This section performs an overview of system configuration for performing our methodology along with the description of the experimental datasets. Next, we discuss the results obtained for the proposed model and provide an indepth analysis. We have compare and contrast our approach with some state of the art models in IDS.
Parameter tuning process using GridSearchCV
The hyperparameter grid used to tune various ML models via GridSearchCV is presented in Table 5. Finding the best combination of hyperparameters is essential to enhance your model’s performance, integrate generalization, and avert overfitting. For the J48 and ExtraTreeClassifier algorithms, parameters such as ‘criterion’, ‘max_depth’, and ‘min_samples_split’ were finetuned in order to balance the trade-off between accuracy and computational performance. For maximizing performance, tuning such factors such as square, ‘n_neighbors’, ‘weights’, and ‘algorithm’ for the KNN were considered. The EEO parameters, including population size, max iterations, and update strategies, were fine-tuned to ensure effective feature selection. In the final selected values, we established a totally empirical approach to balance accuracy, computational cost, and stability. With this selection in place, the application framework faced advanced classifiers and outperformed the best results on the datasets. The system configuration for experimental set up of the proposed methodology is shown in Table 6.
Cybersecurity dataset
Malware, DoS, SQL injections, and phishing attacks are common in cybersecurity datasets, showing how cyber threats change. Researchers use popular datasets like NSL-KDD, UNSW-NB15, and CICIDS2017 to test their algorithms’ real-world threat detection capabilities. This lets them analyze their IDS’s accuracy and efficiency. We tested the UNSW-NB15 and NSL-KDD datasets in our research. NSL-KDD and UNSW-NB15 were chosen as test datasets because they were popularly used as benchmark datasets in IDS research, so that the results could be compared directly11,18,50,51,52,53. NSL-KDD is an improved version of the KDD’99 dataset, which tackles redundancy and class-imbalance issues while accommodating four primary attack categories, namely DoS, Probe, R2L, and U2R. This highlights that it is a well-structured dataset to assess IDS effectiveness; on the other hand, UNSW-NB15 is a relatively recent and realistic dataset that encompasses modern cyber threats, such as Generic, Exploits, Fuzzers, DoS, Reconnaissance, Analysis, Backdoor, Shellcode, Worms, reflecting contemporary attack patterns. Additionally, NSL-KDD provides a discriminant and balanced dataset; in contrast, UNSW-NB15 incorporates many different features extracted from real-world network traffic to make sure that the IDS is tested under both artificial and real-world conditions. The use of these two datasets guarantees a thorough evaluation of the proposed model across various kinds of attack scenarios, with a nutshell aim of reducing overfitting to the single dataset structures. Such an approach ensures strength to the generalizability and robustness of our results by substantiating the model, which happens to be effective across different networking environments.
NSL-KDD dataset
The NSL-KDD dataset is an improved version of the original KDD Cup 1999 dataset, which was used for evaluating network IDS. It is available publicly and has become one of the most widely used datasets in IDS research. The NSL-KDD database contains 125,973 cases in the training set and 22,544 cases in the testing set. In total, there are 41 characteristics which signify different attributes of the network traffic including protocol type, service type, flag and multiple calculated network statistics like the count of failed login attempts and connection duration. The dataset is divided into four attack categories: Denial of Service (DoS), Probe, Remote to Local (R2L), and User to Root (U2R), alongside a class for normal traffic. The NSL-KDD dataset addresses some of the issues in the original KDD dataset, such as redundant records and class imbalance, which improves the evaluation of IDS models.
UNSW-NB15 dataset
The UNSW-NB15 dataset has been developed by the University of New South Wales in the context of a cybersecurity research project in support of IDS development. This data set is considered a public domain and has been specifically designed for evaluating ML models to detect network intrusions of various attack classes. The dataset contains data streams of real-world traffic and attacks through the hybridization of modern attack techniques. Of the many characteristics exhibited by the traffic types, the dataset consists of 2,540,044 instances, each associated with 49 features. For example, both categorical and continuous data describe a large variety of these network traffic attributes. Among these features are flow-based statistics, basic packet features, and statistical characteristics like average packet size and connection duration. The dataset is divided into ten classes: nine attack classes (analysis, worm, exploits, reconnaissance, backdoor, shellcode, DoS, fuzzers, and generic) and one for normal traffic. The wide variety of attacks present should enable a comprehensive evaluation of IDS models.
Pre-processing of NSL-KDD and UNSW-NB15
Missing value imputation: The ‘service’ attribute of UNSW-NB15 dataset got KNN impute by calculating the distance between that incomplete instance and all complete instances. Having found the ‘k’ nearest neighbors, we then impute the absent value by averaging neighbor values in case of numerical features or utilizing majority voting in categorical attributes. Table 3 provides the filling results for the ‘Service’ attributes in the UNSW-NB15 dataset. There are no missing values in the NSL-KDD dataset.
Label encoding: The UNSW-NB15 and NSL-KDD datasets include categorical features with nominal values: “service”, “proto” and “state”, for the first and “Protocol_Type”, “Service”, and “Flag”, for the second. To convert these categorical variables into a usable form for ML algorithms, label encoding was performed upon them, so that each individual nominal value could be expressed in a binary format that may then be numerically processed by algorithms concerned with categorical information.
Normalization of datasets: Normalization with a standard scaler adjusts the features of the UNSW-NB15 and NSL-KDD datasets to have a mean of zero and a standard deviation of one. This ensures that the proposed model does not remain bias to larger values.
Performance metrics
Accuracy, precision, recall, and F1 score are essential metrics for assessing the effectiveness of anomaly detection in IDS.
$$\begin{aligned} \text{Accuracy}&= \frac{\text{Count of accurately categorized instances}}{\text{Total number of instances}} \times 100\%\\ \text{Precision}&= \frac{\text{True Positives}}{\text{True Positives} + \text{False Positives}}\\ \text{Recall}&=v \frac{\text{True Positives}}{\text{True Positives} + \text{False Negatives}}\\ \text{F1-score}&= 2 \times \frac{\text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \end{aligned}$$
Results and discussion
In this study, we initially applied the EO and the proposed EEO on raw datasets to assess the impact of the optimization techniques on the results. Then we applied SMOTE-IPF for data balancing. We evaluated multiple ML algorithms, including KNN, DT, J48, and ExtraTreeClassifier, as classification models for both the UNSW-NB15 and NSL-KDD datasets. We conducted experiments across four data scenarios: non-optimized imbalanced data (Case 1), non-optimized balanced data (Case 2), optimized imbalanced data (Case 3), and optimized balanced data (Case 4). The results indicated an improvement in accuracy when using EEO for feature selection compared to EO, as demonstrated in Tables 7 and 8. Consequently, EEO was selected as the feature selection method for all subsequent experiments. Before applying SMOTE-IPF, the NSL-KDD and UNSW-NB15 datasets exhibited severe class imbalance, leading to poor classification performance for minority attack classes, particularly U2R, R2L, Backdoor, Shellcode, and Worms. Tables 9 and 10, shown below presents the accuracy of different attack classes before and after applying SMOTE-IPF for UNSW-NB15 and NSL-KDD dataset respectively.
We constructed six stacking models by combining the four base machine learning models—DT (Model 1), KNN (Model 2), ExtraTreeClassifier (Model 3), and J48 (Model 4)—in various configurations. The first stacking model, referred to as Model 5, used KNN as the base classifier and DT as the meta-classifier. Model 6 utilized DT as the base classifier and ExtraTreeClassifier as the meta-classifier. In Model 7, DT was used as the base classifier and J48 as the meta-classifier. Model 8 employed KNN as the base classifier and ExtraTreeClassifier as the meta-classifier. For Model 9, KNN was used as the base classifier and J48 as the meta-classifier. Finally, Model 10 combined J48 as the base classifier with ExtraTreeClassifier as the meta-classifier. The highest performance for both datasets was achieved with the combination of EEO for feature selection, SMOTE-IPF for data balancing, and the sixth stacking model (Model 10), which used J48 as the base classifier and ExtraTreeClassifier as the meta-classifier. The results of our analysis for all models across the four cases (Case 1, Case 2, Case 3, and Case 4) are illustrated in Figs. 2 and 3 for the UNSW-NB15 and NSL-KDD datasets, respectively. Among all the evaluated cases, Model 10 showed the best performance in Case 4, which involved optimized and balanced datasets, as highlighted in Fig. 4. The results for the stacking models are provided in Table 13. Tables 11 and 12 shows the classwise perfromence for NSL-KDD and UNSW-NB15 dataset where Table 13 shows overall accuracy, precision, recall and F1 score for both datasets.

Performance analysis of different models on different cases for UNSW-NB15 dataset. Model 1: DT; Model 2: KNN; Model 3: ExtraTreeClassifier; Model 4: J48; Model 5: stacking model with KNN as base classifier and DT as meta classifier; Model 6: stacking model with DT as base classifier and ExtraTreeClassifier as meta classifier; Model 7: stacking model with DT as base classifier and J48 as meta classifier; Model 8: stacking model with KNN as base classifier and ExtraTreeClassifier as meta classifier; Model 9: stacking model with KNN as base classifier and J48 as meta classifier; Model 10: stacking model with J48 as base classifier and ExtraTreeClassifier as meta classifier. Case 1: non-optimized imbalanced data; Case 2: non-optimized balanced data; Case 3: optimized imbalanced data; Case 4: optimized balanced data.

Performance analysis of different models on different cases for NSL-KDD dataset. Model 1: DT; Model 2: KNN; Model 3: ExtraTreeClassifier; Model 4: J48; Model 5: stacking model with KNN as base classifier and DT as meta classifier; Model 6: Stacking model with DT as base classifier and ExtraTreeClassifier as meta classifier; Model 7: stacking model with DT as base classifier and J48 as meta classifier; Model 8: stacking model with KNN as base classifier and ExtraTreeClassifier as meta classifier; Model 9: stacking model with KNN as base classifier and J48 as meta classifier; Model 10: stacking model with J48 as base classifier and ExtraTreeClassifier as meta classifier. Case 1: non-optimized imbalanced data; Case 2: non-optimized balanced data; Case 3: optimized imbalanced data; Case 4: optimized balanced data.

Performance analysis of proposed model (stacking model of J48 as base classifier and ExtraTreeClassifier as meta classifier) on different cases for UNSW-NB15 and NSL-KDD datasets. Case 1: non-optimized imbalanced data; Case 2: non-optimized balanced data; Case 3: optimized imbalanced data; Case 4: optimized balanced data.
Many ML algorithms have been employed for intrusion detection on the NSL-KDD dataset, which have provided excellent results on accuracy, precision, recall, and F1-score. Abbas et al.54 used a hybrid ensemble model with random forest-recursive feature elimination. They did not consider balancing the data before the classification process, which might induce bias against the model, particularly in identifying minority attack classes. As a result, this could possibly lower the detection efficacy on less frequent but crucial attack types. Pokharel et al.55 employed the Naive Bayes classifier and SVM for attack detection inside a network. Their model had a long training time, mainly focusing on reducing false positives rather than maximizing detection speed; consequently, their method cannot be applied in real-time threat-monitoring scenarios. Bong et al.56 used Gaussian NB models. Their analysis was limited to a small portion of the NSL-KDD dataset, looking at only a limited number of selected attack types from the dataset, consequently limiting the exposure of the model to the entire range of possible network intrusions and possibly risking generalizability against a broader threat landscape. Das et al.44 have executed a supervised Ensemble ML framework (SupEnML) by uniting various ML classifiers belonging to different classification families like DT, Logistic regression, Naive Bayes, Neural Network, and SVM for IDS. While the classifiers performed well, their training time was high and also the consumption of memory was huge due to the complexity of implementing multiple classifiers, which generate a computational overhead on practical deployment in resource-starved network environments. In addition, Meliboev et al.57 put their weight on DL through CNN-LSTM for the extraction of hierarchical features for any other type. They only addressed SMOTE, which did not seem to tackle the minor class imbalance dilemma effectively, and their approach included heavy training of 100 epochs with a fixed learning rate, which might prove inefficient for swiftly adapting to diverse network traffic patterns and fresh attack vectors.
The development of intrusion detection in the UNSW-NB15 dataset has been the focus of many works. Dora et al.58 have employed the K Best for feature selection. For classification, they have used the ML algorithms such as RF, XGBoost, and DT. However, the usage of traditional DL and insider-optimized LSTM tends to put heavy burdens on computational resources for training and detections at unchecked rates, thereby possibly invalidating its greater accuracies in constrained-resource environments. They also gave importances on finding some specific type of attacks. Kasongo et al.18 implemented XGBoost for feature selection, then applied the SVM and ANN algorithms to a small binary dataset possessing an accuracy of 0.77%. Their oversimplified binary classification approach impended the reality of the multi-class dimensionality of most modern network attack classes, with far less correct classification to illustrate the feature representation or model selection firm as a limitation. Yin et al.17 presented a hybrid feature selection technique in which the hybrid ranking relates Information Gain and RF feature selection to the respective classifier, followed later by MLP, showing much higher classification accuracy. Although the feature selection fared well in this context, the MLP model scored only 84.24% accuracy in multi-class intrusion detection, pointing to the severe challenge in distinguishing between attack types that look very much the same and may overfit due to feature reduction.
Ethala et al.19 also pointed out a proposed model for hybrid approach combining SMO with HPSO to handle the high data size more efficiently in an IDS. Their quite complex optimization heavily relies on high processor resources during the training phase and such effect could heavily restrict real-time implementations and adaptability in addressing evolved network traffic patterns. Similarly, with the concept of RF, Ahmad et al.59 corroborated somewhat of the contributions their RF-based cluster-based model was able to offer-regrettably with inconsistencies across different feature subsets, for their classifier to achieve just 91.4% accuracy with the TCP features, hence, largely speaking to the challenge posed by the need for different traffic-type resolutions apart from attack vectors the model has ever perceived. Our model outperforms all the state of the art approaches and introduces a novel approach to IDS research domain that addresses several critical limitations identified in previous studies. Feature selection, which was done with EEO, resulted in a reduced multi-dimensionality without losing the necessary attack features. By reducing the number of irrelevant and redundant features, it helps to extend beyond classic ML models due to different accurate selections, overcoming the feature redundancy issues faced in Abbas et al.’s54 work and the suboptimal feature selection seen in Bong et al.’s56 limited dataset analysis. Unlike Kasongo et al.’s18 XGBoost selection that achieved only 0.77% accuracy on UNSW-NB15, EEO’s nature-inspired optimization capability identifies optimal feature subsets that capture the essential characteristics of various attack patterns.
The data balancing problem for minor attack categories, completely ignored by Abbas et al.54 and inadequately addressed by Meliboev et al.57 using only SMOTE, is comprehensively resolved in our proposed method through SMOTE-IPF. Before applying SMOTE-IPF, the NSL-KDD and UNSW-NB15 datasets exhibited severe class imbalance, leading to poor classification performance for minority attack classes, particularly U2R, R2L, Backdoor, Shellcode, and Worms. This dual-phase technique balances the dataset and prevents synthetic samples from creating noise that degrades the model. According to empirical research, SMOTE-IPF outperforms both SMOTE-ENN and regular SMOTE. Our stacking model architecture, utilizing J48 as the base classifier and ExtraTreeClassifier as the meta classifier, creates a powerful ensemble that outperforms the simpler approaches like Pokharel et al.’s55 hybrid classifier and Yin et al.’s17 MLP implementation. This multi-level learning framework leverages the complementary strengths of decision tree-based algorithms while mitigating their individual weaknesses. Unlike Das et al.’s44 ensemble approach that suffered from high computational overhead, our stacking model achieves superior performance (99.7% accuracy on NSL-KDD and 98.1% on UNSW-NB15) with lower computational requirements by focusing on two strategically selected complementary classifiers rather than combining many different classification families.
These results improve our approach towards understanding the immense ensemble potential of these three components for feature selection, feature representation, error-driven classification, and decision-based mechanisms during data imbalance handling. Now, this work is instrumental in understanding a prominent ensemble interaction, it offers the full range of possibility or alternatives to create a better or more diversified learner for a wider range of divergent instances, especially under the umbrella of attacking network-like data in the domain of network security. Such considerations enforce us to look beyond seeking best opportunities toward developing diverse options with which to improve one’s probability. The detailed performance comparison is presented in Tables 14 and 15, while Fig. 5 provides a comparative analysis with baseline models across both datasets.

Comparison of Proposed method with existing methods44,54,55,56,57 over NSL-KDD dataset and state-of-the-art methods17,18,19,58,59 over UNSW-NB15 dataset.
The confusion matrix results obtained using the proposed methodology, which incorporates EEO for feature selection, SMOTE-IPF for data balancing, and a stacking model with J48 as the base classifier and ExtraTreeClassifier as the meta-classifier, demonstrate a significant improvement in classification accuracy as shown in Fig. 6. When applied to the NSL-KDD and UNSW-NB15 datasets, the approach effectively enhances the detection of cyberattacks, showing a better balance between precision, recall, and F1-score compared to baseline models. The AUC-ROC curves were obtained using the proposed methodology, which incorporates EEO for feature selection, SMOTE-IPF for data balancing, and a stacking model comprising J48 as base classifier and ExtraTreeClassifier as the meta-classifier. This approach was applied to both the NSL-KDD and UNSW-NB15 datasets to evaluate the classification performance. Figure 7 represents the AUC-ROC curve for both datasets.

Result of Confusion Matrix using Proposed Methodology where we used EEO for feature selection, SMOTE-IPF for data balancing and stacking model of J48 as base classifier and ExtraTreeClassifier as meta classifier for classification on NSL-KDD and UNSW-NB15 datasets.

Result of AUC-ROC curve using Proposed Methodology where we used EEO for feature selection, SMOTE-IPF for data balancing and stacking model of J48 as base classifier and ExtraTreeClassifier as meta classifier for classification on NSL-KDD and UNSW-NB15 datasets.
The findings of this study underscore the effectiveness of integrating the EEO for feature selection, SMOTE-IPF for data balancing, and stacking ML models in IDS. The EEO, which incorporates the fisher Score, outperformed the standard EO by ensuring that the selected features have strong discriminative capabilities, thereby enhancing the model’s robustness and interpretability. The inclusion of accuracy scores from the KNN classifier further validates that the selected features positively influence the classifier’s performance, leading to improved predictive accuracy. Additionally, EEO maintains a balance between exploration and exploitation by leveraging the adaptive nature of EO, allowing it to explore diverse feature subsets while concentrating on high-quality solutions. This balance facilitates faster convergence and helps avoid local optima, ultimately improving the overall performance of the model. The use of SMOTE-IPF addressed the significant class imbalance often present in IDS datasets by not only generating synthetic samples of the minority class but also employing noise-filtering techniques to remove misclassified instances. This dual approach ensures that the data is more balanced and less noisy, allowing ML models to better learn decision boundaries between normal and attack classes, thus reducing the rates of false positives and false negatives. The quality and balance of the data improved through SMOTE-IPF contribute to the robust training of the models, enhancing overall classification performance. The stacking of ML models further amplified the system’s effectiveness by combining the strengths of different classifiers into a cohesive framework. By utilizing various combinations of base classifiers, such as KNN, DT, J48, and ExtraTreeClassifier, with a meta-classifier, the stacking approach captured diverse patterns in the data that individual models might miss. This ensemble method reduces the biases and variances associated with single classifiers, leading to a more stable and accurate system. The combined use of EEO for feature selection, SMOTE-IPF for data balancing, and stacking models with J48 as base classifier and ExtraTreeClassifier as meta classifier results in a comprehensive and adaptive framework that significantly improves IDS performance, offering a robust solution that outperforms traditional models in detecting intrusions with high accuracy.
Practical considerations of the proposed IDS
In real-world IDS applications, factors such as latency, model size, and computational cost play a crucial role in determining the feasibility of deployment. The proposed IDS, which integrates feature selection and a stacking-based ML model, is designed to optimize these aspects while maintaining high detection accuracy.
Latency: The usage of proposed EEO for feature selection has led to reduction of features from the original dataset thereby enhancing the computing operations. For the UNSW-NB15 dataset, the proposed model takes 1.6394 s for training purposes while the prediction time stands at 0.3525 s per instance. Similarly, for the NSL-KDD dataset, the training time computed is 0.8560 s while the prediction time is 0.2974 s per instance. Thus it can be perceived that the proposed model has lower latency while performing the intrusion detection.
Model size: We have used the ensemble of J48 combined with ExtraTreeClassifier in our proposed approach with EEO as feature selection. The final model size for the UNSW-NB15 dataset is 5.8905 MB while for the NSL-KDD it is 9.8779 MB. These model sizes are of uncompressed versions. Further compression can be done to make the model further smaller in size.
Computational cost: As a result of the ensemble process involving the feature selection and stacking ML method, our proposed model has the following compute costs for each dataset. The computation for the UNSW-NB15 dataset in terms of memory, CPU is 0.2031 MB, 0.6000% respectively. On the other hand the computation for the NSL-KDD dataset in terms of memory, CPU is 30.0156 MB, 0.3000% respectively. Thus the proposed system can be readily deployed on a system with limited resources also.
Overall complexity analysis
The EEO, a metaheuristic optimization algorithm, has a time complexity of \(O(P \cdot I \cdot D)\), where P is the number of particles (agents), I is the number of iterations, and D is the number of features. For SMOTE-IPF, the time complexity is \(O(N \cdot k)\) for the Synthetic Minority Over-sampling Technique (SMOTE), where N is the number of samples and k is the number of nearest neighbors, and \(O(I \cdot N)\) for Iterative Partitioning Filter (IPF), where I is the number of iterations.
The time complexity for training a stacking model with J48 and ExtraTreeClassifier involves: J48, which has a time complexity of \(O(N \cdot D \cdot \log (N))\), where N is the number of samples and D is the number of features. ExtraTreeClassifier, which has a time complexity of \(O(T \cdot N \cdot D \cdot \log (N))\), where T is the number of trees.
Combining these complexities, the overall time complexity of our experiment can be approximated as:
$$\begin{aligned} \permille (P \cdot I \cdot D) + O(N \cdot k) + O(I \cdot N) + O(N \cdot D \cdot \log (N)) + O(T \cdot N \cdot D \cdot \log (N)), \end{aligned}$$
providing a comprehensive view of the computational complexity involved in the proposed IDS method. Therefore, the overall time complexity of the experiment is:
$$\begin{aligned} O(N \cdot D \cdot \log (N)), \end{aligned}$$
which simplifies to \(O(N \cdot \log (N))\).
