Detection of Middlebox-Based Attacks in Healthcare Internet of Things Using Multiple Machine Learning Models

The huge number of network traffic data, the abundance of available network features, and the diversity of cyber-attack patterns mean that intrusion detection remains difficult even though many earlier efforts have succeeded in building the Internet of Healthcare Things (IoHT). The implementation of an effective algorithm to filter out most of the probable outliers of Round Trip Time (RTT) of packets recorded in the Internet environment is urgently required. Congestion and interference in networks can arise when numerous biosensors in an IoHT system all attempt to communicate at once. Internet of Health Things networks are susceptible to both intra- and internetwork interference. In this research, the Server-Side Includes (SSI) attack is a key issue because it allows for network compromise as part of Internal Attacks. Despite recent advancements, SSI detection remains difficult due to the vast amounts of network traffic data, the abundance of network features, and the diversity of cyber-attack patterns (DDoS, DoS, Satan, spoofing, etc.). With the help of sensors, physiological data may be collected and sent to distant servers, where they can be analyzed in real time by doctors to help them catch diseases in their earliest stages. This is made possible by the Internet of medical things (IoMT). Wireless data transfer, however, leaves it vulnerable to hackers, especially if the data being transferred are particularly private or sensitive. Security measures designed for devices with more storage space and processing power will not work on those with less. However, machine learning for intrusion detection can give a tailored security response to the needs of IoMT systems. For SSI detection, current methods are either inefficient because of the large number of packets that need to be caught and analyzed or unsuccessful because of outlier values in the RTTs obtained from the captured TCP packets. To the same end, “downstream detection” refers to the process of calculating the total length of all connections made after a certain point. As a means of improving the SSI detection algorithm's throughput in a network environment, packet RTT outliers will be eliminated. Flow records are used as inputs by flow-based NIDS to determine whether or not a given flow is malicious. In order to detect middlebox-based attacks from two Medical Health IoT datasets, this paper proposes a unique architecture of explainable neural networks (XNN). The model's accuracy in classifying attacks in dataset 1 of the IoHT is 99.7%t, besides achieving 99.4% accuracy in categorising attacks on IoHT dataset 2.


Introduction
As IoT technologies continue to advance rapidly, attack methods are getting increasingly sophisticated in their ability to penetrate systems and elude generic signature-based defenses [1]. Machine learning techniques may be a viable option for resolving such complicated and tough problems due to their capacity to quickly adapt to new and unexpected conditions. In computer and information security, various machine learning techniques have been used successfully [2]. New methods to detect and prevent attack trafc from IoT botnets are being developed in response to this expanding risk. It has been shown that machine learning (ML) can be useful for spotting malicious Internet trafc [3]; thanks to recent studies focusing on anomaly detection. Still, there has not been much work done to develop ML models with features tailored to IoT attack trafc or IoT device networks. However, the trafc from IoT devices is typically diferent from that of other Internet-connected devices (such as laptops and smart phones) [4]. IoT devices, for instance, often only interact with a limited number of endpoints, as opposed to a wide range of web servers.
Also, because of the increased frequency with which IoT devices communicate, network trafc from these gadgets is more likely to exhibit predictable patterns, such as the transmission of brief packets at regular intervals.
Although many previous works have successfully developed Internet of Healthcare [5], intrusion detection is still challenging due to the high volume of network trafc data, numerous available network features, and various cyberattack patterns [6]. Despite this, there have been many previous works that have made some progress. Implementing an efective algorithm that can get rid of the majority of the probable outliers in the round-trip times of packets collected in an Internet environment is an urgent necessity at this point [7]. As a result of the simultaneous communication of a great number of biosensors, there is a potential for network congestion and interference in IoHT. Inter-and intranetwork interference are the two types of network interference that occur most frequently in the Internet of Tings (IoT) [3].
As a part of an Internet of Tings (IoT) solution, machine learning refers to the ability of an intelligent device to change or automate a knowledge-based state or behaviour. ML algorithms are utilised in tasks like regression and classifcation because they can infer useful knowledge from data supplied by devices or humans [4]. ML can also be utilised to deliver security services in an IoT network. Employing machine learning in cybersecurity applications is becoming increasingly common, and this trend is expected to continue shortly [8][9][10][11]. Many studies have employed ML algorithms to determine the best ways to detect attacks; however, research on efcient detection methods suitable for IoT environments is still restricted in number.
Te contributions of this study are as follows: (a) Using a recent IoHT dataset, this paper evaluates the performance of various machine learning methods for detecting middlebox attacks in IoT networks. (b) Improving the performance of the machine learning algorithm by extracting new features from the dataset and selecting the most applicable features. (c) In light of the lack of research on the Bot-IoT dataset, this research can be regarded a potentially major contribution.

Related Work
Since there is no foolproof method of stopping these attacks, researchers have tried a variety of methods. Te nature and severity of attacks are constantly evolving, necessitating the use of novel methods to counter them [12][13][14][15]. Standard network analysis approaches are insufcient to ensure the security of network resources, and some researchers have turned to machine learning to learn the various models for attack detection. Te NIDS only checks inbound and outbound trafc and does not inspect internal trafc [15][16][17]. To solve this problem, an intrusion detection and prevention system must be widely deployed across the network. Tere has been some development in the design of IDSs, but despite this, intrusion detection remains a difcult challenge [6,18] [19] due to the vast volume of network trafc, the variety of network features available, and the plethora of attacking patterns. It is obvious that false-negative mistakes could happen when using network-based detection algorithms. In order to ascertain the length of the upstream connection, a technique known as "upstream detection" must frst be performed. Similar to upstream detection, downstream detection identifes how many links are next in a chain. Because the intruder's host sends Send and Echo packets independently of one another, upstream detection is more difcult and complex [20][21][22]. Te identifcation of an attacker's Echo packets has no relation to the detection of the attacker's Send packets from the upstream connection. Tis makes it harder to determine the duration of an upstream link, a persistent problem in SSI detection. If there are no other hosts in the way, the distance between a sensor machine and a target host is essentially the same. It is impossible to detect hostile incursions at this time due to the false-negative errors inherent in network-based detection approaches. If every link in the chain is at least one unit in length and every link is at least two units in length, then the minimum length of the connecting chain is three.
Due to the presence of two downstream connections, it may be concluded that the target host is now under assault and that the session is being manipulated by the attackers. Tis was the only criterion for the vast majority of networkbased detection strategies. Most current network-based detection approaches simply ignore connection chains that are too long to be identifed. Conversely, existing networkbased SSI detection algorithms are either inefective or inefcient in the Internet context due to the presence of outlier values in the RTTs produced from intercepted TCP packets.
Intercepted packets will always have RTTs with abnormally high or low values due to the vast variety caused by the intermediary routers in the Internet environment. At frst, the authors of this study provide a workable algorithm for removing most of the troublesome RTTs from Internet packets. Te authors then employ an improved version of machine learning methods and network trafc mining to develop a reliable SSI detection method. Teir proposed SSI detection system for the Internet is said to be precise, effcient, and efective. [23][24][25][26]. Flow-based network intrusion detection systems (NIDSs) [27][28][29] use fow records as an input to determine if a given fow is benign or malicious.
Recently, research has proposed using machine learning (ML) and deep learning (DL) techniques to improve fowbased NIDSs. Positive results have been observed due to the high detection rates achieved by these methods (DRs). It is the author's understanding that the majority of existing solutions rely on the assumption that fow records are derived from a subset of the stream's packets rather than the entire stream itself. For this reason, we have no way of knowing how efectively current ML/DL-based techniques will function in practise. Using a real-world scenario, we examine the impact of sampling, outlier elimination, and packet fow on ML-based NIDS (i.e., when sampling is inevitable).

2
Computational Intelligence and Neuroscience In order to enhance the Internet system's discriminative capacity and classifcation performance, the new Deep SDOSVM variant takes into account subclasses within the target class, which is the regular class. Te suggested deep SDOSVM method utilises a Dynamic Autoencoder Model (DynAE) for subclasses formation to address limitations in traditional clustering techniques and improve classifcation performance [30]. It was put through its paces against other state-of-the-art one-class classifers by being applied to the TON IoT dataset in the real world. Experiments showed the proposed method to be superior to existing related oneclass classifers when applied to network intrusion detection.
A wealth of healthcare records contains information crucial to the continuation of the human race. Te analysis of healthcare data is crucial because of the huge potential it has to save lives and improve people's quality of life. Te Internet of Tings has had a profound impact on modern health care systems and administration (IoT). Te IoT is the most promising area for healthcare innovation. Tis lecture will concentrate on the use of healthcare analytics for the prevention of cardiovascular disease. Recognizing outliers is an essential element of healthcare analytics. Te detection of aberrant events in high noise environments helps reduce false-negative alarms (low signal-to-noise ratio). In this example, we will show how smartphone-based cardiac abnormality detection can be used to illustrate the promise of cellphones as a platform for accessible, low-cost m-health [31].
Internet of Medical Tings (IoMT) devices, both wearable and nonwearable, are being utilised to improve the accuracy of diagnosis and the speed with which patients can begin receiving treatment for a wide range of conditions. As IoMT devices become more widespread, cybercriminals and other bad actors present a greater risk to human life through actions like data breaches, theft of personally identifable information, and compromised medical equipment. Dataheavy IoMT devices can keep tabs on your personal and social life, as well as your regular health. Anomalies in this setting may occur as a result of unexpected human behaviour, a faulty sensor, or malicious/compromised device data [32]. Protecting the smart health care infrastructure with a framework that can identify and lessen the impact of abnormalities is essential for addressing this problem. In this research, we introduce an anomaly detection model for RPM that makes use of IoMT and conventional smart home technologies. Te authors introduced a hidden Markov model (HMM) based anomaly detection system that analyses regular user behaviour in the context of the RPM, which comprises both smart home and smart health devices. Tey used information gathered from a variety of IoMT gadgets and home sensors, including information about user networks and behaviour. An anomaly detection approach based on hidden Markov models was devised, and it achieved a 98.6 percent success rate when applied to RPM data.
Te Internet of Tings (IoT) and its potential applications in healthcare systems are a topic of intense interest to academics. Tanks to IoT innovations, healthcare facilities and patient records may now be tracked and managed in real time. Corporations are creating IoT-based devices with limited data analysis capabilities to compete with one another. In this research, a healthcare system based on the Internet of Tings and utilising biomedical sensors was built. Tis investigation also explores cloud data from biomedical sensors [12] using signal analysis methods for anomaly identifcation.
In order to keep tabs on patient health and the facility's environment while simultaneously keeping an eye out for network intrusion, an IoT anomaly detection system (ADS) is proposed [33] for usage in smart hospital IoT systems. Having a centralised solution that can track and report on both network performance and EHRs is a huge time saver. Tus, improved choices regarding patient treatment and environmental adaptations may be possible. When data are processed locally, like at the edge, latency is kept to a minimum. Te suggested ADS is developed and evaluated with the help of the Contiki Cooja simulator, and the detection of e-health events is based on a study of realistic data sets. Te outcomes show a high degree of detection accuracy for both e-health events and IoT network breaches.
Te healthcare industry is rapidly adopting IoT solutions to improve efciency, lower costs, and provide better care to patients. Common components of IoT systems include edge devices such as glucose monitors, ventilators, and pacemakers, gateway devices that aggregate data from the edge devices, and cloud-based systems that analyse the device data to draw conclusions, display information, or direct the connected devices to take action. If this strategy leads to misunderstandings, patient concerns, and treatments may be delayed. Te study's [34] focus is on how to leverage Internet of Tings (IoT) technology to eliminate these holdups and give patients access to urgent care right away. Wearable device data for patients' health can be monitored and processed using an IoT cloud platform and a model. With the goal of detecting anomalies in patient health data, an ofine machine learning model will be constructed and deployed on IoT devices or IoT gateways. Real-time health data will be evaluated locally on the device, with outliers sent to the cloud for further investigation and action.
Te medical feld's use of the Internet of Tings has had a profound impact on patients' lives. Hackers can take over a device and use it to steal information, such as personal health records, or to provide unauthorised access to services. As a result of these limitations, IoT security has been seriously degraded, putting at risk the management of essential infrastructure services. In order to tackle these issues, an anomaly detection of illegal behavior (DIB) system developed for medical IoT contexts is proposed and examined in [10]. Te DIB system can learn the rules of operation by analysing data packets from medical IoT devices and it can notify administrators when a device is in an abnormal operating state. Tey also provided a model using rough set (RS) theory and fuzzy core vector machine to improve DIB anomaly categorization (FCVM). It has been demonstrated that the R-FCVM works well in the lab.

Computational Intelligence and Neuroscience
In reference [35], the authors suggest a method that can help healthcare aides in assisted living facilities (ALFs) for people with physical or cognitive handicap carry out their daily responsibilities. Tis solution bundles together wearable and mobile technologies to improve the quality of support requests and anomaly identifcation. With the use of this healthcare infrastructure, caregivers can be alerted to any potentially dangerous situations that may arise when residents are out of sight. Plus, no matter where they are in the building, occupants always have access to an emergency call system. Tere were two types of testing conducted on the system.
With the proliferation of IoT networks in recent years, malicious intrusions attempting to disrupt services and gain access to sensitive patient data have become increasingly widespread. Tis study demonstrates one approach to improve the safety of networks for medical cyber-physical systems (MCPS) by proposing the creation of new aggregation tiers. Two adversarial neural network (GAN) models trained on the MCPS dataset are provided [36]. Following extensive investigation, scientists concluded that the models developed in the Federated system were superior to those taught in traditional systems when it came to identifying possible security vulnerabilities in a network.
Te growing implementation of IoT technology throughout the healthcare industry has led to the development of HealthCare 4.0. In this model, patients' health statuses can be tracked in real-time by RHM software. However, RHM applications frequently experience false alarms. Te extreme sensitivity of the monitoring technology, along with genuine variations in the reported vital signs that are unrelated to any impending danger to the patient's health or wellbeing, all contribute to this anomaly. In order to distinguish genuine emergencies from other scenarios, the research presented here [37] employs a wireless body sensor network as its network infrastructure and derives a risk prediction from each piece of sampled data. Te experimental results showed an average accuracy and detection rate of 93% and 87.2%, respectively, and the energy consumption profle of the suggested system was found to be compliant with WBSN parameters.
Te IoT has given us more leeway in many areas of our lives, such as when dealing with unexpected situations, travelling, managing a building, or receiving medical care. Our study, dubbed wireless body area network (WBAN) [38], focuses on the use of tiny medical sensors. Body-worn sensors like this can record and relay a wide variety of health data. Te wireless network makes these apps particularly susceptible to a wide variety of external attacks and anomalies, therefore protecting them is of paramount importance. Jamming attacks can disrupt communication between medical sensors in a WBAN system. Tis study proposed a novel intrusion detection system (IDS) based on network measurements [39] to distinguish between false alarms caused by jamming conditions and normal state. Our suggested method identifes three types of jamming to lessen false positives and increase detection rates. Tis IDS method is then simulated using the Castalia platform, which is based on the OMNET++ emulator.
Internet of Tings (IoT) advancements in healthcare hold great promise for improving the sector's technological, social, and economic future and thereby ensuring a healthy future for all. Tanks to wireless connectivity between devices in the medical feld and the Internet, patients can monitor their health status from afar [40][41][42][43][44][45][46]. Real-time patient monitoring, enhanced diagnostic precision, and more efcient treatment are all made feasible by the IoMT. Te obvious benefts of these devices should not obscure the fact that they also pose serious privacy and security concerns. Attacks on Internet-connected medical devices could cause major injury or even death to victims. In paper [7], author created a game-changing mobile agent-based intrusion detection system to safeguard the medical device network. It is hierarchical, self-sufcient, and makes use of machine learning and regression algorithms to identify network-level intrusions and anomalies in sensor data. Subsets of IoMT are subjected to extensive testing, such as wireless body area networks and other related medical devices [47][48][49][50][51][52][53]. Trough simulations, this research demonstrates the potential for achieving high detection accuracy with little resource use.
In recent years, the healthcare business has witnessed dramatic shifts because of the proliferation of IoT devices and the introduction of IoMT technology. Te goal of this adjustment is to enhance the comfort of our patients. IoMT networks are vulnerable in a variety of ways because of their heterogeneity and limited resources. Because of their unique characteristics, IoMT networks require novel security approaches, such as highly accurate and efcient anomalybased intrusion detection systems (AIDSs), to reach their full commercial potential. Anomaly-based intrusion detection (AIDS) was proposed by [39] as a viable security measure for IoMT networks. It is planned to use a combination of hostand network-based technologies to collect logs from IoMT devices and gateways, as well as data from the edge of the network. Despite the computational burden, the proposed AIDS uses machine learning (ML) techniques to spot outliers in the data and, in turn, malicious incidents in the IoMT network. Table 1 shows the comparative analysis of previous state of art algorithm.

Proposed Model
Dataset description, data processing, data cleansing, data preprocessing, feature engineering, model construction with deep learning methods, model performance evaluation, and evaluation of model accuracy are all covered here. Te procedure for this study is shown graphically in Figure 1. Figure 1 illustrates that the CSV fle was provided by IoHT DATASET 1 and IoHT DATASET 2. Te preprocessing of the data made use of data balance and handling outliers. Cross-validation has been used to ensure the validity of the results. An XNN (explainable neural network) was designed to classify data. Tis model uses a combination of multilayer perceptron and artifcial neural network parameters. In-depth explanations are provided for each of the components. Datasets include generic, shell code and DOS accomplishments as well as snooping and backdoor achievements. An average of 3500 occurrences per year was found to be within the normal range. Figure 3 shows repartition of attack types.
Using Kaggle, these data were gathered (an online data source). Unrelated variables and a single related variable are included in the dataset (Outcome).
IoHT DATASET 2 is the second dataset we have used in this project. IoHT DATASET 2 dataset concerns have been addressed by the IoHT DATASET 2 data collection.   [21]. Training and test sets for IoHT DATASET 2 have enough data. Due to this beneft, studies can be conducted on the complete dataset without the need to randomly select a small portion of the population. Researchers will be able to compare the fndings of various investigations as a result of this. Figure 4 shows IoHT DATASET 2 Visualization. Table 2 shows the sample distribution.

Raw Data Processing.
Te unprocessed data were obtained. In the end, a number of methods were used to remove duplicates and null values, among them.
In data mining, this technique is used to turn raw data into a format that can be interpreted. However, in some circumstances, there are discrepancies and/or gaps in the realworld data. Preprocessing procedures include the following:

Data Balancing.
Skewed classifcation is a hindrance to predictive modelling. In most categorization machine learning approaches, each class has the same number of instances. As a result, models from underrepresented groups are underrepresented. When you consider that minorities are more likely to be misclassifed than the dominant group, this raises a warning fag. As a result, the study's dataset has been tidied up by eliminating any outliers. Tese studies have had a considerable impact on the way resampling is done. Under sampling by collecting records from each cluster, for example, can help in conserving information. More varied synthetic samples can be created through over sampling, rather than exact duplicates of minority class data.

Removing of Outliers.
We require a well-rounded and homogeneous dataset for doing data mining research. "Outliers" can be found in a dataset. Outliers are values in a dataset that stand out from the norm. A human error, a misreading, or the use of malfunctioning equipment could result in outliers in the data. Before undertaking any statistical analysis or research, it must be removed from the data. Incomplete or erroneous conclusions from data outlines can have an impact on future processing.
When the boxplot data exceed a certain range, the IQR technique is used to eliminate outliers. Te interquartile range measures the diference between the upper and lower quartiles (IQR). In order to discover outliers in the data, this study makes use of statistical methods like IQR, Z-Score, and Data Smoothing. Te IQR is calculated by taking the 25th and 75th percentiles from a data set and summing them together. (1)

Feature Engineering.
Tis is the process of using data from a certain domain to develop functions that may be used by learning machines. It is the process of taking raw data and transforming it into representations suitable for deep learning.

K Means
Clustering. It is our goal to make k-means clustering and its variants more understandable by developing a new method for calculating the importance of features. Supervised machine learning makes signifcant use of the concept of feature importance to make even the most complex models easy to understand. K-Means uses the Euclidean distance metric to account for the difculties of scaling. Principal component analysis relies heavily on the ability to scale (PCA). Due of the signifcant variance of

One Hot Encoding.
Categorical data variables can be converted to machine and deep learning algorithms via a hot encoding procedure, which increases the accuracy of a model's predictions. Machine learning is prevented from thinking that larger numbers are more signifcant by using one-hot coding. Tis does not imply, however, that 8, despite being larger, is of greater importance. No matter how important "laughing" is, it is not more important than "laughing".

Proposed Classifcation Algorithms.
Neural networks should take the role of machine learning models since they are more efcient (XNNs). With these features and nonlinear modifcations learned by the network, anyone may interpret its output in a clear and concise manner (predictions). With the help of this model, researchers may better understand and visualize the relationships between input data and output functions in more complex neural networks. Typical neural networks have a hard time dealing with data that is sequential. System calls are followed by host calls in the IoHT DATASET 1. Normal call sequences and sub-sequences might accompany strange behaviour. As system calls are made sequentially, intrusion detection in IoT must take this into account. Classifying input data in this manner requires that past and current data, as well as their shifted or scaled features, be considered. In order to detect intrusions, f (x) generates input instances with normal and aberrant sequences, makes adjustments to KMEANS clustered data features to meet the proposed XNN constraints. XNN employs the Additive Index Model, which is: Adding up the parameters of Shifting, rotating and scaling of data instances, then equation (2) becomes as follows: where μ is the shift parameter used for model ftting and c is the scaling parameter used for ftting as well. Te architectural diagram of XNN can be seen in Figure 5: Data sets in this study can be analyzed with more efciency when the XNN model has rotating and shifting parameters.
Te function F is responsible for classifying output variables like attacks (x). Gamma is the input characteristic. K MEANS provides a value based on K Using clustering, so you can keep track of all of your traits in one place. Te feature's value is represented by the number x in each instance. As Beta increases, so does the scalability coefcient, T. Equation introduces a scaling parameter to the neural network (3). Equation (3) includes the gamma shift parameter with the coefcient of shifting, sigma, and h serves as the hyper-parameter transfer function for model over and under ftting.
Weights for each integer in the network are multiplied before they are sent to the next layer of neurons. To arrive at the sigmoid activation function, the weighted sums of each neuron's activation functions must be added up. Te weighted connections between layers two and three are now divided by these values. Each subsequent layer is completed in this manner. In a weighted directed network, neurons are  Computational Intelligence and Neuroscience represented as nodes, with weighted edges linking them together. An external environment is fed into a neural network model, which then uses the vectors to store the data. To denote the number of inputs, x (n) is commonly used. Te weights of each input are then added together. In solving a problem, the neural network benefts from the use of weights. Te weight of a neural network is frequently used to represent the strength of the connections between neurons in that network. Once all of the inputs have been weighted, total up the weighted sum of all of them (artifcial neuron). In order to improve the system's responsiveness, a bias is imposed if the total weighted weighting is zero. Te bias is set to "1" for both the weight and the input. Any number from 0 to infnity can be included in the sum. Only if the threshold is sufciently high can the response match the desired value. An activation function f advances the total (x). Te activation function is activated by transferring control from the transfer function. Te activation function might be linear or nonlinear. Below is the pseudocode for neural network.

Model Evaluation Parameters.
Te tactics under consideration were evaluated based on the accuracy, precision, recall, and F1 Score criteria. A confusion matrix has been used to show the diference between classed and misclassifed clauses. Table 3 lists the results of the calculations made for each of the metrics considered:

Results and Discussion
Tis section summarizes the model's implementation and assessment outcomes. Te XNN model was found to be accurate after testing it on both sets of data. In the frst step, the study puts the proposed model to be tested against nine attacks from the IoHT DATASET 1. Here, the results of the XNN model and the implementation of the model are shown. Experimentation was carried out using a GPU-based system with Jupyter as the compiler and two 3.2 GHz processors. As a preliminary step, the experiment evaluated the accuracy, precision, recall, and F1 of our model's classifcation of nine attacks from the IoHT DATASET 1 dataset. Figure 6 illustrates that when K-Means-clustering is employed to score features and the XNN model performs well on IoHT DATASET 1. Te y-axis shows accuracy and the x-axis shows precision, recall, and F1 scores. In the network-based dataset, the model has an accuracy of 99.7 percent in classifying attacks. When using only one hot encoding method (as illustrated in Figure 7), this model's accuracy drops by 75%.  Computational Intelligence and Neuroscience     Tis is lower than the accuracy achieved using feature scoring with KMEANS clustering, which is depicted in Figure 8, despite having a precision of 91.5%.

Performance of XNN on IoHT DATASET 1 Dataset.
Tere are four diferent axes on the graph: accuracy, precision, recall and F1 score. Tis matrix of confusion is shown in three diferent ways: with KMEANS, with only one hot encoding, and without feature scoring. Figure 9 shows how much higher the true positive rate is when KMEANS is used for feature rating. To yet, the most accurate deeplearning model, XNN, has shown promising results. Figure 10 compares the classifcation of IoHT DATASET 1 attacks using deep-learning models. Te y-axis shows the percentage of accuracy, while the x-axis shows the model's accuracy histogram.   Figure 11 shows the confusion matrix without feature scoring. Figure 12 shows the comparison of deep learning models on IoHT dataset 1 with KMEANS.

Performance of XNN on IoHT DATASET 2.
When K-Means-clustering is employed to score features, as shown in Figure 13, the XNN model does well on IoHT DATASET 2. Te y-axis shows accuracy, and the x-axis shows precision, recall, and F1 scores. In the network-based dataset, the model has an accuracy of 99.7 percent in classifying attacks. Figure 14 shows how inaccurate it is when using just one hot encoding strategy for feature scoring. Figure 15 shows that the accuracy of IoHT DATASET 2 maintains 99.7 without feature scoring.
Tere are four diferent axes on the graph: accuracy, precision, recall and F1 score. Confusion matrices with KMEANS, One hot encoding, and without feature scoring are depicted in Figures 16 and 17. When KMEANS feature scoring is employed, the true positive rate increases signifcantly, as seen in Figure 16. Comparison of deep-learning models for classifying attacks is depicted in Figure 17. Te y-axis shows the percentage of accuracy, while the x-axis shows the model's accuracy histogram. Figure 17 shows the confusion matrix with one hot encoding. Figure 18 shows the confusion matrix without feature scoring while Figure 19 shows the comparison of deep learning models on IoHT DATASET 2 with KMEANS. Figure 19 shows the comparison of deep learning models on IoHT DATASET 2 with KMEANS. DNN shows 98% accuracy, CNN shows 98.5% accuracy, LSTM shows 91.332% accuracy and XNN on the highest note shows 99.72% accuracy.

Conclusions
Intrusion detection is difcult because of the large volumes of network trafc data, the abundance of network characteristics, and the diversity of attacking methods. Tere needs to be a plan put in place to reduce the number of times when Internet packets have extremely diferent RTTs. When many IoHT biosensors are all trying to communicate with one another, it can lead to network congestion and interference.
Internal and external network interference is a typical issue with the IoHT. It is challenging to detect SSIs due to the enormous amount of network trafc data, the diferent features of networks, and the complexity of attacker patterns. Low detection accuracy and signifcant false alarms are the result of out-of-date reference models, ambiguous boundaries between normal and abnormal trafc patterns, and unbalanced data in the face of enormous data volumes. Current SSI detection methods are either inefcient or useless due to outlier RTT values in intercepted TCP packets. Te downstream detection technique allows for a preliminary estimation of the downstream connection chain length. By reducing packet RTT outliers, the author has improved the online throughput of the SSI detection algorithm. For detecting malicious fows, NIDS takes fow records as inputs. Te author has proposed an XNN architecture for detecting middlebox attacks in Healthcare IoT. (Explainable neural networks). In both experiments, XNN outperformed the baseline models as an efcient technique. In IoHT dataset 1, the model obtains a 99.7 percent accuracy in classifying attacks, whereas in dataset 2, it achieves a 99.4 percent accuracy. To make the system more efective and to help the healthcare sector, it is possible to continue this work on realtime machines and with reinforcement learning in the future.

Data Availability
Te datasets used to support the fndings of this study are available from the corresponding author upon request.

Conflicts of Interest
Te author declares that he has no conficts of interest. Computational Intelligence and Neuroscience 13