Leveraging Centrality Matrix and Enhanced Walrus Evoked Learning Framework for Digital Forensics Anomaly Data Detection

Smart environments today provide a wide array of advanced technologies and services, including smart transportation systems, autonomous vehicles, intelligent homes, urban lighting solutions, ticketing for travel, energy-efficient grids, and sophisticated sensors [1]. The functionality of these systems is largely reliant on small-scale electronic chips and IoT devices like sensors, wireless communication technologies, Radio-Frequency Identification (RFID) devices, location-tracking systems, and Near-Field Communication (NFC) tools.

The rise of smart environments has attracted criminal activity, with offenders exploiting these digital platforms. In response, DF has become an essential method for identifying these criminals and supporting law enforcement in holding them accountable [2-4]. The process of reviewing, scrutinizing, and drawing conclusions from electronic data is regarded as DF and plays a significant role in criminal investigations [5-7].

Suspicious activities and unsafe events can cause organizations to face significant financial losses and damage their reputation. Such incidents may have severe consequences for both individuals and organizations. As indicated by statistics from published reports, there have already been over five million instances of computer-related violations [8, 9]. A substantial number of cybercrimes remain undocumented, as victims often refrain from reporting them to authorities. These victims may feel embarrassed or uncertain or perceive that the authorities are not adequately addressing the issue to hold perpetrators accountable. Moreover, the government must work to curb cybercrime by addressing the gaps in expertise and workforce competencies.

Law enforcement agencies are becoming more reliant on DF to catch and prosecute criminals, as the use of digital devices in criminal acts continues to grow [10, 11]. Identifying abnormal or suspicious behavior within digital forensics (DF) data is crucial, yet it presents a significant challenge. Designing an intelligent detection system is vital as it empowers investigators to ascertain unusual behavioral patterns that could indicate criminal activity. Traditionally, anomaly detection in DF has relied on statistical methods and rule-based systems [12]. These techniques may fail to detect subtle irregularities intended to deceive investigative frameworks.

AI, especially through Machine Learning (ML) and Deep Learning (DL) approaches, offers efficient and sophisticated methods for generating valuable insights for decision-makers. These approaches involve analysing datasets from various angles and transforming them into meaningful formats. The aim of these approaches is to learn from past data to forecast future behaviors. By leveraging ML methods, researchers can enhance their ability to identify patterns in criminal activities and gain insights from historical data regarding when, where, and how cybercrimes are likely to occur.

Several ML algorithms, such as Support Vector Neural Networks (SVNN), Support Vector Machines (SVM), Multi-layer Neural Networks, and K-Nearest Neighborhood (KNN), are deployed for the detection of anomalies in DF systems. These techniques are used in numerous fields like financial fraud detection and intrusion detection. But these algorithms need to be studied extensively so they can be applied in DF analysis. Hence, the current approaches need the brighter light of improvisation in terms of DF data. Inspired by the aforementioned drawbacks, this article aims to examine the challenges in determining anomalies in DF data pertaining to criminal activity. The paper proposes the novel ensemble of centrality-based feature extraction with an enhanced Walrus Evoked multi-layer learning framework for anomaly detection in forensic digital data. The key contributions are as follows:

(1) The paper recommends centrality feature extraction methods for better detection of anomalies in DF data.

(2) An enhanced Walrus Evoked multi-layer framework for achieving the robustness and scalability of the scheme is recommended in this research.

(3) The paper proposes a novel synthetic data generation method based on Wireshark and the Python environment to evaluate the proposed model.

(4) Extensive evaluation is facilitated by utilizing the above datasets, and various evaluation metrics are measured, analyzed, and examined with the varied schemes. From the experimental outcomes, the recommended model has outshined the other available schemes.

The structure of the study is organised in the following manner: The relevant studies by distinct authors on ML models deployed for anomaly detection in DF investigations are discussed in Section 2. The novel dataset generation, feature extraction, and learning networks are discussed in Section 3. Implementation details are provided in Section 4. Experimental outcomes and evaluative assessments are outlined in Section 5. Finally, the study concludes with suggestions for future improvements in Section 6.

The proposed framework consists of four components such as synthetic data generation, data-pre-processing, centrality feature extractor and walrus optimized extreme learning networks have shown in Figure 1. The detailed description of the each and every module is as follows.

1.png

Figure 1. Overall Architectures for the recommended framework

3.1 Synthetic data generation

The research utilizes synthetic data generation to evaluate the proposed model in detecting anomalies within the DF framework. To generate the synthetic data, Wireshark, a network packet analyzer, is used to capture network packets and attempt to reveal the packet data. The detailed components of Wireshark are presented in Table 1. Figures 2-4 show the screenshots from Wireshark, capturing packets from different devices.

Table 1. Components of Wireshark used for the synthetic data generation

2.png

Figure 2. Wireshark-capturing the packets from the networked devices

3.png

Figure 3. Filtering the data using the Wireshark installed devices

To inject the anomalies, Python programming was employed. Multiple attack models were designed and injected from neighboring devices using Wi-Fi and Ethernet networks. Several research works [22-24] have demonstrated that DF data are vulnerable to various types of attacks. The categorization of significant anomalies is presented as follows.

4.png

Figure 4. Anomaly data injected from devices and transmitted to Wireshark

3.1.1 Denial of Service (DoS)

A DoS attack occurs when excessive unwanted traffic originates from a single source or receiver. In this scenario, the attacker overwhelms the target with numerous malicious packets, rendering its services inaccessible to other users [25].

3.1.2 Distributed Denial of Service/Botnet attacks (DDoS)

These attacks focus on compromising a large number of vulnerable IoT devices, enabling the attacker to execute a much more potent DoS attack or other forms of assault [26].

3.1.3 Man-in-the-Middle (MitM)

This attack compromises the communication channel between the IoT device and its target data recipient. While the connection is breached, the attacker acts as an intermediary, allowing them to observe, insert, and alter the data being transmitted [27].

3.1.4 Data type Probing (D.P.)

The Data Probing attack involves altering the raw data packets as they travel between departure and arrival points [28].

Algorithm-1 presents the pseudocode for the data collection mechanism.

3.1.5 Spying (SP)

In this attack, an intruder exploits system vulnerabilities and uses a backdoor channel to infiltrate the system, exposing sensitive information [29].

For efficient data collection, a series of malicious anomalies were documented over a span of three weeks for further predictive analysis. To ensure a thorough evaluation of the proposed framework, it is essential to create an expanded dataset that includes both benign and harmful data. The Python API developed was used to implement various types of attacks, and the information samples collected during the experimentation are presented in Table 2. All the data were captured and stored in PCAP CSV files in Wireshark, as shown in Figure 5.

Table 2. Dataset collected during experimentation

5.png

Figure 5. PCAP CSV file format stored in Wireshark after the pre-defined time stamps

3.2 Data pre-processing technique

It is considered the paramount technique in designing an efficient learning model and includes data cleaning, conversion, and scaling. As the first step, missing values and null values (NaN) are eliminated from the datasets. In the second step, categorical features are converted into numerical values using the Label Encoding technique, which is included as a separate library in Scikit-Learn. Finally, data normalization is applied to the datasets, converting all the inputs to a standard scale, which is essential to avoid misinterpretations during model training. In this research, the Min-Max scaling process is used, which converts each feature to a predefined range from 0 to 1.

3.3 Centrality feature extraction

The primary goal of this research is to design efficient attribute databases capable of distinguishing between normal and influential nodes. Various methods for detecting centrality measures have been proposed in previous literature to signify the significance of nodes. However, this paper emphasizes the application of an expanded set of centrality metrics to achieve the most precise classification of influential nodes.

3.3.1 Degree centralities

This refers to the number of connections linked to the nodes within a network. It comprises two variations: indegree centrality and outdegree centrality. The values of these centralities can be calculated using the equations provided below.

Indegree centrality

$D_{i n}\left(P_i\right)=\left|P_{j i} \in P\right|, j \neq i$          (1)

$P_{j i}$ is the edge going from $P_i$ node to examined node $P$.

Outdegree centrality

$D_{o t}\left(P_i\right)=\left|P_{i j} \in P\right|, i \neq j$          (2)

3.3.2 Amongness centralities

Amongness centrality indicates the proportion of all shortest paths that pass through specific nodes. The formula for calculating betweenness centrality is presented below:

$D_B\left(P_i\right)=\sum_{P_s \neq P_i \neq P_d} \frac{\mu_{P_s, P_d}\left(P_i\right)}{\mu_{P_s, P_d}}$          (3)

where, $\mu_{P_s, P_d}\left(P_i\right)$ is the shortest paths among nodes $P_S$ and $P_d$ relaying through node Pi and $\mu_{P_s, P_d}$.

3.3.3 Closeness centralities

This signifies the distance of nodes in the network, expressed mathematically as follows:

$D_c\left(P_i\right)=\frac{N}{\sum_{P y} d\left(P_y, P_i\right)}$          (4)

3.3.4 Eigen vector centralities

The eigenvector centrality method is used to derive the centralities of other nodes in the network. The formula for determining this is given below:

$E_v\left(P_i\right)=1 / A \sum_k \gamma_{P_k, P_i} * E_v\left(P_k\right)$          (5)

where, $A=\alpha(k, i)$ is the adjacency matrix of a graph and $\gamma$ a constant.

3.3.5 PageRank centralities

PageRank centrality ranks nodes based on their centrality within networks, with the expression used to calculate it given by:

$R_p\left(P_i\right)=\rho \sum_k \frac{A_{P_k, P_i}}{d_k} * R_p\left(P_k\right)+\beta$          (6)

where, $\rho$ and $\beta$ are constant values, and $\mathrm{d}_{\mathrm{k}}$ indicates the outdegree of node $P_k$ if the degree is greater than zero; if the outdegree of node $P_k$ is zero, then $d_k$ is set to 1 . Furthermore, $A=(\mathrm{ai}, \mathrm{j})$ signifies the adjacency matrix of a graph, where $A=\alpha(\mathrm{k}, \mathrm{i})$ serves as the adjacency matrix.

3.3.6 Position centrality

This is considered the most important measure, representing the position of nodes relative to key nodes identified by the PageRank method.

$\mathrm{S}_{\mathrm{c}}\left(\mathrm{U}_{\mathrm{i}}\right)=\mathrm{B} \sum_{\mathrm{k}} \gamma_{\mathrm{U}_{\mathrm{i}}, \mathrm{U}_{\mathrm{k}}} * R_U\left(U_i\right)$          (7)

where, $B=(\mathrm{ai}, \mathrm{j})$ is the adjacency matrix of a graph and $R_U\left(U_i\right)$ is the Page Rank of the node.

3.3.7 Clustering co-efficient

This factor denotes the fraction of triangles found among the residing triangles in the nodes' neighborhood. The quantitative expression for calculating the clustering coefficient is given by:

$\mathrm{C}_{\mathrm{c}}=2 \mathrm{M}_{\mathrm{U}, \mathrm{i}} / \mathrm{O}_{\mathrm{i}}\left(\mathrm{O}_{\mathrm{i}}-1\right)$          (8)

Apart from these centralities, this paper also discusses another important parameter called Clique, which plays a crucial role in improving the classifier's performance. Reference [30] contains additional information regarding this measure, which is incorporated into the recommended scheme. The methods for assessing K-Score and K-Shell are explored in reference [31].

Another crucial metric used for classification includes neighborhood variability and timestamp centrality.

All attribute vectors utilized for classification are detailed in Table 3.

Table 3. Summary of centrality feature extraction mechanism

3.4 Walrus evoked multilayer network classification

This section discusses the working principles of the Walrus Optimization Algorithm (WaOA) and the proposed model.

3.4.1 Walrus Optimization Algorithm (WaOA)

The walrus is a substantial aquatic species characterized by flippers and a patchy dispersion in the Arctic Ocean and subarctic regions surrounding the North Pole. The detailed characteristics of living habitat and its hunting nature are detailed in previous study [32]. Conversely, walruses can defend themselves with their tusks during such encounters.

(i) Directing individuals to follow the lead of a walrus possessing the longest tusks. Identifying the top member of the population during the search phase guides the algorithm toward favorable regions. In walrus social structures, the most dominant individual, recognized by its extended tusks, plays an essential role in leading the group. The movement of these walruses causes notable shifts in their positions. Mimicking these substantial relocations enhances the method’s global search capabilities and exploration efficiency.

(ii) The walrus’s migration towards shores is a natural behaviour triggered by the warming climate during summer.

During this process, walruses significantly alter their locations, often moving toward outcrops or rocky coastlines. In the WaOA simulation, the positions of various walruses are treated as potential migration targets. One of these locations is chosen at random, and the walrus navigates toward it. By emulating this strategy, WaOA improves its global search and exploration abilities. Unlike the foraging behavior driven by the dominant walrus, the migration strategy allows for a population update mechanism that does not rely on any specific individual, such as the top-contributing member. This updating method helps avoid premature convergence and prevents the algorithm from becoming trapped in local optima.

(iii) Defending or evading predators. Walruses defend themselves against natural predators, including polar bears and killer whales, using a prolonged pursuit tactic. This pursuit occurs within a limited zone surrounding the walrus, resulting in minor positional shifts. By simulating these subtle movements during confrontations, the WaOA enhances its capacity for local searching and exploitation, enabling it to converge on superior solutions.

3.4.2 Algorithm initialization

This algorithm is primarily based on the walrus population. It represents a potential remedy to the optimization challenge at hand. Consequently, the location of each walrus within the search space represents the potential values for the variables in the problem. During the initial stages of implementing WaOA, the walrus populations are generated randomly. This population matrix for WaOA is established using Eq. (9):

$X=\begin{array}{cccccc}X_1 & f_{1,1} & \cdots & f_{1, j} & \cdots & f_{1, m} \\ \vdots & \vdots & \ddots & \vdots & \cdots & \vdots \\ {\left[X_i\right]_{N \times m}=} & {\left[f_{i, 1}\right.} & \cdots & f_{i, j} & \cdots & \left.f_{i, m}\right]_{N \times m}, \\ \vdots & \vdots & \ddots & \vdots & \cdots & \vdots \\ X_N & f_{N, 1} & \cdots & f_{N, j} & \cdots & f_{N, m}\end{array}$          (9)

Let $X$ represents the population of walruses, where $X_i$ denotes the $i$-th walrus (representing a potential solution), and $f_{i, j}$ signifies the j -th decision proposed by the i -th walrus. Here, N indicates the total number of walruses, while mmm refers to the total count of decision variables. The calculated score for the objective function (OF) derived from the walruses are outlined in Eq. (10).

$\begin{array}{cc}F_1 & F\left(X_1\right) \\ \vdots & \vdots \\ F=\left[F_i\right]_{N \times 1} & {\left[F\left(X_i\right)\right]_{N \times 1},} \\ \vdots & \vdots \\ F_N & F\left(X_N\right)\end{array}$          (10)

$F$ represents the vector of OFs, while $F_i$ denotes the evaluated score of the OF based on the ith walrus. The values of the OF serve as the most effective indicators for assessing the quality of potential solutions. The potential solution yielding the highest value for the OF is referred to as the best member, whereas the solution that produces the lowest value is termed the worst member.

3.4.3 Phase 1: Exploration phase

Walruses exhibit a varied diet, consuming over sixty types of marine species. Nonetheless, they particularly favor benthic bivalves, especially clams, which they locate by foraging along the ocean floor. They search for food by utilizing vigorous flipper movements and their sensitive vibrissae. In this foraging process, the most robust walrus with the longest tusks leads other members of the group to food sources. The tusk length in walruses correlates with the integrity of the OF values of potential solutions. Thus, the optimal candidate solution, characterized by the best OF value, is regarded as the strongest walrus among the group. This foraging behavior allows walruses to cover several areas of the search space, enhancing the exploration abilities of the WaOA approach during global searches. The method for updating walrus locations is quantitatively designed based on their feeding habits, supervised by the leading member of the group, as represented in Eqs. (11) and (12):

$f_{i, j}^{P_1}=f_{i, j}+{rand}_{i, j} \cdot\left(S W_j-I_{i, j} \cdot f_{i, j}\right)$          (11)

$X_i=\left\{\begin{array}{cc}X_i^{P_1}, & F_i^{P_1}<F_i, \\ X_i, &  { else },\end{array}\right.$          (12)

where, $X_i^{P_1}$ represents the recently instituted location for the ith walrus during the first phase, $f_{i, j}^{P_1}$ indicates its $j$ th dimension, and $F_i^{P_1}$ denotes its corresponding OF value. The terms ${rand}_{i, j}$ are random values drawn within the limit $[0,1]$, while SW signifies the optimal candidate solution regarded as the most capable walrus. The integers $I_{i, j}$ are randomly selected to be either 1 or 2 , which enhances the exploration capacity of the algorithm. Specifically, if $I_{i, j}$ equals 2 , it results in more substantial and extensive alterations to the walrus positions, examined to a value of 1 , which represents the typical state of displacement. These parameters aid in enhancing the global search efficacy of the algorithm, enabling it to escape local optima and effectively locate the true optimal region within the problem-solving landscape.

3.4.4 Phase 2: Migration

One inherent behavior of walruses is their movement towards rocky outcrops or beaches as summer progresses and temperatures rise. This migratory behavior is utilized in the WaOA to help walruses explore the search space for optimal locations. This behavioral pattern is mathematically represented using Eqs. (13) and (14). According to Eq. (14), if this new position enhances the OF value, it replaces the walrus's prior location.

$f_{i, j}^{P_2}=\left\{\begin{array}{c}f_{i, j}+{rand}_{i, j} \cdot\left(f_{k, j}-I_{i, j} \cdot f_{i, j}\right), F_k<F_i ; \\ f_{i, j}+{rand}_{i, j} \cdot\left(f_{i, j}-f_{k, j}\right),  { else },\end{array}\right.$          (13)

$X_i=\left\{\begin{array}{cc}X_i^{P_2}, & F_i^{P_2}<F_i ; \\ X_i, &  { else },\end{array}\right.$          (14)

where, $X_i^{P_2}$ denotes the upgraded position of the ith walrus based on phase two, $f_{i, j}^{P_2}$ represents its jth dimension, and $F_i^{P_2}$ denotes its OF value. $X_k, k \in\{1,2, \ldots, N\}\,$ and $\,k \neq i\,$ signifies the locations of the choosen walruses that the ith walrus migrates towards, while $f_{k, j}$ is its $j$ th dimension and $\mathrm{F}_k$ is its corresponding OF value.

3.4.5 Phase 3: Exploitation phase

Walruses often encounter dangers from polar bears and orcas. Their tactics for escaping and confronting these predators lead to changes in their locations within their habitat. By imitating these natural activities, the WaOA enhances its capability to exploit local search areas around potential solutions. This positional change among walruses is modeled as occurring within a walrus-centred neighborhood defined by a specific radius. Initially, the algorithm prioritizes a global search to identify optimal regions within the search space, which is why the radius is considered to be variable-beginning at a maximum value and gradually decreasing with each iteration of the algorithm. Consequently, local lower and upper bounds are utilized in the segment of the WaOA to adjust the radius dynamically through successive algorithm runs. To mimic its behavior, a neighborhood is established around them, wherein a new location is randomly constructed within this vicinity.

$\begin{aligned} f_{i, j}^{P_3}=f_{i, j}+\left(l b_{l o c a l, j}^t\right. &+\left(u b_{l o c a l, j}^t- { rand }\right. \left.\left.\cdot l b_{l o c a l, j}^t\right)\right)\end{aligned}$          (15)

Localbounds: $\left\{\begin{array}{l}l b_{l o c a l, j}^t=\frac{l b_j}{t}, \\ u b_{l o c a l, j}^t=\frac{u b_j}{t},\end{array}\right.$          (16)

$X_i=\left\{\begin{array}{cc}X_i^{P_3}, & F_i^{P_3}<F_i ; \\ X_i, &  { else },\end{array}\right.$          (17)

6.png

Figure 6. Flowchart of the WaOA model used for the tuning the network

3.4.6 Repetition process

After modifying the locations of the walruses following the first, second, and third phases, the preliminary iteration of the WaOA is concluded. New scores for the locations of the walruses and the OF are computed. Once the algorithm execution is complete, WaOA presents the most optimal candidate solution identified throughout the procedure as the resolution to the specified problem. The WaOA flow diagram is outlined in Figure 6.

3.5 Extreme feed forward training networks

The proposed model incorporates the concept of Extreme Learning Machines (ELM) as introduced by Huang et al. [33], aiming for rapid and precise classification of various grades. It employs a single hidden layer that does not require mandatory tuning. ELM leverages kernel functions to attain high accuracy and improved efficiency. One of the primary benefits of ELM is its ability to minimize training errors while providing superior approximation. Due to its automatic adjustment of weight biases and utilization of non-zero activation functions, ELM is widely used for classification tasks and deriving categorization values.

In this framework, the 'E' neurons within the hidden layer must utilize an activation function that is highly differentiable, such as the sigmoid function, while the output layer employs a linear function. Notably, the hidden layers in ELM do not require mandatory tuning. The weights for the hidden layer can be assigned arbitrarily, including the bias weights.

$f_L(x)=\sum_{i=1}^L \beta_i l_i(v)=l(v) \beta$          (18)

where, $x$ : input features from encoder-decoder.

$\beta$: output weight vector

$\beta=\left[\beta_1, \beta_2, \ldots \ldots \ldots \ldots . . \beta_L\right]^T$          (19)

$l(v)$: output hidden layer as shown in the equation below:

$l(v)=\left[l_1(v), l_2(v), \ldots \ldots \ldots \ldots . . l_L(v)\right.$          (20)

To ascertain Output Vector O, denotes target vector, the hidden layer E is expressed by Eq. (21).

$E=\left[\begin{array}{c}l\left(v_1\right) \\ l\left(v_2\right) \\ \vdots \\ l\left(v_N\right)\end{array}\right]$          (21)

The foundational execution of the ELM makes use of the minimal non-linear least squares techniques defined in Eq. (22).

$\beta^{\prime}=E^* O=E^T\left(E E^T\right)^{-1} O$          (22)

where, E*: inverse of E known as Moore-Penrose generalized inverse.

$\beta^{\prime}=E^T\left(\frac{1}{C} E E^T\right)^{-1} O$          (23)

$f_L(v)=l(v) \beta^{\prime}=l(v) E^T\left(\frac{1}{C} E E^T\right)^{-1} O$          (24)

where, $l(v)$ stands for input feature, $\beta$ is the output weight vector that is calculated using the Moore-Penrose generalized inverse theorem, represented by $E^T, C$ is a constant, and $O$ denotes the target (or label) vector.

$Y^{\prime}={Softmax}(S)$          (25)

Loss $=\left(\frac{1}{K}\right) \sum_{i=1}^K\left(Y(i) * \log Y^{\prime}+\eta| | \theta|  | ^2\right)$          (26)

where, $K$ is the dimensional capsule feature length, $\eta$ is the regularization co-efficient and $|\theta|$ is the constant.

3.6 Walrus evoked extreme feed forward networks

The recommended scheme aims to reduce complexity further. Before training the model, hyperparameter adjustments are made. The hyperparameters that require tuning include the number of hidden layers, hidden units, epochs, and batch size. In this research, the WaOA is used to fine-tune the network attributes for superior classification.

Figure 7 portrays the confusion matrix of the recommended scheme for identifying both anomaly and normal attacks across various ratios of training and testing data. Figure 7 (a) depicts the confusion matrix of the recommended scheme using 60% of the data for training and 40% for testing. Figures 7 (b) and 7 (c) present the confusion matrices of the recommended scheme for 70% of the data used for training and 30% for testing, along with 80% for training and 20% for testing, respectively. From Figure 7, it is evident that the recommended scheme achieved a 96.5% detection rate for anomaly detection.

7a.png

(a) 60:40

7b.png

(b) 70:30

7c.png

(c) 80:20

Figure 7. Confusion matrix of the recommended scheme in detecting the normal and anomaly data

Figure 8 illustrates the validation function used to evaluate the model’s effectiveness, with the primary objective being to minimize this loss. It is standard practice to display two distinct curves: one representing the model’s performance on the training dataset and the other showing its performance on the validation dataset.

Tables 5 and 6 showcase the benchmarking performance of various learning models in identifying normal conditions and anomalies in the Digital Forensic (DF) environment. Table 5 highlights the evaluation metrics for detecting normal conditions, where the proposed model achieves the highest accuracy of 96%, significantly outperforming other algorithms. Though ELM and ANN have produced the better performance among the other ML models, it can’t able to match the effectiveness of the recommended scheme. Similarly, Table 6 presents the results for anomaly detection, where the proposed model again leads with 96% accuracy and outstanding precision and recall values, indicating its robustness in handling diverse scenarios.

8a.png

(a)

8b.png

(b)

Figure 8. Validation-loss curve performance of the recommended scheme in detecting both normal and anomalies

Table 5. Benchmarking examination of the varied schemes in identifying the normal conditions in DF environment

Table 6. Evaluation metrics of the varied schemes in identifying the anomalies in DF environment

Figures 9 and 10 illustrate the benchmarking results of the learning models under two distinct scenarios: detecting normal conditions and anomalies in the DF environment. Figure 9 highlights the models’ performance in normal condition detection, with the proposed model emerging as the clear leader, achieving a substantially higher accuracy and F1-score compared to other models. Similarly, Figure 10 emphasizes the anomaly detection scenario, where the proposed model once again outperforms all others, showcasing its robustness and precision in identifying anomalies. From the results, it is clear that the WOA tuned Feed forward networks has played the significant role in detecting the anomalies attacks in the DF Environment.

9.png

Figure 9. Benchmarking examination of the varied learning models in normal scenario

10.png

Figure 10. Benchmarking examination of the varied learning models in anomaly detection