A Novel Intrusion Detection System for RPL Based IoT Networks with Bio-Inspired Feature Selection and Ensemble Classifier

. Internet of Things (IoT) is the powerful latest trend that allows communications and networking of many sources over the internet. Routing protocol for low power and lossy networks (RPL) based IoT networks may be exposed to many routing attacks due to resource-constrained and open nature of the IoT nodes. Hence, there is a need for network intrusion detection system (NIDS) to protect RPL based IoT networks from routing attacks. The existing techniques for anomaly-based NIDS (ANIDS) subjects to high false alarm rate (FAR). Therefore, a novel bio-inspired voting ensemble classifier with feature selection technique is proposed in this paper to improve the performance of ANIDS for RPL based IoT networks. The proposed voting ensemble classifier combines the results of various base classifiers such as logistic Regression, support vector machine, decision tree, bidirectional long short-term memory and K-nearest neighbor to detect the attacks accurately based on majority voting rule. The optimized weights of base classifiers are obtained by using the feature selection method called simulated annealing based improved salp swarm algorithm (SA-ISSA), which is the hybridization of particle swarm optimization, opposition based learning and salp swarm algorithm. The experiments are performed with RPL-NIDDS17 dataset that contains seven types of attack instances. The performance of the proposed model is evaluated and compared with existing feature selection and classification techniques in terms of accuracy, attack detection rate (ADR), FAR and so on. The proposed ensemble classifier shows better performance with higher accuracy (96.4%), ADR (97.7%) and reduced FAR (3.6%).


Introduction
The massive development of IoT increases the physical device connections on internet. The long-time operation of huge number of devices requires low power network consumption [1]. The Ipv6 based low-power wireless personal area network (6LoWPAN) is a small IoT network that can enable the devices of IoT to operate on a low power [2]. Conventional routing protocols of IoT are not suitable for 6LoWPAN networks due to the lossy and low-power nature of 6LoWPAN networks. Therefore, RPL networks are introduced to provide efficient routing in 6LoWPAN networks [3,4]. The main advantage of these control messages is that it follows particular patterns in case of repair and creation of IoT networks. Though RPL based IoT networks give more merits in routing, it is exposed to several routing attacks due to mobility and limited battery life. These attacks include selective forwarding, sybil, blackhole, sinkhole, hello flooding, clone ID and local repair attacks [1]. Apart from these, attackers may compromise the privacy and security of users through eavesdropping and economic losses to get access to their personal data. As a result, the solution to protect IoT from various routing attacks is network intrusion detection systems [5].
NIDSs are categorized into two namely anomaly-based NIDS and signature-based NIDS (SNIDS) [4]. SNIDS matches the network traffic with stored attack signatures to identify and detect the attacks [6]. ANIDS takes the normal traffic behavior and network traffic deviation as the baseline to detect any attacks [7]. Though SNIDS brings higher accuracy and less FAR, it is unable to detect novel attacks in existing methodologies. On the other hand, ANIDS can detect novel attacks but with high FAR. The performance of ANIDS mainly depends on the effectiveness of the analysis model i.e., classifier and quality of training dataset [8]. Thus, an effective ANIDS model built using machine learning (ML) algorithms are required to detect novel attacks in IoT. These algorithms train a classifier with normal and anomaly data for attack detection in IoT network. Many literature works on IDSs are focused on different classification techniques like ML classifier [8,9], deep learning classifiers [10,11], or ensemble learning [12,13]. Of this, ensemble learning combines multiple classifiers to make better classification with reduced FPR compared to individual classifiers. The widely used algorithms in ensemble learning are majority voting, bagging and AdaBoost [14]. In this paper, a novel bioinspired voting ensemble classifier is proposed. Bio-inspired algorithms are effective in finding the best solution for classification and feature selection [15]. A recent bio-inspired algorithm inspired from the swarm behavior of salp commonly termed as SSA is adopted in this research for both feature selection and classification. The advantages of SSA are few parameters requirement, low computational cost and simple implementation [16]. The convergence speed of traditional SSA is enhanced by integrating opposition based learning (OBL) strategy at the initialization stage and named as Improved SSA (ISSA) [17]. In this paper, a hybridized approach incorporated from both ISSA and particle swarm optimization (PSO) [18] is employed to optimize the weights of the voting classifier.
The FAR and accuracy of the classifier is dependent on the quality of the dataset used for training [8]. For training purpose, publicly available datasets such as KDD99, UNSW-NB15 and NSL-KDD cup 99 are utilized by many researchers in NIDS evaluation. However, NIDS evaluation for RPL based IoT networks with existing datasets such as NSL-KDD cup 99 and KDD99 are found to unfit and obsolete [4]. Hence, RPL-NIDDS17 dataset [19] is utilized for training the proposed NIDS for RPL based IoT networks. Though this dataset is imbalanced, the classification task will misclassify the minority classes. And so, it is necessary to balance the minority and majority classes by oversampling the minority classes. Besides, many sampling methods are available to balance the datasets. Synthetic minority over-sampling technique (SMOTE) is the most effective sampling method to balance the datasets [20]. If we include all the features for training the classifier, it will affect the performance of classification in terms of complex computation. Therefore, feature selection techniques are widely used by many researchers to lessen the computational complexity in NIDSs [9,14]. In this paper, the ISSA [17] is applied for feature selection before classification. Moreover, simulated annealing approach [21] is integrated with ISSA to enhance the performance of feature selection in addition to search space exploitation [22].
In this paper, a novel feature selection and voting ensemble classifier-based NIDS is proposed for security against seven types of attacks in RPL based IoT networks. At first, the dataset is preprocessed in three steps i.e., cleaning, encoding and normalization. Though the dataset is imbalanced, a common method called SMOTE is applied for dataset balancing. Then feature selection is performed with SA-ISSA to minimize the size of balanced dataset by considering the best features from the dataset. The proposed voting classifier is the ensemble of ML-based classifiers namely decision tree (DT), logistic regression (LR), K-nearest neighbor (KNN), support vector machine (SVM) and deep learning-based classifiers namely bidirectional long short-term memory (Bi-LSTM). The weights of all the classifiers are optimized using PSO-ISSA technique to achieve higher attack detection rate (ADR). Finally, the performance of the proposed feature selection and classification approaches is evaluated and compared with existing methods. The major contribution of the proposed work is summarized as follows.
• A bio-inspired voting ensemble classifier based on SA-ISSA technique is proposed to detect seven types of attacks in the RPL based IoT networks. • A bio-inspired feature selection technique based on PSO-ISSA technique is introduced to minimize the dimensionality of dataset and to minimize the FAR. • The performance of the proposed feature selection algorithm is compared with existing feature selection algorithms such as PSO, GA, GWO, original SSA and improved SSA in terms of best fitness, average fitness, average error, standard error and worst fitness. • The performance of the proposed bio-inspired voting-based NIDS model is compared with existing bioinspired voting-based classifiers in terms of accuracy, precision, ADR, specificity, F-measure and FAR.
The remainder of this paper is arranged as follows. Section 2 details the existing works for RPL based NIDS, bio-inspired feature selection and ensemble-based classification. Section 3 explains the background of methods used in the proposed NIDS. A brief overview of the proposed NIDS is given in Section 4. The experimental results are discussed in Section 5. Finally, Section 6 concludes this paper.

Related Work
This section explores the existing NIDS for RPL based IoT including feature selection and ensemble classification processes.

Ensemble Classifier
There are many literatures that utilized ensemble classifier as IDS. Ranga and Verma [8] investigated the ML algorithms to detect DoS attacks in IoT. Datasets utilized for training the classifier are NSL-KDD, UNSW-NB15 and CIDDS-001. They have used various ensemble classifiers like random forest (RF), gradient boosted machine, AdaBoost, extremely randomized trees, extreme gradient boosting and single classifiers like multilayer perceptron and classification and regression trees (CART). The performance is evaluated in terms of different measures like accuracy, sensitivity, specificity, FPR and AUC. Similarly, Al-Abassl et al. [23] utilized an ensemble deep learning-based IDS with deep neural network and DT classifiers for IoT in an industrial control system (ICS). Shahraki et al. [24] compared different versions of boosting algorithms such as modest AdaBoost, gentle AdaBoost and real AdaBoost for NIDS evaluation. Kasongo and Sun [25] analyzed the performance of ML-based IDS using a feature selection method called XGBoost algorithm. This approach utilized several classifiers like LR, KNN, SVM, ANN and DT to analyze the UNSW-NB15 dataset.
Yang et al. [12] introduced a paralleled quadratic ensemble learning based on gradient boosting decision tree (GBDT) for IDS. The detection accuracy is higher for CICIDS17 dataset against attacks like distributed DoS (DDoS), port scan, benign, web attack traffic and infiltration. Bhati et al. [13] presented an IDS based on majority voting based ensemble of discriminant classifiers. KDDcup99 dataset is utilized for evaluation. This technique detects all types of attacks with higher accuracy. The above-mentioned literatures utilized various ensemble classifiers in IDS. The ensemble-based classifier for RPL based IoT networks are introduced by Verma and Ranga [1]. They utilized an ensemble learning-based NIDS (ELNIDS) for detecting seven types of routing attacks in RPL based IoT. It contains four different classifiers namely, RUSBoosted trees, bagged trees, boosted trees and subspace discriminant boosted trees. Different measures such as accuracy, area under curve and ROC curve are evaluated for performance assessment. RPL-NIDDS17 dataset is utilized to train the classifiers. However, they did not utilized classifier tuning method and feature selection technique.

Hybrid Feature Selection and Voting Ensemble Classifier
Some literatures combined the merits of both feature selection and voting based ensemble learning. Zhou et al. [26] proposed new IDS with ensemble learning and feature selection techniques. A hybrid approach of correlation-based feature selection and bat algorithm (CFS-BA) is employed to reduce the data dimension. Then a voting ensemble methodology is introduced with the combination of RF, c4.5 and forest by penalizing (Forest PA) algorithms. CIC-IDS2017, AWID and NSL-KDD datasets are utilized in the experimental analysis to show the effectiveness of CFS-BA ensemble method. The feature selection technique reduced the model building time of this model compared to those models with all the features. Moreover, it exhibits better performance than other approaches. Asadi et al. [27] utilized voting classifier and feature selection techniques to detect the botnet attacks. PSO algorithm is utilized in feature selection process to select effective features from the dataset. SVM, DT C4.5 and deep neural network algorithms are utilized in the voting system to detect the botnet attack. The datasets utilized in this proposed work are Bot-IoT and ISOT. The experimental results revealed the low accuracy of this approach in both datasets.
Tama et al. [28] designed a two-stage ensemble for ANIDS. The feature selection process utilized a hybrid of three optimization algorithms i.e., genetic algorithm (GA), PSO and ant colony algorithm. The datasets utilized for training the classifier are UNSW-NB15 and NSL-KDD. The two-stage ensemble consists of a Meta classifier with another Meta classifier as the base classifier. The training time of proposed model is reduced with the optimal feature selection method. The accuracy, sensitivity and precision of the proposed approach is higher than existing works. However, the FPR is higher than existing works. Kumar et al. [29] proposed a cyber-attack detection framework for internet of medical things (IoMT) based on fog-cloud architecture and ensemble learning. The ensemble learning includes NB, RF and DT classifiers. The outputs of classifiers are directed to XGBoost model in order to detect the attacks. It produced higher ADR, accuracy and reduced the FAR up to 5.59%. The above mentioned works utilized an ensemble learning-based classifier with feature selection technique for IDS. Nevertheless, there are no other works for RPL based IoT with bio-inspired hybrid feature selection and ensemble classification.

IDS in RPL based IoT
Though many works proposed various IDS for IoT networks, only few literatures proposed IDS for RPL based IoT networks. Cakir et al. [10] presented a deep-leaning-based gated recurrent unit (GRU) to detect hello flooding (HF) attacks with high accuracy rate in the RPL based IoT networks. They have compared the performance measures of proposed model with SVM and LR classifiers. The performance of this approach is measured in terms of mean square error (MSE), accuracy, root mean square error (RMSE), mean absolute error (MAE), delay, energy consumption and packet delivery rate (PDR). Though GRU based deep learning model shows higher performance, it can detect only one attack. Pu [30] designed a Gini Index-based countermeasure (GINI) to protect the RPL based networks from Sybil attack. The performance of proposed GINI countermeasure is compared with two existing algorithms like two-step detection and SecRPL. This approach showed improved performance interns detection latency and detection rate. However, it cannot detect other types of attacks.
Murali and Jamalipour [31] introduced a bio-inspired lightweight IDS based on artificial bee colony (ABC) to protect mobile RPL from Sybil attack. The performance of this model is analyzed for three types of Sybil attacks in terms of specificity, control traffic overhead, accuracy, packet delivery ratio, sensitivity and energy consumption. Though this approach gives better results, it can detect only one kind of attack. Gothawal and Nagaraj [32] proposed game models-based anomaly intrusion detection system (GAIDS) for the protection of RPL based networks. It has two interrelated formulations like evolutionary game for confirmation of attack and stochastic game for detection of attack. The detected attackers are isolated by GAIDS in order to maintain the performance of GAIDS. This method detects many RPL attacks such as local pair, rank, neighbor and DIS attack. Though the proposed approach can detect the RPL attack, it was unable to detect new types of attacks.

Salp Swarm Algorithm
SSA is a novel optimization algorithm that mimics the behavior of salp (kind of marine tunicate). The Salp's are planktonic tunicate with barrel shape and belong to the Salpidae's family. They have a unique swarm behavior called salp chain that helps them to do better movements and foraging. The salp chain behavior can be mathematically modeled for optimization problems commonly called as salp swarm algorithm. Initially, the population is divided into two groups called follower and leader. The leader group is the front of salp chain and followers are other salps. The direction of movement of leader is followed by the follower salps. The position of the salp is determined for -dimension, which is the search space of given problem. The target of salp swarm is food source searching. The position of the leader salp is updated using Equation (1).
Where, the position of leader in m th dimension is represented by x m 1 . The food source for m th dimension is F m .
ub m and lb m represents the upper and lower bound value of m th dimension. Random values are represented by k 2 , and k 3 . The balance between exploration and exploitation of SSA is maintained by a significant controlling parameter k 1 . The k 1 parameter can be calculated by using Equation (2).
Here, the current iteration is represented by k 1 and maximum number of repetitions of the algorithm is represented by L. The random values k 2 and k 3 are in the interval [0,1]. The position of followers can be updated using Equation (3).
Here, the value of i≥ 2 and the position of i th follower in m th dimension is represented by x m i . The initialization of SSA starts by randomly generating the position of populations. Then the fitness value is evaluated. The best fitness value is considered as F m , which is the goal for the followers. In each iteration, k 1 value, the position of leader and follower is updated using Equations (1), (2) and (3). All these steps except initialization will be continued until reaching the maximum number of iterations..

Opposition Based Learning
The OBL technique is utilized among many researches as an optimization technique to improve the quality of initial population through diversifying the population. This strategy searches the search space in both directions. The original solution and opposite solution are included in the directions. From both the solutions, the worst solutions are taken and the opposition is applied on the worst solution. The opposite position x of original position x ∈ [a, b] in the j-th dimension will be calculated using the Equations (4).
Here, D is the problem dimension. j= 1, 2, 3, …, D. The original position x and opposite position x will be denoted by Equations (5) and (6).
If the fitness value of opposite population f (x) is better than original position f(x), then x=x, else x=x. Thus, optimization is performed using opposite population.

Simulated Annealing
SA is inspired from the physical annealing process of metalwork. It is widely used in many optimization problems to obtain a best neighboring solution. The initial stage of SA randomly generates initial solutions (R) taken as best solutions (R best ). New neighbor solution (R*) can be generated from the current solution. Then the fitness function is calculated for new solution (R*) and compared with the best solution(R best ). The difference in the fitness function of both solutions is calculated using following Equation (7). θ = f(R*) -f(R) (7) If (θ >0), then the new neighbor (R*) is considered as the best solution (R best ) in the next iteration. Otherwise, (θ < 0)) the worse solutions are accepted with a probability as given in Equation (8).
Here, θ is difference in the fitness function of both solutions. Here, represents the fitness function, R* is a new neighbor solution and R is the current best neighbor, T is a control parameter called absolute temperature.

Particle Swarm Optimization
PSO is inspired from the swarm behavior of both bird flocking and fish schooling. The swarm is initialized by generating the velocity (v i ) and positions (p i ) in j-th dimension. PSO initializes its main loop to evaluate all particles via fitness function determination. The fitness solution is evaluated with its global best and best value. The position as well as velocity of particles can be updated using Equations (9) and (10) respectively. These steps except initialization are repeated until reaching the maximum number of iterations.
In the j-th dimension, x ij is the position of i-th particle and v ij is the i-th velocity. The current iteration is represented by t and inertia weight is represented by w. c 1 and c 2 represents the coefficients of acceleration. In jth dimension, the best previous i-th particle position is represented by x ij p(t) . In j-th dimension, the position of global best is represented by x j g(t) . The random variables r 1 and r 2 lies in the range between 0 and 1.

Classification Methods
SVM is one of the most popular supervised learning algorithms that perform both regression and classification. However, it is widely used for classification in machine learning models. It can handle simple and complex datasets with higher accuracy compared to other algorithms. In classification, SVM transforms the data points and find a hyperplane with maximum margin from multiple decision boundaries to classify the data points in ndimensional space using kernel trick concepts. The Gaussian RBF, polynomial or linear kernel can be utilized to minimize the computational complexity related to the prediction of new data points. The data vectors closer to the hyperplane called support vectors determine the position of the hyperplane.
DT is also a supervised learning technique that can be utilized to perform both regression and classification. It utilizes tree structure to classify the data based on given conditions in which root node represents the whole training dataset. Decision rules such as Boolean function are represented as branches and label of output class is represented by each leaf node. The DT algorithm starts with root node containing the whole dataset. The best attributes are selected using attribute selection measure. The decision node is then created with best attributes. This process is repeated until finding the leaf node for all branches.
KNN is also one of the simplest supervised learning techniques which are utilized for both regression and classification. This algorithm assumes the similarity between training data and new data to classify a new data. The similarity is calculated between the training data and the testing data using Euclidean distance. During classification, the data is assigned to the category for which the similarity is maximum. The number of nearest neighbors is calculated for testing data. The category of new data is selected for those data having a large number of nearest neighbors.
LR is also a supervised learning classification technique mainly utilized to predict the probability of target variable. The target variable can take only discrete values for given set of features in a classification problem. It can predict the output of a categorical dependent variable. It can classify the new dataset using discrete and continuous datasets.
Bi-LSTM is the advanced process of conventional LSTM. LSTM is one of the widely used recurrent neural networks. It is a sequence processing model that can solve the long-term dependencies. Bi-LSTM consists of two independent LSTMs. The input is given in forward direction in one LSTM and in backward direction in another LSTM. Thus, Bi-LSTM increases the amount of information available to the network by connecting the forward and backward information about the input data at every time step.

Proposed Methodology
In the proposed work, a novel bio-inspired feature selection algorithm and voting-based classifier is introduced for attack detection in RPL based IoT networks. Initially, encoding, scaling and cleaning methods are applied to preprocess the dataset. After preprocessing, the dataset is balanced with SMOTE technique. The essential features are selected from balanced dataset by using novel feature selection technique (SA-improved SSA). The selected features are then divided into training and testing data. Finally, the proposed voting-based classification algorithm (PSO-improved SSA) is applied to classify the routing attacks. Figure 1 displays the complete framework of the proposed NIDS.

Dataset Preprocessing and Balancing
The first step in data preprocessing is cleaning process to improve the quality of dataset. This step performs removing duplicates, handling missing values and encoding. Machines can read only numeric data but the dataset consists of both numeric and nominal data. Thus, encoding is utilized to convert the characters in the dataset to numeric values. The last step in preprocessing is data scaling performed to speed up the process. The features in the dataset highly vary in range with magnitude and units. It is necessary to keep all the data in one format and hence scaling can normalize the data within the range between 0 and 1.
The RPL-NIDDS17 dataset is consisted of large number of normal instances compared to the number of attack instances. That is, the routing attack becomes minority class and the normal traffic becomes majority class. This type of data is known as imbalanced data. This makes the classifier to be dominated with normal class which in turn reduces the possibilities of attack detection. Classification with these kinds of imbalanced data will bias in favor of the normal class. Hence, the classification accuracy will be poor for attack class compared to normal class. To overcome this issue, many techniques are suggested to balance the dataset. One of the recent algorithms is SMOTE, which is widely utilized by many researchers. It can over-sample the minority classes by duplicating randomly selected data in order to balance the dataset. A subset of data is taken as an example from the attack class where SMOTE finds the k-nearest neighbors. New instances of attack class are synthesized between the nearest neighbor and instances of attack class. These synthetic instances are then added with the original dataset. The new oversampled dataset is used to train the classification models.

Feature selection
The presence of unwanted and redundant data consumes higher computation time and degrades the performance of classifiers. To overcome these issues, optimization algorithms pick only the best features from all kind of features with less computational effort in a reasonable time. This section details the proposed SAimproved SSA employed for feature selection. The selected features are divided to be used for training and testing. The training data is directed as input to the voting classifier.

A) Improved SSA (ISSA)
The improved SSA is the advanced method of traditional SSA. A subset of population with lowest fitness is selected from population of SSA to apply opposition instead of opposing all the population. This is given in Equation (11). . In fitness calculation, the preprocessed dataset is divided into training and testing sets using k-fold cross-validation. KNN classifier is trained with training data and the classification is performed using testing data. Accuracy is calculated for the KNN classifier to obtain error rate of the classifier. This error rate is saved as the cost function of fitness calculation. Based on this fitness value, the position is updated with best solutions from (x m i ∪ x m ĩ ). The best fitness value is saved as f j position which act as the target of followers. The value of k 1 is updated with Equation (2). Moreover, the position of leader and follower is updated using Equations (1) and (3). These processes except initialization and opposition of population are continued until the maximum iteration condition is reached. The final best solutions (x j fitness ) are taken as the selected features. This strategy can improve the performance of traditional SSA.

B) SA-improved SSA
The final solutions (x j fitness ) of ISSA are applied to SA algorithm to enhance the solutions of ISSA. In this manner, the SA approach acts as an internal local search agent for ISSA algorithm. Initially, SA algorithm sets the final solution (x j fitness ) of ISSA algorithm as the current best solution (x j best ). Then, mutation is

Voting Classifier based on PSO-improved SSA
After feature selection, the data partitioned for training purpose is applied to train the classifier. In the proposed work, a voting classifier based on PSO-improved SSA is utilized to classify the network traffic. The proposed model is the combination of five different ML classifiers like SVM, KNN, LR, DT and Bi-LSTM. The main goal of integrating PSO-improved SSA with voting classifier is to optimize the weights of each classifier.
After the initialization of ISSA, the fitness value is measured for its initial solutions. During fitness calculation, the weights of the base classifier are utilized to predict the outputs of test data. The error rate is calculated from the prediction accuracy which is set as objective function in fitness value calculation and weight optimization. The best solutions (x j fitness ) are selected based on the fitness values. The value of k 1 is updated using Equation (2). Based on the velocity of PSO as shown in Equation (10), the velocity of follower is calculated as given in Equation (12).
v j (t+1) = w v j (t) +k 1 (x j fitnessf j position ) (12) Here, x j fitness is the best solutions selected based on the fitness value. f j position represents the best fitness value which act as the target for followers. Then the leader position is updated using Equation (1). Based on Equations (9) and (3), the position of follower is updated as shown in Equation (13).
These processes except initialization and opposition are continued until the maximum iteration condition is obtained. Thus, the weights of classifiers can be effectively optimized by PSO-improved SSA technique. The Algorithm 2 is the pseudocode for PSO-ISSA based weight optimization for voting classifier. The optimized weights of the five classifiers are utilized by the voting classifier to predict the output of test data. The accuracy of each classifier is calculated with the predicted labels and text labels of each classifier. Then the predicted labels and the accuracy of each classifier are given to the voting classifier to generate final predicted labels. The voting classifier generates predicted labels according to the maximum accuracy of all five classifiers.

Figure 2. Architecture of proposed NIDS
The architecture of the proposed NIDS is shown in Figure 2. The architecture of the proposed work contains three units i.e., data collection unit, analysis unit and detection unit. The data collection unit consists of sensor events/traffic repository and sniffer. The sniffer is utilized to monitor all the packet transmissions within the 6LoWPAN network. It is directly connected to sensor events/ traffic collection repository that stores all the packet transmissions and sniffed sensor events in the form of packet traces. From the collected packet traces, the useful features can be extracted by using feature extraction process. The analysis unit is also named as analysis engine, which is the main part of the architecture. It has trained ensemble models that classify the traffic instances. A voting system utilizes the predictions to classify traffic into normal or attack based on the majority voting. The detection unit consists of alarm/attack notification module which receives the commands from analysis unit for raising alarm if an attack is detected. Besides, the analysis engine monitors the traffic regularly and sends information to the user interface to store all the information in the form of log reports. This paper is mainly focused on the performance improvement of analysis engine.

Experiment Results and Discussion
The experiments are performed on an HP laptop with Windows 10 operating system, Intel Core i3 processor having 2.3 GHz frequency, 4GB of RAM. The software used for the implementation and evaluation of the proposed framework is MATLAB R2020a. In this section, the performance of the proposed feature selection and classifier techniques is evaluated and compared with existing algorithms.

Dataset
RPL-NIDDS17 dataset is utilized to train the ensemble classifier in the proposed work. NetSim tool is used to create this synthetic dataset. NetSim is widely utilized for different network environment simulations i.e., FANET, MANET, IoT and VANET. The IoT network includes gateway, sensor nodes, wired node and router to create the dataset. All the information is saved in a separate CSV file for every attack. Finally, all the CSV files are combined to form single dataset. This dataset consists of 20 attributes with features of time, basic and flow type and two additional attributes for labelling. Moreover, it is comprised of one normal traffic pattern with seven routing attack patterns such as Sybil, blackhole, sinkhole, clone ID, local repair attacks, hello flooding and selective forwarding. In this dataset, the number of routing attack instances is 33,337 and the number of normal instances is 431,981. Thus, the dataset is imbalanced.

Table 1. Dataset balancing using SMOTE
The full description of the RPL-NIDDS17 dataset is shown in Table 1. It shows that the number of normal instances utilized for classification is 1, 33,348. The number of attack instances utilized for classification is 33,337. This demonstrates that the number of instances in attack class is very less compared to the normal class. Thus, SMOTE based oversampling is done in the attack class to balance the dataset. The nearest neighbor parameter is set as = 4 on the SMOTE algorithm to oversample the number of instances in the attack class equal to the normal class. After SMOTE based oversampling, the number of attack instances is increased to 1,33,348. That is, 40% of features are increased in the attack class (normal class = 4 * attack class). Table 2 shows the performance metrics of the proposed NIDS with and without SMOTE algorithm. In terms of accuracy, the proposed model shows higher accuracy of 96.4%, which is very less for the model without SMOTE. Moreover, precision, recall, F-measure and specificity of the proposed model with SMOTE algorithm are higher than the model without SMOTE. The error rate is very less for the model with SMOTE. Thus, the performance of the proposed NIDS is improved significantly with the integration of SMOTE.

Feature Selection
The dataset balanced through SMOTE technique is then applied for feature selection process via SA-ISSA. Initial temperature, T 0.1

Number of search agents 20
The proposed algorithm for feature selection (SA-ISSA) is compared with other feature selection algorithms such as traditional SSA, OBL-SSA (ISSA), PSO, GA and GWO to show its performance in NIDS. Table 3 shows the values of optimization parameters assigned in the proposed and other optimization algorithms for feature selection experiments. The constant value is set for number of search (s= 20), maximum iterations 50 and current iteration (l=2) for the proposed and existing algorithms.  Table 4 displays the performance evaluation of the proposed feature selection method with other feature selection methods. Other feature selection algorithms employed in the comparison are GA, PSO, GWO, traditional SSA and OBL-SSA (ISSA). Compared with other optimization algorithms, the proposed SAimproved SSA algorithm achieved minimum error in feature selection. This proves that the proposed algorithm selects proper features from the full dataset. It also shows that the lowest fitness value can be achieved by the proposed algorithm which is lower than other algorithms. Moreover, it can be observed that the best fitness value can be found by the proposed feature selection algorithm. Though the proposed algorithm has lowest standard deviation, it cannot find the worst fitness. KNN classifier is utilized in the fitness calculation with value of k=5.

Evaluation Metrics for Classification
The performance results of the proposed work have been measured with four basic classification metrics i.e., TN (true negatives), FN (false negatives), TP (true positives) and FP (false positives). The performance measures utilized in this paper include accuracy, precision, detection rate, specificity, F-measure, FPR, FNR and FAR.
• TP: It is the count of correctly detected attack instances.
• TN: It is the count of correctly detected normal instances.
• FP: It is the count of incorrectly detected attack instances.
• FN: It is the count of incorrectly detected normal instances.
• Accuracy: It measures the capability of the model to predict all the instances correctly as denoted in Equation (14). It is the count of correctly detected instances over the total detected in the test data.
• Precision: It is the count of correctly detected attack instances over the total attack instances in test data and it is computed as denoted by Equation (15).
• Attack Detection rate (ADR): It is also called as sensitivity or recall. It calculates the capability of the attack detection as denoted in Equation (16). It is the number of correctly detected attack instances over classified attack instances.
• Specificity: It is called as specificity or selectivity. It is the number of correctly detected normal instances over classified normal instances. It calculates the capability of the normal instance detection as denoted in Equation (17).
• F-measure: It is defined as the harmonic mean of ADR and Precision. It is also known as F-score and it is calculated as shown in Equation (18).
• FAR: It is the average of false negative rate (FNR) and false positive rate (FPR) computed as denoted in Equation (19).
Here, FPR and FNR are calculated using Equations (20) and (21) • Kappa: It can be measured as given in Equation (23).
Here, RA is random accuracy can be calculated as denoted in Equation (24).

Classification with PSO-ISSA
The proposed voting classifier is based on PSO-ISSA utilized to optimize the weights of the classifiers. After weight optimization, the predicted outputs are taken by the voting classifier. Based on maximum voting, it classifies the attacks in the RPL based IDS. To show the effectiveness of the proposed PSO-ISSA based voting classifier, comparison is performed with various optimization techniques. Comparison results are taken with various algorithms such as PSO, GA, GWO, traditional SSA and ISSA. The performance of the proposed voting classifier algorithm (PSO-ISSA) is compared with other voting classifier algorithms such as traditional SSA, OBL-SSA (ISSA), PSO, GA and GWO to prove the effectiveness of proposed voting classifier. Table 5 shows the values of optimization parameters assigned in the proposed and other optimization algorithms for feature selection experiments. The constant value is set for the proposed and other algorithms such as the number of search s= 20, maximum iterations = 20, current iteration l=2. Figure 3 shows the convergence curve comparison of proposed voting classifier algorithm (PSO-ISSA) with other voting algorithms. From this, it can be observed that the convergence speed of proposed PSO-ISSA algorithm is higher than other algorithms such as PSO, GA, GWO, traditional SSA and OBL-SSA (ISSA). The convergence rate of original SSA is improved with the integration of PSO and OBL strategy. The proposed PSO-ISSA based voting classifier is faster than other voting classifiers and gives better-optimized weights in a lesser time. Hence, the convergence graph proves that the proposed PSO-ISSA algorithm is more suitable for classification in NIDS.  instances are utilized for testing the voting classifier. All the classifiers except PSO based classifier accuracy is above 90%. In these classifiers, the proposed PSO-ISSA based voting classifier has higher accuracy of 96.4%. The voting classifier predicts the test data based on the maximum votes of ensemble classifiers so that it outperforms other classifiers.  Table 6 shows the comparison results of voting classifier with various algorithms in terms of precision, ADR, specificity, F-measure, FAR, Mathew correlation coefficient (MCC) and Kappa. The precision rate, specificity and F-measure of all the voting classifiers except PSO based voting classifier is above 90%. However, the proposed PSO-ISSA based voting classifier achieved a higher value with 95.26% accuracy, 95.14% specificity and 96.45% F-measure. The attack detection rate of GWO and PSO based voting classifiers are less than 90%. The proposed classifier attains 97.67% attack detection rate which is higher than other voting classifiers. Moreover, MCC and Kappa values of all the classifiers show that the proposed classifier has better performance than other methods. Besides, the FAR of proposed IDS with PSO-ISSA based voting classifier is 3.6% which is very lesser than others. Thus, the PSO-ISSA based voting classifier outperforms other classifiers for the IDS in RPL based IoT networks. Figure 5 shows the comparison for voting classifier with proposed and other bio-inspired algorithms in terms of ROC curve. It shows that the voting system with proposed algorithm outperforms other algorithms. To prove the effectiveness of the proposed voting classifier, it is compared with other ensemble learning methods. Table 7 shows the comparison results of proposed voting classifier and other ensemble classifiers in terms of accuracy, ADR and FAR. The proposed voting classifier outperforms other ensemble techniques like majority voting, AdaBoost and bagging. From these results, it can be concluded that proposed NIDS is effective for seven types of attacks in the RPL based IoT networks.

Conclusion
In this paper, a novel NIDS is proposed to combine the merits of both voting ensemble classifier and feature selection. The proposed NIDS can detect Sybil, blackhole, sinkhole, selective forwarding, local repair and hello flooding attacks. Two types of optimization are utilized in this paper. First, SA-ISSA technique is utilized to select the optimal best features to reduce the dimensionality and improve the computational complexity. Then, PSO-ISSA algorithm is utilized in the ensemble classifier to optimize the weights of base classifier. SVM, LR, DT, KNN and Bi-LSTM are the base classifiers utilized in the proposed voting ensemble classifier. RPL-NIDDS17 dataset is utilized to train the proposed NIDS model. The performance of the proposed approach is calculated and compared with existing algorithms for both feature selection and classification in terms of ADR, accuracy, F-measure, FAR and so on. From the experimental results, it can be known that the proposed voting ensemble classifier based on PSO-ISSA technique with SA-ISSA shows the best performance. Thus, the proposed NIDS is effective to detect the attacks in RPL based IoT networks.