1.1. Smart Water Management in Saudi Arabia

SWM uses IoT sensors to track and enhance water consumption in communal areas and buildings, minimising inefficiency and preserving resources. Institutions, companies and households can use smart water systems to manage and control water consumption. Smart water systems have several advantages that help conserve water, reduce cost and improve water management [11]. SWM enhances the understanding of water systems, including identifying defects, conservation and water administration. Water supply and sanitation in Saudi Arabia are characterised by challenges and successes. The water scarcity is a significant concern in this area. Substantial investments have been made in water desalination, water distribution, sewerage and wastewater treatment to mitigate water scarcity. Currently, desalination constitutes approximately 50% of the nation’s drinkable water supply, groundwater extraction contributes 40% and surface water resources in the southwestern mountain region contribute 10% [12]. Freshwater resources in Saudi Arabia are severely constrained, and the capacity of water desalination facilities needs to be increased to meet the substantial demand. Furthermore, in Saudi Arabia, every household relies on its underground reservoirs to store water until the National Water Company distributes water throughout the local area [13]. One of the primary objectives of this research is to mitigate water scarcity by implementing a comprehensive monitoring system for each tank in an urban area. This system utilises a sensor feedback to effectively direct water flow to specific locations in need.

This research focuses on developing and validating an efficient IDS model called TabNet-SFO, which was specifically designed for SWM within SC applications in Saudi Arabia. Leveraging advanced deep learning (DL) techniques, particularly the TabNet architecture, optimised using the SFO. The primary focus is achieving superior performance in detecting and mitigating cyber threats. This is demonstrated by comprehensively evaluating both the simulated and real-time datasets. Finally, this research aims to contribute to the advancement of intrusion detection technology for SC environments, thereby facilitating the sustainable management of critical water resources in SC.

1.2. Problem Statement and Contributions

The remaining parts of this work are structured as the following section presents an analysis of the literature review. The third section presents the implementation of the proposed research model TabNet-SFO. This includes the presentation of the dataset, the data preprocessing techniques employed and the TabNet-SFO-based classification approach. The fourth section analyses the performance of the research model. This analysis will be conducted by comparing it with several existing IDS models. Finally, the conclusion of the research will be presented along with suggestions for further research directions.

2.1. Research Gap Analysis

The reviewed existing works show that research into intrusion detection for SC applications has primarily focused on employing various ML and DL techniques. However, despite the diversity of techniques, several research gaps have emerged. First, although many studies have proposed advanced models for IDS, there is a lack of consensus on the most effective techniques for integrating these models into practical SC applications. In addition, most studies have focused on detecting anomalies within the digital domain, such as network traffic or sensor data, neglecting potential physical threats like DoS and DDoS attacks, on SC infrastructure. Furthermore, there is a notable gap in research addressing the scalability and real-time processing requirements of IDSs for large-scale SC deployments. Lastly, there is limited exploration of interdisciplinary approaches, integrating domain-specific water management knowledge with advanced data analytics techniques. Addressing these gaps is crucial for developing a robust and comprehensive IDS model specifically for SWM in an SC environment.

3.1. CIC-DDoS-2019 Dataset

In this study, the CIC-DDoS-2019 dataset was used to train the proposed IDS model. This dataset has been extensively used to detect and classify DDoS attacks. The Canadian Institution for Cybersecurity (CIC) generated this dataset [31]. The dataset comprises benign and up-to-date DDoS attacks that simulate real-world data. The APL has witnessed the implementation of several new attacks using TCP/UDP-based protocols. A novel taxonomy is also presented in Figure 4, which distinguishes between exploitation and reflection-based attacks.

Data were collected on two separate days for training and testing. The training dataset was acquired on January 12, 2019 and included 12 distinct types of DDoS attacks, with each attack type stored in a distinct PCAP file. The features retrieved from the dataset were obtained using the CICFlowMeter tool. Every record in the collection has 88 statistical attributes, such as IP addresses of source and destination, timestamp, port numbers of source and destination, attack protocol and label indicating the type of DDoS attack. The training dataset comprises a comprehensive collection of 12 distinct DDoS attacks: DNS, NTP, NetBIOS, MSSQL, SSDP, SNMP, LDAP, UDP-Lag, UDP, SYN, TFTP and WebDDoS attacks. In contrast, the testing datasets exclusively encompasses seven DDoS attacks: NetBIOS, PortScan, LDAP, UDP, UDP-Lag, MSSQL and SYN. The public can access the dataset on the CIC website in both PCAP files and flow formats. Table 2 shows the distribution of data in the dataset [32].

3.2. Data Preprocessing

This study highlights a binary classification issue for intrusion classification, where all observations are classified as either an attack or normal class. Data preprocessing involves many activities, such as eliminating unnecessary features, data cleaning, label encoding and normalisation. The original dataset contains 88 features. The noncontributing features for detecting DDoS attacks were eliminated. The features in this compilation include unnamed, destination IP, Flow ID, Flow Packets, Destination Port, Source IP, Flow Bytes, Source Port, Timestamp and Similar HTTPs. After removing these 10 attributes, 78 attributes were acquired for this study. Additionally, values that included not a number (NaN) and blanks were eliminated, and values representing infinity were assigned a value of 0. Label encoding utilises one-hot encoding to transform category labels into numerical representations. In addition, binary labels of 1 and 0 were employed to indicate whether the given data indicate a DDoS attack or not [33].

In this context, X_i represents the normalised numeric values within the range of [0-1], while min and max represent the lowest and maximum values derived from all data points, respectively.

3.3. TabNet Architecture

The TabNet model is a singular DL architecture that relies on the sequential multistep processing. This unique DL architecture facilitates FS and enhances the ability to acquire knowledge about features with many dimensions. TabNet outperforms decision trees (DTs) by leveraging its advantages through meticulous design. It achieves this through the following methods: (i) employing sparse instance-wise FS acquired from data; (ii) construct a sequential multistep architecture, where each step influences an aspect of the decisions based on the chosen attributes; (iii) enhance learning capability through nonlinear process of the chosen attributes; and (iv) emulate resembling through higher dimensions and more steps [20].

3.3.1. TabNet Encoder

The encoder architecture shown in Figure 5 comprises an attentive transformer (AT), feature transformer (FT), and feature masking at all decision steps in the TabNet encoder. Tabular data encompass both categorical and quantitative information. In TabNet, raw integer records are used, and a trainable embedding is employed to transform category characteristics into integer features. All decision steps receive the identical B × D attribute matrix, where B represents the batch sizes, and D represents the feature dimension. The encoding of TabNet relies on the execution of several decision processes. The features of all decision steps were established based on the outcomes of the preceding decision steps via AT. The generated feature representation is output and included in the broader decision-making process [35].

3.3.2. FS

The Mask module of each decision step is responsible for performing FS. The decision step’s AT is responsible for selecting the function to be applied. The AT achieves the FS of the present decision steps by acquiring the mask, as shown in Figure 6. The FS process can be elucidated as follows.

The tensor is output by the FT in the preceding decision step and transmitted to the Split unit. Initially, the Split unit divides the tensor and produces a[i − 1]. The function a[i − 1] traverses the layer h_i, which is a combination of fully connected (FC) and batch normalisation (BN) layers. The primary function of layer h_i was to facilitate the linear integration of data, thereby enabling the extraction of abstract and higher-dimensional characteristics. In the h_i layer, the output is multi-multiplied by the prior scale p[i − 1] from the preceding decision steps. The p[i − 1] denotes the use of characteristics in the preceding decision step. The weight of the present decision steps decreases as the number of characteristics used in the prior decision step increases.

Then, M[i] is then created using the Sparsemax (SMax). The mask learning procedure is represented by equation (3)

$$ ()

SMax promotes sparsity by applying the Euclidean prediction to the probability-based simplex, enhancing FS’s sparsity. In the SMax context, it is possible to express $$; here, D is the feature dimension. The SMax algorithm applies a weight distribution to every feature, j, of each sample, b. Then, it calculates the total weights of each feature in every sample, which is equal to 1. This approach allows TabNet to select the most advantageous features for the model at all decision steps. TabNet employs sparse regular terms to regulate the sparsity of selected features

$$ ()

The sparsity of the FS improved the inductive bias for convergence to more accurate results when most features in the dataset were unnecessary. Equation (5) is employed by M[i] to update p[i]

$$ ()

When γ is equal to 1, each feature is limited to a single occurrence in a decision step. This decision phase’s FS involves the multiplication of M[i] and the feature elements. Subsequently, the selected features are sent to the FT of the current decision steps, initiating the subsequent decision step loop.

3.3.3. Processing Features

After filtering by the Mask, the features are transmitted to the Fourier transform layer for further feature processing. The split module partitions the processed features into two distinct components. One component is used as the outcome for the present decision steps, while the rest is the input data for subsequent decision steps. Equation (6) represents the process:

$$ ()

The FT layer consists of three main components: the FC, BN and gated linear unit (GLU) layers. Figure 7 shows the FT architecture.

The FT layer comprises two distinct components. The initial portion parameters of the layers were distributed, indicating that they underwent joint training across all iterations. In contrast, the latter portion is not shared and undergoes independent training during each iteration. In each iteration, the input comprises identical features, which allows us to utilise a shared layer for the common feature computation component. Subsequently, distinct layers can be employed to handle the attribute components of all steps. The proposed architecture can enhance the learning capabilities of the model and increase its capacity. The residual connection is employed and multiplied by 0.5 in the layer to ensure the network stability [35].

3.3.4. Decoder Architecture

The encoded form shown in Figure 8 represents the summation of the encoder’s vectors, excluding the FC layer. The decoder used the encrypted description as its input. The decoding process employs FT layers to transform the representation vectors into features. The reconstructed features were generated after incorporating many procedures. TabNet was employed in this study, along with pre-training of self-supervised. The self-supervised learning approach masks some aspects of the same sample and then utilises an encoding–decoding model to anticipate the masked features. When trained using this approach, the encoder model can accurately represent the characteristics of a sample, accelerate its convergence and improve its overall performance [36].

3.4. Hyperparameter Tuning and Optimisation of TabNet Using SFO

The proposed SFO algorithm was used to improve the hyperparameter tuning performance of TabNet. The SFO is a metaheuristic approach that operates on a population basis. The SFO emulates the hunting behaviour of sailfish, where they engage in alternating attacks on schooling sardine prey. SFO utilises two distinct groups of predator and prey populations to replicate the group hunting behaviour. Additionally, the approach under consideration employs the strategy of alternating attacks to undermine the shared protection mechanisms of the prey groups. Furthermore, the prey’s movements could be modified throughout the search space, enabling the hunters to capture suitable prey and enhance their fitness compared to previous encounters. The proposed method operates under the assumption that the sailfish represent potential solutions, and the problem variables correspond to the sailfish’s positions inside the search space. Consequently, the population inside the solution space is produced randomly. The sailfish can navigate their location vectors in several spatial dimensions, including one, two, three, or hyper-dimensional spaces [37].

Population initialisation: The populations of sardines and sailfish were initiated using a random process. The random location for each sailfish was denoted as $$, whereas the random location for each sardine was represented as $$. In this context, X ∈ {Sailfish}, y ∈ {Sailfish} and q ∈ {Iteration value}. One potential option for the qth iterations is to consider the spatial distribution of sailfishes $$ or sardines $$.

Elitism evaluation: Based on the fitness function (FF), the determination of the location for all the most recent populations, denoted as Fn, is based on the actions of all quest agents, namely, the sardine or sail. Sardine that has sustained an injury is classified as $$, inj ∈ {Sardineset}, such as $$, ∀q, which is considered the most efficient sardine within the sardine population. In addition, in the context of the impedance paradox $$, ∀q, the sailfish population sustains elite sailfish with reduced fitness, which is referred to as $$, elit ∈ {Sailfish set}.

Equation (9) represents the quantity of sardines as NM_sard and the quantity of sailfish as NM_sail. The number of primary sardines exceeded that of sailfish. It is anticipated to be NM_sard = 3 × NM_sail. The λ_q fluctuation value is of significant importance in the model because it is crucial to adaptively modify their location by increasing the λ_q fluctuation value [38].

Here, MS represents the count of misclassified samples, and TS represents the total number of samples. The SFO approach not only aims to optimise the accuracy of TabNet by developing an FF but also establishes a positive integer to indicate the improved efficiency of potential solutions. Here, an FF represents a decrease in the classification error rate. Table 3 shows the hyperparameter details of TabNet and SFO (see Algorithm 1).

4.1. Experimental Setup

This section presents a comprehensive experimental analysis of the proposed TabNet-SFO model regarding intrusion detection in SWM in SC applications. The research model TabNet was developed using the Keras API. The Keras library is an open-source software tool that provides a Python-based interface for implementing artificial neural networks. The Keras framework serves as an intermediary for the TensorFlow library. The experiment was conducted on a machine equipped with an 11th Generation Intel Core i7 @ 3.00 and 1.80 GHz processor with 12 GB RAM. The research model was evaluated based on accuracy, recall, specificity, precision and the F1 score. The dataset was split into testing and training sets. The training set was used to train and fine-tune the model’s hyperparameters, and the test set was used to evaluate the performance of the research model.

4.2. Performance Metrics

Both the collected real-time and the existing dataset’s data were used to evaluate the performance of the proposed TabNet-SFO model. The dataset was divided into a 70:30 ratio for evaluation, where 70% was used to train the research model and the remaining 30% was used to test the model. The TabNet model selected significant features in the dataset that enhanced the performance of the research model. The CIC-DDoS dataset contains 88 features, where the features selected from the dataset using TabNet comprise 10 features, as shown in Figure 9. The following sections present a performance analysis of the TabNet-SFO model and a comparison with existing models discussed in the literature review.

4.3. Performance Evaluation

This section presents an analysis of the performance results obtained using the proposed TabNet-SFO model based on the CIC dataset and real-time data collected using a smart water metre. The model was evaluated on training and test sets in terms of accuracy, recall, specificity, precision and f1 score. The obtained performances were compared to those of the other models for research validation.

Table 4 presents the results obtained using the CIC-DDoS dataset. The training and test sets were both applied for performance evaluation. The research model obtained an accuracy of 99.28% in training and 98.90% in testing. Both of these performances are nearly close, with a slight difference of 0.38%.

The recall or detection rate is a key parameter of the intrusion detection model, where the research model has a recall value of 99.10% in training and 98.85% in testing, which represents a difference of 0.25%. The specificity of the research model was 99.16% in training and 98.82% in testing.

The precision rate of the TabNet-SFO model was 99.25% in training and 98.80% in testing. The research model obtained an F1 score of 99.07% in training and 98.78% in testing. Based on these results, we found that the research model TabNet-SFO is better at detecting attacks while generating the minimum number of false positives. Figure 10 shows a graphical plot of the TabNet-SFO model performance on the CIC-DDoS dataset. Table 5 presents the results of the proposed TabNet-SFO model evaluated on real-time data gathered using a smart water metre implemented for the SWM system. The proposed model used the gathered data to test the TabNet-SFO model, which extracted important features that characterise system activity and help detect intrusions. The comprehensive analysis of real-time data improves the model’s efficiency in promptly detecting and responding to security threats in an SWM system. The research model TabNet-SFO obtained a 99.40% accuracy in training and a 99.21% accuracy in testing, which demonstrates a similar accuracy result. The recall performance of the research model was 99.23% in training and 99.02% in testing.

The research model had a specificity rate of 99.14% in training data and 99.10% in test data. The precision rates of the proposed TabNet-SFO model were 99.38% in training and 99.05% in test evaluation. The model obtained an f1 score of 99.25% in training and 99.18% in testing. The performance of the research model obtained greater than 99% for all evaluation parameters; thus, the TabNet-SFO model is effective in attack detection. Figure 11 shows a graphical plot of TabNet-SFO’s findings with real data.

The performance analysis results of the proposed TabNet-SFO and existing models are compared in Table 6. All the current models were either employed to detect DDoS attacks or evaluated using the CIC-DDoS dataset. Compared to the performance obtained from the research model using this dataset, the TabNet-SFO model outperformed all existing models in terms of accuracy by 98.90%. This indicates that the research model has attained 0.3%–2% improved accuracy compared to the current models. The LightGBM model obtained the second-best accuracy score of 98.60%, and the lowest score was 96.91% for MDLIDS-SSE. The detection rate/recall of the research model was 98.85%, which is 0.03%–0.9% higher than that of the compared models.

In this recall comparison, compared to the TabNet-SFO model, the IDCPRO-DLM method demonstrated a very close range of 98.82%. The precision score of the research model was 98.80%, ranging from 0.16% to 1.8%, which is better than the current methodologies. The specificity rate of TabNet-SFO was 98.82%, which was 0.08%–0.56% higher than the other models compared to the two models. Most current models use only four metrics: accuracy, F1 score, recall and precision, for performance analysis. The specificity parameter is not often used in many research works. The f1 score of the TabNet-SFO model was 98.78%, which represents a 0.19%–2.53% improvement over the current model.

By comparing the TabNet-SFO dataset performance with the real-time data performance, the results obtained on real-time data demonstrate better output scores than those obtained on the CIC-DDoS dataset. Figure 12 presents the result comparison analysis of the research model with the current models. Overall, the proposed TabNet-SFO model outperformed all existing models in terms of all performance metrics and validated its efficiency in attack detection.

Table 7 presents the time taken to execute the process of detecting attacks by the models. As can be seen, the proposed research model consumed the minimum amount of time to process the data, outperforming all the compared models. Figure 13 shows a graphical plot of the time consumption comparison. The proposed TabNet model is a DL methodology with a compact architecture comparatively related to the other DL models such as CNN, LSTM and DNN. This model typically results in reduced memory consumption in both training and evaluation. Efficient preprocessing and FS processes help the developed model reduce memory usage.

4.4. Pros and Cons of the Proposed Model

The proposed TabNet-SFO model offers several advantages relative to intrusion detection in SWM for SC applications. First, the model’s ability to identify significant features in complex datasets is enhanced by using the TabNet architecture combined with the SFO. This, in turn, improves detection accuracy and reliability. The model’s performance in real-time data collected from smart water metres is demonstrated by its adaptability and effectiveness in dynamic environments. These qualities are crucial for ensuring the security and integrity of SC water infrastructure. By outperforming existing models across multiple performance metrics, the TabNet-SFO model was demonstrated to adapt to IDSs in SC applications. This suggests that it offers robust and efficient solutions for securing critical water resources.

The effectiveness of the TabNet-SFO model depends on several factors, including data availability, quality and the specific characteristics of the SWM system. The computational complexity of training and optimising the model is also recognised as a potential challenge, particularly in resource-constrained environments or large datasets. Further validation across diverse SC contexts is required to ensure the model’s generalisability beyond the analysed scenarios. However, the TabNet-SFO model represents a significant advancement in intrusion detection for SWM, and it offers a promising approach to enhance the security and resilience of SC water infrastructure in the context of an SC environment.