DIAMOND: A Structured Coevolution Feature Optimization Method for LDDoS Detection in SDN-IoT

Software-defined networking for IoT (SDN-IoT) has become popular owing to its utility in smart applications. However, IoT devices are limited in computing resources, which makes them vulnerable to Low-rate Distributed Denial of Service (LDDoS). It is worth noting that LDDoS attacks are extremely stealthy and can evade the monitoring of traditional detection methods. Therefore, how to choose the optimal features to improve the detection performance of LDDoS attack detection methods is a key problem. In this paper, we propose DIAMOND, a structured coevolution feature optimization method for LDDoS detection in SDN-IoT. DIAMOND consists of a reachable count sorting clustering algorithm, a group structuring method, a comutation strategy, and a cocrossover strategy. By analysing the information of SDN-IoT network features in the solution space, the relationship between different SDN-IoT network features and the optimal solution is explored in DIAMOND. Then, the individuals with associated SDN-IoT network features are divided into different subpopulations, and a structural tree is generated. Further, multiple structural trees evolve in concert with each other. The evaluation results show that DIAMOND can effectively select optimal low-dimension feature sets and improve the performance of the LDDoS detection method, in terms of detection precision and response time.


Introduction
The Internet of Things (IoT) ecosystem is one of the most critical aspects of human lives, facilitating a wide variety of applications in different domains such as smart homes, agriculture, healthcare, smart cities, smart grids, industrial automation (Industry 4.0), smart driving, and elderly assistance [1]. Hence, guaranteeing communication quality for IoT devices is an issue worth exploring. In this work, WiFi is utilized as the communication protocol between IoT devices and access points (APs), which are implemented through Mininet-wifi. In fact, WiFi provides the low latency and low latency jitter necessary for IoT applications such as industrial production lines, IP telephony, video conferencing, and virtual desktop infrastructures. However, the computing resources, storage resources, and network capacity of IoT devices are too limited to carry high-speed data transmission.
Recently, SDN-IoT has been proposed to improve transmission quality [2]. Figure 1 shows the SDN-IoT architecture. In SDN-IoT, SDN changes the limitation of the network infrastructure, gives the network more flexibility, and simplifies policy implementation and network configuration [3]. SDN-IoT is anticipated to smartly route traffic and use underutilized network resources to deliver IoT data to the Internet. However, due to the stronger flexibility that SDN gives to the network, SDN-IoT faces many security threats [4].
The LDDoS (Low-rate Distributed Denial of Service) attack is a serious threat to SDN-IoT. It exploits vulnerabilities in network protocols to launch attacks and often achieves a superior attack effect at a smaller attack cost. LDDoS attacks can evade the monitoring of traditional detection approaches by sending low-rate packets to a victim in periodic pulses [5]. Hence, how to effectively detect LDDoS is a huge challenge [6]. Feature selection makes an outstanding contribution to overcoming the invisibility of LDDoS, exploring LDDoS-related features, and improving the efficiency of LDDoS detection.
(1) Existing EA-based feature optimization methods usually evolve individuals in a population, leading to the loss of diversity when evolving individuals
(2) The existing methods do not consider the coevolution of similar individuals during evolution, which leads to the reduction of convergence ratio
In order to overcome the shortcomings mentioned above, a structured coevolution feature optimization method for LDDoS detection in SDN-IoT (DIAMOND) is proposed. The main contributions are summarized as follows:
(1) By dividing the population into several subpopulations based on the proposed reachable count sorting clustering algorithm and a group structuring method and executing coevolution based on the designed comutation strategy and cocrossover strategy, DIAMOND is proposed
(2) A reachable count sorting clustering algorithm (BONNET) is designed to divide the population into subpopulations with different SDN-IoT network feature information, and each subpopulation is considered as a suboptimal solution set in the solution space
(3) A group structuring method is designed to further structure a subpopulation into structural trees in order to sort the individuals in the subpopulation orderly based on SDN-IoT network information, where multiple structural trees evolve in concert
(4) A comutation strategy is proposed based on the optimal subpopulation guidance direction, amount of information on SDN-IoT network features, and the evolutionary trajectory of the subpopulation, to move the individual towards the optimal solution in an orderly manner
(5) A cocrossover strategy is designed to facilitate information exchange between different structural trees by exchanging individuals between different structural trees and the genes of individuals in the same tree

Related Works
This section presents a review of intrusion detection systems for malicious traffic detection in SDN-IoT networks as well as the deployment of malicious network attack detection technologies for feature selection tasks. Mafarja and Mirjalili [7] proposed a new wrapper feature selection approach based on the whale optimization algorithm (WOA). In this work, two binary variants of the WOA algorithm are proposed to search the optimal feature subsets for classification. Emary et al. [8] proposed a new grey wolf optimization (GWO) algorithm. In that approach, the sigmoidal function is responsible for squeezing the continuously updated position; then, these values are stochastically compared with a threshold to find the updated binary grey wolf position. Abdel-Basset et al. [9] proposed a new grey wolf optimizer algorithm integrated with a two-phase mutation to solve the feature selection for classification problems based on the wrapper methods. Mafarja and Mirjalili [10] used two hybridization models to design different feature selection techniques based on WOA. In the first model, the simulated annealing (SA) algorithm is embedded in WOA, while in the second model it is used to improve the best solution found after each iteration of WOA.
Roopak et al. [11] implemented the nondominated sorting algorithm with its adapted jumping gene operator to solve the optimization problem. The proposed method exploits an extreme learning machine as the classifier for feature selection based on six important objectives for an IoT network. Mafarja et al. [12] presented a novel wrapper feature selection approach based on augmented WOA, which was adopted in the context of IoT attack detection. Transfer functions (sigmoid function and tanh function) are applied in the real-value step vector such that a high probability of change is given to the dimension with a large value. Haddadpajouh et al. [13] proposed a multikernel support vector machine (SVM) for IoT cloud-edge gateway malware hunting, using the GWO technique. Table 1 describes the advantages and limitations of the related works. As shown in Table 1, the common limitations in these works are the high complexity of the models and the tendency of falling into local optimal solutions. This is because the existing methods do not consider the coevolution of similar individuals during evolution, leading to a complex model, which in turn leads to the decrease of the convergence rate. Likewise, existing methods lose diversity in populations during evolution, due to the fact that they usually evolve individuals in only one population, leaving the model trapped in a local optimum solution. The performance of the algorithm is limited by these problems. Therefore, DIAMOND is designed to solve these problems in this work.

DIAMOND: A Structured Coevolution Feature Optimization Method for LDDoS Detection in SDN-IoT
3.1. Motivation. As a result of the rapid increase in the number of mobile-connected devices such as smartphones and tablets, SDN-IoT is attracting more and more attention from industry and academia. Therefore, the security of SDN-IoT becomes a serious issue [14]. Feature selection methods for network attack detection methods have been a hot research topic among researchers in recent years. However, the existing feature selection methods have some limitations such as follows:
(1) Existing EA-based feature optimization methods usually evolve individuals in a population, leading to the loss of diversity when evolving individuals
(2) The existing methods do not consider the coevolution of similar individuals during evolution, which leads to the reduction of convergence ratio
Existing feature selection methods all have the common limitations of high model complexity and the tendency to fall into local optimal solutions. Therefore, in order to solve these problems, this work enables multiple subpopulations to coevolve and makes subpopulations into ordered populations. In this way, multiple subpopulations can tract each other to avoid falling into local optimal solutions. At the same time, individuals within subpopulations are clearly distinguished to reduce the consumption of computational resources.

Table 1: Advantages and limitations of the related works.
[...] Limitations: More time and resources are consumed.
[8] Method: Binary grey wolf optimization. Advantages: It is efficient in exploration and development. Limitations: This highly complex method potentially consumes more time and resources.
[9] Method: Grey wolf optimizer algorithm, two-phase mutation. Advantages: The two-stage mutation operator contributes to enhanced exploration. Limitations: More parameters need to be determined.
[10] Method: Hybrid whale optimization algorithm, simulated annealing. Advantages: The algorithm reaches high accuracy by using a fewer number of features. Limitations: It has a high complexity and a tendency to fall into local optimal solutions.
[11] Method: Nondominated sorting algorithm, adapted jumping gene operator. Advantages: The jumping gene operator contributes to improve the detection accuracy. Limitations: Falling into local optimal solutions is a possible limitation.
[12] Method: The augmented whale optimization algorithm. Advantages: It can search a more comprehensive range. Limitations: The convergence speed may be a little slow.
[13] Method: Multikernel SVM, gray wolf optimization. Advantages: The multikernel SVM enhances the accuracy of the algorithm. Limitations: The multikernel SVM method may lead to overfitting.
DIAMOND Method: A structured coevolution feature optimization method for LDDoS detection in SDN-IoT. Advantages: The model enables ordered individuals and coevolution of multiple subpopulations, reducing redundant computations. Limitations: How to coevolve subpopulations is an issue that needs to be addressed.

3.2. Overall Structure. Figure 2 shows the overall structure of DIAMOND in SDN-IoT. DIAMOND is deployed on the SDN controller and collects network traffic by sending collect traffic instructions to the switch. Generally, DIAMOND includes the following steps:
(i) Step 1. DIAMOND sends the instruction to collect network traffic information.
(ii) Step 2. Once the SDN controller receives the instruction, it sends OFPT_STATS_REQUEST messages to the switches to get the statistics of flow entries.
(iii) Step 3. The switches reply with OFPT_STATS_REPLY messages to the SDN controller. These messages contain the stream data in the flow entries of the switches.
(iv) Step 4. After the controller receives the OFPT_STATS_REPLY messages, it deencapsulates these messages and sends the collected statistic data to DIAMOND.
(v) Step 5. In DIAMOND, the statistic data of flow entries collected from switches are used to calculate the initial SDN-IoT network features. Subsequently, these features are coded using the binary coding method to generate the initial population, which consists of some individuals.
(vi) Step 6. The population is divided into several subpopulations by BONNET.
(vii) Step 7. The structuring factor is calculated based on the fitness factor and the membership factor, which structures the individuals in the subpopulation into a structural tree.
(viii) Step 8 and Step 9. Multiple structural trees evolve collaboratively with each other through the mutation and crossover strategies.
(ix) Step 10 and Step 11. After evaluation and selection, the dominant individuals are retained to the next generation.
(x) Step 12, Step 13, and Step 14. After several iterations, the individual with maximum fitness will be identified as the best individual. Subsequently, the best individual will be decoded into the corresponding feature set.
As described above, we use binary coding to translate the original SDN-IoT network feature set to the individual used in DIAMOND. We assume that the original feature set $x_i$ includes $d$-dimensional gene sequences. Hence, we set $d$-dimensional gene sequences as follows:
$x_i$ is an individual, which represents a network feature set of SDN-IoT. When gene $x_{i,j} = 1$, it means the $j$-numbered feature is selected. Conversely, when gene $x_{i,j} = 0$, it means the $j$-numbered feature is not selected.

3.3. BONNET: Reachable Count Sorting Clustering Algorithm. In SDN-IoT, the subsets of SDN-IoT network features are encoded as binary individuals. The initialized individuals are defined as data points that are distributed in the solution space $\mathbb{R}^n$. When individuals share the same or similar SDN-IoT network features, the distribution of these data points in the solution space is relatively aggregated. Then, when individuals distributed in the solution space are clustered into a subpopulation, it means that SDN-IoT network features in individuals are related to the solution closest to the subpopulation. Therefore, we divide the individuals into several subpopulations in order to extract information about SDN-IoT network features in subpopulations and explore the relationship between SDN-IoT network features and optimal solutions. As a result, we design a reachable count sorting clustering algorithm (BONNET) to divide the population into several subpopulations. In BONNET, the following definitions are proposed:
(1) A data point $(x_i, \epsilon)$ is defined as a reachable point, which is within the hypersphere region with a certain data point $x_i$. Here, $x_i$ is defined as the center of the sphere, and the length $\epsilon$ is recognized as the radius of the neighborhood
(2) A subpopulation centrosome ҡ is defined as an individual located at the center of the subpopulation Ҡ
Further, the distance distribution between individuals in the population is denoted as $S$; $\mu$ means the mean value of $S$, and $\sigma$ stands for the variance of $S$. We measure the distribution density of the population in terms of the number of times each individual is utilized as a reachable point. Hence, $x_i^*$ is defined as the number of times that $x_i$ is utilized as a reachable point. Then, $F(x_i^*)$ means the set of descending order of $x_i^*$, and $M(x_i^*)$ stands for obtaining the corresponding individual. Further, the initial queue $Q(x)$ is defined as follows, where $x_i^*$ of the individuals decreases sequentially.
Subsequently, the individual $x_i$ is selected as the subpopulation centrosome $\tilde{ҡ}_i$, which is removed from $Q(x)$ in turn, and the reachable points within the neighborhood radius $\epsilon$ of the individual $\tilde{ҡ}_i$ are formed as a subpopulation $\{\tilde{ҡ}_i\}$. Then, the reachable points of $\tilde{ҡ}_i$ are removed from $Q(x)$. Finally, $\{\tilde{ҡ}_i\}$ is joined to the subpopulation queue $Ҡ(ҡ)$. As shown in Equation (4), $c$ is the number of subpopulations.
An example is shown in Figure 3, where $x_1^* = 3$, $x_2^* = 2$. When $x_1$ is removed from the initial queue and denoted [...] 4, and $x_5$ in $(x_1, \epsilon)$ are joined to the subpopulation $\{ҡ_1\}$. It is worth noting that there are still outliers and smaller subpopulations around the main subpopulations. Therefore, we merge these outliers and smaller subpopulations into the surrounding main subpopulations. Algorithm 1 describes the detailed steps of BONNET.
Algorithm 1 (BONNET), inputs, outputs, and notation:
Input: Population number: $N$; Individuals: $x$; Sub-populations number: $c$
Output: The sub-population: $Ҡ(ҡ)$
$Q(x)$, $Ҡ(ҡ)$, $S(s)$ ⟵ $\{\}$, $\epsilon = 0$
⟵: the add element operation.
$(x_i, \epsilon)$: the reachable points of $x_i$.
$R$: the distance function.
$T$: the function that takes out the first element.
$F(x_i^*)$: the set of descending order of $x_i^*$.
$M(x_i^*)$: the function that obtains the corresponding individual.
$H(Ҡ(ҡ), c)$: the function that gets the largest $c$ sub-populations in $Ҡ(ҡ)$.
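The clustering procedure described above can be sketched as follows. This is an added example, not the authors' Algorithm 1: the Hamming distance used for the distance function R, the explicit `eps` argument (the paper derives the radius from the distance distribution, but that formula is not reproduced on this page), the nearest-centrosome merge rule, and the constructed sample population are all assumptions.

```python
"""Sketch of BONNET-style reachable count sorting clustering (added example)."""


def hamming(a, b):
    """Distance function R. Assumption: Hamming distance between gene strings."""
    return sum(x != y for x, y in zip(a, b))


def reachable_counts(pop, eps):
    """x*_i: number of times individual i is a reachable point of another one."""
    n = len(pop)
    return [
        sum(1 for j in range(n) if j != i and hamming(pop[i], pop[j]) <= eps)
        for i in range(n)
    ]


def bonnet(pop, eps, c):
    """Split `pop` into at most `c` subpopulations of indices.

    Each returned list starts with its centrosome. Outliers and small
    subpopulations are merged into the main subpopulation whose centrosome
    is nearest (assumed merge rule).
    """
    if c < 1:
        raise ValueError("c must be at least 1")
    counts = reachable_counts(pop, eps)
    # Initial queue Q(x): individuals in descending order of x*_i.
    queue = sorted(range(len(pop)), key=lambda i: (-counts[i], i))
    remaining = set(queue)
    subpops = []
    for centre in queue:
        if centre not in remaining:
            continue  # already absorbed as a reachable point of an earlier centrosome
        members = [centre] + [
            j for j in queue
            if j in remaining and j != centre
            and hamming(pop[centre], pop[j]) <= eps
        ]
        remaining.difference_update(members)
        subpops.append(members)
    # H(K, c): keep the c largest subpopulations, merge the rest into them.
    subpops.sort(key=len, reverse=True)
    main, leftovers = subpops[:c], subpops[c:]
    for small in leftovers:
        for j in small:
            nearest = min(main, key=lambda m: hamming(pop[j], pop[m[0]]))
            nearest.append(j)
    return main


# Constructed sample: eight 8-gene individuals (1 = feature selected).
SAMPLE_POP = [
    "11110000", "11110001", "11100000", "11010000",  # group around index 0
    "00001111", "00001110", "00011111",              # group around index 4
    "10100001",                                      # outlier, closer to index 0
]

if __name__ == "__main__":
    print(reachable_counts(SAMPLE_POP, eps=1))
    print(bonnet(SAMPLE_POP, eps=1, c=2))
```

With `c=2` the outlier at index 7 forms its own subpopulation first and is then merged into the subpopulation led by index 0.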
3.4. Group Structuring Method. In the subpopulations divided by BONNET, individuals are relatively close together, but they lack group coordination during evolution. In order to distinguish the importance of different SDN-IoT network features among common individuals and enable important SDN-IoT network features to provide guidance to individuals in a subpopulation, we propose a group structuring method. During the group structuring, we combine the fitness and membership of the individuals to construct the structural tree.
As shown in Equation (5), $f_i$ stands for the fitness of individual $x_i$, and the fitness factor $\rho_i$ reflects the guidance ability of the individual $x_i$ in the subpopulation. When the individual $x_i$ is close to the optimal solution, $\rho_i$ of $x_i$ has a larger value. As shown in Equation (6), $s_{j,i}$ means the distance from the individual $x_i$ to the subpopulation centrosome $\tilde{ҡ}_j$. Then, $n$ means the number of individuals in the subpopulation, and the membership factor $\gamma_i$ means the degree to which the individual belongs to the subpopulation centrosome $ҡ_j$. As shown in Figure 4, $\gamma_i$ stratifies individuals in the subpopulation $\{\tilde{ҡ}_i\}$ by distance, and there is some genetic similarity between individuals at the same level. However, individuals in the same layer have different $\rho$ values depending on whether they have the SDN-IoT network features associated with the optimal solution.
Generally, the optimal solution is distributed on one side of the subpopulation rather than inside the subpopulation, and individuals close to the optimal solution are provided with greater fitness. Hence, we define the structural factor as the fitness factor minus the membership factor.
As shown in Figure 5, the individuals at the same level share an identical degree of membership and gene similarity. The closer an individual is to the optimal solution, the stronger the ability to guide. As a result, the structured factor $\zeta_i$ integrates individual guidance ability and gene similarity. We build a structural tree $L_i$ based on the value of $\zeta_i$ in descending order, and the individuals with the same score are sibling nodes. As shown in Equation (8), $c$ is the number of structural trees.
When the structural tree coevolves, the sibling nodes have equivalent evolutionary guidance ability and similar genes. Therefore, only partial individuals of sibling nodes are randomly selected to calculate the fitness to reduce the consumption of computing resources and accelerate the convergence rate. Figure 5 shows the diversity of different structural trees. $\Delta f$ indicates the gradient change of fitness. $\Delta f_3 > \Delta f_2$ indicates that the SDN-IoT network features in the individuals of information $h-1$ and $h$ layers are more different. Because the width of structural tree b is greater than the width of structural tree a, there are more individuals in the same layer, indicating that the gene pool of structural tree b is rich in network feature information. In the process of the iterative evolution of the population, when the fitness of an individual in the $h$ layer is greater than the average fitness of the nodes in the $h-1$ layer, the individual will transition to the $h-1$ layer.
To evaluate the convergence and stability of the structural tree, we define Equation (9) for the diversity of the structural tree:
As shown in Equation (9), $w$ represents the number of nodes in the $h$ layer, $H$ means the depth of the tree, and $f_h$ stands for the average fitness of the nodes in the $h$ layer. When the width of the structural tree and fitness gradient change greatly, the structural tree has stronger diversity.

3.5. Comutation Strategy. In DIAMOND, the balance between global search and local optimization is extremely important. Therefore, we design a comutation strategy to guide the evolution of the population. In this strategy, we define the movement trajectory of the subpopulation centrosome $\gamma$, the disturbance factor $\delta$, and the diversity factor $\beta$ of the population structural tree. It is worth noting that the subpopulation centrosome ҡ is characterized as the evolutionary benchmark of the individuals in the subpopulation $\{ҡ\}$. Therefore, the evolutionary trajectory and evolutionary route of the subpopulation centrosome ҡ have important contributions to the evolution of the subpopulation $\{ҡ\}$.
The movement trajectory of the subpopulation centrosome $\tilde{ҡ}$ is defined as Equation (10). In Equation (10), $\gamma_{t-1}$ means the last predicted position, $ҡ_t$ stands for the current position, and $\phi$ is designed as the weight $\phi = \phi_0 / e^{-t}$. Finally, $t$ is the population generation.
In Equation (11), $u_i^{g+1}$ means the mutation individual generated by $x_i^g$. $g$ denotes the $g$-th generation of the population. $\gamma(ҡ)$ stands for the movement trajectory of the subpopulation centrosome ҡ. $\chi(ҡ_{best})$ is designed as the direction of the winning subpopulation. Furthermore, $\delta(x_i^g)$ represents the disturbance factor generated by $x_i^g$. The comutation strategy ensures global search capability while accelerating convergence.
As shown in Figure 6, the movement trajectory $\gamma(ҡ)$ of the subpopulation centrosome ҡ and the winning subpopulation $\chi(ҡ_{best})$ guide the search direction for the individual $x_i^g$. Further, $x_i^g$ projects the direction that is the sum of direction with the subpopulation centrosome movement trajectory $\gamma(ҡ)$ and the winning subpopulation $\chi(ҡ_{best})$. The diversity factor $\beta$ regulates the evolutionary step length of individual $x^g$. The larger the diversity of the structural tree is, the stronger the overall optimization ability will be, and each individual in the structural tree should be given a larger explore step size. However, the weaker the diversity of the structural tree is, the stronger the local optimization ability will be, and each individual in the structural tree should be given a smaller step size. The disturbance factor $\varrho(x_i^g)$ produced by $x_i^g$ can prevent the population from falling into a locally optimal solution.
In summary, the mutation individual $u_i^{g+1}$ is directed to the direction of the optimal solution, which contains a large amount of network feature information related to the optimal solution. It is worth noting that the SDN-IoT network features related to the optimal solution in $u_i^{g+1}$ carry more information than the SDN-IoT network features unrelated to the optimal solution. Therefore, in order to reduce redundant features, we retain features closest to the optimal solution according to the network feature information carried by the mutation individual.
$u_{i,j} = 0$ otherwise:
As in Equation (12),
3.6. Cocrossover Strategy. We propose a cocrossover strategy to facilitate information exchange between different structural trees. The cocrossover strategy includes a crossover strategy between multiple subpopulations and a crossover strategy for structural trees within a subpopulation. As shown in Equations (15) and (16), $w^g$ is a crossover intermediate set that contains all individuals generated by the crossover operation.
(1) As shown in Equation (15), individuals at the same level in multiple structural trees are randomly selected for exchange. For instance, individual $x_k$ and individual $x_m$ are randomly selected from the $h$-th level individuals of structural trees $L_i$ and $L_j$ for exchange, which can increase the information interaction between subpopulations and avoid falling into local optimum
(2) Individuals at the $h-1$ layer and $h$ layer of the structural tree $L_i$ are randomly selected for single-point crossover. For instance, the $k$-th gene of the $x_i$ individual is exchanged with the allele of the $x_j$ individual
3.7. Detailed Design of DIAMOND. The IoT devices may include cameras, smartwatches, smartphones, various activity sensors, smart speakers, and so on. These IoT devices are connected to SDN switches, which are the endpoints of the service provider's network [15]. In SDN-IoT, the LDDoS detection method needs to detect LDDoS highly adaptively, fast, and accurately. Hence, in DIAMOND, the AUC of detector performance, detection time (time), accuracy (ACC), and feature dimensions (DIM) are considered as the optimization objective, which is defined as follows:
Each individual within the population has its binary coded genotype. In Equation (18), $g$ is the number of iterations. $N$ is the population number. $d$ is the feature dimension.
Table 2: Flow features.
[...]: The convective byte asymmetry rate of a flow
Byte_count: The total number of bytes in the flow
Byte_rate: The byte growth rate of a flow
Byte_pkt: The average number of bytes of a packet in a flow
Duration: The duration of flow
eth_type: The Ethernet type of the flow
dst_host_srv_diff_host_ratio: The percentage of connections with different source hosts in the same service and the same target host
src_byte_ratio: The percentage of the number of bytes transferred by the current connection in that of bytes transferred by the same source host connection
srv_diff_host_ratio: The percentage of connection number of different target hosts in that of the same service
Byte_asym_inter: The convective byte asymmetry rate in the cycle
Input: The entering port
dst_ip: The serial number of destination IP
src_ip: The serial number of source IP
pkt_count_inter: The total number of packets of flow in the cycle
Output: The forwarding port
Packet_count: The total number of packets in the flow
pkt_asym: The convective packet asymmetry rate
Packet_rate: The packet growth rate
Priority: The flow priority
Same_dst_count: The total number of same destination IP connections
src_pkt_ratio: The percentage of the number packets in packets of same source host connection
Same_src_count: The total number of same source IP connections
pkt_asym_inter: The convective packet asymmetry rate in the cycle
Same_srv_ratio: The percentage of connections that have the same target hosts and the same services as the current connection
byt_count_inter: The total number of bytes in the flow in the cycle
diff_srv_ratio: The percentage that connects different services in which is the connection of the same target hosts
Byte_pkt_inter: The average number of bytes of a packet in the cycle
Byte_rate_inter: The growth rate of the byte in the cycle
pkt_rate_inter: The growth rate of the packet in the cycle
src_port_count: The total number of same source port connections
dst_port_count: The total number of same destination port connections
ip_proto: The protocol type
tcp_src: The serial number of source TCP
tcp_dst: The serial number of destination TCP
udp_src: The serial number of source UDP
udp_dst: The serial number of destination UDP

Wireless Communications and Mobile Computing
After encoding the individuals, DIAMOND executes BONNET and the group structuring method using Equations (2)-(8). Then, the comutation strategy is executed through Equations (11)-(14), and the cocrossover strategy is executed through Equations (15) and (16). In addition, by comparing the corresponding advantages and disadvantages of the new generation of the individual with the contemporary population, individuals who are more suitable for survival are selected as the new generations. As shown in Algorithm 2, individuals are encoded in lines 1~4. BONNET and group structuring are executed in lines 6 and 7. The comutation strategy is executed in lines 7~11. The cocrossover strategy and optimal individuals selecting strategy are implemented in lines 12~20.
The flow features are shown in Table 2. These features are extracted and calculated for each flow. Here, a flow is defined as traffic with the same source/destination MAC/IP address and the same source/destination port number.
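The following added example (not code from the paper) connects the binary encoding of Section 3.2 with the per-flow features of Table 2: it computes a few Table 2 features from two consecutive polls of flow-entry statistics and then decodes a binary individual into the selected feature subset. The record field names, the counter-reset handling, the asymmetry formula |forward - reverse| / (forward + reverse), and the sample polls are assumptions made for illustration.

```python
"""Per-flow feature calculation and binary feature selection (added example)."""

# Subset of Table 2 feature names, in gene order for the binary individual.
FEATURES = ["Packet_count", "Byte_count", "Byte_pkt", "Duration",
            "pkt_count_inter", "byt_count_inter", "Byte_pkt_inter", "pkt_asym"]


def flow_key(rec):
    """A flow: same source/destination MAC/IP address and port number."""
    return (rec["src_mac"], rec["dst_mac"], rec["src_ip"], rec["dst_ip"],
            rec["src_port"], rec["dst_port"])


def reverse_key(key):
    smac, dmac, sip, dip, sport, dport = key
    return (dmac, smac, dip, sip, dport, sport)


def ratio(num, den):
    return num / den if den else 0.0


def cycle_delta(cur, prev):
    """Counter growth in one polling cycle; a lower counter means the flow
    entry was re-installed, so the current value is the whole delta."""
    return cur - prev if cur >= prev else cur


def flow_features(prev_poll, cur_poll):
    """Map each flow in the current poll to its feature dict."""
    prev = {flow_key(r): r for r in prev_poll}
    cur = {flow_key(r): r for r in cur_poll}
    table = {}
    for key, rec in cur.items():
        old = prev.get(key, {"packet_count": 0, "byte_count": 0})
        pkts, byts = rec["packet_count"], rec["byte_count"]
        d_pkts = cycle_delta(pkts, old["packet_count"])
        d_byts = cycle_delta(byts, old["byte_count"])
        rev = cur.get(reverse_key(key))
        rev_pkts = rev["packet_count"] if rev else 0
        table[key] = {
            "Packet_count": pkts,
            "Byte_count": byts,
            "Byte_pkt": ratio(byts, pkts),
            "Duration": rec["duration"],
            "pkt_count_inter": d_pkts,
            "byt_count_inter": d_byts,
            "Byte_pkt_inter": ratio(d_byts, d_pkts),
            # Assumed definition of the packet asymmetry rate.
            "pkt_asym": ratio(abs(pkts - rev_pkts), pkts + rev_pkts),
        }
    return table


def decode(individual):
    """Gene x_{i,j} = 1 selects the j-numbered feature."""
    if len(individual) != len(FEATURES):
        raise ValueError("individual length must equal the feature dimension d")
    return [name for name, gene in zip(FEATURES, individual) if gene == 1]


def project(features, individual):
    """Feature vector restricted to the genes set to 1."""
    return [features[name] for name in decode(individual)]


def rec(src, dst, pkts, byts, dur):
    """Build one constructed flow-stats record; src/dst are (mac, ip, port)."""
    return {"src_mac": src[0], "src_ip": src[1], "src_port": src[2],
            "dst_mac": dst[0], "dst_ip": dst[1], "dst_port": dst[2],
            "packet_count": pkts, "byte_count": byts, "duration": dur}


# Constructed sample data (documentation address ranges).
SENSOR = ("02:00:00:00:00:01", "192.0.2.10", 40000)
SERVER = ("02:00:00:00:00:02", "198.51.100.5", 443)
PROBE = ("02:00:00:00:00:03", "192.0.2.77", 51000)
PREV_POLL = [rec(SENSOR, SERVER, 100, 12000, 10), rec(SERVER, SENSOR, 90, 45000, 10)]
CUR_POLL = [rec(SENSOR, SERVER, 160, 19200, 20), rec(SERVER, SENSOR, 140, 70000, 20),
            rec(PROBE, SERVER, 40, 2400, 5)]  # new one-way flow, no reverse entry
MASK = [0, 0, 1, 0, 1, 0, 0, 1]  # individual selecting Byte_pkt, pkt_count_inter, pkt_asym

if __name__ == "__main__":
    for key, feats in flow_features(PREV_POLL, CUR_POLL).items():
        print(key[2], "->", key[3], project(feats, MASK))
```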

Experiment Environment.
To verify the logic of the program and evaluate its performance, DIAMOND is implemented on the RYU controller. In this work, Mininet-wifi implements the communication between IoT devices and access points (APs), using WiFi as the communication protocol between them. As shown in Figure 7, Mininet-wifi is utilized to simulate an SDN-IoT network that consists of eighty IoT end nodes, eight access points, and eight links, as in previous work [16]. The background traffic simulates the traffic environment of the IoT in the campus, which includes 40% HTTPS, 10% HTTP, 10% TCP, 10% SSDP, 5% DNS, and 5% NTP [17]. Specifically, the traffic is generated by applications on some IoT devices that require low latency and low latency jitter, such as IP telephony and video conferencing. Further, the attack traffic consists of traffic generated by 20 IoT end nodes to launch LDDoS attacks against IoT servers. The attackers, victims, and service requests are all randomly generated. At the same time, the attack traffic accounts for 20% of normal traffic.
Further, in order to verify the detection ability of the optimized feature subset, eight different classifiers including support vector machine (SVM), K-Nearest Neighbor (KNN), Naïve Bayes (NB), Logistic Regression (LR), decision tree (DT), C4.5, Random Forest (RF), and AdaBoost (AB) have been applied to evaluate the feature optimization methods. In addition, DIAMOND is compared with other related state-of-the-art algorithms, which are BDIE [18] and BGDE3 [19]. Table 3 describes the initial parameter settings in DIAMOND. Figure 8 shows the fitness curve of DIAMOND in the first 50 iterations. DIAMOND_FA, DIAMOND_FB, and DIAMOND_FL, respectively, represent the average fitness value, the best fitness value, and the lowest fitness value of DIAMOND. According to Figure 8, it can be seen that after several iterations, the average fitness DIAMOND_FA steadily increases and reaches high values in all
Figure 9 shows the convergence curve of DIAMOND. DIAMOND_1-3, respectively, stand for the convergence value of DIAMOND in 3 runs. DIAMOND_FA is the average convergence value of DIAMOND in 3 runs. The convergence values of DIAMOND converge rapidly in the first half but gradually stabilize in the second half. The convergence value of DIAMOND decreases rapidly before 20 generations, while it stabilizes and decreases slowly after 20 generations. This indicates that the strong global search ability of DIAMOND leads to the exploration of an excellent solution set before 20 generations. Therefore, the population can converge to the outstanding individual quickly. Then, after 20 generations of iteration, DIAMOND performs an exact local exploration on the outstanding set of solutions that have been explored.

Dimension Reduction Ratio. Figure 10 shows the dimension reduction ratio of DIAMOND using eight classifiers, respectively. From Figure 10, it can be seen that the highest feature reduction ratio was 94.78%. Further, we compared the average feature reduction ratio of DIAMOND with BDIE and BGDE3. As shown in Figure 11, the average feature reduction ratio of BDIE, BGDE3, and DIAMOND are 91.67%, 48.72%, and 56.09%, respectively. The dimension reduction ratio indicates that applying DIAMOND in the actual SDN-IoT environment can effectively reduce the computational resource consumption of SDN controllers subject to LDDoS attacks.

Detection Performance. Table 4 shows the detection performance of different classifiers when using DIAMOND, BDIE, and BGDE3. AVG and STD represent the average detection performance and standard deviation of the algorithm, respectively. If the AVG values of the algorithms are equal, the algorithm with a smaller STD value is better. Besides, bold values in the table indicate the best value. The main purpose of Table 4 is to verify the robustness of the proposed algorithm on different classifiers. Obviously, DIAMOND performs better than BDIE and BGDE3 in most cases. It means that the features selected by DIAMOND contain the key classification information. For instance, the average accuracy of DIAMOND is 92.30%, which is higher than 89.11% of BDIE and 85.88% of BGDE3. In addition, all STD values of DIAMOND are better than those of BDIE and BGDE3, which means that DIAMOND is more stable.

Detection Time. To evaluate the performance of DIAMOND in terms of detection time, the detection time is calculated in this evaluation. Table 5 describes the detection time of eight classifiers when using BDIE, BGDE3, and DIAMOND. The detection efficiency of DIAMOND is better than that of BDIE and BGDE3. For instance, when using SVM, the detection time of DIAMOND is 106.72 ms, which is lower than 174.50 ms of BDIE and 164.59 ms of BGDE3. The detection time of DIAMOND is decreased by 39% and 35% compared to BDIE and BGDE3, respectively.

Conclusions
In this paper, we proposed DIAMOND, a structured coevolution feature optimization method for LDDoS detection in SDN-IoT. More specifically, a reachable count sorting clustering algorithm, a group structuring method, a comutation strategy, and a cocrossover strategy are proposed. The evaluation demonstrates that DIAMOND can effectively improve the detection accuracy, reduce the size of feature subsets, and achieve shortened detection time compared with the baseline methods.

Data Availability
The experimental data used to support the findings of this study are available from the corresponding author upon request.