Multiverse fractional calculus based hybrid deep learning and fusion approach for detecting malicious behavior in cloud computing environment

Abstract

The tremendous development and rapid evolution in computing advancements has urged a lot of organizations to expand their data as well as computational needs. Such type of services offers security concepts like confidentiality, integrity, and availability. Thus, a highly secured domain is the fundamental need of cloud environments. In addition, security breaches are also growing equally in the cloud because of the sophisticated services of the cloud, which cannot be mitigated efficiently through firewall rules and packet filtering methods. In order to mitigate the malicious attacks and to detect the malicious behavior with high detection accuracy, an effective strategy named Multiverse Fractional Calculus (MFC) based hybrid deep learning approach is proposed. Here, two network classifiers namely Hierarchical Attention Network (HAN) and Random Multimodel Deep Learning (RMDL) are employed to detect the presence of malicious behavior. The network classifier is trained by exploiting proposed MFC, which is an integration of multi-verse optimizer and fractional calculus. The proposed MFC-based hybrid deep learning approach has attained superior results with utmost testing sensitivity, accuracy, and specificity of 0.949, 0.939, and 0.947.

Keywords

Malicious behavior detection fractional calculus multi-verse optimizer Hierarchical Attention Network (HAN)Random Multimodel Deep Learning (RMDL)

1. Introduction

Cloud computing is an advanced category of Information technology (IT) that provides services like infrastructures, and software services by means of a request-service and utilization [18, 23]. The ultimate need of cloud computing is the virtualization of cloud utilities, its storage and executions and the whole operation of the cloud are effectively handled using a central hypervisor machine. Hence, this advancement has become a spectacular platform for malicious attackers of application software because of a large amount of traffic caused in the cloud environment [24, 25, 19]. The major threat is mainly due to a denial of service attack (DoS), which is a commonly found cyber intruder in the cloud computing environment. In addition, packet flooding in transmitting protocols can cause huge deterioration to resources and bandwidth usage, thereby resulting in a short-term issue, or else the whole domain will be disintegrated. Such issues paved a path for the development of intrusion detection particularly to prevent zero-day attacks. The major issues associated with the Intrusion Detection System (IDS) are false alarms that lead to misuse problems and some anomaly prediction techniques are deployed in the cloud for alleviating such attacks [20, 26]. Though classical security models [21] are trustworthy in terms of identifying the user’s details, an attack recognition issue enters the platform when the model requires identifying the user’s malicious behaviors other than the log-in level. Besides, conventional security methods are still confronting a huge race between malware defenders and malware creators and recent malware defenses are not sufficient for unknown attacks due to the designing of novel attacking methods [1].

Malicious behavior is an illegitimate behavior carried out to demolish a whole online network with enormous details of advanced technology. The devastating intention of user behavior does not be stable for a time and it is highly expanding and causes severe damage to the web such attacks to cause more security issues. The threats can happen in diverse areas like IT organizations, government entities, educational institutions, financial services, Wikipedia, and online social domains. Online anonymity gives rise to crucial attacks and minimizes social restrictions and paved the way for many-to-many intervention [22, 27]. The presence of unidentified users is everywhere in the environment and they are faster in their execution when compared with the genuine users [22, 28]. Therefore, it is significant to learn and identify attacks on all web areas [9]. Most malicious attacks can be easily detected by observing Inter-Control Center Communications Protocol (ICCP) link. However, intruders make use of illegitimate authorization to control the central system through overlooked access nodes like dial-up or remote access establishments with weak access control techniques. Insider attacks, such as illegitimate data access and communication, and modifications of secure configurations are the results of a privacy breach inside a center. A DoS is caused due to the recurrent data requests that exploit the server’s utilization and protect the authorized function of the ICCP link. Moreover, malicious things attacking the ICCP server or different components in the network system can be utilized to eliminate thoughtful data for destruction, financial disruption, and certain malicious attacks [10].

Different types of artificial intelligence algorithms have been presented for IDS to improve the performance of classifiers like Naïve Bayes network, decision tree, K-nearest neighbor (K-NN), Support Vector Machine (SVM), and so forth. By analyzing the performance of classical methods, SVM is considered an efficient intrusion detection advancement when compared to various classifiers. For example, Logistics Regression, decision tree, Naïve Bayes, and other regression techniques are utilized in categorizing the KDD 99 database and outcomes revealed that SVM has achieved superior results over diverse categorization techniques. Hence, SVM can be termed an efficient categorization method over other algorithms. An SVM-based algorithm is a widely utilized algorithm for intrusion detection and this growing technique for malicious detection enhances the performance of the detection model. This algorithm merged both one-class and two-class SVM and this SVM perform very well on imbalanced datasets. The detailed features refined from the original KDD 99 can result in the data standard on the intrusion detection model performance. The balanced iterative reducing and clustering using hierarchies algorithm is utilized to pre-process the original samples, which has high-quality detection performance. Recently, researchers have developed an efficient intrusion detection structure depending upon SVM with feature augmentation that applies the logarithmic boundary density proportion to attain high-standard features and attained prediction accuracy that shows the superiority of the method [29].

The major contribution of this research is to model an effectual mechanism for malicious behavior detection employing a hybrid deep learning technique. Initially, cloud nodes are simulated in the cloud area and input data acquired from the dataset is fed to the feature selection process, which is carried out using a wrapper-based technique in order to choose the appropriate features for learning. Once appropriate features are selected, malicious behavior in the cloud environment is detected effectively using hybrid deep learning classifiers, namely Hierarchical Attention Network (HAN) and Random Multimodel Deep Learning (RMDL), where both the network classifiers are separately trained using Multiverse Fractional Calculus (MFC). The proposed MFC is derived from the integration of multi-verse optimizer and fractional calculus. Finally, both the results obtained from HAN and RMDL are fused together to generate a final output using Hausdorff distance-based method. From the fused result, the presence of malicious and non-malicious behavior in a cloud environment is detected efficiently.

Proposed MFC-based hybrid deep learning, an effective model is developed for malicious behavior detection using hybrid deep learning classifiers, namely HAN and RMDL. The final outcome is predicted based on Hausdorff distance by fusing both the results from HAN and RMDL.

The rest of the paper is arranged as follows: Section 2 illustrates the motivation of conventional techniques associated with malicious behavior detection in cloud computing beside with their benefits and disadvantages that motivate the researchers to set up a competent technique for malicious behavior detection. Section 3 explains cloud system model for malicious behavior detection and Section 4 deliberates the malicious behavior detection using hybrid deep learning and fusion-based approach. Section 5 presents the results and discussion of the developed approach. Finally, Section 6 concludes the paper.

2. Literature review

This section explains the literature survey of existing techniques to malicious behavior detection in cloud computing environments besides with their benefits and drawbacks that provoke the researchers to design an effectual technique for malicious behavior detection. Rabbani et al. [1] developed a new approach to detect malicious behavior using particle swarm optimization-based probabilistic neural network. In the first phase of the recognition task, the user’s behavior was meaningfully transformed into an easy form and classified and detected the malicious attacks by exploiting a multi-layer neural network. The implementation of the deep learning approach provided effective dealing with high dimensionality problems and also increased the intra-class similarity of samples. The developed system effectively detected the malicious behavior in the network, but it failed to provide an ideal recognition system with the utilization of abundant features and fewer samples. Moreover, the method had a high computational cost. Samriya and Kumar [2] designed a new hybridization technique called fuzzy-based artificial neural network to enhance the overall performance of the cloud environment. An effective clustering of attacks was performed using fuzzy-based artificial neural network, while the fuzzy-based clustering was optimized using spider-monkey optimization. The major intention of the hybridization method was to address the iterative classification and to automatically update the fitness function. The developed spider-monkey optimization algorithm reduced the dimensionality size and considerably decreased the computational time. This method achieved an error value, which affects the intrusion detection process. Praise et al. [3] developed an effective method for blocking the malicious behavior by ensuring the payload signature of receiving data using reinforcement learning and pattern matching, which was derived by integrating the features of reinforcement learning and fast pattern matching. Here, the reinforcement learning method effectively performed the payload signature in a parallel way. The developed reinforcement learning and pattern matching framework effectively detected different malicious behavior and prevented the cloud environment. Though the method achieved high throughput, the implementation cost of this method was high. Aldribi et al. [4] modeled a hypervisor-based cloud IDS that exploited online multivariate statistical change analysis to identify malicious behavior. Here, the detection capability was increased by exploiting the correlated and individual behaviors of instances. The developed method was efficient and feasible. The major obstacle of this method was high computational complexity.

Wei et al. [5] designed an IDS model that relied on an ensemble support vector machine with bag mapping. More importantly, the sample structures were partitioned into bags and sample flows in each bag were corresponding to each other. Every individual bag was comprised of various related data flows that reflected the malicious attacks, particularly continuous intrusion. The experimental results proved that the method achieved high precision and recall rate for continuous attacks. Moreover, the method had better generalization ability. However, the method failed to provide better accuracy with a large dataset. Nathiya and Suseendran [6] developed an efficient security model using hybrid IDS. Here, the framework of the virtual network layer was divided into four layers, such as node layer, cloud cluster layer, virtual machine layer, and cloud layer. In addition, the cloud layer utilized a “correlation module to identify the distributed attacks, and a Dempster-Shafer Theory” was adopted to provide the final decision in IDS to enhance its performance. This method improved the detection accuracy but the processing time for the detection process was high. Jaber and Rehman [7] developed an IDS that merged a Fuzzy C-means Clustering (FCM) algorithm with SVM to enhance the accuracy of the detection model. The developed model consisted of three phases, such that the first stage introduced the FCM clustering set that was utilized to divide large datasets into small clusters. In the second phase, various SVM was trained with respect to allocated cluster values, whereas the third phase combined the results of the hypervisor inspector. The developed mechanism was highly suitable for identifying different intrusions with high accuracy and also the method had low computational cost. The developed method produced false alarm rates that produce misuse problems. Ravindranath et al. [8] modeled an IDS model named Whale Pearson hybrid feature selection wrapper for minimizing the irrelevancy. The developed method can be combined with other optimization algorithms to improve the accuracy level.

3. Adopted hybrid deep learning method for malicious behavior detection in cloud computing

3.1 Cloud model

This section describes the cloud model [10] and security is the most crucial thing for wide applications of cloud systems and detection of such cyber-attacks on the cloud environment is very significant for preserving the cloud infrastructures. Nevertheless, it is very hard to detect malicious behavior on cloud platforms because of dynamic and complex behavior of cloud platforms. Moreover, the access from different mobile smart devices to cloud platforms maximizes the complexity of attack detection. In this cloud model, there are various components utilized for detecting the presence of malicious behavior cloud users, firewall, router, and processing servers. A cloud offers both storage services as well as computational and storage services to its users and such users may consist of home users, enterprise users, and mobile users. Cloud users exploit cloud resources and services through certain access points that are effectively handled by the cloud. The purpose of a firewall is to effectively redirect the user traffic to guarantee privacy by proper estimation and filtering process before reaching the destination point. In addition, the router in the model detects any malicious packet depending on the IP address. The main computational tasks like conversion of raw data into high-level context, context collaboration, and generation of context-aware service are filtered and assigned to various cloud processing servers. The heavy data traffic can be encrypted using processing servers and it outputs the data from malicious behavior. Figure 1 portrays the system model of the cloud for malicious behavior detection in a cloud environment.

Figure 1.

Cloud system model for malicious behavior detection.

3.2 Proposed method

The major objective of this method is to establish a competent technique to identify the malicious behavior in cloud computing area. Initially, the nodes are simulated in the cloud network and input data obtained from the dataset specified in [15, 16] is fed into the feature selection process, where the appropriate features are chosen by adopting the wrapper selection technique. Thereafter, the malicious behavior is effectively detected using deep learning techniques, such as HAN and RMDL. Here, the network classifiers are separately trained using MFC and the proposed MFC is derived by the combination of multi-verse optimizer [13] and fractional calculus [14]. Finally, the results from both the classifiers are fused together using Hausdorff distance, which effectively detects the malicious behavior present in the cloud network. Figure 2 shows the schematic diagram of the adopted MFC-based hybrid deep learning model.

Figure 2.

Structural diagram of adopted multiverse fractional calculus (MFC) based hybrid deep learning model.

Consider training dataset as $D$ with $n$ number of samples and the dataset is represented as,

$\displaystyle D=\{{I_{1},I_{2},\ldots I_{i},\ldots I_{n}}\}$ (1)

where $n$ signifies total cunt of samples, and $i^{\text{th}}$ data $I_{i}$ in training dataset is considered input data for further process.

3.2.1 Feature selection using wrapper based method

The input data $I_{i}$ is fed to a feature selection process to choose relevant features suitable for further processing using the wrapper-based method. The main purpose of utilizing this wrapper-based approach for feature selection is that it significantly identifies the essential features in the dataset and only the subset is fed into the learning algorithm. Here, the feature selected by exploiting KDD cup dataset has the dimension of $[{125973\times 10}]$ and the size of the selected features with the BoT-IoT dataset $[{773705\times 10}]$ .

a) Wrapper method

Figure 3 demonstrates the diagrammatic model of the wrapper method. The effective feature subset selection [17] is done using wrapper approach in order to search a good subset. The process of searching is begun in the space of possible functions. Here, the search space needs a state space, an initial state, a termination criterion, and a search engine. Each state illustrates a feature subset in the search space organization. For $m$ features, there are $m$ bits in each state and each bit represents whether a feature is absent or present. Operators indicate the connectivity among states and the importance of such operators is to add or eliminate a single feature from a state. The ultimate aim of this search is to determine state with high evaluation using a heuristic parameter. Typically, wrapper based method needs a search space, operators, a search engine, and an evaluation parameter. For the purpose of evaluating the function, cross-validation method is employed. This method exploited the search space with two operators like add and delete for comparing two search engines, namely hill-climbing and best-first search. The selected feature using wrapper based feature selection method is denoted as $x_{i}$ .

Figure 3.

Schematic model of wrapper method.

4. Malicious behavior detection by exploiting hybrid deep learning and fusion-based technique

The selected feature $x_{i}$ is subjected to the process of detecting the malicious behavior that exists in the cloud computing environment using hybrid deep learning and fusion-based approach. Here, two deep learning classifiers named HAN and RMDL are employed separately for detecting malicious behavior. However, the two classifiers are trained separately using the proposed MFC that integrates the benefits of both multi-verse optimizer and fractional calculus. The major benefit of selecting hybrid approach is that the hybrid algorithms have a good searching ability, high detection accuracy, and fewer iterations required for the optimization process.

4.1 Fusion process using Hausdorff distance

The fusion process is process in malicious behavior detection, where the output from two network classifiers like HAN and RMDL are combined together to generate a final outcome that identifies the existence of malicious behavior in a cloud environment. The fusion process is mainly selected to achieve higher reliability with a high detection rate. For this purpose, Hausdorff distance is used, which is a non-linear operator that determines the mismatch of the two sets and it is expressed as,

$\displaystyle\Re=\vartheta X_{\textit{HAN}}+\chi X_{\textit{RMDL}}$ (2)

where $X_{\textit{HAN}}$ and $X_{\textit{RMDL}}$ represents the output of the HAN and RMDL classifier, respectively.

The Hausdorff distance determined between HAN output $X_{\textit{HAN}}$ and target output $T_{\textit{out}}$ is specified as $\vartheta$ , whereas the parameter $\chi$ represents the Hausdorff distance calculated between RMDL output $X_{\textit{RMDL}}$ and $T_{\textit{out}}$ .

4.2 Proposed multiverse fractional calculus (MFC) based hierarchical attention network (HAN) for malicious behavior detection

The result obtained from feature selection process $x_{i}$ is considered as an input for HAN, which detects the malicious actions present in the cloud environment. The structure of HAN, as well as the training algorithm involved in this malicious behavior detection process, are deliberated in the below section.

i) Structure of HAN

HAN [11] is a specific type of neural network that captures the malicious behavior present in the network easily by presenting two significant characteristics, such as hierarchical structure and two-level attention mechanisms. The overall structure of HAN consists of layers, like the input layer, bidirectional (GRU) layer, dense layer, attention layer, dropout layer, and output layer. The HAN is trained for two datasets, like BOT-IoT and the KDD cup 99 datasets. By considering the BOT-IoT, the input layer is fed with a data of dimension $[{733705\times 10}]$ , and the output obtained from the input layer is subjected to time distributed mode with the same dimension without any change. The data with dimension size $[{733705\times 10}]$ is fed as an input to the GRU layer and data with dimension size of $[{733705\times 100}]$ is obtained as a result, which is also considered as an input to the dense layer. The resulting outcome by the dense layer having the dimension of $[{733705\times 100}]$ is given into the attention layer as an input data. The attention layer generates an output of $[{1\times 100}]$ and the output with the same dimension is obtained at the dropout layer. Finally, the output of HAN possesses the dimension size of $[{1\times 2}]$ .

On the other hand, the steps followed by HAN while considering the KDD cup 99 are explained as follows: The input data with dimension size of $[{125973\times 10}]$ is fed into time distributed mode, which results in an output with a dimension of $[{125973\times 10}]$ followed by a GRU layer that reflects an output of size $[{125973\times 100}]$ . The output with the same dimension is generated by the dense layer and the attention layer produces an output with a dimension size of $[{1\times 100}]$ that is considered as an input to the dense layer and this generates a final outcome of size $[{1\times 2}]$ . Figure 4 exhibits the structure of HAN by considering the data from the BOT-IoT dataset.

The GRU utilizes a gating procedure to update the state of sequences without exploiting separate memory cells. There are two kinds of gates, such as reset gate and update gate. Both reset and update gate tracks the updating mechanism of information to the state. At the time $l$ , the new state of GRU is expressed using the following equation,

$\displaystyle H_{l}=({1-U_{l}})\Theta H_{l-1}+U_{l}\Theta\tilde{H}_{l}$ (3)

This is a linear interpolation among the preceding state $H_{l-1}$ and the current new state $\tilde{H}_{l}$ is determined with the latest sequence information. The main purpose of the update gate $U_{l}$ is utilized to trace down the past updated information and the current information going to be added. The expression for $U_{l}$ is given as follows,

$\displaystyle U_{l}=\alpha({W_{U}a_{l}+J_{U}H_{l-1}+b_{U}})$ (4)

where $a_{l}$ denotes the sequence vector at a time $l$ . The candidate state $\tilde{H}_{l}$ is estimated in the same way as that of a conventional Recurrent Neural Network (RNN), which is represented as,

$\displaystyle\tilde{H}_{l}=\tan h({W_{H}a_{l}+R_{l}\Theta({J_{H}H_{l-1}})+b_{H% }})$ (5)

where $R_{l}$ indicates the reset gate that manages how much information of the preceding state is utilized for the candidate state. If $R_{l}$ is equal to zero, then it is fully lost about the preceding state. Hence, the reset gate is updated as follows,

$\displaystyle R_{l}=\alpha({W_{R}a_{l}+J_{R}H_{l-1}+b_{R}})$ (6)

Figure 4.

Structural model of Hierarchical Attention Network (HAN).

ii) Training HAN by exploiting adopted MFC

Multi-verse optimizer is a stochastic population-based algorithm, which inspires the concept of multi-verse in physics. The word multi-verse refers to the opposite of the universe, which specifies the presence of a different universe. In a multi-verse concept, a number of universes meet each other and three major concepts are adopted in this multi-verse theory, black holes, white holes, and wormholes. Typically, objects are permitted to move from side to other with the help of white or black hole passages. If a white or black hole is developed among two planets, the planet with maximum and minimum inflation value is assumed to have a white hole and a black hole, respectively. The objects are moved from the white hole of the origin universe to the black hole of another universe. The important rules applied in multi-verse optimizer are illustrated as follows: If inflation value is high, then probability of having a white hole is high. Similarly, if inflation value is low, the probability of having a black hole is low. In other terms, planets with maximum inflation value are capable to transfer items by means of white holes, whereas universes with minimum inflation rate are to obtain more objects by means of black holes. Sometimes there may be a chance of facing random movement by all the objects in the universe through wormholes. Here, MFC is derived from the combination of the fractional calculus concept with multi-verse optimizer.

Fitness function

The fitness value is used to establish the best solution for malicious behavior detection and it is expressed as,

$\displaystyle\Im_{1}=\frac{1}{n}\sum\limits_{k=1}^{n}{[{T_{\textit{out}}-X_{% \textit{HAN}}}]^{2}}$ (7)

where $n$ represents total count of training samples, $T_{\textit{out}}$ represents targeted outcome, and outcome obtained from the HAN classifier is specified as $X_{\textit{HAN}}$ .

The algorithmic procedure of the proposed multiverse fractional calculus (MFC)

The algorithmic steps followed in the adopted MFC for malicious behavior detection using HAN are explained as follows:

Step 1: Initialization

Consider population of the universes with a number of parameters and it is represented as,

$\displaystyle A=\left[{\begin{array}[]{cccc}Y_{1}^{1}&Y_{1}^{2}&\ldots&Y_{1}^{% p}\\ Y_{2}^{1}&Y_{2}^{2}&\ldots&Y_{2}^{p}\\ \vdots&\vdots&&\vdots\\ Y_{j}^{1}&Y_{j}^{2}&&Y_{j}^{p}\\ \end{array}}\right]$ (8)

where $p$ implies the number of parameters and $j$ is a number of universes, which is also known as candidate solutions.

$\displaystyle Y_{u}^{v}=\left\{{\begin{array}[]{ll}Y_{c}^{v}&r_{1}<N({Au})\\ Y_{u}^{v}&r_{1}\geqslant N({Au})\\ \end{array}}\right.$ (9)

where $Y_{u}^{v}$ represents the $v^{\text{th}}$ parameter of $u^{\text{th}}$ universe, $A u$ indicates the $u^{\text{th}}$ universe, normalized inflation value of $u^{\text{th}}$ universe is indicated as $N({Au})$ , $r_{i}$ indicates a random value that lies in the limit of $[{0,1}]$ and $Y_{c}^{v}$ signifies $v^{\text{th}}$ function of $c^{\text{th}}$ universe chosen by roulette wheel selection technique.

Step 2: Calculate fitness function

The fitness parameter is determined in order to obtain optimal solution by exploiting already specified Eq. (7).

Step 3: Roulette wheel selection model

The choosing process and estimation of white holes are performed using a roulette wheel that is completely dependent upon normalized inflation measures. When the inflation value is less, the probability of transmitting items through white or black hole tunnels is high. The exploration phase can be ensured by exploiting this roulette wheel selection process since the universes are needed to maintain the trade-off between the objects and meet sudden changes in order to investigate search space. By employing the roulette wheel selection process, the universes are able to trade off objects without any disruptions. To handle the heterogeneity of universes effectively and to execute the exploitation mechanism, it is necessary to assume that each planet possesses wormholes to exchange its objects through space uniformly. It may be noted that the wormholes unevenly change the universe’s items without considering their inflation values. The probability of having a high inflation rate is achieved by establishing a tunnel between the universe and the best universe created. The computation of roulette wheel mechanism is represented as below,

$\displaystyle Y_{u}^{v}({t+1})=Y_{u}^{v}+\eta\times({({UB_{v}-LB_{v}})\times r% _{4}+LB_{v}})$ (10)

Subtracting $Y_{u}^{v}(t)$ on both sides, formulation becomes

$\displaystyle Y_{u}^{v}({t+1})-Y_{u}^{v}(t)=Y_{u}^{v}+\eta\times({({UB_{v}-LB_% {v}})\times r_{4}+LB_{v}})-Y_{u}^{v}(t)$ (11)

Fractional calculus is a branch of mathematics and it plays an essential part in enhancing the performance of a number of methods like curve fitting, modeling, pattern matching, filtering, and edge identification. However, fractional calculus handles the integral and derivative problems effectively. From fractional calculus, it is observed that it provides smoother changes and a higher memory effect. By incorporating the concept of fractional calculus into multi-verse optimizer, the equation obtained is expressed as,

$\displaystyle G^{\beta}[{Y_{u}^{v}(t+1)}]=Y_{u}+\eta\times({({UB_{v}-LB_{v}})% \times r_{4}+LB_{v}})-Y_{u}^{v}(t)$ (12) $\displaystyle Y_{u}^{v}({t+1})-\beta Y_{u}^{v}(t)-\frac{1}{2}\beta Y_{u}^{v}({% t-1})-\frac{1}{6}({1-\beta})Y_{u}^{v}({t-2})-\frac{1}{24}\beta({1-\beta})({2-% \beta})$ (13) $\displaystyle\quad Y_{u}^{v}({t-3})=Y_{u}+\eta\times({({UB_{v}-LB_{v}})\times r% _{4}+LB_{v}})-Y_{u}^{v}(t)$ $\displaystyle Y_{u}^{v}({t+1})=\beta Y_{u}^{v}(t)+\frac{1}{2}\beta Y_{u}^{v}({% t-1})+\frac{1}{6}({1-\beta})Y_{u}^{v}({t-2})+\frac{1}{24}\beta({1-\beta})({2-% \beta})$ (14) $\displaystyle\quad Y_{u}^{v}({t-3})+Y_{u}+\eta\times({({UB_{v}-LB_{v}})\times r% _{4}+LB_{v}})-Y_{u}^{v}(t)$ $\displaystyle Y_{u}^{v}(t+1)=Y_{u}^{v}(t)({\beta-1})+\frac{1}{2}\beta Y_{u}^{v% }({t-1})+\frac{1}{6}({1-\beta})Y_{u}^{v}({t-2})+\frac{1}{24}\beta({1-\beta})({% 2-\beta})$ (15) $\displaystyle\quad Y_{u}^{v}({t-3})+Y_{u}+\eta\times({({UB_{v}-LB_{v}})\times r% _{4}+LB_{v}})$

Therefore, the updated equation of this roulette mechanism is expressed as follows,

$\displaystyle Y_{u}^{v}({t+1})=\left\{{\begin{array}[]{ll}\left\{{\begin{array% }[]{ll}Y_{u}^{v}(t)({\beta-1})+\frac{1}{2}\beta Y_{u}^{v}({t-1})+\frac{1}{6}({% 1-\beta})Y_{u}^{v}({t-2})\\ \quad{}+\frac{1}{24}\beta({1-\beta})({2-\beta})Y_{u}^{v}({t-3})+Y_{u}\\ \quad{}+\eta\times({({UB_{v}-LB_{v}})\times r_{4}+LB_{v}});&r_{3}<0.5\\ Y_{u}^{v}(t)({\beta-1})+\frac{1}{2}\beta Y_{u}^{v}({t-1})+\frac{1}{6}({1-\beta% })Y_{u}^{v}({t-2})\\ \quad{}+\frac{1}{24}\beta({1-\beta})({2-\beta})Y_{u}^{v}({t-3})+Y_{u}\\ \quad{}-\eta\times({({UB_{v}-LB_{v}})\times r_{4}+LB_{v}})&r_{3}\geqslant 0.5% \\ \end{array}}\right.&r_{2}<\lambda\\ Y_{u}^{v}(t)&r_{2}\geqslant\lambda\\ \end{array}}\right.$ (16)

where $Y^{v}$ indicates $v^{\text{th}}$ parameter of the best universe created. $\eta$ and $\lambda$ indicates coefficients. $LB_{v}$ denotes the lower leap of $v^{\text{th}}$ measure, whereas $UB_{v}$ specifies upper leap of $v^{\text{th}}$ variable, the $v^{\text{th}}$ parameter of $u^{\text{th}}$ universe is denoted as $Y_{u}^{v}$ and $r_{2}$ , $r_{3}$ , and $r_{4}$ indicates random values that lie in the range of $[{0,1}]$ .

Step 4: Determine the coefficients

Here, 2 main coefficients are considered namely wormhole existence probability $(\eta)$ as well as traveling distance rate $(\lambda)$ . The presence of wormholes in the universe can be determined using $\eta$ , whereas the distance rate can be estimated using $\lambda$ . The traveling distance rate is linearly increased over a number of iterations to achieve a more accurate local search around optimal attained universe. The expression for two coefficients is given as follows,

$\displaystyle\lambda=\min+q\times\left({\frac{\max-\min}{Q}}\right)$ (17) $\displaystyle\eta=1-\frac{q^{1/s}}{Q^{1/s}}$ (18)

where $q$ denotes current iteration, and maximum iteration is indicated as $Q$ and $s$ indicates the exploitation accuracy over the iterations, which is equal to 6. If $s$ is higher, the local search will be more accurate.

Step 5: Termination

The process is repeated until best solution is attained and also it fulfills the condition. Algorithm 1 describes the pseudocode of adopted MFC for malicious behavior detection. Figure 5 demonstrates flowchart of adopted MFC.

Algorithm 1: Pseudocode of adopted multiverse fractional calculus (MFC)
1. Input: $A,Y_{u}^{v},\delta,N$
2. Output: $Y_{u}^{v}({t+1})$
3. for each universe indexed by $u$
4. Black hole index $=u$
5. for each object indexed by $v$
6. $r_{1}=\textit{random}({[{0,1}]})$
7. if $r_{1}<N({A_{u}})$
8. White hole index $=$ Roulette wheel selection $({-N})$
9. $A({\textit{Black}\_\textit{hole}\_\textit{index},v})=\delta({\textit{White}\_% \textit{hole}\_\textit{index},v})$
10. end if
11. end for
12. end for
13. For each universe indexed by $u$
14. For each universe indexed by $v$
15. $r_{2}=\textit{random}({[{0,1}]})$
16. if $r_{2}<\textit{Wormhole}\_\textit{existence}\_\textit{probability}$
17. $r_{3}=\textit{random}({[{0,1}]})$
18. $r_{4}=\textit{random}({[{0,1}]})$
19. Update solution using Eq. (16)
20. end if
21. end for
22. end for
23. Terminate

Figure 5.

Flowchart of proposed multiverse fractional calculus (MFC).

iii) Proposed MFC based RMDL for malicious behavior detection

The extracted feature $x_{i}$ with a dimension of $[{125973\times 10}]$ is fed as an input to RMDL classifier for malicious behavior detection, where network classifier is trained by exploiting same adopted MFC algorithm. The main purpose of using this RMDL is that it is feasible for any kind of dataset for classification. The architecture and training process of RMDL is described in the below section.

a) Structure of RMDL

RMDL [12] architecture is comprised of three basic deep learning structures in parallel, such as Deep Neural Networks (DNN), Recurrent Neural Networks (RNN), and a Convolutional Neural Network (CNN) model. Figure 5 portrays the structural model of RMDL.

DNN

DNN architecture is developed to understand the multi-connection layers such that an individual layer only gains joints from the preceding state and offers connection to the next layer in a hidden unit. The input is a set of features with an initial hidden layer for all random schemes, while the output layer is comprised of numerous classes for multi-class categorization and only one result is utilized for binary categorization. Moreover, DNN is a discriminatively trained system that exploits a back-propagation algorithm utilizing sigmoid and ReLU as an activation parameter, which is expressed as follows,

$\displaystyle f(x)=\frac{1}{1+e^{-x}}\in({0,1})$ (19) $\displaystyle f(x)=\max({0,x})$ (20)

The output obtained from DNN is called as $K_{d}$ .

RNN

RNN allocates more weights to earlier data of sequence. In RNN, it assumes the data of preceding nodes in a sophisticated way that permits semantic evaluation of dataset structure in a better way.

$\displaystyle x_{d}=F_{f}({x_{d-1},V_{d},\theta})$ (21) $\displaystyle x_{d}=w_{rec}\varpi({x_{d-1}})+w_{in}V_{d}+B$ (22)

where $x_{d}$ denotes the state at time $d$ and $V_{d}$ indicates input at the step $d$ . The recurrent matrix weight and input weight are denoted as $w_{\textit{rec}}$ and $w_{in}$ , respectively. $B$ and $\varpi$ indicates the bias and an element-wise operator.

Long Short Term Memory (LSTM)

LSTM is a kind of RNN that is exploited to protect long-term relevancy efficiently when compared to classical RNN. This network is highly utilized to address the vanishing gradient issue. LSTM is somewhat similar to that of RNN, which is a chain-like structure that exploits different gates to handle massive data. The LSTM cell procedure is stated as below:

$\displaystyle E_{d}=\varpi({w_{E}[{x_{d},y_{d-1}}]+B_{E}})$ (23) $\displaystyle\tilde{C}_{d}=\tan y({w_{C}[{x_{d},y_{d-1}}]+B_{C}})$ (24) $\displaystyle f_{d}=\varpi({w_{f}[{x_{d},y_{d-1}}]+B_{f}})$ (25) $\displaystyle M_{d}=E_{d}*\tilde{C}_{d}+f_{d}M_{d-1}$ (26) $\displaystyle O_{d}=\varpi({w_{O}[{x_{d},y_{d-1}}]+B_{O}})$ (27) $\displaystyle y_{d}=O_{d}\tan y({M_{d}})$ (28)

where $\tilde{C}_{d}$ is candid memory cell, $E_{d}$ denotes the input gate, $f_{d}$ is forget gate activation and $M_{d}$ is value of new memory cell. Here, $O_{d}$ and $y_{d}$ represents output gate value.

Gated Recurrent Unit (GRU)

It is a gating process for RNN that is comprised of 2 gates. GRU does not contain internal memory, and formulation for GRU cells is stated as below:

$\displaystyle Z_{d}=\varpi_{g}({w_{Z}x_{d}+P_{Z}y_{d-1}+B_{Z}})$ (29)

where $Z_{d}$ denotes update gate vector of $d$ , $x_{d}$ denotes input vector, and parameters are called as $w$ , $P$ , and $B$ . $\varpi_{g}$ stands for activation parameter that can be either sigmoid or ReLU.

$\displaystyle\tilde{S}_{d}=\varpi_{g}({W_{S}x_{d}+P_{S}y_{d-1}+B_{S}})$ (30) $\displaystyle y_{d}=Z_{d}\circ y_{d-1}+({1-Z_{d}})\circ\varpi_{g}({w_{y}x_{d}+% P_{y}({S_{d}\circ y_{d-1}})+B_{y}})$ (31)

where $y_{d}$ represents the output vector, and reset gate vector is signified as $S_{d}$ . $Z_{d}$ is the update gate vector of $d$ and hyberbolic tangent parameter is specified as $\varpi_{g}$ .

CNN

The last deep learning model that serves RMDL is CNN, which is mostly exploited for classification purposes. Generally, an image sensor is transformed with a group of kernels size $z\times z$ . Such layers are named as feature maps and it is arranged to present various filters on the input side. In order to mitigate computational complexity that arises in CNN, pooling was employed that minimizes the result size from one layer to the next layer. The most commonly utilized pooling model is max pooling in that a high element is selected in the pooling window. In the last layer, the maps are flattened into one column and the last layer is a fully connected layer. The outcome obtained from CNN is expressed as $L_{d}$ . Thus, the ultimate outcome attained from RMDL is exhibited as $X_{\textit{RMDL}}$ with dimension size of $[{1\times 2}]$ .

Figure 6.

Architectural model of RMDL.

b) Training of RMDL using adopted MFC

The RMDL classifier is trained to utilize same developed MFC algorithm that is utilized for training purposes of the HAN. A detailed explanation of steps followed in the algorithm of MFC is given under Section 4.2.1.

Fitness function

The fitness parameter is used to calculate optimal solution for malicious behavior detection, which is the difference amid the target value and the result produced from the RMDL classifier and it is represented as,

$\displaystyle\Im_{2}=\frac{1}{n}\sum\limits_{k=1}^{n}{[{T_{\textit{out}}-X_{% \textit{RMDL}}}]^{2}}$ (32)

where $n$ signifies total number of training samples, $T_{\textit{out}}$ signifies targeted outcome, and output attained from the RMDL classifier is specified as $X_{\textit{RMDL}}$ .

5. Results and analysis

This section describes the result and analysis of adopted MFC-based hybrid deep learning regarding the evaluation metrics by changing training data.

5.1 Experimental setup

The experimentation of the developed MFC-based hybrid deep learning model is performed in the “PYTHON tool with Intel core i-3 processor, windows 10 OS with 4 GB RAM”.

5.2 Dataset description

The dataset used in the adopted MFC-based hybrid deep learning approach is “KDD cup 99 (dataset 1), and BOT-IoT (dataset 2)”.

5.2.1 KDD cup 99

KDD cup 99 [15] is the most commonly utilized dataset for the assessment of anomaly detection techniques and this dataset contains approximately 4,900,000 single connection vectors each of which consists of 41 features and is considered as either normal behavior or malicious behavior.

5.2.2 BOT-IoT

The BoT-IoT dataset [16] is developed by designing a realistic network platform in the cyber range lab of UNSW Canberra and this dataset consists of DDoS, DoS, OS, keylogging, and data exfiltration attacks.

5.3 Evaluation measures

The performance improvement of the developed MFC-based hybrid deep learning approach is estimated by evaluation measures, such as sensitivity, testing accuracy, and specificity.

5.3.1 Testing accuracy

Testing accuracy is described as the degree of closes value to true measure and it is represented as,

$\displaystyle\textit{Testing accuracy}=\frac{T_{p}+T_{n}}{T_{p}+T_{n}+F_{p}+F_% {n}}$ (33)

where $T_{p}$ specifies the true positive and $T_{n}$ implies a true negative. $F_{p}$ and $F_{n}$ represents false positive as well as false negative, correspondingly.

5.3.2 Sensitivity

Sensitivity is termed as the test’s ability to detect malicious behavior in cloud environment and it is stated as,

$\displaystyle\textit{Sensitivity}=\frac{T_{p}}{T_{p}+F_{n}}$ (34)

5.3.3 Specificity

Specificity is the test’s ability to detect the presence of normal behavior in a cloud computing environment and it is expressed as,

$\displaystyle\textit{Specificity}=\frac{T_{n}}{T_{n}+F_{p}}$ (35)

5.4 Comparative analysis

This section explains comparative evaluation of the proposed MFC-based hybrid deep learning approach by considering with attack and without attack scenarios for two datasets, such as KDD cup 99 and BOT-IoT. The performance enhancement of the developed MFC-based hybrid deep learning model is evaluated and compared with the traditional methods like Reinforcement learning and Pattern matching [3], Ensemble SVM [5], and FCM-SVM [7].

Figure 7.

Analysis by dataset 1 for without attack scenario.

5.4.1 Analysis by dataset 1 without attack

Figure 7 represents the evaluation of the without attack scenario for dataset 1 regarding the performance measures by varying the training data percentage. Figure 7a demonstrates evaluation of testing accuracy regarding training data. By changing the training data to 90%, the testing accuracy obtained by the developed MFC-based hybrid deep learning model is 0.939, while conventional models attained testing accuracy of 0.779 for reinforcement learning and pattern matching, 0.846 for Ensemble SVM, and 0.902 for FCM-SVM. The developed scheme has the performance enhancement of 17.077%, 9.942%, and 3.977% than of existing models, like reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM.

The assessment of sensitivity is exhibited in Fig. 7b. If training percentage is 60%, the developed MFC-based hybrid deep learning model attained a sensitivity of 0.904, whereas the sensitivity obtained by the proposed approach is 0.949 for the training data percentage is 90% that resulting in the performance improvement of the adopted MFC-based hybrid deep learning model when compared it with classical methods, such as reinforcement learning and pattern matching is 8.556%, Ensemble SVM is 3.200%, and FCM-SVM is 2.468% for training data percentage is 90%.

Figure 7c portrays evaluation of specificity regarding training percentage. If training data is 60%, the specificity yielded by the adopted MFC-based hybrid deep learning approach is 0.836, where conventional models obtained specificity of 0.713 for reinforcement learning and pattern matching, 0.743 for Ensemble SVM, and 0.818 for FCM-SVM. The performance improvement of the adopted MFC-based hybrid deep learning approach by comparing it with that of traditional techniques like reinforcement learning and pattern matching is 17.131%, Ensemble SVM is 11.430%, and FCM-SVM is 5.305% for training data percentage is 90%.

5.4.2 Analysis utilizing dataset 1 with attack

Figure 8 exhibits evaluation of with attack scenario for dataset 1 with respect to evaluation metrics by changing training data. Figure 8a exhibits evaluation of testing accuracy. While training data is 90%, testing accuracy attained by the adopted MFC-based hybrid deep learning approach is 0.939, while existing techniques obtained testing accuracy for reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM is 0.814, 0.844, and 0.882, respectively. The proposed MFC-based hybrid deep learning approach shows performance development by evaluating it with the traditional techniques such as reinforcement learning and pattern matching is 13.226%, Ensemble SVM is 10.026%, and FCM-SVM is 5.993%.

Figure 8b represents assessment of sensitivity by varying training data percentages from 60% to 90%. By varying training data percentage to 90%, sensitivity obtained by the developed MFC-based hybrid deep learning approach is 0.949 that outcomes of performance improvement of the developed model with that of existing schemes, like reinforcement learning and pattern matching are 14.669%, Ensemble SVM is 9.937%, and FCM-SVM is 4.506%.

The analysis of specificity regarding training data is illustrated in Fig. 8c. If the training data is 90%, the adopted MFC-based hybrid deep learning approach obtained specificity of 0.911, whereas conventional methods obtained a specificity of 0.772 for reinforcement learning and pattern matching, 0.811 for Ensemble SVM, and 0.875 for FCM-SVM. The proposed MFC-based hybrid deep learning model shows the performance enhancement of 15.307%, 11.042%, and 3.963% than the conventional techniques, such as reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM.

Figure 8.

Analysis using dataset 1 for with attack scenario.

5.4.3 Analysis using dataset 2 without attack

Figure 9 specifies assessment of the without attack scenario for dataset 2 with respect to evaluation metrics by changing the training data percentage. Figure 9a illustrates the evaluation of testing accuracy for dataset 2. If training data is 90%, testing accuracy produced by the adopted approach is 0.932 over traditional approaches, like reinforcement learning is 8.990%, Ensemble SVM is 5.664%, and FCM-SVM is 2.262%. Nevertheless, the testing accuracy attained by existing techniques like reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM is 0.848, 0.879, and 0.911.

Figure 9b represents the evaluation of sensitivity by increasing training data from 60% to 90%. By considering the training data as 60%, the sensitivity attained by the adopted MFC-based hybrid deep learning model is 0.895 and for training data percentage of 90% is 0.944 shows performance development of the adopted scheme with that of conventional techniques such as reinforcement learning and pattern matching is 8.688%, Ensemble SVM is 4.224%, and FCM-SVM is 2.684%. The sensitivity attained by existing techniques, such as reinforcement learning and pattern matching is 0.862, Ensemble SVM is 0.904, and FCM-SVM is 0.918.

The analysis of specificity is depicted in Fig. 9c. The specificity achieved by the developed MFC-based hybrid deep learning approach is 0.929 while comparing with the traditional techniques like reinforcement learning and pattern matching is 12.735%, Ensemble SVM is 6.030%, and FCM-SVM is 2.787%. Nevertheless, specificity acquired by traditional schemes, like reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM is 0.811, 0.873, and 0.903.

Figure 9.

Analysis using dataset 2 for without attack scenario.

Figure 10.

Analysis by exploiting dataset 2 for with attack scenario.

5.4.4 Analysis by dataset 2 with attack

Figure 10 represents assessment of with attack scenario for dataset 2 with respect to evaluation metrics by changing training data. Figure 10a exhibits evaluation of testing accuracy. If the training data percentage is increased to 90%, testing accuracy obtained by the developed MFC-based hybrid deep learning approach is 0.923, while the conventional approaches attained testing accuracy of 0.768 for reinforcement learning and pattern matching, 0.827 for Ensemble SVM, and 0.898 for FCM-SVM.

Figure 10b exhibits the evaluation of sensitivity by changing the training data percentage from 60% to 90%. If training data as 60%, sensitivity attained by the developed MFC-based hybrid deep learning model is 0.888 results the performance development of the developed scheme with that of traditional techniques such as reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM is 18.619%, 11.733%, 3.183%, respectively.

The assessment of specificity is depicted in Fig. 10c. By considering training data percentage as 90%, the specificity obtained by the adopted MFC-based hybrid deep learning approach is 0.905, when compared it with the conventional techniques, such as reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM, is 19.723%, 12.153%, and 3.562%. Nevertheless, specificity attained by conventional models, such as reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM are 0.727, 0.795, and 0.873.

5.4.5 Receiver operating characteristics curve (ROC)/area under curve (AUC) analysis

Figure 11 demonstrates the Receiver operating characteristics curve (ROC)/area under curve (AUC) analysis of proposed and conventional models for with and without attack for dataset 1 and 2. It is analyzed by true positive rate and false positive rate. The AUC is area covered by ROC curve. In Fig. 11a, the AUC value of the existing methods, like reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM is 0.884, 0.846, 0.833 and the proposed method value is 0.923. For Fig. 11b, the AUC value of the existing methods, like reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM is 0.798, 0.852, 0.832 and the proposed method value is 0.933. In Fig. 11c, the AUC value of the existing methods, like reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM is 0.891, 0.86, 0.834 and the proposed method value is 0.92. For Fig. 11b, the AUC value of the existing methods, like reinforcement learning and pattern matching, Ensemble SVM, and FCM-SVM is 0.826, 0.85, 0.8 and the proposed method value is 0.9.

5.5 Comparative discussion

Table 1 summarizes the comparative analysis of the developed MFC-based hybrid deep learning approach. From the discussion, it is vivid that proposed MFC-based hybrid deep learning approach provides superior outcomes while comparing with the classical approaches. The proposed MFC-based hybrid deep learning approach has attained an utmost testing accuracy of 0.939, utmost sensitivity of 0.949, and utmost specificity of 0.947.

Table 1
Comparative analysis

		Measures/ methods	Reinforcement learning and pattern matching	Ensemble SVM	FCM-SVM	Proposed MFC-based hybrid deep learning approach
Dataset 1	Without attack	Testing accuracy	0.779	0.846	0.902	0.939
		Sensitivity	0.868	0.919	0.926	0.949
		Specificity	0.785	0.839	0.897	0.947
	With attack	Testing accuracy	0.814	0.844	0.882	0.939
		Sensitivity	0.810	0.855	0.906	0.949
		Specificity	0.772	0.811	0.875	0.911
Dataset 2	Without attack	Testing accuracy	0.848	0.879	0.911	0.932
		Sensitivity	0.862	0.904	0.918	0.944
		Specificity	0.811	0.873	0.903	0.929
	With attack	Testing accuracy	0.768	0.827	0.898	0.923
		Sensitivity	0.813	0.846	0.903	0.928
		Specificity	0.727	0.795	0.873	0.905

Figure 11.

AUC-ROC curve analysis of proposed and conventional models.

6. Conclusion

In recent years, utilization of cloud computing has been growing very fast and due to its sophisticated services, the malicious attack in the environment is also growing exponentially due to third-party attacks. To alleviate such security breaches, an efficient method is proposed using hybrid deep learning and fusion approach. The proposed approach consists of three phases, such as cloud simulation, feature selection, and malicious behavior detection. At first, the cloud environment is simulated and then the input data is subjected to a feature selection process, where the relevant features are chosen through a feature selection process by exploiting a wrapper-based model. The malicious behavior detection is carried out by exploiting hybrid deep learning classifiers, like Hierarchical Attention Network (HAN), Random Multimodel Deep Learning (RMDL) and each of them is separately trained by proposed Multiverse Fractional Calculus (MFC). Nevertheless, adopted MFC is derived by incorporating the fractional calculus concept into multi-verse optimizer. The proposed MFC-based hybrid deep learning model has attained an utmost testing sensitivity of 0.949, accuracy of 0.939, and specificity of 0.947 for without attack scenarios while considering dataset 1. The future work would be the inclusion of some other optimization approaches with other deep learning networks that further enhances the detection accuracy.

Footnotes

Author’s Bios

Chandra Sekhar Kolli is currently working as an Assistant Professor in the Department of Computer Science, GITAM (Deemed to be University), Visakhapatnam. He completed a Master’s in Computer Applications from Andhra University in 2008, Masters in Engineering from Hindustan University in 2011, and Ph.D. in Computer Science from GITAM (Deemed to be University) in 2021. He has 16 Research Publications to his credit in various International Journals and Conferences. His major focused research areas are Predictive Analytics, Cyber Security, Privacy-Preserving, Machine Learning, and Deep Learning techniques for some domain-specific problems.

Nihar M. Ranjan Having 20 plus years of teaching experience and currently working as an Associate professor & Head of Department (Computer Engineering) at Rajarshi Shahu College of Engineering, Pune. I had more than 30 publications in reputed international journals and conferences. Authored more than 10 books like Discrete Structure, Software Engineering, Software Testing & Quality Assurance, System Operation & Maintenance etc. More than 20 guest sessions conducted for students, faculty and research scholars. More than 20 professional course certifications completed like Coursera, NPTEL etc. More than 100 FDPs attended in online and offline mode like NITTTR etc. Holding the position of subject chairman for many subjects at university level. Also handled some key portfolio like NAAC Coordinator, Dean, Academic Coordinator, Student Council etc.

	Dharani Kumar Talapula is an Industry Fellow (Eq Associate Professor) in the School of Computer Science, University of Petroleum and Energy Studies, Dehradun, Indiain 2016. Earlier to moving into academics, worked in Sun Microsystems, Genisys, Glassbeam with a working culture of both MNC’s and Start-up’s with varying roles and responsibilities foran overall 18 years in the field of Storage Products, application development, Distributed applications, Data processing (structured/semi structured/unstructured data), Data store, Data management and ETL process, Big data solutions Stacks and NoSQL’s. Did M.S from Middlesex University, North London, United Kingdom. Research interests include Bigdata, AI-ML, Cloud and applying bio-inspired heuristics in optimization.
	Vikram S Gawali has worked as Junior Telecom Officer for 9.4 years in Bharat Sanchar Nigam Limited, Maharashtra circle. He has field experience in Installation, Commissioning and maintenance of 2 G, 3 G, Vast, Microwave system, RF drive, RF network optimization and optical fiber system. Now working as Assistant Professor in the department of Electronics and Telecommunication Engineering at Government College of Engineering, Chandrapur, Maharashtra. I have 9 years of teaching experience and I taught the subjects Digital Image Processing, wireless communication, Optoelectronics Devices and Communications, Computer Networking and Electronics Devices and circuits.
	Dr. Siddhartha Sankar Biswas is Assistant Professor at Department of Computer Science and Engineering, School of Engineering Sciences and Technology, Jamia Hamdard University, New Delhi, INDIA. He was awarded Ph.D. (Computer Engineering) by Jamia Millia Islamia in 2015. He was a Ph.D. Research Scholar at Department of Computer Engineering, Faculty of Engineering and Technology, Jamia Millia Islamia, New Delhi, INDIA. He has published 51 research papers and book chapters in various international journals and books published by Springer, Elsevier, Hindawi, etc which are indexed by Thomson Reuters, SCI, Scopus, IEEE, etc. Apart from Ph.D. in Computer Engineering, he is M.Tech in Computer Engineering, MBA in Information Technology and B.Tech. in Information Technology. He has more than 12 Years of Teaching experience at M.Tech., M.C.A. and B.Tech. level courses. He has also guided 7 M.Tech. students in their research thesis. Currently he is guiding 1 Ph.D. student and 2 M.Tech. students. He is Life Member of The Indian Science Congress (ISC), Life Member of Computer Society of
India (CSI), Life Member of Indian Society for Technical Education (ISTE), Life Member of IETE. He has attended various Refresher Courses FDP, QIP organized by IIT Delhi, Jamia Millia Islamia, Jamia Hamdard, AICTE and other institutes.

References

Rabbani

Wang

Y.L.

Khoshkangini

Jelodar

Zhao

and Hu

, A hybrid machine learning approach for malicious behaviour detection and recognition in cloud computing, Journal of Network and Computer Applications 151 (2020), 102507.

Samriya

J.K.

and Kumar

, A novel intrusion detection system using hybrid clustering-optimization approach in cloud computing, Materials Today: Proceedings, 2020.

Praise

J.J.

Raj

R.J.S.

and Benifa

J.V.B.

, Development of Reinforcement Learning and Pattern Matching (RLPM) Based Firewall for Secured Cloud Infrastructure, Wireless Personal Communications 115(2), (2020), 993–1018.

Aldribi

Traoreb

Moa

and Nwamuo

, Hypervisor-based cloud intrusion detection through online multivariate statistical change tracking, Computers & Security 88 (2020), 101646.

Wei

Long

and Zhao

, An intrusion detection algorithm based on bag representation with ensemble support vector machine in cloud computing, Concurrency and Computation: Practice and Experience 32(24) (2020), 5922.

Nathiya

and Suseendran

, An effective hybrid intrusion detection system for use in security monitoring in the virtual network layer of cloud computing technology, In Data management, analytics and innovation, Springer, Singapore, 2019, 483–497.

Jaber

A.N.

and Rehman

S.U.

, FCM–SVM based intrusion detection system for cloud computing environment, Cluster Computing 23 (2020), 3221–3231.

Ravindranath

Ramasamy

Somula

Sahoo

K.S.

and Gandomi

A.H.

, Swarm intelligence based feature selection for intrusion and detection system in cloud infrastructure, in: IEEE Congress on Evolutionary Computation (CEC), Glasgow, UK, Date of Conference: 19–24 July, 2020, pp. 1–6.

Deshpande

D.S.

Deshpande

S.P.

and Thakare

V.M.

, Detection of online malicious behavior: An overview, Ambient communications and computer systems, Advances in Intelligent Systems and Computing, Springer, Singapore, 904(2) (2019), 11–24. doi: 10.1007/978-981-13-5934-7.

10.

Saljoughi

A.S.

Mehvarz

and Mirvaziri

, Attacks and intrusion detection in cloud computing using neural networks and particle swarm optimization algorithms, Emerging Science Journal 1(4) (2017), 179–191.

11.

Yang

Dyer

Smola

and Hovy

, Hierarchical attention networks for document classification, in: Proceedings of the 2016 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, NAACL, San Diego, California, 2016, pp. 1480–1489.

12.

Kowsari

Heidarysafa

Brown

D.E.

Meimandi

K.J.

and Barnes

L.E.

, Rmdl: Random multimodel deep learning for classification, in: Proceedings of the 2nd International Conference on Information System and Data Mining, Lakeland FL USA April 9 – 11, 2018, pp. 19–28.

13.

Mirjalili

S.M.

and Hatamlou

, Multi-verse optimizer: A nature-inspired algorithm for global optimization, Neural Computing and Applications 27(2) (2016), 495–513.

14.

Bhaladhare

P.R.

and Jinwala

D.C.

, A clustering approach for the-diversity model in privacy preserving data mining using fractional calculus-bacterial foraging optimization algorithm, Advances in Computer Engineering, 2014.

15.

The KDDCup99 data set taken from, https://datahub.io/machine-learning/kddcup99, accessed on October 2021.

16.

The BoT IoT dataset taken from, https://www.unsw.adfa.edu.au/unsw-canberra-cyber/cybersecurity/ADFA-NB15-Datasets/bot_iot.php, accessed on October 2021.

17.

Kohavi

and John

G.H.

, Wrappers for feature subset selection, Artificial Intelligence 97(1–2) (1997), 273–324.

18.

Abdi

and Williams

L.J.

, Principal component analysis, Wiley Interdisciplinary Reviews: Computational Statistics 2(4) (2010), 433–459.

19.

Ambusaidi

M.A.

Nanda

and Tan

, Building an intrusion detection system using a filter-based feature selection algorithm, IEEE Transactions on Computers 65(10) (2016), 2986–2998.

20.

Bhuyan

M.H.

Bhattacharyya

D.K.

and Kalita

J.K.

, Network anomaly detection: Methods, systems and tools, IEEE Communications Surveys & Tutorials 16(1) (2013), 303–336.

21.

Binu

and Misbahuddin

, A survey of traditional and cloud specific security issues, in: International Symposium on Security in Computing and Communication, Springer, Berlin, Heidelberg, 2013, pp. 110–129.

22.

Jain

Pawar

and Kalbande

, Network security analyzer: Detection and prevention of web attacks, in: Proceedings of First International Conference on Information and Communication Technology for Intelligent Systems, Springer, Cham, Vol. 1, 2016, pp. 497–505.

23.

Kumar

, Characterization and detection of malicious behavior on the web, Doctoral dissertation, University of Maryland, College Park, 2017.

24.

Ranjan

N.M.

and Prasad

R.S.

, Automatic text classification using BPLion-neural network and semantic word processing, The Imaging Science Journal 66(2) (2018), 69–83.

25.

Ranjan

N.M.

and Prasad

R.S.

, LFNN: Lion fuzzy neural network-based evolutionary model for text classification using context and sense based features, Applied Soft Computing 71 (2018), 994–1008.

26.

Ranjan

N.M.

and Chakkaravarthy

, Evolutionary and incremental text document classifier using deep learning, International Journal of Grid and Distributed Computing 14(1) (2021), 587–595.

27.

Ranjan

N.M.

and Chakkaravarthy

, A brief survey of machine learning algorithms for text document classification on incremental database, Test Engineering and Management 83 (2020), 25246–25251.

28.

Cristin

Cyril Raj

Dr. and Marimuthu

, Face image forgery detection by weight optimized neural network model, Multimedia Research 2(2) (2019), 19–27.

29.

Cristin

Merlin

N.R.G.

Ramanathan

and Vimala

, Image forgery detection using back propagation neural network model and particle swarm optimization algorithm, Multimedia Research 3(1) (2020), 21–32.

Multiverse fractional calculus based hybrid deep learning and fusion approach for detecting malicious behavior in cloud computing environment

Abstract

Keywords

1. Introduction

2. Literature review

3. Adopted hybrid deep learning method for malicious behavior detection in cloud computing

3.1 Cloud model

a) Wrapper method

4.1 Fusion process using Hausdorff distance

i) Structure of HAN

ii) Training HAN by exploiting adopted MFC

Fitness function

The algorithmic procedure of the proposed multiverse fractional calculus (MFC)

Step 1: Initialization

Step 2: Calculate fitness function

Step 3: Roulette wheel selection model

Step 4: Determine the coefficients

Step 5: Termination

iii) Proposed MFC based RMDL for malicious behavior detection

a) Structure of RMDL

DNN

RNN

Long Short Term Memory (LSTM)

Gated Recurrent Unit (GRU)

CNN

b) Training of RMDL using adopted MFC

Fitness function

5.1 Experimental setup

5.2 Dataset description

5.2.1 KDD cup 99

5.2.2 BOT-IoT

5.3 Evaluation measures

5.3.1 Testing accuracy

5.4.2 Analysis utilizing dataset 1 with attack

5.4.5 Receiver operating characteristics curve (ROC)/area under curve (AUC) analysis

5.5 Comparative discussion

Table 1 Comparative analysis

Footnotes

Author’s Bios

References

Table 1
Comparative analysis