that FFA
precision and recall is crucial. The ‘F-Measure Levenberg is performing better than PSO and GA. Also we observed

VOLUME 12, 2024 99237

 P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

this by performing practically that results are better with [14] P. Mishra, V. Varadharajan, E. S. Pilli, and U. Tupakula, ‘‘VMGuard: A
the proposed feature selection algorithm. Hybrid classifier is VMI-based security architecture for intrusion detection in cloud environ-
ment,’’ IEEE Trans. Cloud Comput., vol. 8, no. 3, pp. 957–971, Jul. 2020.
used which is the hybridization of neural network with the [15] Y. Aoudni, C. Donald, A. Farouk, K. B. Sahay, D. V. Babu, V. Tripathi,
DT. The proposed architecture outperforms the other state-of- and D. Dhabliya, ‘‘Cloud security based attack detection using transductive
the-art techniques for finding attacks in the cloud computing learning integrated with hidden Markov model,’’ Pattern Recognit. Lett.,
vol. 157, pp. 16–26, May 2022.
environment. [16] M. M. Sakr, M. A. Tawfeeq, and A. B. El-Sisi, ‘‘Network intrusion detec-
The future directions related to proposed work is itemized tion system based PSO-SVM for cloud computing,’’ Int. J. Comput. Netw.
below: Inf. Secur., vol. 11, no. 3, pp. 22–29, Mar. 2019.
[17] S. Velliangiri and J. Premalatha, ‘‘Intrusion detection of distributed
• Adaptive attack detection system is a good future
denial of service attack in cloud,’’ Cluster Comput., vol. 22, no. 5,
scope in the field of security of clouds. Dynamic con- pp. 10615–10623, Sep. 2019.
ditions can be controlled by developing an adaptive [18] S. S. Sathiyadhas and M. C. V. Soosai Antony, ‘‘A network intru-
sion detection system in cloud computing environment using dragonfly
detection system. Dynamic network condition include
improved invasive weed optimization integrated shepard convolutional
change in the environmental configurations, compu- neural network,’’ Int. J. Adapt. Control Signal Process., vol. 36, no. 5,
tation resources and different locations where attack pp. 1060–1076, May 2022.
detection systems are deployed. Dynamic conditions [19] B. V. Srinivas, I. Mandal, and S. Keshavarao, ‘‘Virtual machine migration-
based intrusion detection system in cloud environment using deep recurrent
can be controlled by developing an adaptive detection neural network,’’ Cybern. Syst., vol. 55, no. 2, pp. 450–470, Feb. 2024.
system. [20] T. V. Geetha and A. J. Deepa, ‘‘A FKPCA-GWO WDBiLSTM classifier
• Another future direction can be developing an IDS for intrusion detection system in cloud environments,’’ Knowl.-Based Syst.,
vol. 253, Oct. 2022, Art. no. 109557.
which expands or contracts according to the virtual [21] S. Hizal, Ü. Çavusoglu, and D. Akgün, ‘‘A new deep learning based
machines of the cloud. Vulnerabilities can be detected intrusion detection system for cloud security,’’ in Proc. 3rd Int. Congr.
by discovering an efficient detection system. Human-Computer Interact., Optim. Robotic Appl. (HORA), Istanbul,
Turkey, Jun. 2021, pp. 1–4.
[22] U. A. Butt, M. Mehmood, S. B. H. Shah, R. Amin, M. W. Shaukat,
REFERENCES S. M. Raza, D. Y. Suh, and M. J. Piran, ‘‘A review of machine learn-
[1] P. Rana, I. Batra, A. Malik, A. L. Imoize, Y. Kim, S. K. Pani, N. Goyal, ing algorithms for cloud computing security,’’ Electronics, vol. 9, no. 9,
A. Kumar, and S. Rho, ‘‘Intrusion detection systems in cloud comput- p. 1379, Aug. 2020.
ing paradigm: Analysis and overview,’’ Complexity, vol. 2022, pp. 1–14, [23] H. Hourani and M. Abdallah, ‘‘Cloud computing: Legal and security
Jun. 2022. issues,’’ in Proc. 8th Int. Conf. Comput. Sci. Inf. Technol. (CSIT), Amman,
[2] P. S. Bawa et al., ‘‘Enhanced mechanism to detect and mitigate economic Jordan, Jul. 2018, pp. 13–16.
denial of sustainability (EDoS) attack in cloud computing environments,’’ [24] J. Martínez Torres, C. Iglesias Comesaña, and P. J. García-Nieto, ‘‘Review:
Int. J. Adv. Comput. Sci. Appl., vol. 8, no. 9, pp. 51–58, 2017. Machine learning techniques applied to cybersecurity,’’ Int. J. Mach.
[3] P. Singh, S. Manickam, and S. U. Rehman, ‘‘A survey of mitigation Learn. Cybern., vol. 10, no. 10, pp. 2823–2836, Oct. 2019.
techniques against economic denial of sustainability (EDoS) attack on [25] M. Fouda, R. Ksantini, and W. Elmedany, ‘‘A novel intrusion detection
cloud computing architecture,’’ in Proc. 3rd Int. Conf. Rel., INFOCOM system for Internet of Healthcare Things based on deep subclasses disper-
Technol. Optim., Oct. 2014, pp. 1–4. sion information,’’ IEEE Internet Things J., vol. 10, no. 10, pp. 8395–8407,
[4] F. Kuang, W. Xu, and S. Zhang, ‘‘A novel hybrid KPCA and SVM with GA May 2023.
model for intrusion detection,’’ Appl. Soft Comput., vol. 18, pp. 178–184, [26] F. Elghaish, S. T. Matarneh, and M. Alhusban, ‘‘The application of ‘deep
May 2014. learning’ in construction site management: Scientometric, thematic and
[5] V. Balamurugan and R. Saravanan, ‘‘Enhanced intrusion detection and pre- critical analysis,’’ Construct. Innov., vol. 22, pp. 580–603, Jun. 2022.
vention system on cloud environment using hybrid classification and OTS [27] A. Halbouni, T. S. Gunawan, M. H. Habaebi, M. Halbouni, M. Kartiwi,
generation,’’ Cluster Comput., vol. 22, no. 6, pp. 13027–13039, Nov. 2019. and R. Ahmad, ‘‘Machine learning and deep learning approaches for
[6] D.-S. Huang and H.-J. Yu, ‘‘Normalized feature vectors: A novel CyberSecurity: A review,’’ IEEE Access, vol. 10, pp. 19572–19585, 2022.
alignment-free sequence comparison method based on the numbers of [28] N. Chaabouni, M. Mosbah, A. Zemmari, C. Sauvignac, and P. Faruki,
adjacent amino acids,’’ IEEE/ACM Trans. Comput. Biol. Bioinf., vol. 10, ‘‘Network intrusion detection for IoT security based on learning tech-
no. 2, pp. 457–467, Mar. 2013. niques,’’ IEEE Commun. Surveys Tuts., vol. 21, no. 3, pp. 2671–2701,
[7] H. Abusamra, ‘‘A comparative study of feature selection and classification 3rd Quart., 2019.
methods for gene expression data of glioma,’’ Proc. Comput. Sci., vol. 23, [29] A. A. Hady, A. Ghubaish, T. Salman, D. Unal, and R. Jain, ‘‘Intrusion
pp. 5–14, Jan. 2013. detection system for healthcare systems using medical and network data:
[8] K. Zhang, Y. Li, P. Scarf, and A. Ball, ‘‘Feature selection for high- A comparison study,’’ IEEE Access, vol. 8, pp. 106576–106584, 2020.
dimensional machinery fault diagnosis data using multiple models and [30] M. Almseidin, M. Alzubi, S. Kovacs, and M. Alkasassbeh, ‘‘Evaluation
radial basis function networks,’’ Neurocomputing, vol. 74, no. 17, of machine learning algorithms for intrusion detection system,’’ in Proc.
pp. 2941–2952, Oct. 2011. IEEE 15th Int. Symp. Intell. Syst. Informat. (SISY), Avadi, India, Sep. 2017,
[9] T. W. Rauber, F. de Assis Boldt, and F. M. Varejão, ‘‘Heterogeneous feature pp. 000277–000282.
models and feature selection applied to bearing fault diagnosis,’’ IEEE [31] A. L. Buczak and E. Guven, ‘‘A survey of data mining and machine
Trans. Ind. Electron., vol. 62, no. 1, pp. 637–646, Jan. 2015. learning methods for cyber security intrusion detection,’’ IEEE Commun.
[10] A. Khotanzad and Y. H. Hong, ‘‘Rotation invariant image recognition using Surveys Tuts., vol. 18, no. 2, pp. 1153–1176, 2nd Quart., 2016.
features selected via a systematic method,’’ Pattern Recognit., vol. 23, [32] M. Albahar, A. Alharbi, M. Alsuwat, and H. Aljuaid, ‘‘A hybrid model
no. 10, pp. 1089–1101, Jan. 1990. based on radial basis function neural network for intrusion detection,’’ Int.
[11] D. D. Lewis, Y. Yang, T. G. Rose, and F. Li, ‘‘RCV1: A new benchmark J. Adv. Comput. Sci. Appl., vol. 11, no. 8, pp. 781–791, 2020.
collection for text categorization research,’’ J. Mach. Learn. Res., vol. 5, [33] H. Attou, A. Guezzaz, S. Benkirane, M. Azrour, and Y. Farhaoui, ‘‘Cloud-
pp. 361–397, Dec. 2004. based intrusion detection approach using machine learning techniques,’’
[12] P. Varun and K. Ashokkumar, ‘‘Intrusion detection system in cloud secu- Big Data Mining Analytics, vol. 6, no. 3, pp. 311–320, Sep. 2023.
rity using deep convolutional network,’’ Appl. Math. Inf. Sci., vol. 16, [34] I. Reis, D. Baron, and S. Shahaf, ‘‘Probabilistic random forest: A machine
pp. 581–588, Jan. 2022. learning algorithm for noisy data sets,’’ Astronomical J., vol. 157, no. 1,
[13] S. I. Shyla and S. S. Sujatha, ‘‘Cloud security: LKM and optimal fuzzy p. 16, Jan. 2019.
system for intrusion detection in cloud environment,’’ J. Intell. Syst., [35] Accessed: Jan. 14, 2024. [Online]. Available: https://www.kaggle.com/
vol. 29, no. 1, pp. 1626–1642, Dec. 2019. datasets/solarmainframe/ids-intrusion-csv

99238 VOLUME 12, 2024

P. Rana et al.: Efficacious Novel Intrusion Detection System for Cloud Computing Environment

[36] A. Sundas and S. N. Panda, ‘‘An introduction of CloudSim simulation tool IN-HO RA (Member, IEEE) received the Ph.D.
for modelling and scheduling,’’ in Proc. Int. Conf. Emerg. Smart Comput. degree in computer engineering from Chung-Ang
Informat. (ESCI), Mar. 2020, pp. 263–268. University, Seoul, South Korea. He is currently a
[37] H. S. Gebremedhen, D. E. Woldemichael, and F. M. Hashim, ‘‘A firefly Professor. His research interests include wireless
algorithm based hybrid method for structural topology optimization,’’ Adv. ad hoc and sensor networks, blockchain, the IoT,
Model. Simul. Eng. Sci., vol. 7, no. 1, pp. 1–20, Dec. 2020. PS-LTE, and microgrids.
[38] [Online]. Available: https://www.kaggle.com/datasets/solarmainframe/
ids-intrusion-csv

POOJA RANA received the B.Tech. and M.Tech.

degrees in computer science and engineering
from Punjab Technical University, Jalandhar. She
was an Assistant Professor. She is currently a
Research Scholar with Lovely Professional Uni- OH-SUNG LEE received the bachelor’s degree
versity, Phagwara. Her research interests include in electronic and electrical engineering from
cloud computing and security. Hanyang University, South Korea, in 2008, and
the master’s degree in business administration
from Chonbuk National University, in 2018. He is
currently pursuing the Ph.D. degree in informa-
tion and communications propagation engineering
with Kunsan National University. His research
interests include cloud, blockchain, and the
ISHA BATRA received the M.E. and Ph.D. Internet of Thing.
degrees. She is currently an Associate Professor
with Lovely Professional University, India. She
has over ten years of teaching experience and has
published around 30 research papers and articles.
She has supervised nine M.Tech. and supervis-
ing eight Ph.D. dissertations. Her research inter-
ests include wireless networks, sensor networks,
ad hoc networks, VANET, MANET, and the A. S. M. SANWAR HOSEN received the M.S.
Internet of Things. and Ph.D. degrees in computer science and engi-
neering from Jeonbuk National University, Jeonju,
South Korea. He is currently an Assistant Profes-
sor with the Department of Artificial Intelligence
and Big Data, Woosong University, Daejeon,
ARUN MALIK received the M.Tech. and Ph.D. South Korea. He has published several papers
degrees. He is currently a Professor with Lovely in journals and international conferences. His
Professional University, India. He has more than research interests include wireless sensor net-
13 years of teaching experience and has published works, the Internet of Things, fog cloud com-
around 60 research papers in SCI/Scopus-indexed puting, cyber security, data distribution services, artificial intelligence,
journals and conferences. He has supervised eight blockchain, and green IT. He has been an Expert Reviewer of IEEE
M.Tech. students and supervising eight Ph.D. dis- TRANSACTIONS, Elsevier, Springer, and MDPI journals and magazines. He has
sertations. His current research interests include also been invited to serve as the Guest Editor and the Program Committee
wireless networks, ad hoc networks (VANET Member for several reputed international conferences, such as IEEE and
and MANET), the Internet of Things (IoT), and ACM.
network security.

VOLUME 12, 2024 99239