<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Optimized Deep Neural Network for Attack Detection in Cyber-Physical Systems for Smart Healthcare using Modified Ant Lion Optimization</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Ali Ahmadian</string-name>
          <email>ahmadian.hosseini@gmail.com</email>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Ashok Kumar Yadav</string-name>
          <email>ashok@gecazamgarh.ac.in</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Massimiliano Ferrara</string-name>
          <email>massimiliano.ferrara@unirc.it</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Decisions Lab, Mediterranea University of Reggio Calabria</institution>
          ,
          <addr-line>Reggio Calabria</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Department of Information Technology, Rajkiya Engineering College Azamgarh</institution>
          ,
          <addr-line>Uttar Pradesh</addr-line>
          ,
          <country country="IN">India</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>Faculty of Engineering and Natural Sciences, Istanbul Okan University</institution>
          ,
          <addr-line>Istanbul</addr-line>
          ,
          <country country="TR">Turkey</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>The widespread implementation of innovative healthcare systems brings about notable security risks, especially in cyber-physical systems (CPS). Ensuring patient safety and system performance is crucial in CPS, particularly when detecting and preventing attacks. This paper discusses smart healthcare systems and presents a modified deep neural network (DNN) model that can effectively classify various types of attacks on CPS. In addition, we present a modified Ant Lion Optimization (ALO) algorithm that enhances the model's accuracy and reliability when combined with ensemble methods. By incorporating multiple feature selection techniques, the voting-based ensemble selection method improves the ability to detect attacks by leveraging the importance of the rankings of each feature assessed in those approaches. This enhances the recovery of vital data while minimizing the number of characteristics utilized for identification. Our optimized DNN model outperforms traditional approaches regarding real-time attack detection in smart healthcare system networks. From a theoretical standpoint, the methods outlined in the paper have the potential to enhance the security measures implemented in the construction of CPS and significantly bolster the resilience of smart healthcare systems against the latest cyber threats. The optimized DNN, which was further optimized with the help of the modified ALO algorithm, returned excellent results, with an accuracy of 99.5%, a precision of 99.3%, a recall of 99.4%, an F1-score of 99.35%, and an ROC-AUC of 0.995. Such metrics illustrate the model's effectiveness in detecting and classifying different cyberattack forms with a high accuracy rate.</p>
      </abstract>
      <kwd-group>
        <kwd>Smart Healthcare</kwd>
        <kwd>Cyber-Physical Systems (CPS)</kwd>
        <kwd>Deep Neural Networks (DNN)</kwd>
        <kwd>Attack Detection</kwd>
        <kwd>Modified Ant Lion Optimization (ALO)</kwd>
        <kwd>Ensemble Feature Selection</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        Integrating cyber-physical systems (CPS) into competent healthcare has improved the effectiveness of
patient monitoring, treatment, and care delivery. However, these advances could result in significant
security vulnerabilities. Such systems can become vulnerable to attacks, which could jeopardize the
patient’s safety and the system’s overall functionality. The urgent need to protect healthcare systems
from unauthorized intrusion, data and services assault, and illicit content embedding is becoming
increasingly apparent [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. Using computer-based algorithms, CPS facilitates the seamless merging of
the digital and physical domains. A CPS ensures that a process is well-managed and regulated [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]. The
CPS is built to resist several types of data attacks, such as man-in-the-middle attacks, medical data
manipulation, and ransomware attacks like WannaCry. By utilizing the blockchain to store medical
data and employing advanced techniques such as convolutional neural networks for analysis, this
system can potentially improve the privacy and security of this data [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. CPS aims to combine physical
methods with data processing and communications. Interdependent computational entities interacting
with the cosmos and its processes make up a CPS [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ].
      </p>
      <p>This work enhances DNN models for CPS healthcare security using a modified ALO algorithm and
ensemble feature selection. The ALO algorithm optimizes hyperparameters, while feature selection
removes redundancies. Key contributions include ALO’s role in security-focused DNN optimization
and showing improved attack detection. Experimental results validate its real-time effectiveness.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Related Works</title>
      <p>
        Deep learning (DL) consistently outperforms traditional machine learning techniques, as demonstrated
in studies such as [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ], [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ],[
        <xref ref-type="bibr" rid="ref8">8</xref>
        ]. Given sufficient data, DL models typically deliver superior results [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ].
However, the use of DL models to address the CPS information security problem has been very gradual
compared to their application in other areas such as natural language processing, software fragility,
and image processing [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ], [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ]. Furthermore, other DL models have been suggested in recent articles
to identify CPS cyberattacks. It is often believed that the difficulties in superimposing privacy and
security on top of CPSs are to blame for the difficulty in detecting cyberattacks on these systems. The
authors detail their work on a tree classifier-based model for detecting network intrusions in a paper
cited as [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ]. Achieving an accuracy of 94.23%, the system aims to accelerate anomaly detection by
reducing the dimensionality of incoming data. In the context of the Internet of Medical Things (IoMT),
malicious actors could jeopardize patient safety by remotely altering device configurations. To address
such threats, SMDAps, a specification-based misbehavior detection system, has been proposed [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ].
To detect assaults on personal medical devices, the authors [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ] have proposed an intrusion detection
system (IDS) called HEKA. Using the SVM classifier, HEKA can identify assaults on personal medical
supplies with an accuracy of 98.4% and an F1 score of 98%. They reportedly built an intrusion detection
system using the KDDCup-’99 dataset. The system used a combination of different classifiers to predict
network attacks and applied principal component analysis (PCA) to simplify the data, as mentioned in
[
        <xref ref-type="bibr" rid="ref15">15</xref>
        ]. Using the bagging algorithm’s categorized decision trees, the system had a 93.2% accuracy rate.
The Dew-Cloud-based model, which incorporates an organizational long-term memory (HLSTM) model,
is a hierarchical federated learning (HFL) system that the researchers suggested in their study [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ].
Cyberattacks have developed into an asymmetrical kind of warfare, which is worrisome for computer
scientists and the world at large [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ], [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ]. Research by [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ], guided by data analysis factors like accuracy, speed,
delay, ability to handle errors, amount of data, growth potential, convergence, and overall performance,
suggested using feed-forward and feedback propagation ANN models for research. To
mentally load and fool the adversary, [20] provide a cognitive deception model (CDM) based on a neural
network. The CDM takes an input message and produces decoy messages that are separate, believable,
persuasive, and syntactically and semantically coherent. Their approach centered on investigating the
performance of various techniques across diverse datasets with varying characteristics and determining
the optimal parameters for these algorithms to function effectively. The researchers in
[21] utilized a recurrent neural network (RNN)-based autoencoder (AE). They employed data segmentation and
aggregation techniques to enhance the model’s performance, creating segments of varying lengths
while maintaining a similar total variation. Similarly, [22] utilized RNN AEs to effectively reconstruct
multi-dimensional time series data, giving researchers helpful information about the operating state of
specific sensors in the system without requiring complete reconstruction.
      </p>
    </sec>
    <sec id="sec-3">
      <title>3. Methods and Materials</title>
      <p>In this study, we develop an optimized DNN model to detect different cyberattacks on intelligent
healthcare CPS. We have utilized the TON_IoT dataset, which includes a range of attacks, and addressed
the challenges of data imbalance and selection through a voting-based ensemble approach. In addition,
the modified ALO algorithm is employed to optimize the
hyperparameters of the DNN to attain the utmost detection rate for different attack scenarios. The
workflow diagram is shown in Figure 1. The features are assessed using techniques
such as mutual information, lasso regression, and chi-square tests before they are integrated using a
voting-based ensemble feature selection. The extracted features also guide the DNN model architecture
design, which the modified ALO algorithm enhances. The last step involves classifying input data into
normal and attack classes using the optimized deep neural network, further improving the security of
smart healthcare systems.</p>
      <sec id="sec-3-1">
        <title>3.1. Data Collection</title>
        <p>The study uses the TON_IoT dataset, which is highly suitable for cybersecurity research in Internet
of Things (IoT) environments and includes applications in intelligent healthcare systems. The dataset
consists of various attack types, making it a solid basis for training and evaluating the proposed DNN
model. The dataset contains a wide range of instances, including injection attacks, benign traffic,
Distributed Denial of Service (DDoS) attacks, password attacks, scanning attacks, Cross-Site Scripting
(XSS) attacks, backdoor attacks, Man-in-the-Middle (MITM) attacks, Denial of Service (DoS) attacks,
and ransomware attacks. Figure 2 shows the data distribution from the TON_IoT dataset. In addition,
the data underwent preprocessing, including normalization and encoding of categorical features. It was
then split into a training set, which accounted for 70% of the data, and a testing set, which accounted
for the remaining 30%. The processing methodology in this study consists of several basic steps: data
normalization, feature extraction, and data splitting. The normalization of a feature  is performed
using the following equation:
−  min
max −  min
′ =
(1)
Here,  represents the original feature value,  and  denote the minimum and maximum
values of that feature in the dataset, respectively, and ′ is the resulting normalized value.</p>
        <p>3.2. Feature Selection</p>
        <p>Extraction of features entails detecting and extracting specific essential characteristics found in the raw
information to differentiate between the normal and attack states. Information concerning the features
is obtained from network traffic, sensor data, and system event logs. In this case, an ensemble feature
selection method is adopted, where the voting technique is utilized to rank the features while several
feature selection methods are employed. The DNN then receives the selected features.</p>
        <sec id="sec-3-1-1">
          <title>3.2.1. Mutual Information</title>
          <p>The degree to which each characteristic depends on the target variable may be determined via mutual
information. Features are deemed more relevant to the task if they have high mutual information with
the target. Mathematically, mutual information between a feature  and the target variable  is calculated
as
(; ) = ∑︁ (, ) log
,
︂( (, ) )︂
()()
Where (, ) is the joint probability distribution of  and , and () and () are the marginal
probability distributions of  and , respectively. Features with the highest mutual information scores
are selected for further analysis.</p>
        </sec>
        <sec id="sec-3-1-2">
          <title>3.2.2. Lasso Regression (L1 Regularization)</title>
          <p>By applying an L1 penalty to the coefficients, the linear model known as Lasso Regression selects
features. Some coefficients become zero due to this penalty, eliminating aspects that aren’t crucial to
the model. The Lasso objective function is:
  ⎨⎧ 1 ∑︁( − ˆ )2 +  ∑︁ | |⎬⎫
⎩ 2 =1 =1 ⎭
(2)
(3)
(4)
Where  is the coefficients,  is the regularization parameter, and  and  represent the number of
samples and features, respectively. Features with non-zero coefficients are selected as they contribute
to predicting the target variable.</p>
        </sec>
        <sec id="sec-3-1-3">
          <title>3.2.3. Chi-Square Test</title>
          <p>To determine if categorical traits are independent of the dependent variable, statisticians employ the
chi-square test. In terms of categorical variables, it quantifies the discordance between actual and
predicted frequencies. The Chi-square statistic for a feature  concerning the target  is calculated as:
 2(, ) = ∑︁ ( −  )2</p>
          <p>where  is the observed frequency and  is the expected frequency under the independence
assumption. Features with the highest Chi-Square scores are considered the most relevant.</p>
        </sec>
        <sec id="sec-3-1-4">
          <title>3.2.4. Voting-Based Ensemble Feature Selection Method</title>
          <p>The voting-based ensemble method summarizes the different feature selection outcomes and credits
repeated feature selections in the various techniques. This avoids the problem of bias resulting from
excessive dependence on one method of selecting the best features. The dataset , consisting of 
features, is represented as: = {1, 2, . . . , }. We apply  different feature selection methods to
this dataset, resulting in  subsets of selected features 1, 2, . . . , , where  ⊆  is the subset of
features selected by the -th feature selection method. For each feature  in the dataset , a vote
is assigned based on whether it was selected using a particular feature selection method. The total
number of votes for the feature  across all methods is calculated as</p>
          <p>() = ∑︁ 1( ∈  )
=1
(5)
where 1( ∈  ) is an indicator function that equals 1 if  is present in  , and 0 otherwise. A
threshold k is set to determine the minimum number of votes required for a feature to be included in the
final selected feature set F. The final selected feature set F is given by  = { ∈  | votes() ≥ }
Where, k is the minimum number of votes a feature must receive to be considered essential and included
in the final feature set. The final feature set F consists of features that have received at least k votes,
reflecting a consensus among the various feature selection methods. The choice of k can be adjusted
depending on the desired strictness of feature selection. For example, setting  =  would require a
feature to be selected by all methods, while  = 2 would require selection by at least half of the methods.
Algorithm: Voting-Based Ensemble Feature Selection
Input: Dataset  with  features {1, 2, . . . , } and target variable 
Output: Selected feature set 
1. Initialize empty lists for selected features:  , , ℎ
2. Set voting threshold  (e.g.,  = 2)
3. Step 1: Feature Selection using Mutual Information
a) For each feature  in :</p>
          <p>i. Compute Mutual Information (; )
b) Select the top  features based on the highest (; ) values and add to 
4. Step 2: Feature Selection using Lasso Regression (L1 Regularization)
a) Fit Lasso Regression model on  with target 
b) For each feature  in :</p>
          <p>i. If Lasso coefficient  ≠ 0, add  to 
5. Step 3: Feature Selection using Chi-Square Test
a) For each feature  in :</p>
          <p>i. Compute Chi-Square statistic  2(, )
b) Select top  features based on highest  2(, ) values and add to ℎ
6. Step 4: Voting Mechanism
a) Initialize an empty dictionary VoteCount to store vote counts for each feature
b) For each feature  in :
i. VoteCount[] = 0
ii. If  ∈  , then VoteCount[] = VoteCount[] + 1
iii. If  ∈ , then VoteCount[] = VoteCount[] + 1
iv. If  ∈ ℎ, then VoteCount[] = VoteCount[] + 1
7. Step 5: Select Final Feature Set 
a) Initialize empty set 
b) For each feature  in :</p>
          <p>i. If VoteCount[] ≥ , add   to 
c) Return</p>
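          <p>The voting procedure above can be run end to end with the program below. It is an added example, not code from the paper: the feature names and the 240 constructed records are hypothetical, the three selectors use only the standard library (top-k mutual information, top-k chi-square, and Lasso fitted by coordinate descent in the usual 1/(2n) scaling), and the Lasso penalty, top-k size and vote threshold are assumed values.

```python
"""Voting-based ensemble feature selection on constructed data (added example)."""
import math
from collections import Counter


def mutual_information(x, y):
    """I(X;Y) in nats for two discrete sequences, from empirical frequencies."""
    n = len(x)
    joint, px, py = Counter(zip(x, y)), Counter(x), Counter(y)
    return sum(c / n * math.log(c * n / (px[a] * py[b]))
               for (a, b), c in joint.items())


def chi_square(x, y):
    """Pearson chi-square: sum of (observed - expected)^2 / expected."""
    n = len(x)
    obs, px, py = Counter(zip(x, y)), Counter(x), Counter(y)
    return sum((obs[(a, b)] - px[a] * py[b] / n) ** 2 / (px[a] * py[b] / n)
               for a in px for b in py)


def standardize(col):
    """Zero mean, unit variance (a constant column becomes all zeros)."""
    mean = sum(col) / len(col)
    sd = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col)) or 1.0
    return [(v - mean) / sd for v in col]


def lasso_coefficients(columns, y, lam, sweeps=200):
    """Minimise 1/(2n) * sum (y - y_hat)^2 + lam * sum |beta| by coordinate
    descent with soft-thresholding, on standardized features."""
    n = len(y)
    cols = [standardize(c) for c in columns]
    y_mean = sum(y) / n
    resid = [v - y_mean for v in y]
    beta = [0.0] * len(cols)
    for _ in range(sweeps):
        for j, col in enumerate(cols):
            rho = sum(c * (r + c * beta[j]) for c, r in zip(col, resid)) / n
            new = math.copysign(max(abs(rho) - lam, 0.0), rho)
            delta = new - beta[j]
            if delta:
                resid = [r - c * delta for c, r in zip(col, resid)]
                beta[j] = new
    return beta


def top_k(scores, k):
    """Names of the k highest-scoring features."""
    return set(sorted(scores, key=scores.get, reverse=True)[:k])


def ensemble_select(features, y, top=2, lam=0.2, min_votes=2):
    """Return (selected feature names, votes per feature)."""
    names = list(features)
    s_mi = top_k({f: mutual_information(features[f], y) for f in names}, top)
    s_chi = top_k({f: chi_square(features[f], y) for f in names}, top)
    beta = lasso_coefficients([features[f] for f in names], y, lam)
    s_lasso = {f for f, b in zip(names, beta) if b != 0.0}
    # One vote per method that selected the feature.
    votes = {f: sum(f in s for s in (s_mi, s_lasso, s_chi)) for f in names}
    return [f for f in names if votes[f] >= min_votes], votes


def constructed_flows(n=240):
    """Constructed sample: every third record is an attack (label 1).
    Two features track the label with different error rates; two are unrelated."""
    y = [1 if i % 3 == 0 else 0 for i in range(n)]
    features = {
        "failed_login": [y[i] ^ (i % 20 == 0) for i in range(n)],  # 5% flipped
        "burst_rate": [y[i] ^ (i % 8 == 0) for i in range(n)],     # 12.5% flipped
        "proto_udp": [i % 2 for i in range(n)],                    # independent of y
        "ttl_bucket": [i % 5 for i in range(n)],                   # independent of y
    }
    return features, y


if __name__ == "__main__":
    feats, labels = constructed_flows()
    for k in (2, 3):
        chosen, votes = ensemble_select(feats, labels, min_votes=k)
        print(f"k={k}: selected={chosen} votes={votes}")
```

With the strict penalty used here, Lasso keeps only `failed_login` because `burst_rate` is largely redundant with it, so `burst_rate` survives at a threshold of 2 votes and is dropped at 3.
          </p>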
        </sec>
      </sec>
      <sec id="sec-3-2">
        <title>3.3. Model Architecture</title>
        <p>The number of features,  , selected in the feature selection process corresponds to the number of
input features, which is the input layer. Let  ∈ R be the vector of the selected input features. The
proposed DNN model for CPS intrusion detection in an intelligent healthcare system has five hidden,
fully connected dense layers. In each hidden layer l, the input from
the previous layer ℎ(−1) undergoes a linear transformation followed by applying the rectified linear
unit (ReLU) activation function. The mathematical operation for the ℎ hidden layer is given by
ℎ = ReLU(ℎ−1 + ), where  is the weight matrix that connects the neurons of layer l-1 to the
neurons of layer l,  is the bias vector added to the linear transformation, and ReLU is the activation
function defined as ReLU() = max(0, ). This activation function introduces non-linearity into the
model, allowing it to learn more complex functions. The first hidden layer consists of 256 neurons,
transforming the input vector ℎ0 =  ( is the input features vector) using the weight matrix 1 and
bias . The second hidden layer reduces the dimensionality further by using 128 neurons and applying
a new set of weights 2 and biases 2. The third hidden layer has 64 neurons, continuing to distill
the most relevant information through the weight matrix 3 and bias 3. The fourth hidden layer
comprises 32 neurons, using 4 to refine the feature representation further. The fifth and final hidden
layer contains 16 neurons, producing the final intermediate output ℎ5 before the model’s predictions
are computed in the output layer. Batch normalization is used after each hidden layer to standardize
the input to each layer to improve training stability and speed. Dropout is another measure used after
each hidden layer, which aims to avoid overfitting by training a random percentage of neurons with
zero outputs. Stacking these hidden layers enhances the model’s capacity to identify diferent kinds
of cyberattacks in smart healthcare CPS by allowing it to learn hierarchical feature representations
gradually. Figure 3 shows the proposed deep DNN network. The batch normalization operation for a
given layer is defined as:
ℎnorm =

ℎ − 

·  + 
(6)
Where,  and  are the mean and standard deviation of the mini-batch.  and  are learnable parameters
that scale and shift the normalized output. To prevent overfitting, dropout layers are applied after each
hidden layer. Dropout randomly sets a fraction  of input units to zero during training. The dropout
operation is defined as
ℎdrop = ℎ · , where  ∼ Bernoulli().
The variable  represents a binary
mask vector that is drawn from a Bernoulli distribution, which has a probability p of retaining a unit.</p>
        <p>
The output layer consists of 2 neurons, corresponding to the two classes: ‘normal’ and ‘attack.’ The
softmax activation function is applied to the output logits to convert them into class probabilities. The
mathematical operation for the output layer is  = Softmax(6ℎ5 + 6). Where, 6 and 6 are the
output layer’s weight matrix and bias vector. The softmax function is defined as:
exp()
Softmax() = ∑︀
=1 exp( )
This function ensures that the outputs are non-negative and sum to 1, representing valid probabilities.
The model learns to reduce the categorical cross-entropy loss, which looks at how different the predicted
probabilities are from the actual class labels. The cross-entropy loss is defined as:
 
1 ∑︁ ∑︁ , log(ˆ,)
 = −
=1 =1</p>
        <p>
Here,  denotes the number of training examples,  is the number of classes, (,) represents the true
label (1 for the correct class, 0 otherwise), and ˆ, is the predicted probability for class  for the -th
example.</p>
        <p>Algorithm: Modified ALO for DNN Hyperparameter Tuning
Input: Population size  , Maximum number of iterations MaxIter, Search space for hyperparameters
and DNN model architecture
Output: Optimal hyperparameters for the DNN
1. Initialize a population of Ant lions with random hyperparameters within the defined search space.
2. Evaluate the fitness of each Ant lion by training the DNN and measuring validation accuracy and
loss.
3. Select the best-performing ant lions as elites.
4. while (termination criteria not met) do
a) for each ant (candidate solution) do
i. Perform a random walk in the hyperparameter space based on the position of the
nearest Ant lion.
ii. Update the ant’s position using:
ant( + 1) =
ant() + lion()
2
iii. Train the DNN with the current hyperparameters of the ant.
iv. Evaluate the fitness of the ant using the fitness function:</p>
        <p>() = Validation Accuracy −  × Validation Loss
v. If the ant’s fitness is better than the corresponding Ant lion’s fitness, update the Ant
lion’s position.
b) end for
c) Apply elitism: retain the best-performing Ant lions as elites.
5. end while
6. Return the best set of hyperparameters found.
(7)
(8)</p>
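        <p>One way to realise the tuning loop above, as an added example that is not the authors' implementation. Training the DNN is replaced by a constructed surrogate response surface; the search space, the loss weight and the shrinking walk radius are assumptions, and lion(t) in the update rule is read as the nearest ant lion.

```python
"""Modified ALO hyperparameter search with a surrogate objective (added example)."""
import math
import random

# Assumed search space (the page does not list one):
# log10(learning rate) and dropout rate.
BOUNDS = [(-5.0, -1.0), (0.0, 0.5)]
LOSS_WEIGHT = 0.5  # assumed weight on validation loss in the fitness function


def surrogate_validation(hp):
    """Constructed stand-in for 'train the DNN, then validate'.
    Peaks at learning rate 1e-3 and dropout 0.2; returns (accuracy, loss)."""
    log_lr, dropout = hp
    dist = ((log_lr + 3.0) / 4.0) ** 2 + ((dropout - 0.2) / 0.5) ** 2
    return 0.995 * math.exp(-4.0 * dist), 0.02 + 2.0 * dist


def fitness(hp, evaluate=surrogate_validation):
    """Fitness = validation accuracy - weight * validation loss."""
    accuracy, loss = evaluate(hp)
    return accuracy - LOSS_WEIGHT * loss


def clip(hp):
    """Keep every hyperparameter inside its bounds."""
    return [min(max(v, lo), hi) for v, (lo, hi) in zip(hp, BOUNDS)]


def scaled_distance(a, b):
    """Squared distance with each axis scaled by the width of its range."""
    return sum(((u - v) / (hi - lo)) ** 2 for u, v, (lo, hi) in zip(a, b, BOUNDS))


def random_point(rng):
    return [rng.uniform(lo, hi) for lo, hi in BOUNDS]


def modified_alo(pop_size=10, max_iter=40, seed=7, evaluate=surrogate_validation):
    """Return (best hyperparameters, best fitness, elite fitness per iteration)."""
    rng = random.Random(seed)
    lions = [random_point(rng) for _ in range(pop_size)]
    lion_fit = [fitness(lion, evaluate) for lion in lions]
    ants = [random_point(rng) for _ in range(pop_size)]
    history = []
    for t in range(max_iter):
        radius = 0.5 * (1.0 - t / max_iter)  # walk range shrinks over time
        for a in range(pop_size):
            # Step i: random walk around the nearest ant lion.
            k = min(range(pop_size),
                    key=lambda j: scaled_distance(ants[a], lions[j]))
            walked = clip([x + rng.uniform(-radius, radius) * (hi - lo)
                           for x, (lo, hi) in zip(lions[k], BOUNDS)])
            # Step ii: ant(t+1) = (ant(t) + lion(t)) / 2, ant(t) being the walk.
            ants[a] = [(w + x) / 2.0 for w, x in zip(walked, lions[k])]
            # Steps iii-iv: "train" and score the candidate.
            ant_fit = fitness(ants[a], evaluate)
            # Step v: a fitter ant replaces its ant lion.
            if ant_fit > lion_fit[k]:
                lions[k], lion_fit[k] = list(ants[a]), ant_fit
        # Elitism: ant lions are only ever replaced by fitter ants, so the best
        # one is always retained; record it as the elite of this iteration.
        history.append(max(lion_fit))
    best = max(range(pop_size), key=lion_fit.__getitem__)
    return lions[best], lion_fit[best], history


if __name__ == "__main__":
    hp, fit, hist = modified_alo()
    print(f"learning rate = {10 ** hp[0]:.2e}, dropout = {hp[1]:.3f}")
    print(f"fitness = {fit:.4f} (first iteration elite: {hist[0]:.4f})")
```

To tune a real model, pass an `evaluate` callable that trains the network with the given hyperparameters and returns its validation accuracy and loss.
        </p>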
      </sec>
    </sec>
    <sec id="sec-4">
      <title>4. Result and Discussion</title>
      <p>The evaluation focused on a DNN model enhanced with a modified ALO algorithm, tested on a healthcare
CPS dataset containing various attacks. Performance was measured using accuracy, precision, recall,
F1-score, and ROC-AUC metrics. Table 1 lists the performance parameters achieved by the deep
neural network (DNN) model in identifying the various forms of cyberattacks in smart healthcare
cyber-physical systems. The model delivers appreciable performance across the multiple forms of
attacks, notably injection attacks (accuracy of 99.7%, precision of 99.6%, recall of 99.8%, F1
score of 99.7%, and ROC AUC of 0.997) and DDoS attacks (accuracy of 99.6%, precision of 99.5%, recall of
99.7%, F1 score of 99.6%, and an AUC score of 0.996). The model performs similarly in classifying benign
traffic, with accuracy at 99.4% and ROC AUC of 0.994, but at a lower level of precision and recall than the
attack categories. However, while the model does well in terms of detection of XSS, scanning, backdoor,
DoS, MITM, and ransomware attacks, the associated performance scores for these categories are lower,
with accuracy values between 98.9% and 99.3% and AUC values nearing 0.99. Judging from these results,
it can be inferred that the model is generally efficient, especially when detecting common and more
devastating types of attacks such as injections and DDoS attacks. Results show the model performs
optimally across most attack types, indicating its practical applicability, particularly in smart healthcare
systems.</p>
      <p>Figure 4 shows the training and testing accuracy of the proposed DNN model optimized
with the modified ALO technique over 100 epochs. The graph implies that
the model has improved over time on both the training data and the
testing data, since there has been a gradual increase in the accuracy percentages on both datasets. The
training accuracy graph is slow to rise in the first few epochs, indicating that the model can harness a
fast learning rate from the training set. However, after additional training, the graph begins to resemble
a straight line, slightly below the optimal level of 100% accuracy. This means that the model has learned
almost every feature of the data. The dashed line in the graph refers to the accuracy obtained during
the testing phase, which follows almost the same trend but is lower than the training phase. There is a
tiny margin between training and test accuracy. This evidence suggests the model can fit the unseen
data reasonably well and does not overfit considerably. The high accuracy for both training and testing
data is because the model’s hyperparameters have been effectively adjusted using modified ALO for
optimizing hyperparameters in detecting harmful cyberattacks in smart healthcare systems.</p>
      <p>Figure 5 illustrates the loss curves for training and test datasets over 100 epochs. The losses converge
and then remain stable, with an initial sharp dip indicating the model’s learning phase. As training progresses,
the curves stabilize, signifying optimal performance. Training loss is typically lower than test loss
since both datasets share a similar distribution. The small gap between the curves suggests minimal
overfitting, demonstrating that the model generalizes well. This balance ensures reliable predictions
without excessive bias toward training data.</p>
      <p>The impact of feature selection on the performance of the
proposed DNN model is shown in Table 2. Applying feature selection techniques significantly improved
all evaluated metrics, including accuracy, precision, recall, F1-score, and ROC-AUC. Accuracy increased
from 98.5% to 99.5%, enhancing prediction precision. Similarly, precision rose from 98.2% to 99.3%, while
recall improved from 98.3% to 99.4%, demonstrating better target identification. The F1-score, which
balances precision and recall, increased from 98.25% to 99.35%. ROC-AUC also showed performance
gains, reflecting improved class discrimination. These enhancements highlight the importance of feature
selection in optimizing input data, ultimately strengthening the model’s accuracy and effectiveness in
detecting cyberattacks in smart health CPS.</p>
      <p>Table 3 presents the results of the modified ALO algorithm
on the proposed DNN model performance metrics. The results indicate that using the ALO algorithm
enhances the model’s performance across all evaluated metrics. For instance, the accuracy of the model
without ALO is 98.8%, while with ALO, it is 99.5%. This means ALO helps enhance the model’s
performance in classifying positive and negative classes. Similarly, the precision of the positive predictions
made by the model, i.e., true positives, is 98.5% in the absence of the ALO algorithm. In contrast, it
is 99.3% in the presence of ALO, with even better performance. This improvement indicates that the
model is better at decreasing false positives with ALO optimization. The F1-score, calculated as the
harmonic mean of precision and recall, improves significantly from 98.55% to 99.35% with the
application of ALO techniques, emphasizing proportional advancement of precision and recall. Finally,
the ROC-AUC score, which helps in understanding all the distinct classes in this data set, increases from
0.988 to 0.995, showing that the model performs better after ALO optimization. This study demonstrates
that modified ALO for hyperparameter optimization enhances cyberattack detection in healthcare CPS.</p>
    </sec>
    <sec id="sec-5">
      <title>5. Conclusion and Future Work</title>
      <p>The proposed approach to detecting cyber threats within smart healthcare CPS demonstrates impressive
efficiency by harmonizing advanced feature selection methods with DNN architecture carried out with
the modified ALO algorithm. The enhanced optimal DNN, which was refined with the modified ALO
algorithm, performed well, as evidenced by an accuracy level of 99.5%, precision of 99.3%, recall of 99.4%,
F1-score of 99.35% and ROC-AUC of 0.995. These statistics suggest that the model effectively detects
and classifies multiple categories of cyber threats, such as injection attacks, DDoS, and XSS, among many
others. The findings provide evidence that the considered strategy effectively increases the safety and
reliability of intelligent healthcare CPS, which is essential for accurately and quickly mitigating potential
risks. Several avenues for future study might be explored in light of the successes of this work to deepen
and expand the suggested technique. One such exciting possibility is determining how the modified
ALO is extended to handle more extensive and complex datasets, as in the case of healthcare CPS, which
are becoming very common. Expanding the model with real-time data enables continuous monitoring
and quicker detection, enhancing the system’s agility against cyber threats. Further work could also
be conducted by integrating other optimization techniques, such as genetic algorithms, to develop
new strategies for hyperparameter tuning. Furthermore, testing this approach in particular domains
like industrial IoT or autonomous cars would be valuable since it will help demonstrate and assess its
flexibility and generality. Finally, subsequent work can enhance model interpretation and clarify how
DNN makes decisions and the strategies carried out to enhance better acceptance of AI-based security
control systems, especially in critical areas such as healthcare.</p>
    </sec>
    <sec id="sec-6">
      <title>Declaration on Generative AI</title>
      <p>The authors have not employed any Generative AI tools.</p>
      <p>[20] O. T. Taofeek, M. Alawida, A. Alabdulatif, A. E. Omolara, O. I. Abiodun, A cognitive deception
model for generating fake documents to curb data exfiltration in networks during cyber-attacks,
IEEE Access 10 (2022) 41457–41476.</p>
      <p>[21] D. Hsu, Time series compression based on adaptive piecewise recurrent autoencoder, arXiv
preprint arXiv:1707.07961 (2017).</p>
      <p>[22] T. Wong, Z. Luo, Recurrent auto-encoder model for multidimensional time series representation
(2018).</p>
    </sec>
  </body>
  <back>
  </back>
</article>