Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144

Contents lists available at ScienceDirect

Journal of King Saud University –

Computer and Information Sciences
journal homepage: www.sciencedirect.com

A Fuzzy-Based Duo-Secure Multi-Modal Framework for IoMT Anomaly

Detection
Shiraz Ali Wagan a,1, Jahwan Koo b,1, Isma Farah Siddiqui c, Nawab Muhammad Faseeh Qureshi d,⇑,
Muhammad Attique e,⇑⇑, Dong Ryeol Shin a
a
Department of Electrical & Computer Engineering, Sungkyunkwan University, Suwon, Republic of Korea
b
College of Software, Sungkyunkwan University, Suwon, Republic of Korea
c
Department of Software Engineering, Mehran University of Engineering & Technology, Jamshoro, Pakistan
d
Department of Computer Education, Sungkyunkwan University, Seoul, Republic of Korea
e
Department of Software, Sejong University, Seoul, Republic of Korea

a r t i c l e i n f o a b s t r a c t

Article history: With the advancement in the Internet of Medical Things (IoMT) infrastructure, network security issues
Received 14 September 2022 have become a serious concern for hospitals and medical facilities. For this, a variety of customized net-
Revised 29 October 2022 work security tools and frameworks are used to distract several generalized attacks such as botnet-based
Accepted 15 November 2022
distributed denial of services attacks (DDoS) and zero-day network attacks. Thus, it becomes difficult to
Available online 29 November 2022
operate routine IoMT services and tasks in between the under-attack scenario. This paper discusses a
novel approach named Duo-Secure IoMT framework that uses multi-modal sensory signals’ data to dif-
Keywords:
ferentiate the attack pattern and routine IoMT devices’ data. The proposed model uses a combination
Fuzzy logic
Multi-modal
of two techniques such as dynamic Fuzzy C-Means clustering along with customized Bi-LSTM technique
Duo-secure that processes sensory medical data securely along with identifying attack patterns within the IoMT net-
Anomaly detection work. As a case study, we are using a dataset to evaluate heart disease which consists of 36 attributes and
Internet of Medical Things (IoMT) 18940 instances. The performance evaluation shows that the proposed model evaluates a) prediction of
heart issues and b) identification of network malware with an individual accuracy of 92.95% and multi-
modal joint accuracy of 89.67% in the IoMT-based distributed network environment.
Ó 2022 The Author(s). Published by Elsevier B.V. on behalf of King Saud University. This is an open access
article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

1. Introduction
Internet of Things (IoT) consists of a network of intelligent
devices such as intelligent machines, intelligent cars, intelligent
appliances, Which use a unique Internet Address to communicate
with each other and with other devices or networks (IP). Internet
of Medical Things (IoMT) is a subset of IoT reflects recent develop-
ment in which medical equipment such as smart blood pressure
⇑ Corresponding author.
⇑⇑ Co-corresponding author.
E-mail address: faseeh@skku.edu (N.M.F. Qureshi).
1
Are equally contributed first authors.
Peer review under responsibility of King Saud University.
Production and hosting by Elsevier
monitors, smart glucometers, smart bands, and smart pulse rate
monitors are the contemporary device (Lokshina, 2019; Wang,
2020; Sikarndar, 2020; Park, 2022b). The data is transmitted to
end users via gateway after being stored in the cloud. The techno-
logical advancements also encourage hackers to break into these
servers stealing all the confidential data. These sophisticated med-
ical equipment might be taken over by a variety of cyber attacks
(Principi, 2017; Naz, 2022). If an attacker gains control of an intel-
ligent pacemaker, it can be harmful for the patient. All such alarm-
ing dangers could have an impact on the IoMT infrastructure and
there must be a valid solution that could deal these problems
before happening (Hassan, 2019; Polonsky, 2010; Wagan, 2022).
IoMT-collected information is essential in many sectors because
it makes it possible to handle remote systems simultaneously in
real-time and monitor them from a distance. IoT devices, control
the manufacturing processes and monitor the patient in hospitals
and homes. An effective data management is needed for large-
scale data collection. Infinite data collection is unusable in the
absence of systems to clean, arrange, and process it. IoT involves

https://doi.org/10.1016/j.jksuci.2022.11.007
1319-1578/Ó 2022 The Author(s). Published by Elsevier B.V. on behalf of King Saud University.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
S.A. Wagan, J. Koo, I.F. Siddiqui et al.
analysis the data produced by machines, including such sensors in
household appliances and other devices that makes it. In order to
make decisions in real-time, IoT can collect and process data simul-
taneously with different algorithms that makes it different from
other data.
Intrusion is a way of stealing, altering or damaging other
users’ data by transmitting malicious packets through the net-
work. For this we use, two varieties of Intrusion Detection sys-
tem (IDS) that monitors and detects the issues systematically
(Gupta, 2017; Chandola, 2009; Wu, 2015; Cho, 2014; Guo,
2022). The first technique recognizes the attack depending on
system characteristics and signatures, but it does not detect
new attacks. Another method looks for transactions that are out-
side of the expected behavior (Malhotra, 2016; Park, 2022c). The
hackers continuously keep track of sensitive and critical informa-
tion that is obtained through variety of vulnerabilities available
in the open servers (Gupta, 2017; Wazid, 2019; Koo, 2022). An
IoMT server may become vulnerable due to intrusions in a num-
ber of ways, including application defects, improper system con-
figuration and network security loop holes (Garg, 2022; Park,
2022a). The application defects could be sorted out by monitor-
ing the data passing through the network. The improper system
configuration is handled by the network administrators and may
not affect much in helping a hacker to get into the infrastruc-
ture. The network security loop hole is an important aspect that
may lead to a disaster for all IoMT operations over the dis-
tributed network (Yang, 2019; Qureshi, 2022).
For this network security issue, we have several techniques
such as IDS:, ML algorithms: and DL algorithms:. The
IDS uses heuristic approach to void the attack using fuzzy logic
and distract a hacker with false data processing. The machine
learning algorithms uses variety of malfunction detection and
anomalies to keep system performing within the trained data only.
For this, we may take an example of Mirai botnet that captured bil-
lions of devices as a source for a DNS server attack. The researchers
detected Mirai botnet through training and then test abnormal pat-
terns (Dahl, 2013; Firdausi, 2010; Shamili, 2010; Koo, 2020). More-
over, the deep learning algorithms were used to analyze the
possibility of live Mirai botnet attack that eventually ended with
a continues change in the pattern detection of the attacking bots
(Nakip and Gelenbe, 2021).
Thus, we need to find out such strategy that could deal with all
uncertainties and successfully detect and protect the IoMT infras-
tructure. This paper proposes an effective multi-modal technique
named Duo-Secure IoMT framework that is a combination of two
required aspects such as finding network security issue having
uncertainty and make sure the normal operation works well. The
proposed technique uses dynamic Fuzzy C-Means clustering and
customized two Long Short Term Memory (Bi-LSTM) algorithm
that identifies abnormal pattern uncertainties in the network and
perform data evaluation tasks simultaneously. This combination
reduces the risk of complexity, heuristic uncertain attacks and
patient’s person data safe storage. The main contributions of this
paper are as follows:

Addresses a proper solution for uncertainty of abnormal net-
work attacks

Performs normal IoMT tasks without issue of network security.

A multi-Modal approach to use two different technology mod-
els such as Fuzzy C-Means and Bi-LSTM.
The rest of the paper is designed in such a way that section-II
discusses related study, section-III presents materials and meth-
ods(methodology), section-IV includes results and analysis fol-
lowed by the conclusion and references.
132
Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144
2. Related study
Our literature review deals with IDS and Heart attack anomaly
detection and focuses mostly on assessing data preparation and
algorithmic techniques in order to come up with novel strategies
for constructing a reliable intrusion detection system in heart
disease.
To cluster individuals with heart disease, researchers employed
the extended K-means clustering approach. The challenge of iden-
tifying the beginning point in the procedure results plagues clus-
tering, n terms of the number of clusters discovered as well as
their centers. This paper discusses methods for improving the K
means clustering algorithm for the anomaly detection of heart dis-
ease (Singh, 2019). A framework that covers the preprocessing
phase, fuzzy associative law exploration, and Using the fuzzy cor-
relation rule to make decisions. The suggested framework has pri-
marily focused on the factors that may lead to a heart attack in
patients (Shaji, 2019; Nedelcu, 2018).
To identify intrusion in the system, the researchers employed a
hybrid enhanced conditional variational Auto Encoder (ICVAE) and
(DNN). The ICAVE encoder performs weight initialization for the
(DNN) all hidden layers (Bhattacharya, 2020; Liu, 2020; Möckl,
2020). The DNN is speedy by employing the dimension of features.
DNN uses automated extraction of the given features and classifi-
cation algorithms, rather than heuristic rules. The suggested
approach is capable of detecting minorities attacks for example
shellcodes R2L,U2R (Yang, 2019; Hakak, 2019).
Deep adversarial learning (DAL) framework is used for statisti-
cal knowledge and data augmentation to identify intrusion in net-
works, In the field of data augmentation, this approach addresses
the issues of data imbalances. The discriminator can be used to
reject enhanced intrusion of data samples. The generator, on the
other hand, is used to create intrusion augmented datasets. The
Poisson-Gamma joint probabilistic model is used to create syn-
thetic intrusion samples using the Monte Carlo approach. Intrusion
datasets are classified as normal or attacks using SVM. Different
experiments were conducted on the KDD Cup 99 dataset, which
yielded higher precision, recall, and accuracy results than other
standard techniques (Zhang, 2019).
A convolutional neural network (CNN) implemented on the
KDD99 dataset, softmax algorithm are utilized to identify human
cyber intrusion attacks.This proposed system is divided into tow
parts. (1) Data normalization by preprocessing. (2) The A soft-
max method is used to classify the data. The researchers employed
training samples 494021 and test samples respectively 311029 test
samples with 99.23% accuracy result (Khan, 2019).
The authors presented the IoMT components with a semanti-
cally enhanced ontology framework, security challenges and pro-
cedures.To construct a recommendation system that helps users
to make high-accuracy judgments, the ontology is built with
context-aware rules to facilitate reasoning. As aforementioned, this
article addresses three main stakeholder perspectives: Health
workers, patients, and the system administrators. Moreover, Only
those parties that have a direct relationship with IoMT solutions
are taken into account (Alsubaei, 2019).
On the NSL-KDD datasets, feedforward deep neural networks
(FFDNN) fussed with the Filter-Based Feature Selection algorithm
(FBFSA) to identify anomalous incursion in wireless networks.The
algorithm chooses the optimal feature with the least amount of
redundancy for wireless networks. It comprises three hidden lay-
ers, each of which has 30 neurons. The dataset is split into two sec-
tions: training and testing, producing a 99.69% percent accuracy
(Kasongo, 2019).
Author implemented some complicated attack data, using vari-
ous ML algorithms.The Bagging ensemble approach and Random
S.A. Wagan, J. Koo, I.F. Siddiqui et al. Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144

Table 1
The comparison table of recent research studies.

Ref dataset Technique Modality/Multitasking Accuracy

(Khalil, 2022) EEG Signals CNN Single task 77.78%
(Wang, 2022) Computed Tomography KNN, LR, NB Single task 81%
(Singh, 2022) TON-IoT,KDD LSTM/HLSTM Single task 99.31%
(Wibowo, 2022) Covid-19 SVM,LR,RF Single task 88.43%
(Haque, 2022) Diabetes,Parkinson DeepCad,DNN Single task 95.5%
(Kaur, 2022) TCIA Cukoo,Naive Bayes Single task 98.61%
(Behera, 2022) EEG Signals WVFLN Single task -
Our research WUSTL-EHMS Fuzzy C-means, Bi-LSTM Multitasking Multimodal 92%, 89.67%

Forest outperform other classifier models with 97.67% accuracy. As
an outcome, an innovative health care system might be con-
structed on top of it to improve cyber security (Subasi, 2021).
The author built an effective IDS using a deep neural network
(DNN) to classify and forecast unexpected cyberattacks. They also
conducted hyperparameter selection feature engineering (Subasi,
2021). The presented DNN model outperforms existing machine
learning algorithms in terms of performance. On NSL-KDD, there
was a 15% improvement in accuracy, overall accuracy of 99.7%
(RM, 2020; Moosavi, 2016; Rahmani, 2015).
3. Material and method
In this section we have addressed different materials and meth-
ods including dataset description, pre-processing, data splitting
and normalization, and feature selection. Fig. 2 shows the complete
mechanism of our contribution. In addition, fuzzy C-mean and Bi-
LSTM methods discuss in detail. Moreover, Table 1 shows the com-
parison of recent studies with our contribution.
3.1. Dataset
In our Proposed framework Overall sixteen thousands three
hundred eighteen samples are collected accordingly, the ratio of
normal sample and attack data sample is 87.5% and 12.5%. Label
0 represents Non-attack traffic and 1 for attack traffic. A real-
time Enhanced Healthcare Monitoring System (EHMS) testbed is
used to build the WUSTL-EHMS-2020 dataset. The testbed is the
combination of two types, (1) Network-flow metrics and (2)
patients biometrics. This dataset originally contains 44 attributes,
including 35 network-flow metrics, eight patient biometrics, and
one label feature. The dataset may be found in (Hady, 2020).
Furthermore, our data was packet Capture (pcap) format so we
split data into chunks by using SplitCap software, after splitting
data into chunks, we used CICFlowMeter software to generate
the report of the chunks for the further analysis. A network traffic
flow analyzer called CICFlowMeter, it is an open source program
which creates Biflows from pcap files and extracts features from
flows. Moreover, Algorithm 1, Fig. 3 and Table 2 defines the data

Table 2
A list of features in the network traffic modality (flow metric) and the heart attack modality (bio metric).

Features Short Description Types

Flow Metric Bio Metric
SrcBytes Source Packet Bytes j
DstBytes Destination Packet Bytes j -
SrcLoad Source Packet Load Bytes j
DstLoad Destination Load of Packet j
SrcGap Source Bytes packet gap j
SLntPkt Source Inter packet j
DLntPkt Destination Inter Packet Bytes j
SLntPkAct Source Inter Packet Bytes j
DLntPkAct Destination Inter Packet Bytes j
SrcJitter Source Jitter j
DstJitter Destination Jitter j
sMaxPktSz Source Maximum Transmitted Packet Size j
dMaxPktSz Maximum destination and Transmit Packet Size j
sMinPktsz Source Minimum Transmitted Packet Size j
Dur Duration j
Trans Aggregated Packet Count j
TotPkts Total Packet Count j
TotBytes Total Packets Byte j
Loss Re-transmitted or Dropped Packets j
pLoss Percentage Re-transmitted or Dropped Packets j
pSrcLoss Percentage and Source Re-transmitted/ Dropped Packets j
pDstLoss Percentage of Destination Re-transmitted or Dropped Packet j
Rate Number of Packets per Second j
Load Load j
Temp Temperature j
SpO2 Peripheral Oxygen Saturation j
Pulse_Rate Pulse Rate j
Sys Systrolic Blood Pressure j
DIA Diastolic Blood Pressure j
Heart_Rate Heart Rate j
Resp_Rate Respiration rate j
ST ECG ST segment j

133
S.A. Wagan, J. Koo, I.F. Siddiqui et al.
pre-processing of two modalities flow metrics and biometrics
accordingly.
Algorithm 1. Data Preprocessing
3.2. Data splitting
Our models are built on deep learning approaches, as per our
dataset and literature studies. As a result, We divide dataset into
134
Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144
training, testing and validation using an accurate technique. Fur-
thermore, we have divided the dataset into 70% and 30% ratio for
testing, training and validation. The proposed deep learning model
was trained and optimized utilizing 70% of the training and valida-
tion set using the 10-fold cross-validation. This process repeats ten
times, with the normal average results and standard deviations
stated each time.
3.3. Data normalization
Significant numerical variation exists between the various attri-
butes. Sequences of features with higher ordered values can be
found if the retrieved features are incorporated in DL model.
Lower-valued pattern sequences would be suppressed in contrast.
Before feeding the generated statistical features to the deep learn-
ing model, we used a min–max normalization approach to ensure
that the model converged swiftly and training time was reduced.
3.4. Data balancing
Our dataset is highly imbalanced. We have 2041 records for
label 1 and 14273 label 0. Primarily we have implemented balanc-
ing technique SMOTE Edited Nearest Neighbours SMOTE(ENN) for
Over-sampling using SMOTE and cleaning using ENN (Scribber,
2022). Although the final dataset performed well, in the medical
profession, creating fake data for data balance is not suggested as
medical professionals will not trust the outcome. Undersampling
is another strategy for data balancing, which involves lowering
the size of the abundant class at random while maintaining all
samples in the rare class. This strategy, however, wastes a lot of
data. As a result, researchers used oversampling techniques for
improving the result. As a response, we use the oversampling
approach (Japkowicz, 2000) distinct datasets for training and vali-
dation. This method balances the dataset by increasing the amount
of rare samples by adding new examples from the rare class (for
example, by adding new samples from the rare class). A synthetic
minority, bootstrapping, or repetition).
3.5. Feature selection
For a range of ML mining challenges, feature selection tech-
nique is useful and efficient data preparation strategy, especially
for high-dimensional data. The purposes of feature selection are
to build simpler models, improve data mining effectiveness, and
produce clean, understandable data. For our data, to get high
ordered features we have implemented a new technique for fea-
ture selection called (Searching for Uncorrelated List of Variables).


Considering the dataset DT ¼ Kj ; Lj where
j ¼ 1; . . . ; n; Kj 2 Ri ; Lj 2 Ri g, having number samples n and fea-
tures i. Let L ^ j calculated as:
X
n


^j ¼
L Tj Kj
j¼1
where the regression tree is presented as Tj . to minimize the learn-
ing the objective function Tj as follows:
X
n

 Xn


O¼ ^j þ
M Lj ; L X Tj
j¼1 j¼1
3.6. Data scaling
Scaling is a another approach, also known as min–max scaling
or min–max normalization, is scaling the range of features to scale
the range in [0, 1] or [1, 1]. Depending on the data type, the target
S.A. Wagan, J. Koo, I.F. Siddiqui et al. Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144

range must be chosen. The following is the natural generalization

for a min–max of [0, 1].

3.7. Fuzzy C-means clustering

Clustering methods are useful tools for analyzing data struc-

tures, have become popular unsupervised pattern detection meth-
ods, and are used in many applications. The collection of
algorithms that minimize an objective function, known as the
objective function algorithms, includes the clustering technique
(Bezdek, 2013). Given that c is the total number of classes and clus-
ters, the technique is frequently referred to as C-Means when it can
reduce an error function, When used classes are applying fuzzy
technique it is called fuzzy approach. The FCM technique employs
a fuzzy membership that gives each class a level of membership Fig. 1. Defines the feature extraction for the flow metrics and biometrics modalities
_
(Içer, 2013). The advantage of FCM is that it allows for the creation by using Fuzzy C-Means.

of new clusters using data points with near membership values to

already existing classes. we have used FCM to extract features in
our study, there are 4 steps mainly consists in the mechamsim,
Preprocessing:, Clustering:, Feature extraction:, and
Classification:. The origional features are proccessed in the sys-
tem that is in the numarical form. In the next step these features
are passed in the clustering phase, this phase provides cluster cen-
ters, to obtain the final attributes the feature extraction is per-
formed, furthermore the processed features are passed in the
classifier for testing, these features improves the accuracy and of
the model. Furthermore, Fig. 1 explains the feature extraction for
the modalities.
Consider a vector of n values X ¼ ðx1 ; x2 ; . . . ; xn Þ for FCM to make
C clusters. The fuzzy partition matrix Mfc is used for fuzzy meme-
quickly process and compile longitudinal data from each modality
individually, we add two Bi-LSTM layers. The two layers do not
raise the calculation burdens because the patient time series only
include four steps.
There are three gates in the LSTM cell structure: first the input


gate ðitn Þ, second, forget gate f tn , lastly, the output gate ðotn Þ.
Information stored in the cell state is controlled by these gates.
b t are the cell status contents at the time tn , the
C t ; C t and C
n n1 n
most recent update to the current cell status value and the cell sta-
tus value from the previous time step, respectively.
htn1 is a hidden layer memory cell’s value at the t n1 time step.
ht is now the output value of a hidden layer. t n obtained from C bt
n n

bership matrix as defines below: and C tn1 . hs and b are used to denote the computed weight matri-
( ) ces and bias vectors, respectively.
X
C X
n
As a result of the back propagation method, they are updated.
Cn
Mfc ¼ X2R jxik 2 ½0; 1; 8i; k; xik ; 8k; 0 < < n; 8i Hadamard product, concatenation operator, logistic sigmoid func-
i¼1 k¼1
tion, and activation function output, such as SoftMax, ReLU, or
where 1 6 i 6 C; 1 6 k 6 n. Tanh, are all represented by the mathematical symbols  , r and
/. The equations illustrate the flow of information in LSTM
memory-cell for each stage in Eq. 1 to Eq. 7.
3.8. Proposed Bi-LSTM architecture

  
f tn ¼ r hf
htn1 ; xtn þ bf ð1Þ
A strong method for finding patterns in time - series data is
LSTM. We have used BiLSTM as it works better than other algo-
  
rithms and achieves optimum results and accuracies for time series itn ¼ r hi
htn1 ; xtn þ bi ð2Þ
multimodal data. There are currently only a few research studies

 
using LSTM for multimodal longitudinal data analysis. A sequenc- e t ¼ tanh hC
ht ; xt þ b
C ð3Þ
n n1 n
ing process model called a bidirectional LSTM, sometimes known
as a BiLSTM, consists of two LSTMs: one processing the data in a  
forward manner, the other going backward way. With the help of et
C tn ¼ f tn  C tn1  itn  C ð4Þ
n

BiLSTMs, the network has access to more information, which

improves the algorithm’s context but with the standard LSTM,
  
otn ¼ r h0
htn1 ; xtn þ bo ð5Þ
input can only flow in one way, either forward or backward. Each
time point’s data on heart illness is connected with the time points
before and after it. ði ¼ 1;    ; nÞ and a backward LSTM ði ¼ n;    ; 1Þ. htn ¼ otn  tanh ðC tn Þ ð6Þ
BiLSTM networks implemented in two conditions. First, modalities,
i.e. X 2 fX PET ; X MRI ; X CSD ; X NPD ; X ASD g are trained separately by Bi-


yn ¼ u hy htn þ by ð7Þ
LSTM subnetwork.
Five two-layer BiLSTM networks have been trained simultane- The relationship between the subsequent input sequence and
ously and independently to capture the temporal characteristics the preceding input sequence is not captured by the LSTM unit in
inside individual features as well as across features of various a time series. To discover the underlying correlations in a time ser-
modalities in our two modalities. Second, to extract the character- ies, BiLSTM merges two separate hidden LSTM layers in both for-
istics shared by various modalities, the learned features from these ward and backward directions into a single output.
five networks are merged and trained using an additional two- BiLSTM receives a sequence as input, X ¼ ðX t0 ; X t1 ; . . . ; X tn Þ, iin
layer Bi-LSTM network. The Bi-LSTM network that is used to com- an forward hidden sequence similar to the traditional LSTM,
! ! ! ! 
bine several modalities (Tran-Anh, 2022). h t ¼ h t0 ; h t1 ; . . . ; h tn , with a hidden sequence going towards
The output of the Bi-LSTM is created by concatenating the out-
puts of the forward and backward Bi-LSTMs for each time point. To the opposite side, h t ¼ h t0 ; h t1 ; . . . ; h tn . The hidden layer’s
135
S.A. Wagan, J. Koo, I.F. Siddiqui et al. Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144

output vector yt ¼ ðyt0 ; yt1 ; . . . ; ytn Þ; t ¼ 1; 2::t is the combination of of our study are single-task and multitask experiments. (1) Our
! ! proposed model trains on two single-task experiments using a par-
h t and h t ; yt ¼ h t ; h t , as mentioned in Eq. 8 to Eq. 11.
ticular classification problem. For example, the model classifies
h! i whether the input traffic is benign or malicious. (2) We developed
!
h tn ¼ r h!
h tn1 ; xtn þ b! ð8Þ the multitasking studies model to predict two classification tasks
hn hn simultaneously. We use the performance metrices including accu-
racy, recall, precision, and the F1-score to evaluate our proposed
h tn ¼ r hht n  h tn1 ; xtn þ bh n
ð9Þ framework. The experimental results are presented as mean
Standard Deviation (SD).
We design our experiments in the following way. We evaluate
! ! the model on (1) the network flow modality, (2) the biometric
h t0 ; h t0 . . . h tn ; h tn ¼ BiLSTM ðX t0 ; X t1 ; . . . ; X tn Þ ð10Þ
(heart attack) modality, and (3) the fusion of both modalities. For
each experiment, we set three different parameters for the pro-
!! posed approach: (a) train the model using all of the numerical fea-
yt ¼ r hyt h n h tn þ hyt hn h tn þ byt ð11Þ
tures without the class imbalance technique, (b) employ the class
imbalance technique in training the model, and (c) train the model
The subsequent hidden layer receives the outcome of the BiLSTM yt using selected features with the class imbalance technique. Using a
. As shown in Fig. 2., the output yt from the previous layer is pro- single modality and the fusion of both modalities, we train and
vided as an input to a subsequent layer (architecture). The short evaluate the proposed model for single-task and multitasking.
duration of the time series in our investigation means that the The following subsections explain the single-task and multitask
two BiLSTM layers’ computing load is minimal. experiment results.

3.9. Evaluation metrics

4.1. Single-task and multitasking using network flow modality
The deep learning model’s quality is measured by using evalu-
ation measures. Any project requires evaluating machine learning The dataset has two modalities: (1) the network flow and (2)
models or methods. There are a variety of evaluation measures that the heart attack. We have two classification tasks: (i) whether
may be used to test a model. The suggested multitask deep learn- the input network traffic is benign or malicious and (ii) whether
ing model’s performance is measured using the metrics listed a patient is going to get heart attack or not. We experiment to find
below. out how the network flow modality affects the ability of the pro-
Accuracy. It is the percentage of samples that are successfully posed model to predict whether an input traffic is benign or malig-
classified out of a total number of samples. nant and if the patient will experience a heart attack. We conduct
several experiments for both single-task and multitasking inde-
TP þ TN
Accuracy ¼ pendently. The results of a single-task and multitask experiment
TP þ FP þ TN þ FN that focused on the network modality are presented in this
Precision. The proportion of correctly categorized positive sam- subsection.
ples compared to all expected positive samples.
TP 4.1.1. Single-task: Classify IoT network traffic
Precision ¼
TP þ FP In this experiment, we train the proposed model on a single net-
Recall.It’s the proportion of correctly categorized positive sam- work traffic column by omitting the other labeled column. We
ple among each sample in a particular class. used all three model settings as previously stated, i.e., without
imbalance technique, with class imbalance, and with feature selec-
TP tion. Fig. 4 shows the results of three different model settings. It
Recall ¼
TP þ FN expects to observe an improvement in all performance metrics
F1-score.Both recall and precision are used in calculation. It with class imbalance method following a feature selection. The
demonstrates, both false negatives and false positives are taken model achieves 67% CV and 63% testing accuracy without class
into account when counting the score. imbalance and feature selection method. Following class imbal-
ance technique, the model’s CV and testing performance improves
Precision  Recall by 7% and 8%, respectively. We use SULOV recursive feature selec-
F1  score ¼ 2 
Precision þ Recall tion method. Our proposed model achieves 80% CV and 77% testing
accuracy with SULOV selection strategy.
3.10. Experimental setup
4.1.2. Single-task: Classify heart attack patient
The experiments are conducted using Python 3.7.7 environment In this experiment, the other labeled column is left out while
in the Anaconda 4.8.3 and an Intel Xeon(R) CPU E5-2620 v3 @ the proposed model is trained on only one column of heart attach.
2.40 GHz times 24 machine with Cuda-10.0 and Nvidia GeForce We employed all three model settings: feature selection, class
12 GB GPU (64-bit). imbalance, and without imbalanced approach. The outcomes of
three alternative model settings are displayed in Fig. 5. Following
4. Results and analysis feature selection, it anticipates seeing an improvement in all per-
formance metrics with the class imbalance technique. The model
Using a 10-fold CV, we deployed the model using the training obtains a 63% CV and a 61% testing accuracy without class imbal-
set before evaluating the trained model against the testing set. ance and feature selection approach. After applying the class
We use the following design experiments to test the effectiveness imbalance approach, the model’s CV and testing performance
of the proposed multitasking framework from various perspec- improve by 6% and 5%. With the SULOV selection technique, our
tives. We conduct the two sets of experiments. The two groups proposed model achieves 76% CV and 74% testing accuracy.
136
S.A. Wagan, J. Koo, I.F. Siddiqui et al.
Fig. 2. Proposed framework for multi-modal anomaly detection and prediction of heart attack.
4.1.3. Multitask
The results of the single-task experiment reveal that the selec-
tion of feature improves the model’s training and testing perfor-
mance. Fig. 6 depicts the two-task problem in two model
settings. The model must optimize for several tasks, which results
in a increase or decrease in performance based on the task correla-
tion. It is more complicated than optimizing a single task. How-
ever, our model shows a very modest increase in accuracy that
reveals that the modalities are highly correlated. The proposed
model obtains 63% testing accuracy for single-task and 69% for
multitasking while predicting the network traffic is benign or
not. Whereas, in predicting the heart attack patient, the proposed
model obtains 61% testing accuracy for single-task and 63% for
multitasking without class imbalanced technique. Following the
class imbalanced and feature selection approach, the proposed
multitasking model’s training and testing performance improve
by 3% and 4%, respectively.
4.2. Single-task and multitasking using heart attack modality
The goal of this experiment is to examine how the heart attack
modality influences the potential to predict if a patient will have a
heart attack and whether the input traffic is benign or malignant.
We individually do a number of single-task and multitasking
experiments similar to the network flow modality. The true label
137
Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144
of whether a patient would get a heart attack or not is unavailable
from the original dataset. However, the heart attack column is pro-
duced using the well-known method known as Fuzzy Mean Clus-
tering (FMC) technique. This subsection presents the findings of a
single-task and multitasks experiment that targeted the heart
attack modality.
4.2.1. Single-task: Classify IoT network traffic
In this experiment, we train the suggested model on a single
network traffic column while leaving out the other named column.
As previously said, we applied all three model settings: without the
usage of the imbalance approach, class imbalance, and feature
selection. The outcomes of three distinct model settings are dis-
played in Fig. 7. Following a feature selection, the proposed model
anticipates seeing an improvement in all performance metrics
using the class imbalance approach. Without class imbalance and
selection of feature, the model achieves a 66% CV and a 63% testing
accuracy. The model’s CV and testing performance improve by 8%
and 8%, respectively, after applying the class imbalance approach.
We employ the SULOV recursive feature selection approach. With
the SULOV selection technique, our suggested model achieves
80% CV and 78% testing accuracy. Table 3 shows a comparison
between each modality in the classification of IoT network traffic
and heart attack patient without employing the class imbalance
technique.
S.A. Wagan, J. Koo, I.F. Siddiqui et al.
Fig. 3. Defines the process of dataset flow from PCAP file to CSV transformation
with the help of SplitCap and CICFlowMeter.
4.2.2. Single-task: Classify heart attack patient
The suggested model is trained on just one column of heart
attach in this experiment, leaving the other labeled column out.
We used the feature selection, class imbalance, and without class
imbalance model options. Fig. 8 shows the results of three different
model settings. Following feature selection, it forecasts that the
class imbalance approach will result in an improvement in all per-
formance metrics. Without class imbalance and feature selection,
the model achieves a 62% CV and a 60% testing accuracy. The mod-
el’s CV and testing performance improve by 6% and 6% after using
the class imbalance technique. Our suggested model obtains a 76%
CV and a 74% testing accuracy using the SULOV selection approach.
While using the imbalance approach for class, Table 4 compares
each modality used to classify IoT network traffic and heart attack
patients.
4.2.3. Multitask
The single-task experiment’s findings show that choosing a fea-
ture enhances the model’s performance throughout training and
Fig. 4. Determine whether the input traffic packet is benign or malware. The results are reported by employing the IoT network traffic modality alone.
138
Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144
testing process of the model deployment. The two-task problem
of model’s performance is shown in Fig. 9 in three different model
configurations. Depending on the task correlation, the model must
optimize for a number of tasks, which affects performance either
positively or negatively. It is more difficult to optimize many tasks
at once. The modalities are closely connected, as evidenced by our
model’s very slight gain in accuracy. The suggested model predicts
whether network traffic is benign or not with a testing accuracy of
63% for single-task and 65% for multitasking. While the suggested
model achieves 60% testing accuracy for single-task and 63% for
multitasking without class unbalanced approach for predicting
the heart attack patient. The suggested multitasking model’s train-
ing and testing performance improves by 15% and 14%, respec-
tively, using the class unbalanced and feature selection
approaches. In order to classify IoT network traffic and heart attack
patients simultaneously with utilizing class-imbalance approach
and the feature selection method, Table 5 compares each modality.
4.3. Single-task and multitasking using fusion of modalities
Most studies concentrated on analyzing IoT medical signal,
where several medical studies asserted that IoT signal is not suffi-
cient to study heart attack rate. Thus, the patient’s current state
and entire medical history from EHR must be considered to achieve
customized, intuitive, stable, and robust decisions. Additionally,
many IoT devices are susceptible to malware attacks, a significant
concern for IoT users. Therefore, we fusion the heart attach modal-
ity with the network flow modality to distinguish a network traffic
from malware. Thus, several features must be considered, such as
packet-related, flow-related, and flag-related in combination with
biomedical feature including oxygen saturation, blood pressure,
pulse rate, and respiration rate. The combination of modalities
facilitates the detecting and distinguishing all subtle changes of
all modalities from the very beginning, which results in reliable
diagnoses. Building a multimodal system based on all patient’s
data is challenging because the fusion of different modalities
affects system performance. This subsection reports the findings
of a single-task and multitasks experiment that fuses the network
flow modality with the heart attach modality.
4.3.1. Single-task: Classify IoT network traffic
In this experiment, we train the suggested model on both col-
umns i.e., network traffic column and heart attack prediction col-
umn. As previously said, we applied all three model settings:
without using the imbalance approach, class imbalance, and fea-
ture selection. The outcomes of three distinct model settings are
displayed in Fig. 10. Following a feature selection, it anticipates
seeing an improvement in all performance metrics and feature
selection, the model achieves a 89% CV and a 86% testing accuracy.
After applying the class imbalance approach, the model’s CV and
S.A. Wagan, J. Koo, I.F. Siddiqui et al. Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144

Fig. 5. Determine whether the input traffic packet is a patient of having heart attack or a healthy one. The results are reported by employing the IoT network traffic modality
alone.

Fig. 6. Determine whether the input traffic packet is benign or malware and belongs to a patient having heart attach or a healthy patient. The results are reported by
employing the IoT network traffic modality alone.

Fig. 7. Multitask.The results are reported without employing the class imbalance technique.

Table 3
The performance comparison between task 1 and task 2 without the class imbalance techniques in all different modalities reported. The average performance of the test and
the results of a 10-fold CV are displayed as mean. SD.

Data 10-CV performance Evaluation performance

F1-scores Recalls Precisions Accuracies F1-scores Recalls Precisions Accuracies
Task 1 - Classification of Network Traffic (benign or anomaly)
Network packets 69.02 ± 3.26 68.93 ± 0.69 68.42 ± 3.67 66.51 ± 3.83 65.48 ± 2.46 68.32 ± 1.32 63.73 ± 4.29 63.33 ± 4.09
Bio-metric modality 65.31 ± 3.08 65.57 ± 2.02 66.07 ± 3.76 62.56 ± 4.12 63.78 ± 3.66 64.54 ± 2.9 60.17 ± 5.8 61.14 ± 4.56
Task 2 - Bio-metric Heart Attack Classification
Network packets 68.26 ± 3.02 69.02 ± 1.30 68.01 ± 2.33 65.86 ± 3.64 64.90 ± 3.90 67.60 ± 2.35 63.08 ± 4.08 63.32 ± 4.38
Bio-metric modality 65.03 ± 2.94 65.57 ± 1.61 65.37 ± 4.26 61.85 ± 3.15 63.33 ± 2.69 64.22 ± 2.51 60.55 ± 2.85 59.9 ± 5.19

testing performance improve by 2% and 2.5%. We employ the ing accuracy. Table 6 shows a comparison between each modality
SULOV recursive feature selection approach. With the SULOV selec- in the classification of IoT network traffic and heart attack patient
tion technique, our suggested model achieves 93% CV and 90% test- without employing the class imbalance technique.

139
S.A. Wagan, J. Koo, I.F. Siddiqui et al. Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144

Fig. 8. Multiclass Classification - Heart prediction.The results are reported by employing the class imbalance technique.

Table 4
The class imbalance approach is used to compare task 1 and task 2 performance, and the results are given across all modality types. Mean SD is used to describe the findings of a
10-fold CV and measuring average performance

Data 10-CV Performance Evaluation Performance

F1-scores Recalls Precisions Accuracies F1-scores Recalls Precisions Accuracies
Task 1 - Classification of Network Traffic (benign or anomaly)
Network packets 76.62 ± 4.11 77.63 ± 2.36 75.61 ± 4.55 74.15 ± 2.64 73.98 ± 1.54 76.40 ± 2.63 72.68 ± 3.67 71.48 ± 2.28
Bio-metric modality 69.83 ± 3.04 72.17 ± 1.93 71.07 ± 3.99 69.09 ± 3.92 67.85 ± 2.84 70.96 ± 1.6 65.41 ± 4.26 66.09 ± 4.77
Task 2 - Bio-metric Heart Attack Classification
Network packets 76.04 ± 3.34 76.74 ± 1.62 76.16 ± 2.56 73.58 ± 4.23 73.28 ± 3.41 71.16 ± 3.18 71.46 ± 3.45 71.11 ± 3.79
Bio-metric modality 71.16 ± 3.18 71.94 ± 1.17 71.98 ± 3.74 68.23 ± 4.02 68.92 ± 3.61 71.75 ± 1.92 66.42 ± 4.61 66.26 ± 4.23

Fig. 9. Multiclass Classification - Heart prediction.The results are reported by utilizing the feature selection and class-imbalance techniques.

Table 5
The performance comparison between task 1 and task 2 across the modalities, the feature selection methods and class imbalance are reported. Findings of the 10-fold Cross-
Validation and the mean SD of test performance average are reported.

Dataset 10-CV Performance Evaluation Performance

F1-scores Recalls Precisions Accuracies F1-scores Recalls Precisions Accuracies
Network Traffic and Classification are (benign or anomaly)
Network packets 83.15 ± 2.58 81.68 ± 1.43 80.89 ± 3.7 80.15 ± 3.62 77.38 ± 2.41 82.02 ± 2.82 76.75 ± 5.49 77.19 ± 4.46
Bio-metric modality 80.28 ± 3.08 78.64 ± 2.09 78.83 ± 4.33 76.46 ± 5.38 75.69 ± 1.37 79.44 ± 1.8 73.51 ± 4.01 73.77 ± 6.42
Bio-metric Heart Attack Classification
Network packets 83.04 ± 2.32 82.44 ± 1.44 80.74 ± 3.99 80.07 ± 3.73 77.29 ± 2.5 82.11 ± 1.86 75.79 ± 5.4 77.86 ± 5.36
Bio-metric modality 80.07 ± 1.58 79.23 ± 1.46 79.22 ± 4.56 76.23 ± 5.11 75.64 ± 1.62 79.91 ± 2.26 74.66 ± 3.64 74.14 ± 4.8

4.3.2. Single-task: Classify heart attack patient
In this experiment, only one column of heart attaches are
labeled, and the suggested model is trained on only that one col-
umn. All three model settings—feature selection, class imbalance,
and approach without class imbalance—were used. In Fig. 11, the
results of three different model settings are shown. It forecasts
that, after feature selection, the class imbalance approach will
result in an improvement in all performance metrics. Without
using feature selection or class imbalance, the model achieves a
CV of 84% and a testing accuracy of 81%. The model’s testing and
CV performance improve by 2% and 3%, respectively, after imple-
140
menting the class imbalance technique. Our suggested model gets
a CV of 88% and a testing accuracy of 85% using the SULOV selec-
tion procedure. With using the class imbalance approach, Table 7
compares each modality used to classify IoT network traffic and
heart attack patients.
4.3.3. Multitask
The single-task experiment’s findings indicate that choosing a
feature enhances the model’s training and testing performance.
Two model parameters for the two-task problem are shown in
Fig. 12. The model must optimize for a number of tasks, which
S.A. Wagan, J. Koo, I.F. Siddiqui et al. Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144

Fig. 10. Multitask.The results are reported without employing the class imbalance technique.

Table 6
The performance comparisons between tasks 1 and 2 and multitasking without implementing the class imbalance approach are given throughout the modalities. The results of
10-fold Cross-validation using the test’s benchmark performance average are displayed as mean SD.

Data 10-CV Performance Evaluation Performance

F1-scores Recalls Precisions Accuracies F1-scores Recalls Precisions Accuracies
Network Traffic and Classification are (benign or anomaly)
Network packets 69.44 ± 2.14 69.77 ± 2.22 69.9 ± 4.18 69.25 ± 2.39 67.15 ± 4.34 69.55 ± 2.88 64.81 ± 4.7 65.13 ± 5.04
Bio-metric modality 69.68 ± 3.3 68.99 ± 2.51 68.23 ± 4.31 66.76 ± 3.03 65.18 ± 3.35 69.08 ± 2.09 63.82 ± 4.72 63.07 ± 6.34
Bio-metric Heart Attack Classification
Network packets 69.91 ± 2.51 70.82 ± 1.5 70.5 ± 4.47 67.34 ± 3.1 66.63 ± 3.02 69.09 ± 1.34 66.15 ± 3.93 65.41 ± 5.86
Bio-metric modality 69.67 ± 2.12 69.02 ± 2.11 68.12 ± 4.62 67.46 ± 2.45 66.06 ± 1.92 71.13 ± 1.94 63.74 ± 4.15 62.65 ± 5.82

Fig. 11. Multitask.The results are reported by employing the class imbalance technique.

Table 7
The performance comparisons between tasks 1 and 2, as well as multitasking using the class imbalance approach, are given throughout the modalities. The results of 10-fold
Cross-validation using the test’s benchmark performance average are displayed as mean SD.

Data 10-CV Performance Evaluation Performance

F1-scores Recalls Precisions Accuracies F1-scores Recalls Precisions Accuracies
Network Traffic and Classification are (benign or anomaly)
Network packets 82.41 ± 1.88 80.92 ± 1.66 79.58 ± 3.24 81.44 ± 3.44 77.45 ± 2.5 83.57 ± 3.79 75.5 ± 4.19 75.77 ± 4.45
Bio-metric modality 77.96 ± 2.65 76.95 ± 2.15 75.26 ± 3.76 74.44 ± 3.31 73 ± 2.38 77.45 ± 3.11 71.97 ± 4.53 72.24 ± 5.18
Bio-metric Heart Attack Classification
Network packets 82.84 ± 0.9 80.75 ± 0.93 79.39 ± 3.4 79.33 ± 2.71 78.54 ± 1.54 84.28 ± 3.49 75.56 ± 5.37 77.69 ± 5.21
Bio-metric modality 78.15 ± 2.13 76.38 ± 2.19 74.79 ± 2.51 75.7 ± 3.54 73.42 ± 2.03 76.61 ± 2.98 72.6 ± 3.94 72.83 ± 5.85

affects how well it performs depending on how well the tasks are
correlated. It is more difficult to optimize for just one job. However,
our model’s very slight accuracy improvement indicates that the
modalities are strongly connected. When predicting whether net-
work traffic is benign or not, the suggested model achieves testing
accuracy of 86% for single-task and 89% for multitasking. In con-
trast, the suggested model predicts heart attack patients with a
testing accuracy of 81% for single-task and 84% for multitasking
without class unbalanced approach. The training and testing per-
formances of the proposed multitasking model improve by 4%

141
S.A. Wagan, J. Koo, I.F. Siddiqui et al. Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144

Fig. 12. The method of feature selection and the class imbalance techniques are applied to report to the results of multitasking..

Table 8
Multitask: Across the modalities, employing feature selection, performance evaluation of tasks 1, and task 2,with the class imbalance strategies is provided.The results of 10-fold
Cross-validation using the test’s benchmark performance average are displayed SD.

Data 10-CV Performance Evaluation Performance

F1-scores Recalls Precisions Accuracies F1-scores Recalls Precisions Accuracies
Network Traffic and Classification are (benign or anomaly)
Network packets 84.84 ± 2.1 84.7 ± 2.63 83.43 ± 4.35 82.72 ± 5.19 81.38 ± 3.15 83.64 ± 2.68 79.27 ± 4.34 80.24 ± 4.73
Bio-metric modality 82.31 ± 2.47 80.89 ± 1.88 80.47 ± 4.77 78.16 ± 4.06 77.51 ± 3.25 80.69 ± 3.95 74.06 ± 4.83 77.55 ± 4.87
Bio-metric Heart Attack Classification
Network packets 84.74 ± 1.75 84.87 ± 1.91 82.63 ± 3.68 82.79 ± 3.75 81.5 ± 2.62 83.19 ± 1.73 78.87 ± 5.94 80.39 ± 4
Bio-metric modality 82.05 ± 3.09 81.18 ± 1.32 80.97 ± 3.92 77.6 ± 5.12 76.75 ± 2.8 81.39 ± 4.33 74.46 ± 5.41 76.9 ± 5.28

Table 9
The performance comparison between task 1, task 2, and multitasking by combining the network packets and bio-metric modalities reported in the different modalities. The
results of 10-fold Cross-validation using the test’s benchmark performance average are displayed SD.

Data 10-CV Performance Evaluation Performance

F1-scores Recalls Precisions Accuracies F1-scores Recalls Precisions Accuracies
Without Employing the class imbalance technique
Task 1 92.49 ± 4.3 92.11 ± 0.91 87.83 ± 3.1 89.29 ± 3.8 86.08 ± 3.67 91.09 ± 4.39 84.76 ± 4.95 86.08 ± 4.95
Task 2 87.84 ± 2.77 84.17 ± 1.73 87.11 ± 5.36 83.56 ± 4.04 83.64 ± 2.5 88.77 ± 2.4 81.83 ± 5 80.69 ± 7.19
Multitask 1 94.51 ± 2.32 93.81 ± 2.95 91.46 ± 5 90.23 ± 3 90.67 ± 2.23 91.32 ± 3.52 86.04 ± 5.88 88.57 ± 2.91
Multitask 2 90.68 ± 3.26 88.92 ± 2.41 90.89 ± 4.17 85 ± 6 84.59 ± 2.24 90.43 ± 4.07 81.73 ± 5.55 83.92 ± 6.26
By Employing the class imbalance technique
Task 1 94.41 ± 4.23 93.99 ± 1.47 90 ± 2.68 91.25 ± 4.15 88.61 ± 3.67 93.14 ± 4.61 86.74 ± 5.2 88.4 ± 5.01
Task 2 90.65 ± 3.36 87.21 ± 1.7 89.02 ± 5.67 85.74 ± 4.16 86.65 ± 3.07 91.09 ± 3.05 84.57 ± 4.36 83.35 ± 6.65
Multitask 1 97.41 ± 2.32 96.79 ± 3.02 93.23 ± 5.4 92.75 ± 2.98 93.08 ± 2.81 93.91 ± 3.56 88.86 ± 5.14 90.6 ± 3.06
Multitask 2 93.02 ± 3.65 91.86 ± 1.82 93.43 ± 4.31 87.09 ± 5.49 87.17 ± 2.29 93.12 ± 3.87 84.88 ± 5.89 86.98 ± 6.41
By implementing feature selection and class imbalance techniques
Task 1 96.9 ± 4.34 96.14 ± 1.13 92.05 ± 2.66 92.63 ± 4.08 90.44 ± 3.93 94.89 ± 4.4 88.8 ± 5.24 90.02 ± 5.43
Task 2 92.66 ± 3.11 89.89 ± 2.07 91.91 ± 4.85 88.45 ± 4.24 89.48 ± 3.81 92.99 ± 2.44 86.91 ± 4 85.43 ± 7.39
Multitask 1 98.16 ± 2.04 99.88 ± 3.53 95.38 ± 6.21 95.82 ± 3.1 95.64 ± 1.92 95.64 ± 3.84 91.61 ± 5.28 92.95 ± 3.42
Multitask 2 95.74 ± 3.24 94.54 ± 2.12 95.62 ± 4.63 89.1 ± 5.76 89.82 ± 2.25 95.71 ± 4 88.07 ± 5.54 89.67 ± 6.24

and 6%, respectively, after using the class unbalanced and feature
selection technique. In order to classify IoT network traffic and
heart attack patients simultaneously with using the class imbal-
ance approach and the feature selection method, Table 8 compares
each modality.
4.4. Comparison and discussion
We compare our work with the recent research studies in the
IoT network traffic and heart attach prediction. Both deep learning
and predicting heart attack patients have improved using the pro-
posed multi-modal multitasking hybrid deep learning model in
this study. In addition, we analyze the proposed models in various
configurations. When jointly trained for multitasking with two
142
tasks, the model’s performance improves steadily. To the best of
our knowledge, the proposed multitasking with various model
configurations using the IoT network traffic and bio metric heart
attack modality never investigates in the context of heart attack
classification. A comparison between without class imbalanced,
with class imbalanced, and feature reduction of multitasking
model is reported in Table 9 Our contribution is compared with
recent studies and clearly differentiate the difference the flow met-
ric biometric and heart data.
5. Limitations and future work
The increased demand for virtual care monitoring systems
involves the implementation of a secure system that ensures the
S.A. Wagan, J. Koo, I.F. Siddiqui et al.
data’s integrity and confidentiality. Their capacity to interact with
distant servers is crucial for utilizing the system to its maximum
potential.Unfortunately, they could be unable to offer the neces-
sary confidentiality and privacy for the patient’s data because to
their physical limitations, such as low computing power and low
battery capacity. Using IDSs to guarantee that such systems meet
the security standards is one way to overcome such limitations.
However, the findings indicate that the system’s performance is
not perfect, requiring more research. In our upcoming work, we
intend to improve the approaches’ performance by selecting the
best hyperparameters, limiting the feature space, increasing com-
plexity of the model, and launching advanced attack. moreover,
Explainable Artificial intelligence (XAI) can be used to improve
the reasoning that how algorithms work anomaly detection and
improving the accuracy.
6. Conclusion
Since most people are normally inattentive about their routine
health checkups, a heart disease prediction mechanism and anom-
aly detection might be a valuable tool that aids in making the gen-
eral public aware of their health condition. There is sufficient
amount of data to support paradigm shifts to novel concepts
regarding IoMT multi-modality. Our proposed study based on
Fuzzy C-means and Bi-LSTM algorithms for the early diagnosis of
anomaly detection and heart attack prediction. The proposed
framework can be helpful for multi-modal data fusion in health-
care environment. On the basis of our best model and parameters
compared, helpful medical suggestion can be available for the
healthcare. The suggested method’s significant accuracy demon-
strates its proficiency in modeling training based on features cho-
sen during the high-ordered feature selection stage, matching
parameters for Bi-LSTM, and mitigating for anomalies found in
the proposed approaches. Our model shows multitask 1, accuracy
92.95% and multitask 2, 89.67%. The following results clearly
shows that anomaly can be reduced to produce an accurate data
for the further analysis. In future work, Explainable AI can be a
helpful tool for the Fairness, interpret-ability and for the stability
of sensitive data to make transparent decision from black-box to
white-box.
Declaration of Competing Interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared
to influence the work reported in this paper.
Acknowledgement
This research was supported by Basic Science Research Program
through the National Research Foundation of Korea (NRF) funded
by the Ministry of Education (2021R1I1A1A01052299).
References
Alsubaei, 2019. Ontology-based security recommendation for the internet of
medical things. IEEE Access 7, 48948–48960.
Behera, 2022. Artifact removal using deep wvfln for brain signal diagnosis through
iomt. Measurement: Sensors 100465.
Bezdek, J.C., 2013. Pattern Recognition with Fuzzy Objective Function Algorithms.
Springer Science & Business Media.
Bhattacharya, 2020. A novel pca-firefly based xgboost classification model for
intrusion detection in networks using gpu. Electronics 9, 219.
Chandola, 2009. Anomaly detection: A survey. ACM Comput. Surv. (CSUR) 41, 1–58.
Cho, 2014. Learning phrase representations using rnn encoder-decoder for
statistical machine translation. arXiv preprint arXiv:1406.1078.
Dahl, 2013. Large-scale malware classification using random projections and neural
networks. In: 2013 IEEE International Conference on Acoustics, Speech and
Signal Processing. IEEE, pp. 3422–3426.
143
Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144
Firdausi, 2010. Analysis of machine learning techniques used in behavior-
based malware detection. In: 2010 Second International Conference on
Advances in Computing, Control, and Telecommunication Technologies, IEEE.
pp. 201–203.
Garg, 2022. Security in iomt-driven smart healthcare: A comprehensive review and
open challenges. Security Privacy 5, e235.
Guo, W., 2022. Cooperative communication resource allocation strategies for 5g and
beyond networks: A review of architecture, challenges and opportunities. J.
King Saud Univ.-Comput. Informat. Sci.
Gupta, 2017. Proids: Probabilistic data structures based intrusion detection system
for network traffic monitoring. In: GLOBECOM 2017–2017 IEEE Global
Communications Conference, IEEE. pp. 1–6.
Hady, 2020. Intrusion detection system for healthcare systems using medical and
network data: A comparison study. IEEE Access 8, 106576–106584.
Hakak, 2019. Exact string matching algorithms: Survey, issues, and future research
directions. IEEE Access 7, 69614–69637.
Haque, 2022. Deepcad: A stand-alone deep neural network-based framework for
classification and anomaly detection in smart healthcare systems. In: 2022 IEEE
International Conference on Digital Health (ICDH), IEEE. pp. 218–227.
Hassan, 2019. Current research on internet of things (iot) security: A survey.
Comput. Networks 148, 283–294.
_
Içer, S., 2013. Automatic segmentation of corpus collasum using gaussian mixture
modeling and fuzzy c means methods. Comput. Methods Programs Biomed.
112, 38–46.
Japkowicz, N., 2000. The class imbalance problem: Significance and
strategies. In: Proc. of the Int—l Conf. on Artificial Intelligence, Citeseer. pp.
111–117.
Kasongo, 2019. A deep learning method with filter based feature engineering for
wireless intrusion detection system. IEEE Access 7, 38597–38607.
Kaur, 2022. Computational intelligence and metaheuristic techniques for brain
tumor detection through iomt-enabled mri devices. Wireless Commun. Mobile
Comput. 2022.
Khalil, 2022. Efficient anomaly detection from medical signals and images with
convolutional neural networks for internet of medical things (iomt) systems.
Int. J. Num. Methods Biomed. Eng. 38, e3530.
Khan, 2019. An improved convolutional neural network model for intrusion
detection in networks. In: 2019 Cybersecurity and Cyberforensics Conference
(CCC), IEEE. pp. 74–77.
Koo, J., 2020. Iot-enabled directed acyclic graph in spark cluster. J. Cloud Comput. 9,
1–15.
Koo, J., 2022. Sahws: Iot-enabled workflow scheduler for next-generation hadoop
cluster. In: 2022 Global Conference on Wireless and Optical Technologies
(GCWOT), IEEE. pp. 1–4.
Liu, 2020. Deep learning approach for ids. In: Fourth International Congress on
Information and Communication Technology. Springer, pp. 471–479.
Lokshina, 2019. A qualitative evaluation of iot-driven ehealth: knowledge
management, business models and opportunities, deployment and evolution.
In: Data-centric Business and Applications. Springer, pp. 23–52.
Malhotra, 2016. Lstm-based encoder-decoder for multi-sensor anomaly detection.
arXiv preprint arXiv:1607.00148.
Möckl, 2020. Accurate and rapid background estimation in single-molecule
localization microscopy using the deep neural network bgnet. Proc. Nat. Acad.
Sci. 117, 60–67.
Moosavi, 2016. End-to-end security scheme for mobility enabled healthcare
internet of things. Future Generat. Comput. Syst. 64, 108–124.
Nakip, M., Gelenbe, E., 2021. Mirai botnet attack detection with auto-associative
dense random neural network. In: 2021 IEEE Global Communications
Conference (GLOBECOM), IEEE. pp. 01–06.
Naz, K., 2022. Predictive modeling of employee churn analysis for iot-enabled
software industry. Appl. Sci. 12, 10495.
Nedelcu, 2018. Mining medical data. In: 2018 10th International Conference on
Electronics, Computers and Artificial Intelligence (ECAI). IEEE, pp. 1–4.
Park, W.H., 2022a. Ai-enabled grouping bridgehead to secure penetration topics of
metaverse. Comput. Mater. Continua 73, 5609–5624.
Park, W.H., 2022b. An effective 3d text recurrent voting generator for metaverse.
IEEE Trans. Affective Comput.
Park, W.H., 2022c. Scarcity-aware spam detection technique for big data ecosystem.
Pattern Recogn. Lett. 157, 67–75.
Polonsky, 2010. Coronary artery calcium score and risk classification for coronary
heart disease prediction. Jama 303, 1610–1616.
Principi, 2017. Acoustic novelty detection with adversarial autoencoders. In: 2017
International Joint Conference on Neural Networks (IJCNN), IEEE. pp. 3324–
3330.
Qureshi, N.M.F., 2022. Intelligent mapreduce technique for energy harvesting
through iot devices. Energy Harvest. Wireless Sensor Networks Internet Things
259.
Rahmani, 2015. Smart e-health gateway: Bringing intelligence to internet-of-things
based ubiquitous healthcare systems. In: 2015 12th Annual IEEE Consumer
Communications and Networking Conference (CCNC), IEEE. pp. 826–834.
RM, 2020. An effective feature engineering for dnn using hybrid pca-gwo for
intrusion detection in iomt architecture. Comput. Commun. 160, 139–149.
Scribber, 2022. SMOTEENN — Version 0.9.0. URL: https://imbalanced-learn.org/
stable/references/generated/imblearn.combine.SMOTEENN.html.
Shaji, 2019. Predictionand diagnosis of heart disease patients using data mining
technique. In: 2019 International Conference on Communication and Signal
Processing (ICCSP), IEEE. pp. 0848–0852.
S.A. Wagan, J. Koo, I.F. Siddiqui et al.
Shamili, 2010. Malware detection on mobile devices using distributed machine
learning. In: 2010 20th International Conference on Pattern Recognition, IEEE.
pp. 4348–4351.
Sikarndar, 2020. Iomt-based association rule mining for the prediction of human
protein complexes. IEEE Access 8, 6226–6237.
Singh, 2019. Prediction of heart disease by clustering and classification techniques
prediction of heart disease by clustering and classification techniques. Int. J.
Comput. Sci. Eng.
Singh, 2022. Dew-cloud-based hierarchical federated learning for intrusion
detection in iomt. IEEE J. Biomed. Health Informat.
Subasi, 2021. Intrusion detection in smart healthcare using bagging ensemble
classifier. In: International Conference on Medical and Biological Engineering.
Springer, pp. 164–171.
Tran-Anh, 2022. Multi-task learning neural networks for breath sound detection
and classification in pervasive healthcare. Pervasive Mobile Comput. 86,
101685.
Wagan, S.A., 2022. Internet of medical things and trending converged technologies:
A comprehensive review on real-time applications. J. King Saud Univ.-Comput.
Informat. Sci.
144
Journal of King Saud University – Computer and Information Sciences 35 (2023) 131–144
Wang, 2020. A deep learning based medical image segmentation technique in
internet-of-medical-things domain. Future Generat. Comput. Syst. 108, 135–
144.
Wang, 2022. Anomaly prediction of ct equipment based on iomt data.
Wazid, 2019. Iomt malware detection approaches: analysis and research
challenges. IEEE Access 7, 182459–182476.
Wibowo, 2022. Pruning-based oversampling technique with smoothed bootstrap
resampling for imbalanced clinical dataset of covid-19. J. King Saud Univ.-
Comput. Informat. Sci. 34, 7830–7839.
Wu, 2015. Online steady-state detection for process control using multiple change-
point models and particle filters. IEEE Trans. Autom. Sci. Eng. 13, 688–700.
Yang, 2019. Improving the classification effectiveness of intrusion detection by
using improved conditional variational autoencoder and deep neural network.
Sensors 19, 2528.
Zhang, 2019. Deep adversarial learning in intrusion detection: A data augmentation
enhanced framework. arXiv preprint arXiv:1901.07949.