International Journal of

INTELLIGENT SYSTEMS AND APPLICATIONS IN

ENGINEERING
ISSN:2147-67992147-6799 www.ijisae.org Original Research Paper

A Hybrid Cluster Based Intelligent IDS with Deep Belief Network to

Improve the Security over Wireless Sensor Network

Dr. Priyanka R.1, Teena K. B.2, Rashmi T. V.3, Dr. Reshma J.4, Dr. Tejashwini Nagaraj5, Tejaswini N.6

Submitted: 22/12/2023 Revised: 28/01/2024 Accepted: 08/02/2024

Abstract: Numerous inexpensive, compact devices compose a Wireless Sensor Network (WSN). They're usually readily available to
some types of attacks due to their location, which is not well protected. A large number of researchers are focusing on WSN security at
the moment. This kind of network is characterized by vulnerable characteristics, such as the ability to organize oneself without a stable
infrastructure and open-air transmission. To train variables for the probability-based feature vectors, a Deep Neural Network (DNN)
framework that is derived from international vehicle network packets shall be applied. The detector is capable of detecting any malicious
attack on the vehicle since DNN gives each category a chance to distinguish between attacks and regular packets. Intrusion Detection
Systems (IDS), can help to identify and stop security attacks on vehicles. The study proposes a mechanism for enhancing the security of
WSNs based on Hybrid Clusters and Intelligent Intrusion Detection Systems with Deep Belief Networks (HCIIDS-DBN). It can provide
a protection system for intrusions and an analysis of vehicle attacks in real time. They are designed based on their respective attack
probability and ability, to the sensor node, sink, or cluster head. The proposed HCIIDS-DBN is composed of modules designed to detect
anomalies and dereliction. The objective is to increase detection rates and decrease false positive incidences by detecting anomalies and
abuse. Finally, the detected data are integrated and the various types of vehicle communication attacks are reported using the Decision
Support System (DSS). The results of the experiment show that the proposed method may respond to the attack in real-time with a much
detection of higher ratio in the Controller Area Network (CAN) bus.

Keywords: Wireless Sensor Network; Hybrid Cluster Intelligent IDS; Deep Belief Network; Deep Learning; In-Vehicle security;
Performance measures

1. Introduction not infrastructure and is created by the widespread

deployment of SNs. However, due to the limited power
The development of Sensor Nodes (SNs) and
of sensors, it is only possible to reduce energy
microelectronics has brought about miniaturized, cheap
consumption using multiple communications among
sensors that are available with features such as sensing,
sensors [2]. WSN's primary function is to gather and
processing, or interaction at low power [1]. As a
store relevant data about a given environment, such as
consequence, there is an increasing interest in research
healthcare, military, business, or environmental
on issues related to WSN. A WSN is a network that is
protection. After detection of the target or surrounding
1
Assistant Professor, Department of Information Science & area, SNs use wireless communications to transmit
Engineering, Cambridge Institute of Technology, Bangalore, Affiliated
to VTU, Belgaum, India* information to the sink. The information shall then be
priyanka.89.r@gmail.com examined to determine the present status of the target. As
2
Assistant Professor, Department of Information Science & a result of the hardware architecture, though, WSNs are
Engineering, East Point College of Engineering and Technology, limited in their resource capacity, including low
Bangalore, India
teena.k@eastpoint.ac.in processing power, less memory, and lower energy [3].
3
Assistant Professor, Department of Computer Science &
In Figures 1 and 2, respectively, dual of the most popular
Engineering, East Point College of Engineering and Technology,
Bangalore India, topologies of WSNs are the Cluster-based Wireless
rashmitv.harsha@gmail.com Sensor Network (CWSN) and the Flat-based Wireless
4
Associate Professor, Department of Information Science & Sensor Network (FWSN) are depicted. However, multi-
Engineering, Dayananda Sagar College of Engineering, Bangalore,
hop communication is generating a lot of information
India
reshma-ise@dayanandasagar.edu and increasing the energy used in FWSNs such as SPIN
5
Associate Professor, Department of Computer Science & Engineering, [4]. CWSN is the most widely exploited network
Sai Vidya Institute of Technology, Bangalore, India structure for WSN. Each SN in the CWSN is divided into
tejashwini.n@gmail.com
6
clusters, and each cluster is run by an elected cluster
Assistant Professor, Department of CS&E, JSS Science and
Technology University, Mysore India leader, who is responsible for the operation of the cluster.
tejaswinin@jssstuniv.in CH should compile data from any SNs that have been
*Corresponding author: priyanka.89.r@gmail.com identified on a specific target. Several protocols,
including LEACH and APTEEN, have been proposed for
International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 225
the CWSN [5]. WSNs are the target of a wide range of Vehicle-to-Vehicle (V2V), which facilitates both intra
attacks because they're composed of several inexpensive, and inter-vehicle communications, has become
small pieces of equipment that typically deploy into an increasingly necessary in recent years [9]. The use of
unguarded area. In the case of using a WSN in combat, vehicle communications can be applied to many suitable
adversaries attack and destroy SNs [6]. As a result, transport schemes. It is proposed that this
consideration must be given to WSN security. A communication be used to learn driving behaviour, such
preventive technique shall be applied to deal with well- as the speed and fuel consumption of each vehicle. A
known attacks. Based on the characteristics of an attack, unique communication system for the transmission of
it develops a comparable defense strategy. Nevertheless, messages has been created. Fuel efficiency shall be
precautionary measures are at risk of being attacked in considered when setting the speeds or distances of
large numbers. Consequently, attacks have to be connected vehicles [10]. Moreover, wireless
identified. The IDS is often utilized for identifying communication can facilitate the cooperation of platoons
packets on the network and ascertaining whether they and thus improve traffic flow. The most recent
occur attackers. Moreover, IDS could assist in the developments in realistic cooperative driving are
development of a prevention system if it studies the highlighted by the best-performing results from the
acquired characteristics of attacks [7]. Grand Cooperative Driving Challenge (GCDC).
Consequently, the vehicle's processing components have
Integration with several computing devices, known as
a great deal more power. Different communication
Electronic Control Units (ECUs), has recently made
protocols have been established to facilitate the exchange
significant advances in automotive systems [8]. The
of information [11]. The most straightforward
ECU of an automobile is used for monitoring and
communication protocol for connecting sensors and
controlling a subsystem that improves energy efficiency
actuators to ECUs is CAN, which is also the de facto
and reduces vibration and noise. The ECU replaces the
model for in-vehicle network communication. New
traditional mechanical control components. Computer
automotive applications are encouraged to be developed
equipment for Vehicle-to Infrastructure (V2I) and
through the adoption of CAN [12].

Fig 1: Flat WSN

The protection of drivers should be ensured by the communications. A significant focus is placed on the
confidentiality of information. Unfortunately, there are effectiveness and ease of use of IDS sensors [14]. An
several safety vulnerabilities in the automotive network intrusion detection method is proposed by applying a
and networking capacity is growing with serious security series of different attack patterns that have been arranged
concerns. ECUs can't determine the sender of the in the dataset. Developed a description Strategy to
broadcast messages, but they may receive any message compare the performance of the standard system in
from another ECU-to-ECU on the same bus [13]. It practice with selected patterns. To identify an
illustrates the potential for misunderstanding of critical undesirable intrusion, this detection technique relies
components to protect drivers' safety caused by upon numerous sensors engineered to deal with some
attempted attacks, such as data manipulation and packet attack situations. Safe procedures that conform to the
injection. Several studies were performed on safety standard criteria are proposed [15].
issues associated with intra and intervehicular

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 226
 Fig 2: Cluster Based WSN
WSN has become more and more important as an area of broadcast bus networks in the rail network. The packet is
study in recent years. Due to their various characteristics obtained by a receiver ECU, which recognizes the ID of
such as low power consumption, energy limitation, radio the sender [14]. The unique ID number of the sender
frequency usage, and so on, mobile sensor networks may ECU may be provided in the package. As a result, the
be subject to many security risks. In case of an attacker's CAN packet doesn’t exclude an explicit destination field.
presence in the network, encryption, which is generally The syntax of the CAN data packet can be found in
regarded as one of the primary security lines, shall no Figure 3. There is an arbitration field including 11 bits of
longer be effective [16]. The identification and identification, each with a distinct ECU. There are 2
suppression of both external and internal threats are features to the arbitration field: 1) allowing each ECU to
facilitated by IDS, sometimes referred to as the 2nd line filter out a strange message, and 2) ranking messages
of defense. Direct installation of IDSs that are built for according to their ID in descending order [15]. The area
ad hoc networks or wired in a WSN is not possible. This of data may contain as many as 8 bits of information that
necessitates the development of a special detection can be sent in the message. The angle of the on-and-off
system for cellular sensor networks, which takes account status and the steering wheel of the display panel
of their constraints [17]. elements are examples of this type of information. The
data field size is set in a control field. Any mistakes in
2. Related Works
the data packet are found using the Cyclic Redundancy
With a maximum communication speed of 1 Mbps, CAN Check (CRC) field. It is confirmed that valid CAN
is intended to be used for high-speed, half-duplex packets were received by the acknowledgment field [16].

Fig 3: CAN packet syntax

Intensive research is being undertaken into intrusion packets [17]. As the abovementioned work relies on
detection techniques to strengthen the defense of supervised Machine Learning techniques, several labeled
conventional networks against malicious attacks. data sets are required to be used during training. In the
Numerous intrusion detection techniques have been detection of network intrusions, for example by Self-
developed in the literature using machine learning Organised Maps (SOM) an autonomous machine
techniques, presuming that attack packet patterns are learning algorithm is used in contrast to conventional
different from regular packet patterns. The Artificial methods [18]. In Figure 4, we can see a model of an IDS
Neural Networks (ANN) and Support Vector Machines architecture based on machine learning. The monitoring
(SVM) codes use a radio frequency encoding technique unit is usually able to determine the category of
which can be used to determine the characteristics of incoming packets following feature extraction. The

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 227
profiling unit contains features that can be manually Monitoring unit of the latest type of attack, the profiling
trained from the Internet. In case of discovery by the unit may update its database for future packets [19].

Fig 4: IDS based on machine learning method architecture

Deep learning is a machine learning approach, which performance compared with conventional hybrid models
takes advantage of the architecture with several proposed in the literature, and those derived from
hierarchical levels for non-linear processing. The two signature models [24].
types of architecture that could be distinguished based on
3. Proposed System
how they are used are generative deep architecture and
discriminative deep architecture. The DNN or deep A common scenario for which an attacker will attack the
structure can include many hidden layers from an ANN CAN bus within a vehicle with unauthorized packets of
structure [20]. It is proposed to build a cluster-based information shall be considered in the recommended
hierarchical IDS. Using this method, the authors installed IDS. In-vehicle networks can be accessed via cellular
an IDS agent (core defense) on every cluster head. The data links such as 3G, 4G, or WIFI and the OBD
agent has 3 modules: Decision Making, a supervised diagnostics tools which are integrated with a driver's
learning component, and an anomaly detection module wireless device.
based on the rules [21]. To achieve this detection
3.1 Data Collection
method, a large number of calculations needed for cluster
heads may shorten the network's lifetime. It proposed a In total, around 200,000 packets are created in the
lightweight, hybrid IDS that is integrated into sensor simulation. To avoid over-fitting issues, researchers
networks based on the proposed model. IDS use cluster divided the packets into 70% learning and 30% testing
protocols for the creation of a hierarchy network and data. To confuse the system, a proportion of packets are
offer an intrusion architecture derived from abuse edited and inserted in an attack scenario. To avoid a
mechanisms and anomaly models [22]. The IDS agent is breakdown of the in-vehicle network, it is important to
composed of two detection modules, global and local, in note that assault packets are injected at certain intervals
their system. The authors use their model in a procedure shown in Figure 5. Figure 6 displays the CAN data
of cooperation between the two agents where they are packets for experimental control ECUs, including an
both located within one node, to detect an attack more identifier and a field of data. To avoid over-fitting issues,
accurately. However, this system is a disadvantage in researchers divided the packets into 70% learning and
that it overloads the node's memory due to an excessive 30% testing data. To confuse the system, a proportion of
number of signatures [23]. packets are edited and inserted in an attack scenario. To
avoid a breakdown of the in-vehicle network, it is
According to these hybrid models. We present a proposal
important to note that assault packets are injected at
for an efficient light sensor network IDS in this paper.
certain intervals.
This research aims to explore and apply a new intrusion
detection model in an environment of wireless sensor 3.2 Proposed technique
clusters that incorporates the advantages of both The proposed HCIIDS-DBN is capable of detecting an
anomaly-relying models, which exhibit superior attack by observing CAN communications packets on the

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 228
bus, as shown in Figure 7. Our architecture consists of learning, meaning it's either an attack or a standard
two main stages: the detection and training stage, as packet. As a result, it is expected that the information on
shown in Figure 8, an existing IDS based on machine the label will be communicated using matching features.
learning. It is being carried out offline in this phase The adoption of a DNN framework for feature training
because of the long duration of training. There's a binary allows us to gain weight parameters at edges linking
label on every CAN training packet in supervised nodes. The detection phase is also depicted in Figure 8.

Fig 5: Simulation configuration

Fig 6: (a) Top-down with n hidden layers DBN; (b) Bottom-up with n hidden layers DNN with Pretrained layers
The learning structure would be created of supervised label information. The altered structure is presented in
learning, as the HCIIDS-DBN framework gives rise to an Figure 6 (b) a deep feed forward structure of the ANN.
unobserved learning mechanism in Figure 6 (a). For this The correction of parameters is performed with a
purpose, a discriminative deep learning structure is gradient descent approach within the deep feed forward
created by appending the last classification layer to the ANN structure as soon as they have been initialized for
top level of the HCIIDS-DBN framework and including weights.

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 229
 Fig 7: Attack scenario in the connected car
A method to detect intrusions built into the CWSN is and an HCIIDS-DBN for the sink. For HCIIDS-DBN to
proposed in this study. In the case of sinks, CHs, and be trained in the new attacks that HCIIDS-DBN has
SNs, three separate IDS are established based on a identified and classified, a feedback system operates at
variety of capacities and attack probability. It is proposed each sink and on CH.
that an IDS be misused for SN, a HCIIDS-DBN for CH,

Fig 8: Overview architecture of the proposed HCIIDS-DBN

An HCIIDS-DBN for CWSN is created overall. In real- capable of learning in real-time and adding new classes if
time, it could offer effective defense against invaders and attacked by unexpected threats, alongside having a low
analysis of attacks. Application of techniques that need false positive rate and a very high detection rate. The
greater computational power and more energy could not HCIIDS-DBN identified in this analysis are composed of
be achieved due to limited resources for general 4 models, as shown in Figure 8. The DSS will combine
supernovae. An immense source of the sink, which links data from both sensors to determine the nature and extent
anomaly and abuse detection, is used in this research to of any breach before sending this information back to
design an HCIIDS-DBN. The proposed HCIIDS-DBN is management for further action shown in Figure 9.

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 230
 Fig 9: Proposed Architecture
3.3 Anomaly detection model anomaly detection module in CWSN to see if any
abnormal packets are present. As the misuse detection
The anomaly detection model operates the same way as a
module relies on many well-known attack behavior
filter. To be further detected, the misuse detection model
models, it is appropriate to design model foundations
will receive abnormal packets. If the present behavior
based on those behaviors. Since most intruder detection
deviates from the normal behavior model, the system
techniques guarantee performance based on training data,
will classify the packet as abnormal, since the anomaly
this study uses BPN with a supervised learning method.
detection is based on that model. Consequently, it is of
When BPN learns an appropriate relationship between
concern that anomaly detections may classify regular
input and output variables, its weight is increased
communications as abnormal and thereby lead to errors
accordingly. This can reduce the error of inferences to a
in classification. However, it rarely defines abnormal
great extent, to achieve an accurate level of precision.
communication as normal. Many packets on CWSN
Therefore, BPN can achieve perfect accuracy by
should be recognized, a majority of which are common.
HCIIDS-DBN based on extensive training. This study
The anomaly detection method will be used as the
uses three layers of HCIIDS-DBN which consist of an
starting filter and screening packet. In the event of an
input layer, the concealed layer, and the output layer.
abnormal packet being detected, a misuse detection
Figure 11 depicts the abuse detection model's structure.
module shall be used to detect additional suspicious
The input vector we use is an anomalous packet, which
packets. An anomaly detection module has detected an
has been identified by the anomaly detection module.
intrusion to compare the present behavior with the
The maximum number of processors in the input layer
expected behaviour as shown in Figure 10. If the existing
shall be defined by the characteristics selected for
behavior is contrary to normal behavior patterns, it
packets. Moreover, to get a hidden layer's number of
would not be appropriate for the system to be classified
processing units, input and output layer unit values shall
as an anomaly. To be able to monitor CWSN packet
be averaged. After examination, eight prevalent assaults
status, packets have to create a regular pattern of
were identified in the CWSN: Sinkhole, Select Forward,
behavior. In these cases, the necessary rules are defined
Hello Floods, Sybil Attack, Acknowledgment Spoofing,
by professionals and anomaly detection modules have
Denial of Service, and Spoofed/Altered/Replayed
been developed in this study with a Rule-Based Analysis
Routing Information.
method.
Consequently, there is no balance in the data on training.
The process of construction may be separated into the
On the other hand, HCIIDS-DBN will ignore anomalous
following three steps:
packets owing to their low occurrence rate. To prevent
Step 1: The packets delivered from CH's neighbor are the this, after training data have been processed in the
ones that go through the sink in CWSN. Therefore, the anomaly detection module, the abnormal packet that has
analysis of all prior packets that have communicated to been taken for training shall be segregated. To verify the
the tank will be carried out and each packet type shall be malicious behaviour of the target that has been detected
classified as either normal or irregular. using anomaly detection, a set of attacks characterized by
Step 2: Choose a feature. Search for the essential predefined rule signatures and anomalies based on SVM
characteristics assigned to a particular package so that it is used in this proposed approach. Cluster-based
can be differentiated into normal and irregular packages. architectures incorporate detection technology to prolong
a network's lifetime. This is accomplished by appointing
Step 3: The development of guidelines for the detection one recognized node as the CH, which transmits packets
of anomalies. Attributes chosen the specifications of a (aggregated data) from the nodes to the BS rather than
standard pack are used to develop these rules. the node's collected data being sent to the base station
Any packet that runs into the sink when all CHs that is located in a faraway place.
communicate with each other shall be filtered by an

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 231
 Fig 10: HCIIDS-DBN System architecture
CHs are sensors for local base stations, and groups have select the CAN syntax's 64-bit locations (equivalent to 8
a specific probability of becoming CHs at any time. A bytes) in the DATA field, and we examine the bit-
single cluster is composed of all nodes in this symbol statistical distributions. A mathematical
architecture, which are geographically distributed representation of the data vector PO2 R64 is possible.
throughout the network. The CH is aimed at prolonging Any bit locations in the DATA field can be used to
the network's life and reducing its energy consumption. generate a characteristic. However, it is possible to
Consideration will be given to the circumstances of the reduce the dimension of certain semantic elements in a
bit symbol symbols in a data packet. Specifically, we related syntactic element.

Fig 11: HCIIDS-DBN misuse detection method

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 232
 𝑁𝑜.𝑜𝑓 𝑑𝑒𝑡𝑒𝑐𝑡𝑒𝑑 𝑎𝑡𝑡𝑎𝑐𝑘𝑠
4 Results and Discussions 𝐴𝑐𝑐𝑢𝑟𝑎𝑐𝑦 = × 100% (1)
.𝑜𝑓 𝑎𝑡𝑡𝑎𝑐𝑘𝑠
4.1 Performance measures 𝑁𝑜.𝑜𝑓 𝑚𝑖𝑠𝑐𝑙𝑎𝑠𝑠𝑖𝑓𝑖𝑒𝑑 𝑐𝑜𝑛𝑛𝑒𝑐𝑡𝑖𝑜𝑛𝑠
𝐹𝑎𝑙𝑠𝑒 𝑃𝑜𝑠𝑖𝑡𝑖𝑣𝑒 𝑅𝑎𝑡𝑒 = ×
𝑁𝑜. 𝑜𝑓 𝑛𝑜𝑟𝑚𝑎𝑙 𝑐𝑜𝑛𝑛𝑒𝑐𝑡𝑖𝑜𝑛𝑠
The computer used in this study is an AMD AthlonTM
100% (2)
64 X2 Dual Core Processor 5000+ 2.59GHz and has
2048MB of RAM running Windows XP Professional. 𝑁𝑜.𝑜𝑓 𝑐𝑜𝑟𝑟𝑒𝑐𝑡 𝑐𝑙𝑎𝑠𝑠𝑖𝑓𝑖𝑒𝑑 𝑐𝑜𝑛𝑛𝑒𝑐𝑡𝑖𝑜𝑛𝑠
𝐷𝑒𝑡𝑒𝑐𝑡𝑖𝑜𝑛 𝑅𝑎𝑡𝑒 = ×
𝑁𝑜.𝑜𝑓 𝑐𝑜𝑛𝑛𝑒𝑐𝑡𝑖𝑜𝑛𝑠
The NN tool, which is part of MATLAB 7.1, allows the
100% (3)
BPN method to be trained. The experiment's
effectiveness is assessed using the following Equations:
(1)–(3), which determine the accuracy and False Positive
Rate (FPR), and Detection Rate (DR).
Table 1: Categorization detail
Attacks Category No. of the amount of sample/ DR (%)
correct detection
Normal 2511/2573 98.95
Probe 1672/2155 77.42
DoS 9742/9896 98.54
U2R 5/27 15.78
R2L 56/569 9.92

Table 2: Threshold accuracy

Value of Amount of sample/ Correct outuput DR (%)
threshold
0.9 14612/5328 93.55
0.95 14589/1527 94.07
0.98 14576/1556 94.46
0.99 14467/1510 96.15
0.997 12024/1223 98.39

The results of the test show that the accuracy is 91.26%, addition, if BPN were incapable of identifying several
the FP is 2.06%, and the DR is 90.96%, as shown in new attacks that are present in these classes it would
Table 1. Examining each assault class displayed in Table have misclassified those attacks. This means that our
2 and each efficiency, it is evident that Probe, U2R, and models need to be continually updated during learning to
R2L have poor DR figures—even 9.77% R2L's and maintain a large data rate for Integrated Data Streams
15.38% U2R's. It is due to the lack of training data for shown in Table 3.
R2L or U2R, which makes it difficult to detect them. In
Table 3: Simulation packets of CAN
ID Data Field ECU Target
10F 02 𝛼0 𝛽0 𝐴0 𝐵2 𝛼1 𝛽1 𝛼2 𝛽2 𝛼3 𝛽3 𝛼4 𝛽4 Engine
24F 33 𝛼0 𝛽0 𝐵1 𝐴3 𝛼1 𝛽1 𝛼2 𝛽2 𝛼3 𝛽3 𝛼4 𝛽4 Body Control
400 00 𝛼0 𝛽0 𝐸𝐹 10 𝛼1 𝛽1 𝛼2 𝛽2 𝛼3 𝛽3 𝛼4 𝛽4 Display Panel

As seen in Figure 12, the value data indicates the value the mode data denotes the command state of an ECU,
of the mode, such as the speed or the wheel angle, and such as controlling wheels. While noise may distort the

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 233
values information, for a brief period mode data remain detection stage, the use of mode data shall be
unchanged. The value data is only utilized as part of the demonstrated.
training phase for the proposed method. During the

Fig 12: The instances of the bit-symbol "1" at time t in the 8-byte Data field, which contains both value and mode data
1 𝜆 𝑚 𝑚 2 algorithm returns a logistic value of 0 or 1 so that it can
𝐶(𝑊𝑖) = ∑𝑘 𝐶(𝑊𝑖; 𝑢𝑘 , 𝑗𝑘 ) + ∑𝑁 𝑙
𝑛 ∑𝑥 ∑𝑦
𝑙+1 𝑥𝑡
(𝑊𝑖𝑦𝑥 )
𝐾 2
determine whether the sample is an attack packet or not.
(4)
An ECU may be able to draw on many attack situations,
Where i- Neural Network depth, 𝑚𝑙 – nodes in ith layer, and its weight vectors can be adapted for each situation.
𝑥𝑡
and 𝑊𝑖𝑦𝑥 ∈ 𝑊𝑖 - weight edge between node y and node To determine the situation to enable an appropriate
x. Optimal parameter set represented as Wi* is shown in training set to be applied, mode information shall be
Equation (5). considered in the proposed strategy. To this end,
template matching shall be provided in the proposed
𝑊𝑖 ∗ = arg min 𝐶(𝑊𝑖) (5)
𝑊𝑖 method shown in Figure 13. A template containing
𝑥𝑡 𝑥𝑡−1 𝜕 information on the mode shall be drawn up by reference
𝑊𝑖𝑦𝑥 = 𝑊𝑖𝑦𝑥 +𝜉 𝑥𝑡−1 𝐶(𝑊𝑖) (6) to data and training samples applied for the specific
𝜕𝑊𝑖𝑦𝑥
situation. In Figure 14, find a template-matching
The class of the test CAN packet is expected to be
example that uses the YellowfinColor template. As
detected during the detection phase. To calculate an
demonstrated, if the template matches a CAN packet and
output, the set of features taken from the test CAN
training sample that must be assessed, the detector will
packet and a set of trained weighting variables are used,
use matched trained parameters derived from value data.
just as they were used for training. The classification

Fig 13: Strategy location of HCIIDS-DBN

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 234
 Fig 14: Determining the appropriate training parameters using the template matching method
According to its energy, CH will be chosen dynamically. network was first created, sensor nodes didn't even know
The CH election procedure is announced by the BS, and that a rogue node existed. After the WSNs have been
the CHs determine the residual energy using the formula deployed, their signature database will be built up. A CH
Vi(t) = [Initial – Re(t)] / s, in which Initial denotes the makes this item in a malicious node database and
initial energy, Re(t) is the residual energy, and s is the distributes it to all the nodes.
CH selection round number eight. The BS shall compute
Global agent: The global agent is monitoring the
the mean deviation and average, based on the values
communications between the neighboring nodes. Due to
obtained. The CH election process of nodes is announced
the broadcasting nature of wireless networks, it can
by CH. The message regarding the transfer of power will
receive all packets passing through the radio range of the
be sent by Old CH. Alert messages from a new CH are
node. It must know the details of its nearest nodes for a
received by sensor nodes. The BS oversees CH
global agent to monitor packets. We shall use the
authentication, whereas CH is in charge of the other
preconfigured rules and a Local Monitoring System to
cluster members' authentication. The individual agents
keep an eye on these packets. Each detector node shall
are operated only where necessary due to the limited
generate and communicate to the Community Health
resources and battery life.
Authorities every potential security breach detected at
Local agent: The monitoring of sensor data that is sent or one of its neighboring nodes. When the alert has been
received shall be performed by the local agent module. received, CHs use the X threshold to determine if a node
In its internal database, the node is keeping a close eye is suspicious.
on attacks of specific hostile network nodes. When the

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 235
 Fig 15: Evaluation of the performance of intrusion detection with ROC curves

Fig 16: Confusion Matrix Outcomes

Fig 17: The HCIIDS-DBN performance based on no. of layer

A ROC curve that plots more points at the top, leftmost used in the tests demonstrated that the proposed
corner is superior for detection. In Figure 15 the ROC technique has a detection ratio superior to conventional
curves for the proposed method and an ANN which were methods. When the FPR is less than 1-2%, the detection

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 236
ratio exceeds 99%. To evaluate the performance of layers of the conventional feedforward artificial neural
quantitative detection, coherence matrices are shown in network and the intrusion detection efficiency. The
Figure 16. The proposed technique's performance offers recommended approach outperforms the feed-forward
a noticeably high detection rate. False positives make up (𝑅𝐴+𝑅𝑁)
ANN in terms of detection effectiveness of two
2
just 1.6 percent of errors, while 2.8% are false negatives.
scenarios, as illustrated in Figure 17. The vanishing
This is an overall accuracy of approximately 97.8%. Two
gradient issue with the ANN structure results in
differences in the recommended DL structure utilizing
inconsistent results as the number of layers increases.
the DNN framework are compared between several
Table 4: Time complexity
Layer’s Testing(s) Testing
Classification(ms) Feature extraction(µs)
5 5.11 3.06 9.5
7 7.28 3.28 9.6
9 9.85 4.18 9.8
11 10.98 4.77 9.8

Furthermore, Table 4 shows the complexity of feature that is capable of effectively serving as both
identification times which is different according to the training and testing equipment. They consist of
number of concealed layers. The measurement time information received from network packets on mode and
required to examine each, and every packet sent over a value. The findings showed that the proposed
network is reflected in the evaluation time and the methodology could react to an attack promptly and have
training time is reflected in the measurement time a significant reliable identification ratio of about 99.8%
required to train the structure of DNN during the training when computational complexity related to multiple
stage. It is best to conduct training in the offline layers is very low.
environment as it involves time complexity ranging from
References
4 to 11 seconds. Nevertheless, the testing time
complexity for packet inspection only takes 8–9 μs to [1] Bediya, A. K., & Kumar, R. (2023). A novel
process each packet's features and 2–5 ms to classify the intrusion detection system for internet of things
packets—a time complexity that can be used for real- network security. In Research Anthology on
time applications. Convergence of Blockchain, Internet of Things, and
Security (pp. 330-348). IGI Global.
5. Conclusion
[2] He, K., Kim, D. D., & Asghar, M. R. (2023).
The three distinct IDSs of the sink, SH, and CN are Adversarial machine learning for network intrusion
engineered based on the diverse threats and likelihoods detection systems: a comprehensive survey. IEEE
they face. An HCIIDS-DBN with learning capabilities is Communications Surveys & Tutorials.
proposed for the sink; when the sink is subjected to [3] Abdulganiyu, O. H., Ait Tchakoucht, T., & Saheed,
unknown attacks, it not only studies and improves new Y. K. (2023). A systematic literature review for
classes through learning mechanisms in actual time, but network intrusion detection system
also lowers the threat of assault in the system. It aims at (IDS). International Journal of Information
effective detection of attacks and the prevention of waste Security, 1-38.
of resources. By contrast, when HCIIDS-DBN is [4] Yi, L., Yin, M., & Darbandi, M. (2023). A deep and
updating its attack class, it will use a feedback systematic review of the intrusion detection systems
mechanism from the CH to the sink. In the case of SNs, in the fog environment. Transactions on Emerging
an IDS for misuse is proposed. A quick and easy way to Telecommunications Technologies, 34(1), e4632.
manage SN is being developed to save resources and [5] Sivanantham, S., Mohanraj, V., Suresh, Y., &
avoid overwork for security. For the protection of the in- Senthilkumar, J. (2023). Association Rule Mining
vehicle network, they proposed a powerful HCIIDS- Frequent-Pattern-Based Intrusion Detection in
DBN. DNN allows each class to distinguish between Network. Computer Systems Science &
legitimate and malicious packets so that a vehicle Engineering, 44(2).
security system will be able to detect an attack of some [6] Talukder, M. A., Hasan, K. F., Islam, M. M.,
kind. In addition, we have proposed a new vector graphic Uddin, M. A., Akhter, A., Yousuf, M. A., ... &

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 237
 Moni, M. A. (2023). A dependable hybrid machine detection scheme with dimensionality reduction in
learning model for network intrusion next generation networks. IEEE Transactions on
detection. Journal of Information Security and Information Forensics and Security, 18, 965-979.
Applications, 72, 103405. [19] de Carvalho Bertoli, G., Junior, L. A. P., Saotome,
[7] Sharma, B., Sharma, L., Lal, C., & Roy, S. (2023). O., & dos Santos, A. L. (2023). Generalizing
Anomaly based network intrusion detection for IoT intrusion detection for heterogeneous networks: A
attacks using deep learning technique. Computers stacked-unsupervised federated learning
and Electrical Engineering, 107, 108626. approach. Computers & Security, 127, 103106.
[8] Mohy-eddine, M., Guezzaz, A., Benkirane, S., & [20] Putri, A. A., Agustina, C., Fauzan, H., Saputra, M.
Azrour, M. (2023). An efficient network intrusion R. E., Erdiansyah, M., & Wardani, P. S. (2023).
detection model for IoT security using K-NN Network security implementation with snort-based
classifier and feature selection. Multimedia Tools intrusion detection system using windows
and Applications, 1-19. 10. JComce-Journal of Computer Science, 1(1).
[9] Hnamte, V., & Hussain, J. (2023). DCNNBiLSTM: [21] Logeswari, G., Bose, S., & Anitha, T. (2023). An
An efficient hybrid deep learning-based intrusion intrusion detection system for sdn using machine
detection system. Telematics and Informatics learning. Intelligent Automation & Soft
Reports, 10, 100053. Computing, 35(1), 867-880.
[10] Okey, O. D., Melgarejo, D. C., Saadi, M., Rosa, R. [22] Kadry, H., Farouk, A., Zanaty, E. A., & Reyad, O.
L., Kleinschmidt, J. H., & Rodríguez, D. Z. (2023). (2023). Intrusion detection model using optimized
Transfer learning approach to IDS on cloud IoT quantum neural network and elliptical curve
devices using optimized CNN. IEEE Access, 11, cryptography for data security. Alexandria
1023-1038. Engineering Journal, 71, 491-500.
[11] Ennaji, S., El Akkad, N., & Haddouch, K. (2023). i- [23] Ghanbarzadeh, R., Hosseinalipour, A., & Ghaffari,
2NIDS Novel Intelligent Intrusion Detection A. (2023). A novel network intrusion detection
Approach for a Strong Network method based on metaheuristic optimisation
Security. International Journal of Information algorithms. Journal of ambient intelligence and
Security and Privacy (IJISP), 17(1), 1-17. humanized computing, 14(6), 7575-7592.
[12] Lilhore, U. K., Manoharan, P., Simaiya, S., [24] Wang, R. X., Wang, Y., & Dai, L. (2023, March).
Alroobaea, R., Alsafyani, M., Baqasah, A. M., ... & Intrusion detection in network security. In Second
Raahemifar, K. (2023). HIDM: Hybrid Intrusion Guangdong-Hong Kong-Macao Greater Bay Area
Detection Model for Industry 4.0 Networks Using Artificial Intelligence and Big Data Forum (AIBDF
an Optimized CNN-LSTM with Transfer 2022) (Vol. 12593, pp. 366-371). SPIE.
Learning. Sensors, 23(18), 7856.
[13] Cui, J., Sun, H., Zhong, H., Zhang, J., Wei, L.,
Bolodurina, I., & He, D. (2023). Collaborative
Intrusion Detection System for SDVN: A Fairness
Federated Deep Learning Approach. IEEE
Transactions on Parallel and Distributed Systems.
[14] Du, J., Yang, K., Hu, Y., & Jiang, L. (2023). Nids-
cnnlstm: Network intrusion detection classification
model based on deep learning. IEEE Access, 11,
24808-24821.
[15] Shaorong, W., & Guiling, L. (2023). Research on
campus network security protection system
framework based on cloud data and intrusion
detection algorithm. Soft Computing, 1-10.
[16] Sousa, B., Magaia, N., & Silva, S. (2023). An
Intelligent Intrusion Detection System for 5G-
Enabled Internet of Vehicles. Electronics, 12(8),
1757.
[17] Huang, Y., & Ma, M. (2023). Ill-ids: An
incremental lifetime learning ids for
vanets. Computers & Security, 124, 102992.
[18] Sood, K., Nosouhi, M. R., Nguyen, D. D. N., Jiang,
F., Chowdhury, M., & Doss, R. (2023). Intrusion

International Journal of Intelligent Systems and Applications in Engineering IJISAE, 2024, 12(17s), 225–238 | 238