Expert Systems With Applications 241 (2024) 122544

Contents lists available at ScienceDirect

Expert Systems With Applications

journal homepage: [Link]/locate/eswa

DDoS attack prediction using a honey badger optimization algorithm based

feature selection and Bi-LSTM in cloud environment
O. Pandithurai a, *, C. Venkataiah b, Shrikant Tiwari c, N. Ramanjaneyulu b
a
Rajalakshmi Institute of Technology, Chembarambakkam, Tamil Nadu 600124, India
b
Rajeev Gandhi Memorial College of Engineering and Technology, Nandyala, Andhra Pradesh 518501, India
c
Department of Computer Science and Engineering, Galgotias University, Plot No. 2, Sector 17A, Greater Noida, Uttar Pradesh 203201, India

A R T I C L E I N F O A B S T R A C T

Keywords: Users are provided access to on-demand services through the Internet with the assist of cloud computing. Ser­
DDoS attack detection vices can be accessed at any time and from any place. Although delivering useful services, this model remains
Bayesian vulnerable to security problems. The accessibility of cloud resources is affected by Distributed Denial of Service
Z-score normalization
(DDoS) attacks, which also present security risks for cloud computing. Unable to access data from cloud services,
Honey Badger Optimization (HBO) Algorithm
Bi-LSTM
various advanced risks such as malware injection, packaging as well as virtual machine escapes and DDoS are
Cloud environment developed by the attackers. Recently, numerous models were designed for detecting attacks in the cloud, but still
they lack certain reasons. To alleviate these concerns, this proposed method presented a DDoS attack prediction
using a honey badger optimization algorithm based on feature selection and Bi-LSTM in a cloud environment.
Input features are gathered from the DDoS attack dataset as the first step in the process. Following this, input
features are transmitted into preprocessing steps, including Bayesian and Z-Score normalization. Preprocessed
data is sent into the feature selection phase that employs Honey Badger Optimization (HBO). In this case, the
features are chosen by decreasing their MSE to obtain the best feature. Then, optimal features are fed into the Bi-
directional Long Short term Memory (Bi-LSTM) classifier for predicting DDoS attacks. The proposed model is also
examined using certain existing approaches, including LSTM, DNN, DBN and ANN. When the performance was
examined using the existing method, the Bi-LSTM model achieved 97% accuracy, 95% sensitivity, 90% speci­
ficity, 3% error, 94% precision and so on. The proposed model is effective at finding DDoS in a cloud
environment.

1. Introduction However, various security concerns make this technology less useful.
There are specific techniques for detecting attacks like acquiring
In the world, the utilization of cloud computing is expanding rapidly someone’s credentials, including phishing, deception, denial of service
across various industries. A method called “cloud computing” enables (DoS), finding vulnerabilities, record-keeping, etc. The availability of
clients to access a range of services on demand with minimum partici­ host server or system asset administrations is the target of a distributed
pation from the cloud distributor or the user of the cloud. Government and well-coordinated attack known as a DDoS attack (Divyasree and
agencies and the IT sector have moved to cloud computing because it Selvamani, 2021). It is challenging to detect due to its various mani­
doesn’t necessitate significant financial outlays for infrastructure crea­ festations in various situations.
tion and management (Sambangi and Gondi, 2021). Could computing Attackers deploy a DDoS assault to prevent genuine customers from
have three different service models, Infrastructure as a Service (IaaS), utilizing the services. By sending the target server numerous requests,
Platform as a Service (PaaS) and Software as a Service (SaaS). Due to the the attackers using this attack place an extremely heavy demand on it.
challenges involved, these can fascinate attackers. Access for consumers Since the attackers made many requests, the target server’s bandwidth
on demand is made possible due to cloud computing. Due to this benefit, became fully utilized, preventing real people from accessing them. The
industries move their databases to the cloud (Agarwal et al., 2021). DDoS attack utilizes botnets to employ brute force on the network’s

* Corresponding author.
E-mail addresses: pandics@[Link] (O. Pandithurai), [Link]@[Link] (C. Venkataiah), shrikanttiwari15@[Link] (S. Tiwari), rams_ganguly@
[Link] (N. Ramanjaneyulu).

[Link]
Received 25 August 2023; Received in revised form 13 October 2023; Accepted 9 November 2023
Available online 10 November 2023
0957-4174/© 2023 Elsevier Ltd. All rights reserved.
O. Pandithurai et al. Expert Systems With Applications 241 (2024) 122544

devices by infecting them through malware (Velliangiri and Premalatha, Kachavimath and Narayan (2021) had designed a identifying DDoS
2019). Based on target and behavior, DDoS attacks may be divided into attacks that may be utilized with a high detection rate involves taking
three primary groups. These include bandwidth, traffic and application note of different sequencing patterns from the traffic that had been
attacks (Karthick et al., 2017). Attackers that employ traffic-based gathered and applying deep learning to analyze the high-level features.
methods attack their target server with a significant number of TCP or Evaluations of the designed method indicate that the long short-term
UDP packets that negatively affect the target server’s general efficiency. memory (LSTM) technique operates the convolutional neural network
For bandwidth harm, attackers transmit a lot of anonymously data ­ (CNN) as well as multilayer perceptron (MLP) in terms of effectiveness
leading to congestion by taking additional bandwidth. It is challenging and high precision. However, one of the challenges relates to the actual
to prevent the application attack that attackers utilize to target a time detection of DDoS attacks.
particular system (Hajimirzaei and Navimipour, 2019). Attacking ma­ Bhardwaj et al. (2020) had developed an innovative architecture by
chine learning based prediction algorithms are employed for detecting combining a Deep Neural Network (DNN), which utilizes a stacking
DDoS. In cloud computing, intrusion detection utilizes machine sparse AutoEncoder (AE) for feature learning to differentiate among
learning. Researchers provided numerous methods for creating DDoS attack traffic and benign network activity. By adjusting the pa­
intrusion-detection systems in the cloud environment (Fathima et al., rameters using properly developed methodologies, AE and DNN were
2022). DDoS attacks are identified through self-adapting evolutionary made to detect DDoS attacks as effectively as possible. The suggestions
extreme learning. made in this article result in a smaller network that avoids overfitting,
Recently, a novel machine learning method called Extreme Learning minimal reconstruction error, and protection against exploding and
Machine (ELM) was introduced as an answer to these problems (Krish­ vanishing gradients. But cloud computing was vulnerable to different
naveni et al., 2021). ELM has only one hidden layer in addition to input cyber-attacks and security challenges specific to the cloud model
and output layers and is a single hidden layer feedforward neural because of its distributed and dynamic nature and the flaws in virtual­
network (SLFN). The hidden layer biases and the weights used to con­ ized technology.
nect the input and hidden layers are both random values. The intrusion Phan and Park (2019) had developed a DDoS mitigation within an
detection in a cloud computing environment is performed through SDN-based cloud. This method comprises three different processes. The
various ML and DL techniques such as the KNN classifier, Navies Bayes initial process of this method was to improve traffic classification. Thus,
classifier, ANN classifier (Shamshirband et al., 2020), SVM classifier this method introduces a hybrid machine learning model developed
(Fontaine et al., 2020) and CNN classifier (Jaber and Rehman, 2020). with the self-organizing map along with support vector machine tech­
Moreover, neural networks and decision trees are applied for detecting niques. The second process was to increase the rate and speed of attack
intrusion in cloud based web applications using machine learning. Also, detection, they suggest An Improved History-Based IP Filtering method
numerous Evolutionary Algorithms (EAs) are employed for detecting (eHIPF). A hybrid machine learning modelling with the eHIPF method
attacks. Several EAs are, Moth-flame Optimization Algorithm (Shehab were combined during the third stage to provide a DDoS assault defense
et al., 2020), Bird Swarm Algorithm (Varol Altay and Alatas, 2020), for the SDN-based cloud platform. However, DDoS attacks seriously
Random Forest Algorithm (Chen et al., 2021), Elephant Herding Opti­ damage every network system, not solely in a traditional cloud network
mization (Elhosseini et al., 2019), Whale Optimization Algorithm (Rana as well as within an SDN-based cloud setting.
et al., 2020), Many Objective Particle Swarm Optimization (Cui et al., Prathyusha and Kannayaram (2021) had developed the application
2020) etc. Few of these methods have flaws. FA’s drawbacks include by recognizing the most likely characteristics of the attack using DDoS
trapping into several local optimums and not remembering any histor­ attack mitigation in cloud computing with artificial immune systems.
ical information. Due to its complexity, RF demands extra time for This technology was capable of identifying threats and responding in a
training and decision-making. MFOA easily reaches local optima. This manner analogous to how individual natural defenses function. This was
study proposed a DDoS attack prediction utilizing an efficient natural accomplished by modelling various immune responses and creating an
bio inspired algorithm based feature selection with Bi-LSTM in a cloud intrusion detection system. The challenge of identifying DDoS attacks
environment to overcome the aforementioned difficulties. The main becomes extremely difficult if related to cloud computing due to the
contribution of the research work is specified as follows. level of computation that needs to be handled.
Abdullayeva (2022) had introduced the detection system through
• A DDoS attack prediction through honey badger optimization algo­ the use of data clustering for distributed denial of service attacks in the
rithm based feature selection and Bi-LSTM in a cloud environment. cloud for e-government. To improve the effectiveness of data clustering,
• Bayesian and Z-Score normalization is employed for preprocessing in the method makes use of a feature selection strategy. The PCA technique
order to improve the missing value replacement. had been applied in order to enable feature selection. The (Density-
• Honey badger optimization is utilized for optimal features by mini­ Based Spatial Clustering Of Applications With Noise) DBSCAN,
mizing the MSE value. agglomerative clustering and k-means techniques were used for
• A Bi-Directional Long Short-Term Memory is applied to detect DDoS analyzing the dataset generated by selecting features. In the study, the
attacks in cloud environments effectively. techniques that obtained better clustering results across all measures
utilized fewer features compared to results produced by methods that
The following sections of this paper are organized as follows: Existing used all the variables. But prevention and avoidance of network in­
papers relevant to the proposed DDoS attack detection in the cloud are trusions was one of the primary crucial security challenges in cloud
illustrated in section 2. Brief explanations of the proposed DDoS attack computing.
detection model utilizing Bi-LSTM are provided in Section 3. Section 4 David and Thomas (2020) had introduced source IP, destination IP,
provides illustrations of the findings obtained and the performance destination port and protocol were network traffic metrics used to
metrics values achieved in this proposed work. Section 5 concludes the identify DDoS attacks. The entropy related to traffic features is handled
entire study. using time series models to avoid prediction errors. This study will
employ a nonlinear model better suited for long-range non-stationary
2. Related work data sets, including network traffic, called the GARCH model (Gener­
alized ARMA model) to identify efficiency better. Therefore, it is crucial
In the cloud computing environment, various researches developed for identifying DDoS attacks. It might be challenging to differentiate
numerous detection and prevention models for Dos/DDoS attacks. These DDoS traffic from regular network traffic.
researches are performed through different cloud machine learning and Batchu and Seetha (2022) had introduced an innovative, effective
deep learning strategies. Some of the articles are reviewed as follows. model to handle the problems in DDOS attack detection. Data

2
O. Pandithurai et al. Expert Systems With Applications 241 (2024) 122544

preparation was first carried out to enhance the training data’s quality. time and stacking in local optima. This approach is used to choose the
Following this, minority class samples were produced using the adaptive best feature subset, increasing accuracy and reducing feature subset
synthetic oversampling technique in order to correct the class differ­ length. Also, apply an effective deep learning strategy to detect attacks
ence. Then, using five basic classifiers and recursive feature elimination, in the cloud environment.
the features were chosen by embedding the SHAP feature importance. In Fig. 1, the proposed model consists of three modules: data pre­
The most contributed characteristics were also determined by tuning the processing, feature selection through honey badger optimization algo­
hyperparameter of these classifiers. Additionally, local and global ex­ rithm and attack detection using Bi-LSTM. At first, input features are
planations for retrieved features were supplied to promote openness. But collected from the DDoS attack dataset. After that, input features were
classification had become more challenging due to the significant preprocessed using Bayesian and Z-score normalization techniques.
growth in traffic data’s number, features and frequency. Then, the optimal features are selected utilizing HBO. The optimization
According to the aforementioned articles, it was highly challenging is applied for selecting the optimal features with minimum MSE. The
to identify DDoS attacks in actual time. This predicted approaches utilize optimal features are then sent into the classification step, which includes
substantially diverse aspects to evaluate the data and identify various the Bi-LSTM classifier for predicting DDoS attacks. The categorization
types of activities from the collected traffic. The evaluation of statistical method is then used to execute DDoS attack detection, with the specified
data using machine learning techniques provides an additional method features as input. The proposed DDoS attack prediction model can detect
for evaluating the performance of DDoS attacks. These sorting methods whether it is an attack or not. The process comprised in the proposed
can be challenging and have a reduced detection rate because of irrel­ model is described as follows.
evant features, lack of transparency, and an imbalance in class. In order
to mitigate these concerns, this proposed model introduced a DoS attack 3.1. Data preprocessing
prediction using an effective natural bio-inspired algorithm based
feature selection and Bi-LSTM in a cloud environment. The considered dataset includes different features like source and
destination bytes, host, flag, type of protocol, number of failed login,
3. Proposed methodology wrong fragment, service, duration, urgent and so on. The corresponding
features have various formats, including numeric, binary, and nominal.
Cloud computing services offer a diverse resource pool for managing Because handling diverse data formats is challenging, the raw input
a huge volume of data. Cloud services are commonly used as a secure or features may decrease the detection accuracy. In order to mitigate this,
public data forum, depending on demand, and the increase in utilization the proposed model applies normalization and removes class imbalance.
caused security concerns. Hacking constitutes a risk to cloud-based data,
but their most common attack against cloud data is a DDoS attack. 3.1.1. Missing value imputation using Bayesian approach
Various attack detection systems have been developed to detect these These Bayesian approaches often include imputing left-censored
attacks, but these approaches cannot attain better findings. Moreover, data utilizing a data augmentation (DA) method as well as deriving
the main problems with the current algorithms are excessive calculation implications like the calculating of general statistics or regression co

Fig. 1. Structure for the proposed DDoS attack prediction system.

3
O. Pandithurai et al. Expert Systems With Applications 241 (2024) 122544

efficients utilizing prediction within the Bayesian approach. This sources or follows a honeyguide bird. Both situations can be referred to
Bayesian technique is then employed to impute the *, unknown values in as “honey mode,” having the first being referred to as “digging mode.” It
X
̃ that were first replaced with zeros (Jun et al., 2019). The fundamental rotates its victim during the previous phase to identify the best location
assumption remains that the distribution p(̃ xt ) generates a single for digging and capturing. It shifts to the new mode once it has roughly
observation ̃xt with each timeframe. As a result, a distribution p(z) identified its target. During its latest form, a honey badger employs a
creates the latent variable z. honeyguide bird as a guide to locate a beehive properly. This HBA al­
The following is a representation of the joint distribution, p(̃
xt , z): gorithm’s computational framework is described in the following
( ) section.
p ̃xt , z = p(z)p(̃xt |z) (1) Although it includes an exploration and extraction phase, HAB is a
global optimization technique. The following describes the mathemat­
Samples obtained from the prior, z distribution and probability ical steps for the proposed HBA. The population of potential solutions in
p(̃
xt |z), distribution of ̃
xt provided z may be utilized to create the joint HAB is shown above.
distribution in Equation (1). The previous value p(z) is frequently cho­ ⎡
x11 x12 x13 ⋯ x1D
⎤
sen to represent a multi-dimensional typical distribution having a zero- ⎢ x21 x22 x23 … x2D ⎥
Population of candidate solutions = ⎢ ⎥ (4)
mean and unit variance, while its probability p(̃ xt |z) may be calculated ⎣… … … … …⎦
through a generating network. xn1 xn2 xn3 ⋯ xnD

From equation (4), Ith position of the honey badger is represented as,
3.1.2. Normalization
xi = [x1i , x2i , ⋯xDi ].
The categorical data are transformed into numerical data during this
Step 1: Initialization phase
normalisation. Z-score normalization is the process of normalizing each
Set the population number with N as well as the honey badgers’
value within a data set such that the average for each value is 0 as well as
places to correspond by equation (5).
its standard deviation is 1 (Kappal, 2019).
Concretely, let xi (i = 1, 2, ⋯, D) denotes the ith component of each xi = lbi + r1 × (ubi − lbi ) (5)
feature vector x ∈ RD . Find the mean and standard deviation for these D
According to equation (5), r1 is a chance number between 0 and 1.
elements initially.
Where lbi and ubi are the lower and upper limits of the search domain,
√̅̅̅̅ D
1 ∑D
1∑ respectively, and xi is the ith honey badger location referring to a po­
μx = xi , σx = (xi − μx )2 (2) tential solution in a population of N.
D i=1 D i=1
Step 2: Defining intensity (I)
Z-score normalization is then applied as, Intensity is related to the concentration strength of the prey and the
x − μx 1 distance among it and ith honey badger. The inverse square law, which is
x(ZN) = ZN(x) = ∈ RD (3) depicted in Fig. 2 as well as stated in Equation (6), indicates that the
σx
smell of the victim is strong, its movement will be rapid and vice versa. Ii
Where 1 = [1, 1, .., 1]T is a D-dimensional vector with its components represents the strength of the victim’s fragrance.
being all ones. The original feature vectors are first projected via z-score
normalization along the 1 vector to a hyperplane that contains the origin S
Ii = r 2 × (6)
and is perpendicular to 1. 4πd2i

S = (xi − xi+1 )2 (7)

3.2. Optimal feature selection through honey badger optimization
di = xprey − xi (8)
After preprocessing, optimal features are selected through a honey
badger optimization. The process of selecting the relevant features for an S stands for source or concentration strength, di denotes the sepa­
intrusion detection system involves eliminating the most redundant and ration between the ith badger and the prey in equation (8).
unnecessary features. The selection of features can reduce model Step 3: Update density factor
complexity and computation. In this proposed model, Honey Badger A density factor (α) that regulates time-varying randomness helps
Optimization (HBO) algorithm is adopted to eliminate the previous al­ sure that moving from exploring to exploiting is simple. The following
gorithms’ concerns. The main problems with the previous algorithms equation should be updated to reflect decreasing factor α that gets
are excessive calculation time and stacking in local optima. This smaller over time when iterations are performed to reduce randomiza­
approach is used to choose the best feature subset, increasing accuracy tion (9).
and reducing feature subset length. The process of the HBO algorithm is − t
provided as follows. α = C × exp( ) (9)
tmax
i Overview of the honey badger optimization
The courageous honey badger is a mammal with fluffy black and From equation (9), C represents the constant ≥ 1.
white fur that lives in semi-deserts and rainforests in Africa, Southwest Step 4: Getting away from the local optimum
Asia, and the Indian subcontinent. A honey badger finds its meal by Following that, three processes are employed to exit localized opti­
moving slowly and consistently while using its ability to detect mice. mum zones. In this case, the proposed method requires utilizing a flag F
Through excavating, it begins to locate the prey’s general location that adjusts searching direction to provide the agent with a high chance
before grabbing it. It can make up to fifty holes in a day in an area of at of extensively exploring the search space.
least forty kilometres in an effort to find food. Although honey badgers Step 5: Updating the agents’ positions
enjoy honey, it is poor for locating beehives. However, honey-guide, a As previously mentioned, the “digging phase” and the “honey phase”
bird, can find the hives but is unable to obtain honey. These phenomena are the two stages of the HBA position updating procedure. A better
result in a relationship between the two, in which the bird directs the explanation is provided below.
badger to beehives and uses its long claws to assist in opening hives Digging Phase: The cardioid structure illustrated by equation (10)
before both reap the benefits of their cooperative efforts (Hashim et al., corresponds to the digging habit of a honey badger.
2022). The Honey Badger Algorithm (HBA) mimics honey badger
foraging behavior. The honey badger either smells or digs to find food

4
O. Pandithurai et al. Expert Systems With Applications 241 (2024) 122544

Fig. 2. Square-inverse law, I indicates the intensity of the smell, S the position of the victim and r for a random number from 0 to 1.

xnew = xprey + F × β × I × xprey + F × r3 × α × di × |cos(2πr4 ) × [1 Step 2: Fitness Function

To obtain the optimal features through minimizing the Mean Square
− cos(2πr5 )]| (10)
Error (MSE) value. The following equation shows the fitness function of
The honey badger having the capacity to locate food due to indicated the process of election.
as β ≥ 1 and the location of the victim, xprey is given from equation (10),
Fitness = min{MSE} (14)
and the distance between prey is given as di and the ith honey badger is
given in equation (5). The three different random numbers between
1 ∑ N
0 and 1 are r2 , r4 andr5 . The following equation (11) can be used to MSE = = (fi − yi )2 (15)
N
determine F, which acts as the flag that changes the direction of the i=1

search. Where N is the number of data points, fi the value returned by the
{
1if r6 ≤ 0.5 model and yi the actual value for data point i.
F= (11) Step 3: Update the function
− 1else
The MSE value is associated with getting updated in each iteration to
From equation (11), r6 is a number chosen at random from 0 to 1. locate the best features within the characteristics.
This honey badger’s primary source of food is smell intensity I the prey is Step 4: Termination
xprey , the difference among badgers as well as Prey di with the time- Once the ideal choice has been identified, the process is finished.
dependent searching impact factor α during the digging stage. Addi­ Through this process, the optimal features in the intrusion dataset
tionally, a badger may experience any disruption F while digging, are elected by minimizing its MSE value. Moreover, these features
enabling it to locate its prey in even better conditions. consist of more information about the intrusions, which is taken as input
Honey Phase: A honey badger tracking a honey lead bird to hives for the detection process. Pseudocode for optimal feature selection using
may be simulated using equation (12). HBO is given in algorithm 1.
xnew = xprey + F × r7 × α × di (12) Algorithm 1: Pseudocode for optimal feature selection using HBO

Input: Number of features (x1 , x2 , x3 , ⋯xn )

In equation (12), the terms xnew and xprey indicate the honey badger’s Begin
new position with the prey’s location, F and α were derived from Initialize (x1 , x2 , x3 , ⋯xn )
equations (11) and (9), respectively. By the basis of equation (11), this While t ≤ tmax do
Update the decreasing factor α using (9)
may be shown that honey badger seeks regions near its prey places that
for i = 1 to N do
fluctuate over time (α). A honey badger might also discover disturbance Calculate the intensity Ii using Equation (7)
F. if r < 0.5 then
Because of its exploration and exploitation phases, HBA is logically Update the position xnew using Equation (10)
considered to be a global optimization technique. The minimum number else
Update the position xnew using Equation (12)
of operators that need to be changed is necessary to make the HBA
end if
simple to operate and understand. Note conscious that the proposed Evaluate new position and assign to fnew
method has a computational price for O(tmax ND), when N indicates the if fnew ≤ fi then
population number or size of solutions tmax stands for the maximum Set xi = xnew and fi = fnew
end if
number of iterations, and D stands for the total number of choice factors.
if fnew ≤ fprey then
Set xprey = xnew and fprey = fnew
3.2.1. Optimal feature selection using honey badger optimization end if
The selection of useful features is regarded as the most important end for
step in developing any detection algorithm since useful features are end while stop criteria satisfied
Return xprey
sufficient to carry out the detection with high accuracy. In order to select
Output: optimal features are selected
the best features, this method uses an optimization technique known as
honey badger optimization. By measuring the MSE value among the
features, the best features are obtained in this case. The following de­ 3.3. Bi-Directional long Short-Term memory
scribes the technique behind using the HBO algorithm.
Step 1: Initialization In the purpose of detecting intrusions in the cloud environment, this
In this phase, the preprocessed features are considered and which is proposed model employs the Bi-LSTM model. The Bi-LSTM classifier
initialized as follows. thus receives its most effective features as input. Output gate, forget
Z = [x1 , x2 , x3 , ⋯xn ] (13) gate, Input gate, and memory cells were the four primary elements
within an LSTM classifier. Data can be stored within a memory cell

5
O. Pandithurai et al. Expert Systems With Applications 241 (2024) 122544

regularly or intermittently. When the input Gate regulates the volume of handles data backwards and forwards.
data, each forget gate is employed to regulate how little information → ̅→
remains in the LSTM cell. The data taken from the LSTM layer cell might ht = f (w1 xt + w2 ht− 1 ) (22)
be modified to calculate and organize the output activation for the
← ←̅̅
output gate (Madni and Vijaya, 2021). (ht ) = f (w1 xt + w2 ht+1 ) (23)
In 1997, Hoch Reiter and Schmid Huber generated LSTMs Networks
→ ←
to address the challenge of long-term expanding and vanished gradients Ot = g(w4 ht + w6 ht ) (24)
within RNN. Longer cycles might be challenging to obtain using a reg­
Where Ot represents the outputs obtained for (y1 ⋯, yn ⋯, yt ). f is the
ular RNN as they develop through back-propagation through time
function of the backward and forward process.
(BPTT), leading to this exploding/vanishing gradients. To correct this,
The optimal features selected through the optimization algorithm are
the RNN cell gets swapped out with a grating cell that acts as a Bi-LSTM
considered the input of this Bi-LSTM. This intrusion detection mecha­
cell. This Bi-LSTM cell structure is depicted in Fig. 3 following.
nism comprises two phases: training and testing. Before that, the
Three entryways are used to enter the data into a cell case. A sigmoid
selected optimal feature set is divided into two portions in the ratio of
layer decides which data to remove from the cell state through the first
80:20 for training as well as testing. Initial process is training here, and
entryway, as shown in the following equation (16).
the model is trained with 80 % of the optimal features. After that, the
ft = σ(Wf .[ht− 1 , xt ] + bf ) (16) trained Bi-LSTM model is tested with the rest of the 20 % of optimal
features. Through this process, the Bi-LSTM model provides two classes:
As demonstrated by the equations below, the next door shows an
normal or attacked. According to the proposed model, more security is
input entry route using a sigmoid layer to select the parameters to be
provided during data storage or data transmission in a cloud
updated and a tanh layer that generates a vector of new refreshed
environment.
variables.
it = σ(Wi .[ht− 1 , xt ] + bi ) (17) 4. Result and discussion

Ct = tanh(Wc .[ht− 1 , xt ] + bc ) (18) This proposed attack detection model is presented using a Bi-LSTM
model in the cloud environment. Python software is employed to eval­
Equation (19)–(21) is then used to update the cell state.
uate the performance of the proposed method. The proposed model is
Ct = ft .Ct− 1 + it Ct (19) testing with several system configurations such as the processor of Intel
(R) Core(TM) i5-10300H processor, CPU @ 2.50 GHz, NVIDIA GTX 1650
The final output represented will be determined by the output of the
4 GB (GDDR6) GPU, 16.0 GB Memory (RAM) and System type of 64-bit
current state, which can be calculated via the refreshing cell state with a
operating system.
sigmoid layer that chooses each element for the cell state.
ot = σ(Wo .[ht− 1 , xt ] + b0 ) (20)
4.1. Dataset description
ht = ot *tanh(Ct ) (21)
DDoS attack prediction dataset is collected from the open source
From equation (21), the sigmoid activation function is denoted as σ , Kaggle website (Dataset 1). CSE-CIC-IDS2018-AWS, CICIDS2017 and
and the tangent activation function is specified as tanh, the weight CIC DoS datasets (2016) are further accessible IDS datasets from which
matrices are mentioned as W, the input vector is specified as xi , the DDoS flows have been extracted. DDOS data is extracted from various
hidden state is mentioned as ht− 1 and the biased is represented as bf ,bi ,bc , IDS datasets created in various years as well as various research attack
b0 . manufacturing processes to add greater variety. An extracted DDOS
In this paper, Bi-LSTM was used. This deep learning technique in­ flows interact with “Benign” flows that are individually obtained from
tegrates the input sequencing through two networks: a network that the identical source dataset to generate one maximum dataset.
operates in regular temporal order and another that runs in a reversed Therefore, the data is initially gathered from the connected gadgets
logical sequence. At every time step, the two networks’ outputs are in the cloud, which is then a dataset. This dataset is considered for
sequential. A stacked layer Bi-LSTM architecture that enables the gath­ processing this entire work. Here, some preprocessing strategies are
ering of both backdrop and forward information about a sequence applied to improve the data quality. Handling missing value replace­
during each time phase offers accurate classification. The following ment and normalization are the process involved in the preprocessing
Fig. 4 specifies the structure of the Bi-LSTM classifier. phase. Once preprocessed data, which is subjected into a feature selec­
Equations (22) and (23) demonstrate that the bi-LSTM classifier tion process. The optimization process is used to choose the features that
have the lowest MSE. The classification process then uses the chosen
features as input to perform DDoS attack detection. The performance of
the model is compared with some existing detection techniques such as
LSTM, DNN, DBN and ANN. The parameters considered during this
performance evaluation method include sensitivity, F1_score, kappa,
specificity, error, false positive rate, and accuracy. The preprocessing
phase is shown graphically in the following way.
Fig. 5a illustrates the raw features of missing value replacement.
When substituting missing data with an estimated value calculated using
additional available information, imputation retains every instance.
Once all missing values have been imputed, the data set can be analyzed
using standard techniques for complete data. Fig. 5b demonstrates the
features plot after replacing the missing values. Here, the Bayesian
approach is employed to improve the missing values for the proposed
method. The convergence graph for the proposed method is given as
follows.
Fig. 3. Cell Structure of Bi-LSTM. Fig. 6 demonstrates the convergence graph based on the proposed

6
O. Pandithurai et al. Expert Systems With Applications 241 (2024) 122544

Fig. 4. Structure of Bi-LSTM classifier.

Fig. 6. Convergence plot for the proposed HBO algorithm.

Fig. 7. Comparison of accuracy for Bi-LSTM training Epoch.

model with all the training data is known as an epoch of learning. This
Fig. 5. Features of a) before missing value replacement, b) after missing value
replacement. proposed Bi-LSTM classifier’s ability to learn using the given sample
dataset is measured during the training phase using accuracy measures.
The accuracy value for this proposed Bi-LSTM was 72 if the epoch is 10,
HBO. A convergence graphic may be utilized to evaluate any optimi­
85 if the epoch is 30 and 97 if the epoch is 50. The error value remains
zation algorithm’s efficiency. Repeating with respect to the fitness
constant at 50 epochs.
function is frequently employed to create a convergence graph. The plot
The comparison of errors within the Bi-LSTM training phase is
reveals that the HBO technique converges at the 12th iteration, where
demonstrated in Fig. 8. Loss is calculated as cross entropy standardized
the level of error is 0 %. The proposed HBO achieves less error than the
to its highest value. Training accuracy is calculated as the proportion of
existing optimization algorithm.
training samples correctly recognized at the end of every epoch. This
The accuracy for the Bi-LSTM training period is analyzed in Fig. 7.
demonstrates accurate Bi-LSTM classifier training using the given
The entire number of iterations required to train a machine learning

7
O. Pandithurai et al. Expert Systems With Applications 241 (2024) 122544

Fig. 10. Comparison of Testing time.

Fig. 8. Comparison of error for Bi-LSTM training Epoch.

sample data. When the epoch for this proposed Bi-LSTM is 10, the error
value is 27, for 30 epoch error value is 12, for 50 epoch, the error value is
1, respectively. This Bi-LSTM training process showed that a greater
level of accuracy and error has been achieved at the lowest epoch. This
Bi-directional long short-term memory classifier for training accuracy
and training error graph is provided below.
The analysis of the training times for proposed and existing tech­
niques employed for predicting DDoS attacks in cloud environments is
shown in Fig. 9. The proposed Bi-LSTM and existing methods include
LSTM, DNN, DBN and ANN for the training time Sec. In the proposed Bi-
LSTM method, the training time had been 780 Sec. Following this, Fig. 11. Comparison of Execution time.
existing techniques for 874 (Sec), 1140 Sec), 1270 (Sec) and 1549 Sec,
such as LSTM, DNN, DBN, and ANN, have been proposed together with
Bi-LSTM. Compared to existing techniques, its proposed Bi-LSTM tech­
niques require less training time.
The testing time between the proposed and existing techniques is
shown in Fig. 10. This proposed Bi-LSTM and existing techniques like
LSTM, DNN, DBN and ANN are used for calculating testing time. The
proposed Bi-LSTM method reduced testing time by 0.8 Sec. The existing
used methods and the proposed Bi-LSTM include LSTM, DNN, DBN and
ANN, including 1.9Sec, 3.2Sec, 4.6Sec and 5.8Sec. Compared to existing
techniques, Bi-LSTM techniques have been developed with shorter
testing times. Fig. 12. Analysis of Accuracy metrics.
Fig. 11 compares the execution times of proposed and existing DDoS
attack prediction techniques in a cloud environment. Among the exist­ Bi-LSTM technique obtained a higher value than the other techniques
ing and proposed Bi-LSTM classification techniques are LSTM, DNN, had considered. The accuracy value shows the effectiveness of the
DBN and ANN. The proposed Bi-LSTM techniques achieved 780 Sec of model.
execution time. The existing classification methods included LSTM, Fig. 13 shows the analysis of sensitivity among the detection tech­
DNN, DBN and ANN with durations of 780 sec, 875 sec, 1143 sec and niques. Here, the proposed Bi-LSTM model is compared with some
1554 sec, respectively. The graph below shows the performance mea­ existing techniques like LSTM, DNN, DBN and ANN. The attained
sures for comparing the proposed and existing classifiers. sensitivity value of the Bi-LSTM is 95 %, and LSTM, DNN, DBN and ANN
Fig. 12 shows the analysis of accuracy among the detection tech­ attained sensitivity of 90 %, 86 %, 83 % and 80 %. The sensitivity of the
niques. Here, the proposed Bi-LSTM model is compared with some Bi-LSTM technique obtained a higher value than the other techniques
existing techniques like LSTM, DNN, DBN and ANN. The attained ac­ had considered. The sensitivity value displays the better performance of
curacy value of the Bi-LSTM is 97 %, and LSTM, DNN, DBN and ANN the model.
attained an accuracy of 93 %, 91 %, 89 % and 85 %. The accuracy of the Fig. 14 denotes the analysis of specificity among the detection

Fig. 9. Comparison of Training time. Fig. 13. Analysis of Sensitivity metrics.

8
O. Pandithurai et al. Expert Systems With Applications 241 (2024) 122544

Fig. 14. Analysis of Specificity metrics. Fig. 16. Analysis of Precision metrics.

techniques. Here, the proposed Bi-LSTM model is compared with some

existing techniques like LSTM, DNN, DBN and ANN. The attained
specificity value of the Bi-LSTM is 90 %, and LSTM, DNN, DBN and ANN
attained specificity of 88 %, 85 %, 82 % and 79 %. The specificity of Bi-
LSTM technique obtained a higher value than the other techniques had
considered. The specificity value displays the better performance of the
model.
Fig. 15 denotes the analysis of the error rate among the detection
techniques. Here, the proposed Bi-LSTM model is compared with some
existing techniques like LSTM, DNN, DBN and ANN. The attained error
rate of the Bi-LSTM is 3 %, and LSTM, DNN, DBN and ANN attained error
rates of 7 %, 9 %, 11 % and 15 %. The error rate of the Bi-LSTM tech­
nique obtained a lesser value than the other techniques had considered. Fig. 17. Analysis of kappa metrics.
The error rate displays the better performance of the model.
Fig. 16 displays the analysis of precision among the detection tech­
niques. Here, the proposed Bi-LSTM model is compared with some
existing techniques like LSTM, DNN, DBN and ANN. The attained pre­
cision value of the Bi-LSTM is 94 %, and LSTM, DNN, DBN and ANN
attained precision values of 92 %, 90 %, 87 % and 81 %. The precision of
the Bi-LSTM technique obtained greater value than the other techniques
had considered. The precision value displays the better performance of
the model.
Fig. 17 specifies the analysis of Kappa among the detection tech­
niques. Here, the proposed Bi-LSTM model is compared with some
existing techniques like LSTM, DNN, DBN and ANN. The attained Kappa
value of the Bi-LSTM is 88 %, and LSTM, DNN, DBN and ANN attained
Kappa values of 83 %, 75 %, 72 % and 70 %. The Kappa of the Bi-LSTM Fig. 18. Analysis of False Positive Rate metrics.
technique obtained greater value than the other techniques had
considered. The Kappa specifies the superiority of the model.
Fig. 18 specifies the False Positive Rate (FPR) analysis among the
detection techniques. Here, the proposed Bi-LSTM model is compared
with some existing techniques like LSTM, DNN, DBN and ANN. The
attained FPR value of the Bi-LSTM is 5 %, and LSTM, DNN, DBN and
ANN attained FPR values of 8 %, 12 %, 15 % and 23 %. The FPR of the
Bi-LSTM technique obtained a lesser value than the other techniques had
considered. The FPR specifies the better effectiveness of the model.
Fig. 19 indicates the analysis of f1_score among the detection tech­
niques. Here, the proposed Bi-LSTM model is compared with existing

Fig. 19. Analysis of f1_score metrics.

techniques like LSTM, DNN, DBN and ANN. The attained f1_score of the
Bi-LSTM is 87 %, and LSTM, DNN, DBN and ANN attained f1_score of 85
%, 80 %, 76 % and 73 %. The f1_score of the Bi-LSTM technique ob­
tained a higher value than the other techniques had considered. The
f1_score specifies the better effectiveness of the model.
Fig. 20 depicts the MatthewsCorrelationCofficient metrics compari­
son between the proposed and existing techniques. The MCC for the
proposed Bi-LSTM then reaches 86 %. However, MCC for the existing
classifiers, including LSTM, DNN, DBN and ANN, were 83 %, 78 %, 74 %
and 71 %, respectively. In contrast to different existing techniques, the
Fig. 15. Analysis of Error metrics.
proposed Bi-LSTM is more accurate.

9
O. Pandithurai et al. Expert Systems With Applications 241 (2024) 122544

Fig. 22. Analysis of FalseDiscoveryRate.

Fig. 20. Analysis of MatthewsCorrelationCofficient metrics.

Fig. 21 illustrates the analysis of the proposed and existing tech­

niques using FalseNegativeRate measures. However, the proposed Bi-
LSTM has an FNR of 6 %, whereas the existing classifiers such as
LSTM, DNN, DBN and ANN have an FNR of 9 %, 14 %, 15 % and 25 %,
respectively. This proposed Bi-LSTM has a lower FNR compared to
different existing techniques.
Fig. 22 displays an analysis of proposed and existing techniques
using FalseDiscoveryRate measures. Following that, the FDR for the
proposed Bi-LSTM reached 0.04 %. However, the FDR for existing
classifiers such as LSTM, DNN, DBN and ANN is 0.11 %, 0.17 %, 0.20 %
and 0.22 %, respectively. When the proposed method is less effective
than the different existing techniques.
Fig. 23 shows the contrast of the proposed and existing techniques Fig. 23. Analysis of Positive Likelihood Ratio.
with Positive Likelihood Ratio measures. This PLR measure for the
proposed Bi-LSTM has reached 5 %. When the proposed method is
compared against various existing techniques like LSTM, DNN, DBN,
and ANN, outcomes were 2 %, 1 %, 1 % and 1 %, respectively. The
proposed method performs better than the existing used methods.
Evaluation of the proposed and existing techniques using the nega­
tive likelihood ratio is shown in Fig. 24. However, the NLR measure for
existing techniques, such as LSTM, DNN, DBN and ANN, is 0.1, 0.17, 0.2
and 0.22, and the proposed Bi-LSTM has achieved 0.04 %. As a result,
NLR for the proposed Bi-LSTM is less efficient than the existing
techniques.
Fig. 25 compares the proposed and existing techniques using mea­
sures for negative predictive value. The proposed Bi-LSTM has an NPV
measure of 90 %, but the existing techniques, including LSTM, DNN,
DBN and ANN, had NPV metrics of 84 %, 78 %, 75 % and 72 %, Fig. 24. Analysis of Negative Likelihood Ratio.
respectively. As a result, the NPV measures of the Bi-LSTM are higher
than those of the existing methods.
Fig. 26 demonstrates the proposed and existing techniques utilizing
FalseOmissionRate metrics. When FOR values for the proposed Bi-LSTM
had attained 10 %. But the FOR values for the existing techniques,
including LSTM, DNN, DBN and ANN, had NPV reaches 16 %, 22 %, 25
% and 28 %. Therefore, the proposed method has been reduced
compared to the existing method.
Fig. 27 compares the proposed and existing techniques using the

Fig. 25. Analysis of NegativePredictivevalue.

Fowlkes-Mallows score. The proposed method achieves a 94 % Fowlkes

Mallows score using Bi-LSTM. If the Fowlkes Mallows scores for existing
techniques like LSTM, DNN, DBN and ANN were 90 %, 87 %, 84 % and
80 %, respectively. These displays that the proposed method out­
performed existing methods in terms of the Fowlkes-Mallows score.
Analyzing the proposed and existing techniques using Markedness
metrics is illustrated in Fig. 28. By utilizing a Bi-LSTM classifier, the
Fig. 21. Analysis of FalseNegativeRate metrics.

10
O. Pandithurai et al. Expert Systems With Applications 241 (2024) 122544

Fig. 26. Analysis of FalseOmissionRate. Fig. 30. Analysis of Informedness.

DBN and ANN. Bi-LSTM, LSTM, DNN, DBN and ANN have Informedness
values of 85 %, 78 %, 71 %, 65 % and 59 % respectively. The proposed
Bi-LSTM is more precise when compared to existing methods.
Comparison of proposed BiLSTM approach is comapared and eval­
uated with various current approaches in the literature. Proposed
appoaxh has a accuracy value of 97 % which is greater when compared
to other current approaches such as LSTM, DNN, AIS and BiLSTM.
Moreover the cpmparision of proposed and existing technique is given in
Table 1. The comparison shows the classification performance of tech­
niques including their execution time.

Fig. 27. Analysis of Fowlkes Mallows score. 5. Conclusion

DDoS Attack Prediction Using a Honey Badger Optimization Algo­

rithm based Feature Selection and Bi-LSTM in Cloud Environment is
presented in this research work. The cloud computing environment
provides clients a platform for sharing resources, services, and infor­
mation. This gives businesses a flexible design that, in effect, gives an
effective technological framework. A number of risks and challenges
have occurred as a result of the widespread adoption of cloud computing
platforms by companies. Since cloud computing servers are a service
offered through the Internet, problems with client privacy, data leakage,
and authorization continue to be among the largest obstacles for this
type of setting. This attempt to breach network safety, known as a DDoS
Fig. 28. Analysis of Markedness. attack, is spreading to practically every gadgets, including edge
computing, cloud computing and the Internet of Things. Extremely
proposed technique achieves a markedness value of 84 %. Existing complex flooded attacks and DDoS attacks will be launched against the
techniques, including LSTM, DNN, DBN and ANN, have achieved cloud using requesting methods to search for security flaws. Using
markedness values of 76 %, 68 %, 62 % and 53 %, respectively. But the traditional machine learning methods has some drawbacks, including a
proposed method is better than the existing methods. high training time, weak detection accuracy, and a high number of false
Fig. 29 depicts an evaluation of proposed and existing techniques alarms. In order to overcome these concerns, DDOS attack prediction
based on a prevalence threshold. This proposed Bi-LSTM had a preva­ uses a honey badger optimization algorithm based on feature selection
lence threshold of 0.22 %. The developed method is evaluated against and Bi-LSTM in the cloud environment. There are three diverse pro­
the existing classification techniques, including LSTM, DNN, DBN and cesses involved in the proposed DDoS Attack Prediction model: data
ANN. The achieved Prevalence threshold for the proposed and existing preprocessing, selection of features and detection of DDoS attack.
techniques were 0.28, 0.34, 0.39 and 0.47. This analyzed values show Before that, the information related to the connected gadgets in the
that the proposed method classifier technique works less effectively than cloud environment is gathered to make a dataset. After that, handling
the existing method in terms of the prevalence threshold. missing value replacement and normalization are applied in the pre­
Fig. 30 illustrates an analysis of proposed and existing techniques processing phase. Then the preprocessed data is given as the input of the
using Informedness measures. This analysis compares the proposed Bi- proposed optimal feature selection process through the BAO algorithm.
LSTM approach against existing techniques, including LSTM, DNN, Here, the features are elected by minimizing its MSE to get the optimal
feature. At last, the Bi-LSTM model receives the input of the most
effective features. The Bi-LSTM is employed for detecting the DDoS at­
tacks present in the cloud environment. Then the proposed model is
compared with existing techniques applied in the detection process. The
proposed approach was developed with a training time of 780 Sec, a
testing time of 843 Sec and an execution time of 780 Sec. Therefore, this
method considered several performance metrics such as false positive
rate, sensitivity, precision, accuracy, specificity, F1_score, error and
Kappa.
Moreover, the proposed model is analyzed with existing techniques
such as LSTM, DNN, DBN and ANN. When analyzing the performance
with the existing technique, the Bi-LSTM model attained 97 % of
Fig. 29. Analysis of Prevalence threshold.

11
O. Pandithurai et al. Expert Systems With Applications 241 (2024) 122544

Table 1
Comparsion of proposed and existing approaches.
Parameters Proposed (BiLSTM) BiLSTM LSTM DNN AIS
(Zhang et al.) (Kachavimath et al.) (Bhardwajet al.) (Prathyushaet al.,)

Accurcay (%) 97 95.6 93 96 96.2

Precision (%) 94 92 91 93 93.4
Error (%) 3 4.4 7 4 3.8
Specificity (%) 90 87 93 92 91
Sensitivity (%) 95 92 89 93 93
Process complexity (%) 20 50 80 86 92
Execution time (s) 780 820 875 1143 1152

accuracy, 95 % of sensitivity, 84 % of markedness, 10 % of FDR, 90 % of Divyasree, I. R., & Selvamani, K. (2021). DAD: Domain adversarial defense system
against DDoS attacks in cloud. IEEE Transactions on Network and Service Management,
specificity, 94 % of Fowlkes Mallow’s score, 3 % of error value, 90 % of
19(1), 554–568.
NPV, 94 % of precision and 88 % of kappa, 5 % of FPR and 87 % of Elhosseini, M. A., El Sehiemy, R. A., Rashwan, Y. I., & Gao, X. Z. (2019). On the
f1_score. The proposed model is effective at identifying malware in a performance improvement of elephant herding optimization algorithm. Knowledge-
cloud environment. In order to improve the system’s ability to detect or Based Systems, 166, 58–70.
Fathima, S. J. S. A., Lalitha, T., Ahmad, F., & Karthick, S. (2022). Unital Design Based
classify the DDoS attack, this paper additionally provided a few rec­ Location Service for Subterranean Network Using Long Range Topology. Wireless
ommendations for future research. Personal Communications, 124, 1815–1839.
Fontaine, J., Kappler, C., Shahid, A., & Poorter, E. D. (2020). Log-based intrusion
detection for cloud web applications using machine learning. In Advances on P2P,
Declaration of Competing Interest Parallel, Grid, Cloud and Internet Computing: Proceedings of the 14th International
Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC-2019) 14
The authors declare that they have no known competing financial (pp. 197-210). Springer International Publishing.
Hajimirzaei, B., & Navimipour, N. J. (2019). Intrusion detection for cloud computing
interests or personal relationships that could have appeared to influence using neural networks and artificial bee colony optimization algorithm. Ict Express, 5
the work reported in this paper. (1), 56–59.
Hashim, F. A., Houssein, E. H., Hussain, K., Mabrouk, M. S., & Al-Atabany, W. (2022).
Honey Badger Algorithm: New metaheuristic algorithm for solving optimization
Data availability problems. Mathematics and Computers in Simulation, 192, 84–110.
Jaber, A. N., & Rehman, S. U. (2020). FCM–SVM based intrusion detection system for
No data was used for the research described in the article. cloud computing environment. Cluster Computing, 23, 3221–3231.
Jun, E., Mulyadi, A. W., & Suk, H. I. (2019). Stochastic imputation and uncertainty-aware
attention to EHR for mortality prediction. In 2019 International Joint Conference on
Acknowledgement Neural Networks (IJCNN) (pp. 1–7). IEEE.
AKachavimath, A. V., & Narayan, D. G. (2021). A deep learning-based framework for
The authors declare that no funds, grants, or other support were distributed denial-of-service attacks detection in cloud environment. In Advances in
Computing and Network Communications: Proceedings of CoCoNet 2020, Volume 1 (pp.
received during the preparation of this manuscript. 605-618). Springer Singapore.
Kappal, S. (2019). Data normalization using median median absolute deviation MMAD
Author contributions based Z-score for robust predictions vs. min–max normalization. London Journal of
Research in Science: Natural and Formal, 19(4), 10–13140.
Karthick, S., Devi, E. S., & Nagarajan, R. V. (2017). Trust-distrust protocol for the secure
The corresponding author claims the major contribution of the paper routing in wireless sensor networks. IEEE 2017 International Conference on
including formulation, analysis and editing. The co-authors provides Algorithms, Methodology, Models and Applications in Emerging Technologies
(ICAMMAET) (pp. 1–5). Chennai, India.
guidance to verify the analysis result and manuscript editing. Krishnaveni, S., Sivamohan, S., Sridhar, S. S., & Prabakaran, S. (2021). Efficient feature
selection and classification through ensemble method for network intrusion
Compliance with ethical standards detection on cloud computing. Cluster Computing, 24(3), 1761–1779.
Madni, M. S., & Vijaya, C. (2021). Hand gesture recognition using auto encoder with bi-
direction long short term memoryhand gesture recognition using auto encoder with
This article is a completely original work of its authors; it has not bi-direction long short term memory. International Journal of Intelligent Engineering &
been published before and will not be sent to other publications until the Systems, 14(6).
Phan, T. V., & Park, M. (2019). Efficient distributed denial-of-service attack defense in
journal’s editorial board decides not to accept it for publication.
SDN-based cloud. IEEE Access, 7, 18701–18714.
Prathyusha, D. J., & Kannayaram, G. (2021). A cognitive mechanism for mitigating DDoS
References attacks using the artificial immune system in a cloud environment. Evolutionary
Intelligence, 14, 607–618.
Abdullayeva, F. J. (2022). Distributed denial of service attack detection in E-government Rana, N., Latiff, M. S. A., Abdulhamid, S. I. M., & Chiroma, H. (2020). Whale
cloud via data clustering. Array, 15, Article 100229. optimization algorithm: A systematic review of contemporary applications,
Agarwal, A., Khari, M., & Singh, R. (2021). Detection of DDOS attack using deep learning modifications and developments. Neural Computing and Applications, 32,
model in cloud storage application. Wireless Personal Communications, 1–21. 16245–16277.
Batchu, R. K., & Seetha, H. (2022). An integrated approach explaining the detection of Sambangi, S., & Gondi, L. (2021). Multi linear regression model to detect distributed
distributed denial of service attacks. Computer Networks, 216, Article 109269. denial of service attacks in cloud environments. In Innovations in Cyber Physical
Bhardwaj, A., Mangat, V., & Vig, R. (2020). Hyperband tuned deep neural network with Systems: Select Proceedings of ICICPS 2020 (pp. 535-545). Springer Singapore.
well posed stacked sparse autoencoder for detection of DDoS attacks in cloud. IEEE Shamshirband, S., Fathi, M., Chronopoulos, A. T., Montieri, A., Palumbo, F., &
Access, 8, 181916–181929. Pescapè, A. (2020). Computational intelligence intrusion detection techniques in
Chen, Y., Zheng, W., Li, W., & Huang, Y. (2021). Large group activity security risk mobile cloud computing environments: Review, taxonomy, and open research issues.
assessment and risk early warning based on random forest algorithm. Pattern Journal of Information Security and Applications, 55, Article 102582.
Recognition Letters, 144, 1–5. Shehab, M., Abualigah, L., Al Hamad, H., Alabool, H., Alshinwan, M., &
Cui, Z., Zhang, J., Wu, D., Cai, X., Wang, H., Zhang, W., & Chen, J. (2020). Hybrid many- Khasawneh, A. M. (2020). Moth–flame optimization algorithm: Variants and
objective particle swarm optimization algorithm for green coal production problem. applications. Neural Computing and Applications, 32, 9859–9884.
Information Sciences, 518, 256–271. Varol Altay, E., & Alatas, B. (2020). Bird swarm algorithms with chaotic mapping.
Dataset 1: [Link] Artificial Intelligence Review, 53, 1373–1414.
David, J., & Thomas, C. (2020). Detection of distributed denial of service attacks based Velliangiri, S., & Premalatha, J. (2019). Intrusion detection of distributed denial of
on information theoretic approach in time series models. Journal of Information service attack in cloud. Cluster Computing, 22(Suppl 5), 10615–10623.
Security and Applications, 55, Article 102621.

12