Abstract
The protection of patient information in modern healthcare demands overcoming major challenges intensified by the integration of Internet of Things (IoT) technologies. The proposed Random Coupled Bootstrapped Ensemble Classifier (RCBEC) offers an advanced intrusion detection framework to enhance cyberattack detection in smart healthcare environments. The model optimizes both accuracy and feature selection to improve computational efficiency and precision. Data preprocessing employs Decimal Score Max Normalization for transformation, duplicate removal, and handling of missing values. Feature extraction through K-Best Kernel Discriminant Analysis (K-BKDA) and optimization via Hunter Canis Algorithm (HCA) ensure effective identification of attack-relevant features. Implemented in a Python-based ECU-IoHT environment, the RCBEC achieves 99.6% accuracy and F1-score, outperforming existing intrusion detection methods. The ensemble classifier combines rapid computational performance with robust threat identification capabilities, enhancing security in IoT-enabled healthcare systems. Comparative analysis demonstrates the system’s superior generalization and adaptability across diverse datasets. Overall, the proposed RCBEC model establishes a resilient and intelligent mechanism for detecting and mitigating cybersecurity threats in healthcare networks. This work highlights how machine learning-driven intrusion detection significantly strengthens patient data protection, operational reliability, and trust in next-generation healthcare systems.
I. Introduction
The Internet of Things (IoT) has advanced dramatically in recent years, making it feasible to develop healthcare monitoring systems that use low-power, inexpensive sensors. Over the last several years, these sensors have seen widespread use for remote patient monitoring, reducing the need for clinicians to be physically present on-site. A wide variety of medical applications, including early diagnosis, real-time monitoring, and medical crises, may be effectively supported by recent developments in the Internet of Things (IoT) and wireless communications. Safe and practical methods for identifying life-threatening emergencies in real time can lessen the reliance on carers and cut medical treatment expenses. Innovative decision-making processes may enable early therapies that produce favourable health outcomes and potentially save lives in the community. Accomplishing such objectives requires continuous monitoring of community members' vital signs, which may be achieved via wearable sensors; medical care providers can then offer residents of these smart communities effective remote healthcare communication services for monitoring and diagnosis. Any security risk to these systems can cause a significant issue, such as the imposition of an incorrect diagnosis or the postponement of contact. Under these circumstances, patients' right to privacy is violated, their health suffers, and in the most severe situations they may even die. 1 Machine learning (ML) is intimately connected to computational statistics, with which it substantially overlaps, and it also has strong linkages to mathematical optimization. The introduction of ML to cybersecurity applications over the last decade has made possible hybrid network analysis that incorporates both misuse detection and anomaly detection. Anomaly detection identifies any aberrant behaviour inside the network, while misuse detection identifies known attacks from their signatures; anomaly detection is the most promising method for dealing with attacks that have not been observed before, often known as zero-day attacks. 2 Machine learning may be utilized to manage security vulnerabilities in healthcare systems: it can discover attacks by monitoring data tampering or by detecting changes in the network's traffic characteristics. Attacks that involve the modification of packets in real time include Man-in-the-Middle (MITM) attacks against the system. 3 Even though machine learning may not be appropriate for problems that call for a formal descriptive solution, it can produce reliable outcomes in challenges and domains that humans find difficult to formalize. Because of this, machine learning is particularly effective in data clustering and classification, both fundamental building blocks of data security applications. Most models for internet security are based on the idea of creating a blocklist of hazardous or malicious requests to prohibit. Because attackers continually and inventively improve and alter their methods, their malicious requests cannot be expected to fall into the blocklist, and with only a small adjustment an attacker can avoid detection.
4 This negative paradigm, which involves repeatedly changing the ruleset to enumerate all requests that may be harmful, is not only unrealistic but also exceedingly resource-intensive. Here machine learning can play a large part by learning what legitimate requests look like, so that requests which do not match the learned model are likely to be attacks. 5

With the help of a wide range of healthcare sensors, we have developed a testbed for the ensemble cyber threat detection system. This testbed uses machine learning capabilities to address security concerns. Its components are an Intrusion Detection System computer that monitors network traffic and identifies anomalous behaviours, a gateway for data collection, an attacker machine that simulates genuine attacks threatening the system, and a server. The server is the endpoint of the system, responsible for storing medical treatment records and making them accessible to the clinic. Machine learning models allow risks such as data tampering and spoofing to be detected.

The integration of Internet of Things (IoT) technologies into healthcare has enabled efficient remote monitoring and intelligent patient care. However, the growing interconnectivity of medical devices and cloud-based services has also exposed healthcare networks to complex cyber threats, including Denial-of-Service (DoS), ARP spoofing, and probing attacks. These threats can compromise patient privacy, data integrity, and even patient safety, emphasising the urgent need for intelligent intrusion detection mechanisms. Such detection requires a thorough examination of the patient's biometric data and of the peculiarities of network traffic: the approach sends a threat warning to the system management if any traffic metric or biometric reading is abnormal. The existing body of research has examined several machine-learning techniques for their suitability in security approaches. The work presented here examines in depth the operation of a random coupled bootstrapped ensemble classifier model of the kind adopted by several healthcare companies.

Helbing et al. (2015) argue that many societal risks such as disasters, crime, terrorism, wars, and epidemics arise from complex, non-linear dynamics that cannot be addressed effectively through traditional deterrence or control strategies. 6 They highlight the role of complexity science and real-time information systems in modelling crowd behaviour, detecting early warning signals, and designing proactive, life-saving interventions. Complementing this perspective, Podobnik et al. (2015) explore the resilience of competing and interdependent networks under targeted attacks, introducing a game-theoretic framework to quantify the "cost of attack." Their findings show that while competition can intensify vulnerabilities, cooperative strategies can reduce systemic risks. 7 Together, these studies underscore the significance of complexity theory and network science in strengthening cybersecurity and healthcare security systems by enabling predictive, preventive, and adaptive responses to emerging threats. 8 Traditional machine learning and deep learning-based intrusion detection systems (IDS) often face limitations such as high false alarm rates, overfitting, and weak adaptability 9 across diverse IoT environments.
This research addresses these challenges through the following research question:
How can an ensemble-based model be designed to enhance intrusion detection accuracy and adaptability across heterogeneous healthcare IoT datasets?
We propose a Random Coupled Bootstrapped Ensemble Classifier (RCBEC), integrated with K-Best Kernel Discriminant Analysis (K-BKDA) for feature extraction and Hunter Canis Optimization (HCA) for optimal feature selection. The key contributions include: (1) a hybrid feature optimization framework combining K-BKDA and HCA; (2) the design of an adaptive ensemble model (RCBEC) with random coupling and weighted voting; and (3) comprehensive validation across multiple benchmark datasets showing superior accuracy and generalization.
Beyond the state of the art, the proposed system enhances detection precision and resilience by dynamically coupling base learners based on internal validation accuracy, offering improved adaptability, robustness, and real-time applicability in healthcare IoT security. The remainder of the paper is structured as follows: Section 2 analyzes the existing methodology; Section 3 presents the proposed framework; Sections 4 and 5 present the experimental methodology and the results.
II. Related work
Earlier studies on intrusion detection systems and machine learning are briefly summarised below, with emphasis on their benefits and drawbacks. This paper's primary emphasis is an ensemble-based machine learning technique, for which this section provides the necessary background. Researchers have developed various machine learning-based techniques at different points in time; we review fairly recent models, outlining their advantages and disadvantages, to establish the relevance of our ensemble-based strategy for identifying intrusions and guaranteeing network security. Sarker (2022) highlighted the role of machine learning in automating intelligent threat detection and predictive cybersecurity analytics. 10 Jelen (2020) classified intrusion detection systems into NIDS, HIDS, and signature- or anomaly-based methods, noting challenges such as false positives. 11 Network Security Concepts (2023) emphasized the CIA triad and layered defenses to protect networks from malware and DDoS attacks. 12 Jeong et al. (2023) demonstrated that multi-resolution analysis improves IDS accuracy by effectively visualizing network traffic patterns. 13
Hachmi et al. (2019) applied multiobjective optimization using genetic algorithms to reduce false positives and negatives in IDS. 14 Their model achieved an average accuracy of 89% on the KDDCup'99 dataset, with accuracy reaching 99%, and identification accuracy was also evaluated on NSL-KDD, another public dataset. The model's accuracy was further assessed in the current networking environment: to put the concept to the test, two datasets were employed, and the results demonstrated high accuracy.
Note that the suggested method has been evaluated on only two widely used IDS datasets and may not work well on others; moreover, considerable processing power may be required to run the recommended method's deep learning models and the double PSO-based approach. Turaiki et al. 25 established anomaly-based network intrusion detection using a CNN approach and conducted experiments on the NSL-KDD dataset; the model, however, suffers from a very low true positive rate.
Al-Daweri et al. 28 offered a fresh dataset and an adaptive technique for IDS in 2021, reporting high accuracy on the UKM-IDS20 dataset.
Tabbaa and Ifzarne created an online ensemble learning model in 2022 that identified attacks in wireless sensor networks with a high success rate.
An intrusion detection system relying on a one-class support vector machine and a Gaussian mixture model was suggested by Wang et al. 35 in 2023. Their methodology trains two semi-supervised detectors, the one-class support vector machine (OCSVM) and the Gaussian mixture model (GMM), on representative features extracted from normal data by an autoencoder (AE). They achieved impressive results.
Analysis of existing deep learning methodologies for IoT security.
The author of Ref. 48 presents a deep-autoencoder-based intrusion detection system (IDS) to identify hostile activity in IIoT-driven IICS networks in real time. An LSTM autoencoder design is the foundation of the proposed model, which is intended to recognise intrusive events inside IICS networks. Experimental results on two benchmark datasets, the gas pipeline dataset and UNSW-NB15, demonstrate the proposed model's superiority over other compelling models, with high reported accuracy on both datasets.
The review of current intrusion detection models makes it evident that not all intrusion detection approaches are compatible with deep learning models that depend on a single classifier and the current feature selection strategy. Because not all datasets or newly structured intrusions are receptive to all models, some models produce markedly better answers than others. It is therefore essential to develop an intrusion detection model capable of managing both known and unknown intrusions and of supporting any publicly available dataset. The recommended technique introduces several novel approaches to choosing features, after which the model is constructed with the help of an ensemble classifier. In the ensemble-based machine learning technique, the combination of random forests improves the stability and accuracy of the models. The random forest approach can detect a greater variety of intrusions with more reliability, because it has a reduced risk of false positives and false negatives. The presented technique uses a random forest ensemble-based machine learning approach for intrusion detection, with the potential to offer a more comprehensive and efficient solution for ensuring network security against any form of attack or intrusion.
Recent advances in intrusion detection and health-IoT security have been driven not only by powerful deep learners (CNN, LSTM, autoencoders, etc.) but increasingly by hybrid approaches that combine metaheuristic optimization with machine-learning models to improve feature selection, hyperparameter tuning, and robustness. Metaheuristics such as Particle Swarm Optimization (PSO), Genetic Algorithms (GA), Grey Wolf/Hunter-Canis, and modified evolutionary strategies have been used to optimize model architectures and select discriminative features, reducing false alarms and training cost when paired with classifiers or deep networks. A promising prospective line of research, directly relevant to both healthcare sensing and IoT security, is the coupling of metaheuristics with sequence and representation learners: for example, deep LSTM models whose hyperparameters or structure are optimized by a modified metaheuristic algorithm (recent work in biomedical signal classification, e.g., Parkinson's detection, demonstrates clear gains in sensitivity and robustness when model search is guided by optimization algorithms). Similarly, CNN-enhanced frameworks combined with explainable AI (XAI) methods have been proposed for IoT/metaverse security both to detect attacks and to provide human-interpretable reasons for alarms, which is essential for clinical or safety-critical deployments.

These hybrid families (metaheuristic + ML, CNN + XAI, federated + metaheuristic tuning) differ from single-classifier or off-the-shelf deep models in that they explicitly address (a) feature-space search, (b) model generalization across datasets, and (c) resource-constrained deployment. The current study's ensemble approach is well placed within this ecosystem, but the literature review and comparative analysis would benefit from explicitly surveying and benchmarking these hybrid methods, including metaheuristic-driven LSTM/CNN variants, meta-learning/AutoML solutions, and XAI-aware detectors, to establish the true robustness and practical advantages of the proposed RCBEC pipeline. Doing so shifts the comparison from accuracy numbers only to a fuller assessment of robustness, interpretability, and deployment cost.
Summary of hybrid and baseline methods added for comparative analysis to objectively evaluate robustness, scalability, and interpretability of the proposed system.
III. Proposed work
This section provides a detailed description of the proposed model for detecting intrusions. Figure 1 presents the workflow of the proposed intrusion detection framework using the ECU-IoHT dataset.
Figure 1 illustrates the step-by-step methodology, beginning with structured data preparation and error-value removal, followed by normalization (decimal score max normalization) and feature extraction using K-best kernel discriminant analysis. Key features are then selected through HCA, and classification is performed using the random coupled bootstrapped ensemble classifier; finally, performance analysis is conducted. The overall pipeline highlights how the proposed method integrates preprocessing, feature engineering, and ensemble learning to improve detection accuracy in IoT-based healthcare systems.
a. Dataset
Description and distribution of the ECU-IoHT dataset used in the proposed system.
b. Preprocessing
Data preprocessing is an essential step in the machine learning pipeline, as it involves cleaning and transforming the data to ensure efficient utilization by the models. The quality of the input data substantially influences the final model's accuracy and efficacy. Preprocessing ensures the input data's consistency, correctness, and utility: data cleansing eliminates discrepancies and inaccuracies, facilitates normalization for better comparability and analysis, and improves data manageability and usability for machine learning models. The preprocessing in this model involves several steps: applying decimal score max normalization, removing duplicates, replacing infinite and large values with NaNs, dropping rows with NaNs, separating numerical and categorical columns, normalizing numerical columns, encoding categorical columns, and converting the target variable into a discrete variable. First, the "duplicated" function from the pandas library identifies duplicate rows in the data frame, returning True for any duplicated entries. The "drop_duplicates" function from the pandas package then removes the duplicate entries. Subsequently, the "replace" function from the pandas and numpy libraries substitutes infinite and extremely large values, as well as values that do not conform to a particular pattern, with NaNs. Any rows with missing values (NaNs) are then eliminated using the "dropna" function from the pandas library.
The remaining data frame is divided between columns that contain numerical values and columns that contain categorical values: numerical columns have data types "float64" or "int64", whereas categorical columns have data type "object". The code then uses the "StandardScaler" function from the sklearn package to standardize the numerical columns, guaranteeing that every feature has a mean of zero and a variance of one. The categorical columns are encoded using the "LabelEncoder" function from the sklearn package, which transforms categorical variables into numerical ones by assigning a distinct integer value to each unique value. Ultimately, the data are partitioned into two components, features (X) and labels (y), with the "Label" column designated as the target variable. The target variable y is then transformed into a discrete variable using the "cut" function from the pandas library, which partitions it into 10 equidistant bins, each allocated a distinct integer value.
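The steps above can be summarized in a short sketch; this is a minimal illustration assuming a pandas DataFrame df with a "Label" target column, not the authors' exact implementation.

```python
import numpy as np
import pandas as pd
from sklearn.preprocessing import StandardScaler, LabelEncoder

def preprocess(df: pd.DataFrame):
    # Remove duplicate rows flagged by duplicated().
    df = df.drop_duplicates()

    # Replace infinite values with NaN, then drop rows with missing values.
    df = df.replace([np.inf, -np.inf], np.nan).dropna()

    # Separate numerical and categorical columns by dtype.
    num_cols = df.select_dtypes(include=["float64", "int64"]).columns.drop("Label", errors="ignore")
    cat_cols = df.select_dtypes(include=["object"]).columns

    # Standardize numerical columns to zero mean and unit variance.
    df[num_cols] = StandardScaler().fit_transform(df[num_cols])

    # Encode categorical columns as distinct integers.
    for col in cat_cols:
        df[col] = LabelEncoder().fit_transform(df[col])

    # Split into features and labels; discretize the target into 10 equidistant bins.
    X = df.drop(columns=["Label"])
    y = pd.cut(df["Label"], bins=10, labels=False)
    return X, y
```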
c. Feature extraction
Numerous approaches make heavy use of K-best kernel discriminant analysis (K-BKDA), which has several potential uses. The objective function employs each sample point's degree of membership with respect to the class centre, and the distance between a sample point and a clustering centre is evaluated using the Euclidean distance. The minimal value for each clustering centre may be found by solving the function for the non-similarity index; the generalization is given in Equation (1).
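Equation (1) can be read as a standard fuzzy-membership clustering objective; a formulation consistent with the description above (with the fuzzifier $m$ an assumption) is

$$J(U, c) \;=\; \sum_{i=1}^{N} \sum_{j=1}^{k} u_{ij}^{\,m}\,\lVert x_i - c_j \rVert^{2},$$

where $u_{ij}$ denotes the membership degree of sample $x_i$ with respect to centre $c_j$, $m > 1$ controls the fuzziness, and minimizing $J$ yields the cluster centres.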
The centres c and the membership matrix U are the outputs of the K-BKDA algorithm; U collects the membership degrees of all objects with respect to the centres c. Equation (3) provides the series of lower approximations.
The new approach may or may not assign a non-membership value. When the membership value is close to 0 or 1, the observation can be assigned with a high level of certainty; when it is close to 0.5, the assignment carries considerable doubt. Equation (5) measures the non-membership value.
Each object receives a membership degree for every feature, as given in Eq. (7).
Data equivalence is the basis for measuring approximation similarity or equality, whereas equivalence relations are the basis for model equality. The equivalence relation R is applied as in Eq. (8), in which the number b denotes a parameter of the relation.
d. Feature selection
The novel optimization algorithm HCA was inspired by the strategies grey wolves use in the wild while hunting, applied here to feature selection. The four steps of this algorithm - encircling, hunting, seeking, and attacking - are modelled mathematically below. The whole population of grey wolves may be broken down into four distinct tiers: alpha, beta, delta, and omega. The best solution found so far is represented by the pack's alpha, which makes the key decisions. The beta, which backs up the alpha, is the next-best alternative; the delta is the third-best option, while the omegas represent all other candidates. In the HCA, the alpha, beta, and delta wolves hunt while the omega wolves follow their lead. Grey wolves typically encircle their prey before beginning to hunt. The following equations model the encircling procedure, and Figure 2 depicts the process of optimization in the Grey Wolf Optimizer.
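In the standard Grey Wolf Optimizer form on which the HCA is modelled, the encircling step can be written as

$$\vec{D} = \lvert \vec{C} \cdot \vec{X}_p(t) - \vec{X}(t) \rvert, \qquad \vec{X}(t+1) = \vec{X}_p(t) - \vec{A} \cdot \vec{D},$$

$$\vec{A} = 2\vec{a} \cdot \vec{r}_1 - \vec{a}, \qquad \vec{C} = 2\vec{r}_2,$$

where $\vec{X}_p$ is the position of the prey, $\vec{X}$ is the position of a wolf, $\vec{r}_1$ and $\vec{r}_2$ are random vectors in $[0,1]$, and the components of $\vec{a}$ decrease linearly from 2 to 0 over the iterations.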

Figure 2 illustrates how wolves encircle prey and update their positions according to the best candidates (alpha, beta, and delta); the main message is that the wolves gradually converge toward the prey, demonstrating the algorithm's balance of exploitation and exploration. Wolves in the area around the prey close within a short range. While the prey's exact location is unknown, the pack's alpha, beta, and delta wolves can be assumed to be the closest to it. So, given the best solutions obtained so far, the following equations simulate the hunting operation and determine where the other wolves move:
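In the standard Grey Wolf Optimizer form, Equations (16)-(19) correspond to

$$\vec{X}_1 = \vec{X}_\alpha - \vec{A}_1 \cdot \vec{D}_\alpha, \qquad \vec{X}_2 = \vec{X}_\beta - \vec{A}_2 \cdot \vec{D}_\beta, \qquad \vec{X}_3 = \vec{X}_\delta - \vec{A}_3 \cdot \vec{D}_\delta,$$

$$\vec{X}(t+1) = \frac{\vec{X}_1 + \vec{X}_2 + \vec{X}_3}{3},$$

with $\vec{D}_\alpha = \lvert \vec{C}_1 \cdot \vec{X}_\alpha - \vec{X} \rvert$ and analogous expressions for $\vec{D}_\beta$ and $\vec{D}_\delta$.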
Distances to the alpha, beta, and delta wolves are determined first. The new candidate positions relative to the alpha, beta, and delta wolves are given by Equations (16)-(18), while the estimated location of the prey is given by Equation (19). When the grey wolves have finished foraging for food, they are instructed to leave the area. The search process is further aided by the coefficient P, whose value controls whether the wolves move toward the prey (exploitation) or away from it (exploration).
The algorithm for the HCA approach is sketched below.
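This is a minimal Python sketch that follows the standard Grey Wolf Optimizer update rules; the fitness callable and the 0.5 binarization threshold are illustrative assumptions rather than the authors' exact implementation.

```python
import numpy as np

def hca_feature_selection(fitness, n_features, n_wolves=20, n_iters=100):
    """GWO-style search: positions in [0, 1]^n are thresholded to feature masks."""
    X = np.random.rand(n_wolves, n_features)          # wolf positions
    scores = np.array([fitness(x > 0.5) for x in X])  # fitness of each feature mask

    for t in range(n_iters):
        a = 2 - 2 * t / n_iters                       # a decreases linearly from 2 to 0
        order = np.argsort(scores)[::-1]              # rank wolves, best first
        alpha, beta, delta = X[order[0]], X[order[1]], X[order[2]]

        for i in range(n_wolves):
            X_new = np.zeros(n_features)
            for leader in (alpha, beta, delta):
                r1, r2 = np.random.rand(n_features), np.random.rand(n_features)
                A, C = 2 * a * r1 - a, 2 * r2
                D = np.abs(C * leader - X[i])         # distance to the leader
                X_new += leader - A * D               # move relative to the leader
            X[i] = np.clip(X_new / 3.0, 0, 1)         # average of the three moves
            scores[i] = fitness(X[i] > 0.5)

    best = X[np.argmax(scores)]
    return best > 0.5                                 # boolean mask of selected features
```

A caller would supply a fitness function that trains a lightweight classifier on the masked feature subset and returns, for example, its validation accuracy.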
e. Attack detection
The random coupled bootstrapped ensemble classifier (RCBEC) method can be categorized as an ensemble learning approach. The current study used the ensemble and random forest methods to construct a classifier model for classifying attack data. The RCBEC classifier model is built from several RF classifiers, each of which functions independently, enabling concurrent training and testing of models without interference between the two processes. For this research, a training dataset G, consisting of g components, was used.
The input features and the sets of base classifiers are denoted symbolically in the formulation that follows. Equation (9) represents the probability of correctly categorizing a given sample g into class v using the random forest approach, and Equation (10) presents the mathematical formula for the margin function linked to this prediction. The margin function is a quantitative metric of the average number of votes obtained by the correctly recognized category relative to the votes received by the other categories. The decision function, represented in Equation (24), produces the final results of the random forest approach.
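In Breiman's random forest formulation, the margin function is commonly written as

$$mg(X, Y) \;=\; \operatorname{av}_k I\big(h_k(X) = Y\big) \;-\; \max_{v \neq Y} \operatorname{av}_k I\big(h_k(X) = v\big),$$

where $h_k$ denotes the $k$-th tree, $I(\cdot)$ is the indicator function, and a positive margin indicates that the correct class wins the majority vote.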
Here, j indexes the base classifiers; the expected customization settings are coupled to them, and the attack categories or classes are labelled correspondingly.
Finally, the attack data can be classified.
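For illustration, an ensemble of this kind might look like the following minimal sketch. Weighting members by internal validation accuracy follows the weighted-voting description in Section I, but the class name, parameters, and coupling rule here are assumptions rather than the authors' published code (inputs are assumed to be numpy arrays, with every class present in each bootstrap sample).

```python
import numpy as np
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import train_test_split

class RCBEC:
    """Sketch: bootstrapped random forests combined by accuracy-weighted voting."""

    def __init__(self, n_members=5, random_state=0):
        self.n_members = n_members
        self.rng = np.random.default_rng(random_state)
        self.members, self.weights = [], []

    def fit(self, X, y):
        for _ in range(self.n_members):
            # Bootstrap sample for this ensemble member.
            idx = self.rng.integers(0, len(X), size=len(X))
            Xb, yb = X[idx], y[idx]
            Xtr, Xval, ytr, yval = train_test_split(Xb, yb, test_size=0.2)
            rf = RandomForestClassifier(n_estimators=100).fit(Xtr, ytr)
            # Couple members through internal validation accuracy, used as a vote weight.
            self.members.append(rf)
            self.weights.append(rf.score(Xval, yval))
        return self

    def predict(self, X):
        # Accuracy-weighted soft voting across ensemble members.
        probs = sum(w * m.predict_proba(X) for w, m in zip(self.weights, self.members))
        classes = self.members[0].classes_
        return classes[np.argmax(probs, axis=1)]
```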
IV. Performance analysis
This section presents the assessment metrics, environmental setup, and results of the proposed system for detecting cyber-attacks on the Internet of Health Things (IoHT). The suggested technique is implemented and evaluated on the ECU-IoHT dataset using a DELL laptop with Windows 10, 16 GB RAM, and an Intel Core i5-10210U CPU. Spyder with Python 3.8 serves as the implementation tool, together with the matplotlib (3.3.2), NumPy (1.19.2), pandas (1.1.3), scikit-learn (0.23.2), Keras (2.6.0), and TensorFlow (2.6.0) libraries.
The suggested methodology is applied to a dataset that includes normal and anomalous instances in order to identify different types of attacks on the Internet of Health Things.
The correlation between features in the dataset is computed, and features with high negative or positive values are considered highly correlated. The matrix visualizes pairwise correlations among all features, where values closer to +1 or -1 indicate stronger positive or negative correlations, respectively. Features exceeding a predefined correlation threshold were identified as redundant and dropped to minimize multicollinearity and improve model performance. The correlation matrix of the dataset's features is shown in Figure 3.
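A minimal sketch of this threshold-based pruning, assuming a pandas DataFrame of numeric features and an illustrative threshold of 0.9:

```python
import numpy as np
import pandas as pd

def drop_correlated(df: pd.DataFrame, threshold: float = 0.9) -> pd.DataFrame:
    # Absolute pairwise correlations; the upper triangle avoids double counting.
    corr = df.corr().abs()
    upper = corr.where(np.triu(np.ones(corr.shape, dtype=bool), k=1))
    # Drop any feature correlated above the threshold with an earlier feature.
    to_drop = [col for col in upper.columns if (upper[col] > threshold).any()]
    return df.drop(columns=to_drop)
```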
Optimized features selected for the ECU-IoHT intrusion detection framework.
The simulation interface in Figure 4 shows the configuration of the Random Coupled Bootstrapped Ensemble Classifier (RCBEC) model, with healthcare as the application domain and Denial-of-Service (DoS) as the selected attack category. The system generates simulation results as output files (e.g., replay-of-message, channel-jamming, and cluster-control-system attacks), which are used for further analysis and visualization. This simulated output validates the model's capability to detect different types of network attacks in IoHT environments.
Figure 5 shows the training and validation accuracy over 100 epochs. The training accuracy reaches near-perfect levels early in the training process, while the validation accuracy stabilizes around 99%, indicating a well-fitted model. Figure 6 illustrates the training and validation loss across 100 epochs; both losses decrease sharply at the beginning and then stabilize, suggesting that the model quickly learns and generalizes well without overfitting. Figure 7 shows that, over a 500-epoch run, both training and validation accuracy rapidly converge to nearly 100% within the first ~50 epochs and remain stable thereafter; the minimal gap between the two curves indicates that the model generalizes well without overfitting. Figure 8 shows that over 500 epochs the loss drops sharply during the early epochs and remains consistently low, indicating effective model learning, while the close alignment between training and validation loss suggests strong model stability and minimal overfitting.
As seen in Figures 7 and 8, the suggested approach significantly improves detection accuracy, reaching 100% at 500 epochs. The following metrics measure the efficacy of the proposed system: accuracy, precision, recall, F1-score, true positive rate, and false positive rate. Accuracy is the ratio of correctly categorized records to the total number of records, as shown in Equation (32):
According to Equation (33), precision is the percentage of abnormal occurrences correctly predicted out of all instances predicted to be abnormal. According to Equation (21), recall is the proportion of correctly predicted abnormal cases to the total number of actual abnormal instances. To evaluate the overall performance of the system, the F1-score takes the harmonic mean of precision and recall, as shown in Equation (22).
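The standard definitions consistent with these descriptions are

$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}, \qquad \text{Precision} = \frac{TP}{TP + FP},$$

$$\text{Recall} = \frac{TP}{TP + FN}, \qquad \text{F1} = \frac{2 \cdot \text{Precision} \cdot \text{Recall}}{\text{Precision} + \text{Recall}},$$

where TP, TN, FP, and FN denote true positives, true negatives, false positives, and false negatives, respectively.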
Another way to determine accuracy is to examine the Receiver Operating Characteristic (ROC) curve and the Area Under the ROC Curve (AUC). This statistic gives the probability that a randomly chosen positive test point is ranked as more likely positive than a randomly chosen negative test point.
Figure 9 presents the performance analysis of the suggested methodology across different attack types (ARP, DoS, NMAP, NORMAL, SMURF). The precision, recall, and F1-score values are all consistently above 95%, indicating that the proposed model achieves high detection performance with balanced accuracy across the classes.
The misclassification rate, i.e., the number of samples misrecognized, is used to measure the architecture's performance. Thirty iterations were performed for each session, using the entire training data. Figure 10 presents the misclassification rate analysis.
Figure 11 presents the error-rate variation with respect to file size (in MB). The error rate remains consistently below 0.03% across different file sizes, demonstrating the robustness and scalability of the proposed methodology in handling varying data volumes.
The AUC curve on attack data in Figure 12 shows that the suggested method achieves an outstanding AUC of 96%; accordingly, its classification rate is higher than that of the other existing methodologies.
Figure 13 compares the training and testing (execution) times of different machine learning methodologies: Support Vector Machine (SVM), Random Forest (RF), K-Nearest Neighbours (KNN), Decision Tree (DT), and the proposed model. While traditional models such as RF and KNN consume high testing times (above 20 seconds), the proposed model significantly reduces both training and testing durations, achieving faster computational performance while maintaining high accuracy. To characterize machine learning algorithms appropriately, their runtime must be evaluated in addition to their accuracy. 55 Essential performance metrics include, in particular, the time spent on training and execution. Training time is the time a model spends learning from a dataset, whereas execution time covers the entire computation, including data splitting, data preparation, and model assessment. The SVM method has a training time of 2.01 seconds and an execution time of 21.59 seconds. The RF algorithm takes 2.36 seconds to train and 24.90 seconds to execute; RF therefore takes the longest to train and execute because it constructs and evaluates several different DTs. 56 The KNN method, on the other hand, has a training time of just 0.49 seconds, because it generates no model during training and only stores the training data for later classification; its execution time, however, is 23.46 seconds, since KNN must compute the distance to the k nearest neighbours for each data point. The DT algorithm has a training time of 0.72 seconds and an execution time of 7.47 seconds, making it the fastest of the baseline algorithms, while the proposed method is faster still, requiring 0.5 seconds for training and 6.2 seconds for execution (Figure 13: training and execution times analysis; Figure 14: combined visualization of model performance across multiple datasets; Figure 15: Friedman critical difference diagram for the F1-score statistics).


Performance analysis of the proposed system compared with existing models under various attack scenarios.
The performance of the presented method on several datasets is compared with that of already-existing approaches. 57
To verify the statistical significance of the observed improvements, a non-parametric Friedman test was applied across all evaluated models and datasets. This test is appropriate because it does not assume normal distribution and supports multi-model comparison. When the Friedman test indicated significant differences (p < 0.05), a post-hoc Nemenyi test was performed to identify the specific model pairs with statistically meaningful performance gaps. Additionally, Wilcoxon signed-rank tests and effect size measures (Cohen’s d) were considered to quantify the magnitude and consistency of the improvements achieved by the proposed approach.
The Friedman test ranks models based on their mean F1-score performance across all datasets.
The proposed RCBEC model achieved the lowest (best) average rank, demonstrating statistically superior performance compared to traditional classifiers. Models connected within the same group show no statistically significant difference at the 0.05 significance level.
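A minimal sketch of this testing procedure, assuming a score matrix of F1 values with one row per dataset and one column per model (the scikit-posthocs package supplies the Nemenyi test; all numbers below are hypothetical placeholders, not results from this study):

```python
import numpy as np
from scipy.stats import friedmanchisquare, wilcoxon
import scikit_posthocs as sp

# Hypothetical F1 scores: rows are datasets, columns are models.
scores = np.array([
    [0.962, 0.951, 0.940, 0.996],   # dataset 1: SVM, RF, KNN, proposed (placeholder values)
    [0.948, 0.955, 0.931, 0.991],   # dataset 2
    [0.957, 0.949, 0.938, 0.994],   # dataset 3
])

# Friedman test across all models (non-parametric, no normality assumption).
stat, p = friedmanchisquare(*scores.T)
print(f"Friedman chi-square = {stat:.3f}, p = {p:.4f}")

if p < 0.05:
    # Post-hoc Nemenyi test identifies which model pairs differ significantly.
    print(sp.posthoc_nemenyi_friedman(scores))

# Pairwise Wilcoxon signed-rank test between the proposed model and one baseline.
w_stat, w_p = wilcoxon(scores[:, 3], scores[:, 0])
print(f"Wilcoxon statistic = {w_stat:.3f}, p = {w_p:.4f}")
```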
V. Conclusion
IDS retain unprecedented importance in healthcare networks because cyber threats and network security risks continue to increase in frequency. This research investigates the capability of IDS to improve network security. An ensemble learning-based IoT network attack detection system was developed as a cybersecurity solution for distributed IoT applications, specifically in healthcare setups. The findings show that artificial intelligence works effectively in cybersecurity by producing a functional attack detection system. Experimental testing validated system performance, measuring accuracy at 99.9% and execution time at 6.2 seconds, together with low false alarm rates, demonstrating the superior capabilities of deep learning models compared with conventional shallow models. Attack detection algorithms perform best when distributed across multiple locations rather than centralized, because the exchange of model parameters reduces training overfitting. On previously unseen data, the proposed system distinguishes between normal traffic and malicious patterns better than ordinary machine learning methods. Future assessments of the IDS will test additional datasets and evaluate its performance against classic machine learning methods, including Support Vector Machines (SVM) and Decision Trees, as well as additional neural network models. Future analysis will also examine network payload data for intrusion detection, because it holds key patterns for discovering attacks.
Future work will systematically explore hybrid metaheuristic–machine learning approaches (e.g., LSTM/CNN architectures tuned by PSO/GA/HCA and CNN+XAI frameworks for attack attribution), and extend the comparative analysis to include AutoML/Bayesian HPO baselines, federated learning variants, and adversarial robustness tests. These additions will provide a deeper, objective evaluation of the RCBEC method’s robustness, deployment cost, and interpretability across heterogeneous IoT/healthcare datasets.
Footnotes
Author contributions
Conceptualization, Paul Rodrigues; methodology, Yosuef Alotaibi; software, Mohammad Alhefdi; investigation and resources, Yosuef Alotaibi; data curation, Mohammad Alhefdi; writing (original draft preparation), Pandimurugan V; writing (review and editing) and supervision, Paul Rodrigues and Yosuef Alotaibi; funding acquisition, Paul Rodrigues and Yosuef Alotaibi.
Funding
The authors disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: The authors extend their appreciation to the Deanship of Research and Graduate Studies at King Khalid University for funding this work through a large research project under grant number RGP 2/321/46.
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Data Availability Statement
Data are available upon request.
