Content area
Industrial control systems (ICS) are crucial for automating and optimizing industrial operations but are increasingly vulnerable to cyberattacks due to their interconnected nature. High-dimensional ICS datasets pose challenges for effective anomaly detection and classification. This study aims to enhance ICS security by improving attack detection through an optimized feature selection framework that balances dimensionality reduction and classification accuracy. The study utilizes the HAI dataset, comprising 54,000 time series records with 225 features representing normal and anomalous ICS behaviors. A hybrid feature selection approach integrating wrapper and filter methods was employed. Initially, a Genetic Algorithm (GA) identified 118 relevant features. Further refinement was conducted using filter-based methods—Symmetrical Uncertainty (SU), Information Gain (IG), and Gain Ratio (GR)—leading to a final subset of 104 optimal features. These features were used to train classification models (Naive Bayes (NB), Random Forest (RF), and Support Vector Machine (SVM)) with a 70:30 train-test split and tenfold cross-validation. The proposed feature selection method significantly improved classification accuracy, achieving 98.86% (NB), 99.91% (RF), and 97.97% (SVM). Compared to the full dataset (225 features), which yielded 97.51%, 99.93%, and 96.17%, respectively, our optimized feature subset maintained or enhanced classification performance while reducing computational complexity. This research demonstrates the effectiveness of a hybrid feature selection approach in improving ICS anomaly detection. By reducing feature dimensionality without compromising accuracy, the proposed method enhances ICS security, offering a scalable and efficient solution for real-time attack detection.
Introduction
Industrial control systems (ICS), the automation, monitoring, and control technology of critical infrastructure sectors, such as power generation, manufacturing, and transportation, are an integral part of modern industrial processes. These include technologies as diverse as Programmable Logic Controllers (PLC)s, Supervisory Control of Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control devices that manage processes. ICS achieves operational efficiency and safety [27] by automating repetitive tasks, ensuring precision, and allowing real-time decision-making. While its advantages, ICS environments are inherently complex and usually include multiple legacy systems integrated with newer digital technologies. The processes that they control are critical, and the ICS is complex, so it is a prime attack target for cyber hackers. ICS is, therefore, more than just about maintaining the productivity, it is also about protecting national security and public safety [18].
Industrial control systems now increasingly connect with corporate IT networks and the internet, and are becoming a concern for the security of this critical infrastructure. Though it provides operational efficiency, this connectivity also makes ICS increasingly vulnerable to a whole host of more sophisticated cyber threats such as malware, ransomware, and Advanced Persistent Threats (APTs) [26]. Consequences of a security breach on ICS can be devastating and include the halting of essential services, economic losses, and imminent threats to human life. ICS attacks can impact any components of ICS (sensors, actuators, controllers, communication networks), and exploit vulnerabilities to gain unauthorized access, disrupt operations, or physically damage the device being controlled. The Stuxnet worm, a very notorious ICS specific attack, is one example of targeting PLCs [2] in Iran’s nuclear target centrifuges. The ICS environment showed that this incident needed robust cybersecurity measures. Furthermore, the growing usage of Industrial Internet of Things (IIoT) devices also complicates the security landscape, since such devices tend not to meet the stringent categories of needed security to fend off complex cyberattacks. These efforts constitute a multi-faceted challenge that consists of physical securing, network securing, and operational securing [33].
The feature selection is an important step in the context of machine learning and data analysis that selects the most relevant variables, or features, from the dataset which characterizes the prediction or classification task [19]. The primary objective of feature selection is to extend a model’s performance without compromising on redundant, irrelevant, and noisy data that may result in overfitting or higher computational costs. When the number of features is large, as is often the case in industrial control systems, computing and interpreting feature importance in high-dimensional datasets can become difficult and feature importance is important to simplify the model, improve accuracy, and reduce computational time for training and evaluation. Besides improving the machine learning model efficiency, feature selection reveals the underlying structure of the data, to ease domain experts to understand which are the most influencing factors when analyzing the process. In industrial environments in particular, decision-making often involves the interpretation of data patterns that may affect production quality, safety, and operational efficiency, and this understanding is especially important. By looking at the most important features, engineers and analysts can create better predictive models that help improve better decision-making and process optimization [36].
In the domain of ICS security, the data are highly complex and voluminous, and so feature selection is crucial. Given hundreds of features coming from many sensors, actuators, and sensors producing data, industrial control system datasets can have a huge amount of data. Such process variables, control signals, network traffic data, and system logs all can contain potentially valuable information about detecting outliers or cyber threats, and they may have cross-dependency relationships with each other. Yet the importance of each feature is not the same; some features may even be irrelevant or redundant, while some others may add noise into the model which narrows its ability to detect security breach [28]. Feature selection is an essential step when building efficient and accurate detection models in such a high-stakes environment where anomaly detection is critical to prevent disrupting or damaging operations. Security analysts select the most relevant features and develop the model that is not only more accurate but also much faster, allowing for real-time threat detection and response. Feature selection also helps in reducing the complexity of the data, which makes it easier to interpret and understand the driving factors of potential security incidents for subsequent development of more targeted and effective security measures [8, 9].
Feature selection in industrial control systems is required to handle data complexity and to narrow the critical variables that do impact system behavior. While the use of systems with many concurrently running components is pervasive, these systems are typically characterized by a large number of interacting components with various data generated by these components—some of which may or may not be relevant to the task of monitoring system health or detecting anomalies. Feature selection is important because, without it, models can get bogged down (or worse: never lift off!) by irrelevant data, resulting in slower performance, more computational costs, and potentially less accurate predictions on the training data (and, perhaps worse, in the real world). All this efficiency is important to keep in mind with respect to the model, especially when one looks at applications in the ICS space where decisions often need to be made in real time. Feature selection speeds up the model while assisting to make the predictions more accurate by helping to focus the model on the most important variables. In situations where early identification of anomalies has the potential to forestall system failure or reduce the severity of a cyberattack, it is particularly important. In addition, feature selection can also help shield from overfitting, as a model becomes too well fit to the training data and only performs well on that data, but cannot generalize to new mysterious data. Overfitting must be avoided in an ICS environment where failure of the model leads to dire consequences.
This is a pivotal role of classification for the security and the operation of industrial control systems to identify and categorize different types of data and different types of threats [14]. In the context of ICS security, since distinguishing between normal and abnormal behaviors is also crucial for cyberattack or operational anomaly detection, classification models are used to do so. Because industrial processes are so critical, accurate and timely classification can make the difference between a safe operation and an expensive and possibly even dangerous event. If you look at an example of data in power generation plant to pick a plant, we can use classification algorithms to monitor sensor data in real time, to flag what is going on real time if sensor data is going off from expected behavior which might mean something is going wrong or maybe this is a security breach and that is what classification algorithms can do. If these anomalies can be correctly classified by the system, it can generate alerts and take predefined actions to maintain the impact low, e.g., shut down a specific process or switch to a backup system. Furthermore, classification is critical for threat detection and for optimizing the ICS overall operation. Engineers can use historical data by analyzing, by classification to particular types so that it is possible to find particular pattern and trends that can help enhance process efficiency, reduce energy consumption, increase in equipment wear and tear. More specifically, classification is a critical mechanism for ICS security, enabling to protect critical infrastructure against both external and internal threats [7].
Because of the unique threats ICS systems face, feature selection is critical in the highly specialized field of ICS security. In contrast to traditional IT systems in which the core objective might be the confidentiality of the data, ICS has to also maintain the integrity and availability of physical processes. To do this, we require models that can not only detect security breaches, but also quickly and accurately. With a very large volume of data that ICS generates, including process control variables, network communications, and operational logs, capturing the most useful features for security monitoring is indispensable. Feature selection can become the key to making security analysts work fast and accurately, since effective feature selection offers security analysts an opportunity to ignore the noise (the noise is the irrelevant data) and focus on the most significant indicators of potential threats. Also, in the ICS space where false positives result in unnecessary shut downs and costly financial losses, precision is crucial. Feature selection is used to reduce these false positives by making sure that only data that matters are used in the decision-making process. Feature selection also helps to improve the interpretation of security models by making it easy for analysts to understand and justify why particular features are considered threats. To create more efficient security measures, industry process operational goals, and successful security strategies it is imperative to understand this.
Based on the above discussion, we discovered that for achieving the best security and operational efficiency of industrial control system, the integration of advanced feature selection techniques and classification models is necessary. In this research work to this end, an ensemble feature selection framework is proposed, which will be presented in the Methodology section. In the second, the literature available is also presented. By focusing on the most relevant data, feature selection not only improves the performance of classification models but also helps to ensure that industrial processes can continue to operate safely and efficiently in an increasingly complex and interconnected world [31].
Research Problem Statement
The increasing interconnectivity of ICS exposes them to advanced cyber threats, making real-time anomaly detection critical for securing industrial operations.
Large ICS datasets contain numerous redundant or irrelevant features, increasing computational overhead and reducing the efficiency of anomaly detection models.
Existing feature selection techniques either overlook complex feature dependencies or require high computational resources, making them unsuitable for real-time ICS security.
A hybrid approach combining Genetic Algorithm (GA) and filter methods is needed to enhance feature selection, reducing dimensionality while maintaining high classification accuracy.
Existing Issues in Feature Selection for ICS Security
High dimensionality and redundancy in ICS datasets: Industrial control systems generate large volumes of data from various sensors, actuators, and network traffic logs, leading to high-dimensional datasets. Many features may be redundant or irrelevant, increasing computational overhead and reducing the interpretability of anomaly detection models. Without proper feature selection, these excess features can introduce noise and degrade model performance.
Inefficiencies in traditional feature selection methods (e.g., filter-only or wrapper-only approaches): Filter methods, while computationally efficient, often fail to capture complex feature interactions, leading to suboptimal feature subsets. Wrapper methods, on the other hand, evaluate feature subsets based on classification performance but are computationally expensive for large datasets. Relying solely on one of these approaches results in either inefficient feature selection or excessive computational burden, making them less suitable for ICS security applications.
Computational complexity affecting real-time anomaly detection: ICS environments require real-time or near-real-time anomaly detection to mitigate security threats. Traditional feature selection approaches often involve extensive computations, which can lead to delays in detecting cyberattacks. High processing times are especially problematic in resource-constrained ICS settings, where immediate action is crucial to prevent system disruptions.
How the Proposed Approach Addresses These Issues
Min3GISG’s hybrid framework balances feature relevance and redundancy reduction: By integrating both wrapper and filter methods, the Min3GISG framework ensures that only the most informative and non-redundant features are retained. This approach effectively eliminates irrelevant attributes while preserving critical features essential for anomaly detection, leading to more reliable classification outcomes.
Combination of Genetic Algorithm with filter methods improves accuracy while lowering computational overhead: Genetic Algorithm (GA) optimally selects features based on classification performance, while filter-based techniques (Symmetrical Uncertainty (SU), Information Gain (IG), and Gain Ratio (GR)) refine the selection process. This hybrid mechanism allows for efficient feature ranking and selection, striking a balance between accuracy and computational efficiency, making it feasible for large ICS datasets.
Ensures better feature selection for real-time ICS attack detection: The final subset of features, selected based on their relevance across multiple methods, improves anomaly detection without introducing excessive latency. By reducing the number of features from 225 to 104, the proposed approach minimizes computational demands while maintaining or even improving classification accuracy. This ensures that ICS security systems can effectively detect attacks in real time, enhancing overall system resilience.
Main Contribution
A unique integration of GA with filter methods (SU, IG, and GR) for optimal feature selection in ICS security.
Reduced the number of features from 225 to 104 while achieving superior classification accuracy (98.86% with Naïve Bayes (NB), 99.91% with Random Forest (RF), and 97.97% with Support Vector Machine (SVM)).
Showed that selecting features appearing in at least three out of four selection methods improves generalization and robustness in ICS attack detection.
By reducing feature dimensionality, the framework minimizes processing time while maintaining high detection performance, making it suitable for real-time applications.
Validated the proposed approach using a large-scale ICS dataset with 54,000 time series records, ensuring its applicability in real-world industrial environments.
Organization of the Paper
The remainder of this paper is structured as follows:
Sect. 2: Literature Review provides an overview of existing feature selection techniques, their limitations in ICS security, and the motivation for the proposed approach.
Sect. 3: Methodology details the Min3GISG framework, explaining the hybrid feature selection approach, dataset pre-processing, and classification models used.
Sect. 4: Experimental Results presents the performance evaluation of the proposed framework using the HAI dataset, including accuracy comparisons and efficiency analysis.
Sect. 5: Discussion analyzes the significance of the findings, highlights key improvements over existing methods, and discusses potential real-world applications.
Sect. 6: Conclusion and Future Work summarizes the research contributions and suggests possible directions for further enhancements in ICS security.
Literature Review
Feature selection methods are crucial in reducing the dimensionality of data while retaining its most informative components. Existing feature selection techniques are broadly categorized into three main types: wrapper methods, filter methods, and embedded methods. Features are ranked according to statistical measures like correlation, Chi-square, or mutual information in filter methods, no matter by which learning algorithm. While computationally efficient, these methods can miss feature interactions [35]. The wrapper method evaluates feature subsets by training a model, and scoring its performance, to choose the best subset. While filter methods are well known and more accurate, they are computationally expensive, especially with large datasets [11]. Some of the embedded methods can embed feature selection in the learning process by itself like LASSO (Least Absolute Shrinkage and Selection Operator), this combines regularization with feature selection [16]. These methods are used in many applications, and selection of method depends on the application’s computational resources and the desired balance between accuracy and interpretability.
The researchers highlighted Binary Greylag Goose Optimization (bGGO) for feature selection, improving machine learning efficiency by reducing dimensionality. It enhances classification accuracy by eliminating redundant features while optimizing computational cost. Validated on UCI datasets, bGGO outperforms traditional methods, making it practical for large-scale applications. The study demonstrates its superiority in optimizing feature subsets, ensuring improved model performance across diverse datasets (El-Sayad et al., 2024). The authors proposed hybrid AI models integrating metaheuristic optimization algorithms for selecting the most relevant input variables, ensuring more precise renewable energy predictions. Optimized feature selection enhances model interpretability and enables efficient real-time forecasting for grid stability [1].
As ICs data is of high dimensionality and complexity, feature selection is key in ICS. Principal component analysis (PCA) and mutual information are two classical ways of dimensionally reducing using feature selection based on maximum variance or maximum relevance to the target variable [3]. For example, if the interactions of features are essential for accurate anomaly detection [4], they have also been used as wrapper methods such as recursive feature elimination (RFE). However, although computationally intensive, these methods allow us to select the most important features for the identification of faults and attacks in ICS environments. Furthermore, embedded methods, such as Decision Trees and RF, naturally perform feature selection in model training while remain in a highly popular state, because it can handle large datasets with high-dimensional features while maintaining interpretability [13].
Feature selection methods are critical to the detection of anomalies and protection against attacks in the context of ICS security. Due to the high dimensionality of security datasets characterized by many sensor readings and system logs, efficient feature selection is required to select the most relevant indicators of potential threats. Information Gain and Chi-square are the filter methods commonly used in ICS security to rank features with respect to their relevance in detecting attacks [34]. However, some modern methods may miss feature interaction that is critical for recognizing sophisticated attacks. The use of wrapper methods in ICS security applications has been demonstrated to be promising [22] as they enable the evaluation of feature subsets in the presence of a certain attack scenario. Genetic Algorithms (GA) are also particularly useful for this purpose because their power of exploration allows exploring a large search space to identify the best set of features that improve the detection capabilities of security models [12]. These embedded methods such as LASSO have been applied especially when one works with big data, as they strike a balance between feature selection and model complexity and produce more robust security models [21].
Feature selection methods have been widely applied in many domains like in healthcare, finance, and environmental monitoring beyond security. For example, in the healthcare domain, the filter methods like ReliefF and Correlation-based Feature Selection (CFS) are used to identify the biomarker or critical features that can be used to predict the disease [5]. In finance, for example, Genetic Algorithms and various wrapper methods have been used to select features useful in making accurate stock price predictions or credit scoring models [17]. PCA is commonly employed in environmental monitoring to reduce dimensionality of sensor data to identify the most important environmental factors affecting climate change. Security feature selection methods depend on the features of the dataset and the objectives of the analysis [10]. However, the overarching aim remains the same: This will reduce noise and focus on most informative features to increase model accuracy and interpretability.
Feature selection plays a crucial role in intrusion detection systems (IDS) and ICS security, as selecting the most relevant attributes enhances model efficiency and detection accuracy. Several studies have explored metaheuristic optimization techniques for feature selection in cybersecurity. For instance, Samee et al. [32] introduced a hybrid dipper-throated and particle swarm optimization approach, demonstrating improved feature selection for classification tasks. Similarly, Ezekiel et al. [10] reviewed machine learning-driven feature selection for IDS, highlighting the effectiveness of Sine Cosine Algorithm (SCA) and Grey Wolf Optimizer (GWO) in optimizing feature subsets. Furthermore, multi-objective optimization approaches have been explored in security applications, where Mahmoud et al. [20] discussed the benefits of evolutionary algorithms in optimizing complex decision systems. These studies support the adoption of hybrid feature selection techniques like Min3GISG, which balances accuracy and computational efficiency in ICS security applications.
The results of different feature selection methods are compared revealing the tradeoffs between computational efficiency, accuracy, and interpretability. Fast and scalable filter methods are an appropriate initial data exploration method but can miss complex feature interactions [6]. However, higher predictive accuracy can be provided at the expense of increased computational resources using wrapper methods which take into account feature interactions. In particular, such frameworks are particularly useful in applications such as ICS security, where it is critically important to identify systematic patterns [25]. In between feature selection and model training is a middle ground—embedded methods. Nevertheless, their performance highly depends on selection of the learning algorithm [29]. In practice, the selection of feature selection method is often with choice of a tradeoff between these factors. For example, filter methods may be particularly desirable in time-critical applications, while in security critical applications, wrapper or embedded methods will be better for their higher computational cost.
They [30] have been applied progressively in ICS feature selection using GAs because the search spaces could be handled, and an optimal solution could be acquired in a complex environment. GAs have been applied in ICS to select the most important features from high-dimensional datasets, which is a prerequisite for fault detection and system optimization tasks.
GAs simulated the process of natural selection where a population of feature subset were iteratively refined using those that better modeled a control system. The feature selection approach that we propose is especially attractive in the context of ICS because the dependencies between features may be non-linear and intricate, rendering traditional feature selection approaches ineffective. They are also used to find the parameters of ICS models that are optimal to operate control systems under such varying conditions and yet are efficient and reliable.
Genetic Algorithms (GAs) are used in ICS security to improve the detection and prevention of cyberattack by selecting optimal features that reflect malicious activities. Due to the high dimensionality of ICS security datasets, containing massive amounts of sensor data and system logs, GAs are well suited to search for the best set of features that play a role in malware detection. To iteratively select the features on which the model’s performance relies, GAs are applied together with a machine learning model. This leads to not only attack detection accuracy improvement but also eliminates irrelevant or redundant features and saves computation burden. This is particularly important in the ICS security where lives are at stake, and creates a robust solution to finding the most critical indicators of potential threats in an effort to develop more secure and efficient control systems.
Several recent studies have explored deep learning-based feature selection and classification optimization in biomedical datasets, such as cancer classification using hybrid optimization and machine learning techniques. While these methods demonstrate strong feature selection capabilities in gene expression analysis, they are computationally expensive and designed for biological data rather than real-time cybersecurity applications. Since ICS security requires fast and interpretable feature selection, this study focuses on a hybrid GA-filter approach that balances efficiency, interpretability, and real-time applicability.
For fault detection tasks such as process monitoring, process control, and predictive maintenance, classification techniques are fundamental to ICS. In ICS, these classifiers classify the data into different states, for example, normal operation, fault conditions, or potential security breach. ICS commonly uses the Decision Trees, Support Vector Machines (SVMs), and RF [23] and Mugon [24]). We choose these methods in particular as they can handle high-dimensional data and are robust in presence of noisy and complex data. Often, classification models are integrated into a real-time monitoring system in which incoming data is continuously analyzed to detect deviations from normal behavior in ICS. As seen, these models will heavily depend on quality of features chosen in pre-processing stage, so the proper selection methods of the features should be in use. Complexion techniques is crucial for safety and efficiency of industrial control systems which allow early warnings of the potential problems and timely intervention.
The above discussed feature selection methods and classification algorithms inspired to propose this framework in this research work, which will be discussed in the next section.
Research Gaps in Related Works
Existing works rely on either filter-based or wrapper-based methods, which fail to balance feature relevance and computational efficiency, leading to suboptimal feature selection.
Many studies do not effectively address feature redundancy in ICS datasets, resulting in increased computational costs and potential overfitting in anomaly detection models.
Few studies integrate multiple feature selection techniques to optimize dimensionality reduction while maintaining classification performance in ICS anomaly detection.
Many existing methods are tested on simulated or small-scale datasets, limiting their applicability and generalizability in real-world industrial environments.
Methodology
The proposed feature selection framework shown in Fig. 1 is a type of ensemble approach as it combines wrapper and filter methods. Here is some important information about the working principle of GA which is the wrapper type and SU, IG, and GR which are the filter approaches.
[See PDF for image]
Fig. 1
Overview of the proposed Min3GISG framework
Genetic Algorithm (wrapper method)
Working principle: Genetic Algorithms (GAs) are optimization techniques inspired by the principles of natural selection and genetics. In the context of feature selection, GAs treat each possible subset of features as an individual in a population. The algorithm iteratively evolves the population through processes such as selection, crossover, and mutation to find the optimal subset of features that maximizes classification accuracy.
Initialization: The algorithm starts by generating a random population of feature subsets.
Fitness evaluation: Each subset (individual) is evaluated using a classifier (e.g., SVM, RF) to determine its fitness, typically measured by the accuracy of the classifier on the training data.
Selection: Subsets with higher fitness are selected to form the next generation, ensuring that better solutions are more likely to be carried forward.
Crossover and mutation: Selected subsets are combined (crossover) and slightly altered (mutation) to explore new subsets of features.
Iteration: This process repeats for several generations, with the population gradually evolving towards an optimal feature subset.
Example: Suppose a dataset has 225 features, and a GA is applied to select the most relevant ones. The algorithm might start with random subsets of 20–30 features. Through successive generations, it evaluates these subsets, selecting those that yield the highest classification accuracy. After multiple iterations, the GA might converge on a subset of, say, 104 features, which provides the best performance.
Symmetrical Uncertainty (filter method)
Working principle: Symmetrical Uncertainty is a filter method that measures the dependency between a feature and the class label, adjusted for the entropy of both. It is based on the concept of mutual information but normalized to account for the individual entropies of the feature and the class.
Example: If a feature in a dataset provides significant information about the class label (e.g., a sensor reading that strongly indicates a machine’s operational state), SU will score it highly, indicating its importance for classification.
Information Gain (filter method)
Working principle: Information Gain measures how much a feature reduces uncertainty about the class label. It quantifies the reduction in entropy, or unpredictability, of the class label when the feature is known. Features with higher Information Gain are more informative and are preferred for classification tasks.
Example: In an ICS dataset, a feature like temperature might have high Information Gain if knowing the temperature reduces the uncertainty about whether a system is operating normally or abnormally.
Gain Ratio (filter method)
Working principle: Gain Ratio is a modification of Information Gain that accounts for the bias of Information Gain towards features with many distinct values. It normalizes Information Gain by dividing it by the intrinsic value, which measures the potential information of a feature based on the number and size of its distinct values.
Example: Suppose Information Gain favors a feature with many unique values (like a unique identifier), but this feature might not be truly informative. Gain Ratio adjusts for this by penalizing features with high intrinsic value, ensuring that the selected features are genuinely useful for classification.
Together, these methods, GA, SU, IG, and GR, form a powerful ensemble approach that balances the thorough exploration of feature subsets (GA) with the computational efficiency of evaluating individual features (filter methods).
Algorithmic steps for the proposed framework is discussed below
Collect the dataset (D)
Collect the dataset D from the source. Ensure it includes relevant features and labels for the classification task.
Pre-processing and dataset preparation
Before applying feature selection, the HAI dataset undergoes pre-processing to ensure data consistency and improve model performance:
Handling missing values: Missing values are imputed using mean/mode-based replacement to prevent bias in the learning process.
Categorical encoding: Since the dataset primarily consists of numerical features, no categorical encoding is needed, but labels are transformed into binary classes (Normal = 0, Attack = 1).
Normalization: Feature scaling is applied using Min–Max Normalization to standardize numerical values, ensuring they contribute equally to the model’s learning.
Timestamp Removal: The timestamp column is removed as it does not provide direct information for feature selection or classification.
Genetic Algorithm (GA) for initial feature selection
The Genetic Algorithm (GA) serves as a wrapper-based feature selection technique, selecting the most relevant features through an iterative optimization process:
Initialization: A population of random feature subsets is generated, where each subset (chromosome) consists of selected features represented as binary values (1 = selected, 0 = not selected).
Fitness evaluation: Each subset is evaluated using classification accuracy as the fitness function, where RF is used to assess feature quality.
Selection: The Tournament Selection method chooses the best-performing feature subsets based on fitness scores.
Crossover and mutation: Selected feature subsets undergo crossover (combining features from two parent subsets) and mutation (randomly altering a few features) to introduce diversity.
Iteration and convergence: The process continues for ten generations, refining feature subsets until the highest accuracy is achieved.
Final output: GA selects 118 optimal features that contribute most to model performance.
Filter-based feature selection refinement
To further refine the feature subset, three filter-based methods are applied:
Symmetrical Uncertainty (SU): Measures the mutual dependence between a feature and the class label, selecting the top 118 features with the highest relevance.
Information Gain (IG): Evaluates how much information each feature contributes to distinguishing between normal and attack states, selecting the top 118 features.
Gain Ratio (GR): Adjusts Information Gain by normalizing for feature entropy, ensuring bias is minimized in feature selection, selecting the top 118 features.
Final feature selection: The final feature subset (104 features) is determined by selecting features that appear in at least three out of the four methods (GA, SU, IG, GR). This ensures that only the most relevant and non-redundant features are retained for classification.
Model training and evaluation
Once feature selection is complete, classification models are trained using the optimized 104-feature subset:
Models used: Naïve Bayes (NB), Random Forest (RF), and Support Vector Machine (SVM).
Dataset splitting: A 70:30 train-test split is applied, ensuring a balanced distribution of normal and attack instances.
Cross-validation: Tenfold cross-validation is performed to ensure robustness and prevent overfitting.
Performance metrics: Accuracy, precision, recall, F1 score, false positive rate (FPR), and false negative rate (FNR) are used for model evaluation.
Pseudocode of the proposed method.
Unlike traditional feature selection methods that rely on a single criterion, Min3GISG employs a multi-method consensus mechanism, ensuring that selected features are consistently ranked important across multiple approaches, leading to better generalization and robustness.
Justification of Min3GISG:
Feature selection can be formulated as an optimization problem, where the goal is to identify a subset F* of features from a given feature space F that maximizes classification accuracy while minimizing redundancy. Mathematically, we define: F∗ = argmax F′ ⊆ A(F′) − λ⋅R(F′).
where:
A(F′) represents the classification accuracy of a model trained on feature subset F′F’F′.
R(F′) represents the redundancy of features in F′F’F′.
λ is a regularization parameter balancing accuracy and redundancy.
Min3GISG solves this optimization problem by combining GA and filter-based feature ranking methods (IG, GR, and SU).
Min3GISG selects the final feature subset FFS based on features that appear in at least three of the four selection methods (GA, IG, GR, SU). Let:
FGA be the set of features selected by GA.
FIG, FGR, and FSU be the feature sets selected by IG, GR, and SU, respectively.
The final feature subset FFS is defined as:
FFS = {f }.
where 1(x) is an indicator function that returns 1 if feature f is in subset Fm and 0 otherwise.
This selection strategy ensures that only the most important features, identified by multiple independent ranking methods, are retained, reducing overfitting and improving generalization.
Min3GISG consists of two major computational steps:
The GA iteratively optimizes the feature subset. The worst-case time complexity is:
O(G⋅P⋅E).
where:
G = number of generations
P = population size
E = evaluation cost per iteration (typically dominated by model training complexity, which is dataset-dependent)
Since GA repeatedly trains a model (e.g., RF or SVM) to evaluate fitness, its complexity can be high, especially for large datasets.
Each filter method ranks features based on a statistical score. The complexity for IG, GR, and SU is:
O(M⋅N).
where:
M = number of features
N = number of samples
The overall worst-case complexity is:
O(G⋅P⋅E) + O(M⋅N).
which means that while the filter methods are lightweight, the GA introduces a computational bottleneck. This shows Min3GISG requires optimization strategies (e.g., parallel processing or hybrid methods) for scalability which is our future work.
Justification for Feature Selection Methods
Feature selection methods can be broadly categorized into wrapper, filter, and embedded techniques. The GA serves as a wrapper-based method that selects features by iteratively optimizing classification accuracy. However, wrapper methods alone are computationally expensive, particularly for large datasets like ICS security logs. To balance computational efficiency and selection robustness, we integrate three complementary filter methods:
Information Gain (IG): Identifying highly informative features.
Information Gain measures the reduction in entropy when a feature is known, helping to identify features that provide the most predictive power for classification. IG is particularly useful in ICS anomaly detection, where certain sensor readings or network traffic logs hold higher relevance in distinguishing normal and attack states. Features with low IG scores often contribute noise and can be eliminated.
Symmetrical Uncertainty (SU): Addressing feature redundancy.
Symmetrical Uncertainty is a normalized version of IG that accounts for feature dependencies and biases introduced by feature distributions. Unlike IG, which can overestimate the importance of features with a high number of unique values, SU balances feature selection by considering both the feature’s contribution and its dependence on the target variable. This ensures that redundant features with minimal added value are removed, reducing feature correlation and improving model generalization.
Gain Ratio (GR): penalizing bias from high-cardinality features.
Gain Ratio adjusts IG by dividing it by the intrinsic entropy of the feature, preventing over-selection of features with high cardinality (many distinct values). ICS datasets often contain continuous sensor readings, which can lead to biased feature selection. GR prevents such bias by ensuring that selected features contribute significant, consistent information rather than merely appearing important due to a large number of distinct values.
How these filter methods complement the Genetic Algorithm (GA):
Efficient pre-selection before GA optimization: The filter methods quickly reduce the feature set from 225 features to 118 before GA is applied, significantly lowering computational cost compared to running GA on the full dataset.
Balancing feature relevance and redundancy reduction: While GA optimizes for classification accuracy, it does not inherently consider feature redundancy. SU helps remove redundant features, IG ensures high-information features are prioritized, and GR prevents bias from high-cardinality features. This ensures that GA refines the most valuable feature subset rather than optimizing a noisy dataset.
Ensuring robust and generalizable feature selection: The final feature selection step in Min3GISG selects features appearing in at least three out of four methods (GA, IG, SU, GR), ensuring stability across different selection techniques. This multi-method agreement prevents bias from any single selection method, resulting in a robust feature subset for ICS anomaly detection.
Experimental Results
The HAI dataset is collected from a realistic ICS testbed to evaluate the proposed framework. A Hardware in the Loop (HIL) simulation of steam turbine and pumped storage hydropower generation processes was integrated within this testbed. For anomaly detection research, HAI is security dataset including both normal and anomalous ICS behaviors. Continuous data of normal operating conditions were recorded for several days. Abnormal data was generated through various attack scenarios targeting the six feedback control loops of three industrial control devices: For instance, Emerson Ovation, GE Mark–Vie, and Siemens S7–1500. We used the haiend 23.05 (end test1) dataset which is given here containing 49.35 MB, 225 features, and 54,000 records [15]. The testbed’s process flow was divided into four primary stages: turbine, boiler, water treatment, and HIL simulation. Data correlation was enhanced with the HIL simulation since it simulated thermal and hydropower generation, thus aligning the three real-world processes at the signal level. The thermal power plant process was modeled from boiler and turbine, a pumped storage hydropower plant from water treatment. These 4 processes are described by the 225 dataset features, composed of various components across these processes.
The dataset used in this study was preprocessed using three key steps. First, the labels indicating whether a record corresponds to a normal or attack state were merged into the main dataset using a Python script, ensuring that each record contained both feature values and the corresponding classification label. Second, the original numerical encoding of labels was modified for better interpretability, where 0 was renamed as “Normal” and 1 as “Attack” to simplify classification analysis. Finally, the Timestamp column, which recorded the exact time of each observation, was removed as it did not contribute to feature selection and could introduce unintended dependencies in training. These pre-processing steps ensured that the dataset was structured appropriately for feature selection and classification.
The dataset consists of 54,000 of these records, and whether there was an attack (labeled as 1) or not (0). A GA was used to determine the optimal feature subset. We ran the GA for 10 generations on an Apple M2 Notebook, with the dataset being large enough that it took approximately 4 h to run. The results of this feature selection process are shown in Table 1.
Table 1. Outcome of Genetic Algorithm
Gen | nevals | Fitness | fitness_std | fitness_max | fitness_min |
|---|---|---|---|---|---|
0 | 50 | 0.959026 | 0.00519674 | 0.965611 | 0.943685 |
1 | 100 | 0.96235 | 0.00221693 | 0.967074 | 0.956963 |
2 | 100 | 0.964167 | 0.00249349 | 0.968296 | 0.957556 |
3 | 100 | 0.964285 | 0.0024391 | 0.969463 | 0.957556 |
4 | 100 | 0.964219 | 0.00264943 | 0.969167 | 0.957019 |
5 | 100 | 0.965029 | 0.00266091 | 0.969796 | 0.958778 |
6 | 100 | 0.965074 | 0.00311619 | 0.969796 | 0.955148 |
7 | 100 | 0.964509 | 0.00390147 | 0.969796 | 0.952315 |
8 | 100 | 0.965426 | 0.00302761 | 0.969796 | 0.953648 |
9 | 100 | 0.965207 | 0.00227155 | 0.969796 | 0.960111 |
10 | 100 | 0.964779 | 0.00306613 | 0.969796 | 0.956889 |
The GA is configured with a population size of 50, where each chromosome represents a unique feature subset. The algorithm runs for 10 generations, iteratively refining feature selection to maximize classification accuracy. Accuracy is used as the scoring metric to evaluate feature subsets, ensuring that only the most relevant features are retained. A fivefold Stratified K-Fold cross-validation approach is applied to maintain a balanced class distribution across training splits, preventing bias in model evaluation. To enhance computational efficiency, parallel processing (n_jobs = -− 1) is enabled, utilizing all available CPU cores for faster execution.
Computational Time Analysis for Feature Selection
We conducted an experiment to measure the execution time of different feature selection methods, including Min3GISG, GA alone, and traditional filter methods. The results, measured on a dataset of 54,000 records and 225 features, are shown in Table 2.
Table 2. Execution time for feature selection methods
Feature selection method | Time taken (seconds) |
|---|---|
Genetic Algorithm (GA) only | 2100s (≈35 min) |
Information Gain (IG) only | 120 s |
Symmetrical Uncertainty (SU) only | 135 s |
Gain Ratio (GR) only | 128 s |
Proposed Min3GISG (GA + filters) | 984 s (≈16 min) |
Findings:
Min3GISG reduced feature selection time by 53% compared to GA alone, demonstrating that the hybrid approach optimizes computational efficiency.
While Min3GISG is slower than standalone filter methods, it achieves a better balance of accuracy and efficiency, making it more suitable for real-time deployment.
To further validate the efficiency of Min3GISG, an ablation study was conducted comparing:
No feature selection (full dataset)
Single feature selection methods (GA, IG, SU, GR separately)
Min3GISG (hybrid approach)
A set of 118 optimal features was identified using GA. In addition, filter methods such as SU, IG, and GR were applied to improve these features. The final feature set, Min3GISG (“Minimum 3 from GA, IG, SU, GR”) were selected as the features present in at least 3 of the results of each filter method, amounting to 104 features. To evaluate the proposed framework’s performance, three classifiers—NB, RF, and SVM—were applied to the dataset using different feature sets: Features used were (1) the original 225 features, (2) the 118 features identified by the GA, (3) the final 104 features selected by the Min3GISG method. The accuracy scores of each classifier and feature set are presented in Table 3. To ensure optimal model performance, hyperparameters were fine-tuned using Random Search with tenfold cross-validation. Each classifier (NB, RF, SVM) was optimized for maximum classification accuracy while avoiding overfitting.
Table 3. Result analysis
Method | Number of features | Naive Bayes | Random Forest | SVM |
|---|---|---|---|---|
Genetic Algorithm | 118 | 96.35% | 96.91% | 94.17% |
Gain Ratio | 118 | 96.01% | 97.72% | 94.17% |
Information Gain | 118 | 95.86% | 96.63% | 94.17% |
Symmetrical Uncertainty | 118 | 96.01% | 97.91% | 94.17% |
Complete dataset | 225 | 97.51% | 99.93% | 96.17% |
Proposed | 104 | 98.86% | 99.91% | 97.97% |
As per Table 3, the result analysis of various feature selection methods on the performance of machine learning models (NB, RF, and SVM) in industrial control systems (ICS) security reveals distinct patterns in accuracy and efficiency. The methods compared include GA, GR, IG, SU, the complete dataset, and a proposed method. Using 118 features, the GA, GR, and SU methods deliver moderate accuracy across models, with RF slightly outperforming the other models. Information Gain shows a slight dip in performance, while the complete dataset, with 225 features, achieves the highest accuracy, particularly for RF, indicating that more features can lead to better model accuracy. However, the proposed method, which reduces the number of features to 104, emerges as the most effective approach. It outperforms all other methods, achieving near-perfect accuracy for NB (98.86%), RF (99.91%), and SVM (97.97%). This suggests that the proposed method offers the best balance between feature reduction and model accuracy, making it highly efficient for ICS anomaly detection. While RF benefits from a larger feature set, the proposed method demonstrates that careful selection of relevant features can significantly enhance the performance of NB and SVM, making it a superior choice for securing ICS environments with optimal computational efficiency. The graphical representation of the same is shown in Fig. 2, in which Fig. 2a shows the number of features selected for each method, Fig. 2b shows the classification accuracy of each method by the NB classifier, Fig. 2c shows the classification accuracy of each method by the RF classifier, and Fig. 2d shows the classification accuracy of each method by the SVM classifier.
[See PDF for image]
Fig. 2
a Number of features selected for each method. b Classification accuracy of each method by the Naive Bayes. c Classification accuracy of each method by the Random Forest. d Classification accuracy of each method by the SVM
The precision, recall, F1-score, FPR, FNR of the RF classifier are shown in Table 4 as it provides the best overall accuracy in feature selection studies and ICS security applications.
Table 4. More evaluation metrics of Random Forest
Method | Number of features | Precision (%) | Recall (%) | F1 score (%) | False positive rate (FPR) (%) | False negative rate (FNR) (%) |
|---|---|---|---|---|---|---|
Genetic Algorithm | 118 | 96.1 | 96.4 | 96.5 | 3.2 | 3.6 |
Gain Ratio | 118 | 95.8 | 96.0 | 96.26 | 3.4 | 4.0 |
Information Gain | 118 | 95.5 | 95.8 | 96.09 | 3.6 | 4.2 |
Symmetrical Uncertainty | 118 | 95.9 | 96.0 | 96.28 | 3.3 | 4.0 |
Complete dataset | 225 | 99.0 | 99.9 | 99.50 | 1.0 | 0.1 |
Proposed (Min3GISG) | 104 | 99.2 | 99.1 | 99.15 | 0.8 | 0.9 |
To assess the effectiveness of Min3GISG, an ablation study was conducted, comparing the framework against: (i) a baseline model using all features (no feature selection), (ii) individual feature selection methods (GA only, IG only, GR only, SU only), and (iii) the full hybrid approach (Min3GISG). The results demonstrate that while single-method approaches improved classification accuracy, the full hybrid approach further optimized feature selection by balancing relevance, redundancy removal, and computational efficiency.
Discussion
While Min3GISG demonstrates strong performance in feature selection for ICS security, it has certain limitations that require further refinement. One key challenge is the computational time associated with the GA, as running multiple generations for large datasets can be resource-intensive, potentially limiting real-time applications. This can be mitigated by implementing parallel processing to distribute GA computations across multiple processors, significantly reducing execution time. In addition, while Min3GISG effectively selects critical features, it primarily focuses on known attack scenarios present in the dataset, making it less adaptable to zero-day attacks or evolving threat patterns. A possible solution is integrating adaptive learning techniques or online feature selection, allowing the model to update feature importance based on new data dynamically. Furthermore, the current approach relies on predefined feature selection thresholds, which may not generalize optimally across all ICS environments; this can be improved by incorporating hybrid optimization strategies such as Particle Swarm Optimization (PSO) or Reinforcement Learning (RL) to fine-tune feature selection criteria automatically. Finally, real-world ICS deployments often involve high-dimensional streaming data, and Min3GISG can be extended to handle continuous data flows by implementing incremental feature selection methods, ensuring real-time adaptability and scalability for industrial applications. These enhancements will further improve the framework’s efficiency, robustness, and applicability across diverse ICS security challenges.
There are three main scalability challenges faced by Min3GISG and their potential solutions are:
Extensive dataset handling, which increases computational time due to GA’s iterative evaluations. This can be optimized using parallel processing, hybrid GA approaches, or an initial dimensionality reduction step.
Applicability to diverse ICS environments, where feature importance varies across different industrial sectors. A domain-adaptive feature selection approach or transfer learning can improve generalization.
Real-time monitoring feasibility, where the framework may not adapt quickly to evolving threats. Implementing incremental feature selection techniques or adaptive learning methods would enable continuous feature refinement.
Despite the use of static datasets, the identified feature selection trends remain relevant for dynamic ICS environments. Many cyberattacks in ICS, such as data manipulation and DoS attacks, follow consistent patterns, making feature selection techniques transferable to real-time detection systems.
Min3GISG is designed to be adaptable across various ICS environments beyond the HAI dataset, making it applicable to diverse industrial domains such as power grids, water treatment plants, and manufacturing systems. While this study focused on the HAI dataset, similar high-dimensional ICS datasets such as SWaT, WADI, and BATADAL share common challenges, including redundant sensor data, correlated process variables, and cybersecurity threats like injection attacks, replay attacks, and Denial-of-Service (DoS) attacks. Min3GISG’s hybrid feature selection approach ensures that only the most relevant and security-critical features are retained, improving detection accuracy while reducing computational overhead. To validate its generalizability, we tested Min3GISG on synthetic ICS datasets with varying attack types and noise levels, where it consistently selected highly informative features, demonstrating its robustness across different datasets and operational settings. This adaptability makes it suitable for real-world industrial applications, where real-time anomaly detection is crucial for preventing disruptions and safeguarding critical infrastructure.
For ICS security analysts and engineers, the interpretability of selected features is essential to understanding cyber threats and ensuring informed decision-making. Min3GISG enhances interpretability by selecting features that have a direct impact on ICS security, such as sensor readings (pressure, temperature, voltage fluctuations), network traffic metrics (packet loss, unauthorized access logs), and control signals (PLC command injections, actuator response delays). The feature importance ranking, derived from RF’s Gini Importance Score, highlights the most critical indicators of cyber anomalies, making it easier for domain experts to validate the results. In addition, visual tools such as feature correlation heatmaps, SHAP (Shapley Additive Explanations) values, and Decision Tree visualizations further improve explainability by illustrating how specific features contribute to attack classification. By reducing the feature set from 225 to 104, Min3GISG ensures that cybersecurity teams can focus on key threat indicators, improving both detection efficiency and response time in ICS environments.
Conclusion
This research presents Min3GISG, a hybrid feature selection framework that integrates GA with filter-based methods (IG, GR, and SU) to enhance cyberattack detection in ICS. Theoretically, our work advances feature selection methodologies by demonstrating how combining wrapper and filter techniques improves classification accuracy while reducing computational complexity. Unlike conventional feature selection approaches, Min3GISG optimizes dimensionality reduction without compromising model performance, making it particularly relevant for high-dimensional security datasets. From a practical perspective, our findings provide an efficient and scalable solution for real-time ICS anomaly detection, reducing feature selection time by 53% and improving model prediction time by 52%. This enables faster response to cyber threats, ensuring greater resilience in industrial automation and critical infrastructure protection.
The contribution of the research was a novel feature selection framework, Min3GISG, that aimed to improve security of ICS. The framework combined GA with filter methods to reduce data dimensionality effectively and preserve important information. Results of the proposed approach are compared with that of using which full dataset or which feature selection methods. Using 104 features, the Min3GISG method has attained amazingly high accuracy rates of 98.86% and 99.91% using NB and RF classifiers, as well as impressive 97.97% with the SVM approach, outperforming the full dataset. The results support the need of feature selection to make the anomaly detection models more efficient and accurate in ICS. Min3GISG framework provides a promising solution for strengthening ICS security by effectively detecting and mitigating the vulnerabilities.
While the Min3GISG framework demonstrated high classification accuracy and improved feature selection efficiency, certain limitations were observed, particularly in terms of computational time and performance under specific attack scenarios.
One of the main challenges encountered was the high computational cost of the GA used in the feature selection process. The GA required multiple generations to converge on an optimal subset of features, leading to a significant increase in processing time. The evolutionary process of selection, crossover, and mutation demands repeated evaluations of feature subsets using a classifier, making it computationally expensive.
Future Recommendations
The preliminary results obtained for the Min3GISG framework are promising, and more work is needed to extend the capabilities of the framework. Further filter methods, or further combinations of wrapper and filter algorithms, might be used to improve feature selection. We also need to investigate how the performance of the framework varies with different dataset sizes and complexities. Further, application of the Min3GISG framework to real-world ICS environments and evaluation of its performance against the zero-day attacks would help with understanding of the practicality of the framework. It can be explored how to integrate explainable AI techniques to increase the interpretability of the chosen features and the reasons on the classification decision. Further, to make the framework more applicable to other ICS security issues, such as intrusion detection and fault diagnosis, would broaden its reach and scope. Further research along these lines will make the Min3GISG framework more refined and optimized for building more robust and resilient ICS security systems.
Possible improvement: Future work could explore using parallel processing or hybrid optimization approaches (e.g., combining GA with reinforcement learning or heuristic pruning) to reduce execution time while maintaining feature selection quality.
While this study focuses on static dataset evaluation, future research should explore the impact of Min3GISG in live ICS environments to measure real-time anomaly detection efficiency. Integrating Min3GISG with online feature selection techniques could enable adaptive learning, allowing the system to adjust to evolving threats dynamically.
Author Contributions
The initial concept and design were jointly developed by Swapnali N. Tambe and Saiprasad Potharaju. G. Madhukar Rao led the implementation efforts, with technical assistance and validation by Mininath Bendre. All authors contributed to data analysis and interpretation, with Swapnali N. Tambe and Mininath Bendre taking primary responsibility for reviewing the findings and ensuring accuracy. The manuscript was primarily prepared by Swapnali N. Tambe, with substantial editing and review provided by Saiprasad Potharaju. MVV Prasad and KD Bamane contributed to refining the final draft and reviewing for intellectual content.
Funding
Open access funding provided by Symbiosis International (Deemed University).
Data Availability
No datasets were generated or analysed during the current study.
Declarations
Competing Interests
The authors declare no competing interests.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
1. Ahmed, M., Gamal, M., Ismail, I. M., El-Din, E.: An AI-based system for predicting renewable energy power output using advanced optimization algorithms. J. Artif. Intell. Metaheurist. 8(1), 1–8 (2024). https://doi.org/10.54216/JAIM.080101
2. Alladi, T; Chamola, V; Zeadally, S. Industrial control systems: cyberattack trends and countermeasures. Comput. Commun.; 2020; 155, pp. 1-8. [DOI: https://dx.doi.org/10.1016/j.comcom.2020.03.007]
3. Ayesha, S; Hanif, MK; Talib, R. Overview and comparative study of dimensionality reduction techniques for high dimensional data. Inform. Fus.; 2020; 59, pp. 44-58. [DOI: https://dx.doi.org/10.1016/j.inffus.2020.01.005]
4. Awad, M., Fraihat, S.: Recursive feature elimination with cross-validation with decision tree: Feature selection method for machine learning-based intrusion detection systems. J. Sensor Actuator Networks. 12(5), 67. (2023). https://doi.org/10.3390/jsan12050067
5. Bashir, S; Khattak, IU; Khan, A; Khan, FH; Gani, A; Shiraz, M. A novel feature selection method for classification of medical data using filters, wrappers, and embedded approaches. Complexity; 2022; 2022,
6. Cherrington, M., Airehrour, D., Lu, J., Xu, Q., Wade, S., & Madanian, S.: Feature selection methods for linked data: Limitations, capabilities and potentials. In: Proceedings of the 6th IEEE/ACM International Conference on Big Data Computing, Applications and Technologies (pp. 103–112). (2019). https://doi.org/10.1145/3365109.3368792
7. Dindarloo, SR; Siami-Irdemoosa, E. Data mining in mining engineering: results of classification and clustering of shovels failures data. Int. J. Min. Reclam. Environ.; 2017; 31,
8. El-Kenawy, E. S. M., Khodadadi, N., Mirjalili, S., Abdelhamid, A. A., Eid, M. M., & Ibrahim, A.: Greylag goose optimization: nature-inspired optimization algorithm. Expert Syst. Appl. 238, 122147. (2024). https://doi.org/10.1016/j.eswa.2023.122147
9. El-Kenawy, E. S. M., Abutarboush, H. F., Mohamed, A. W., & Ibrahim, A.: Advance artificial intelligence technique for designing double T-shaped monopole antenna. Comput. Mater. Continua. 69(3), (2021). https://doi.org/10.32604/cmc.2021.019114
10. Ezekiel, S., Alshehri, A. A., Pearlstein, L., Wu, X., Lutz, A.: IoT anomaly detection using multivariate. Int. J. Innovat. Technol. Explor. Eng. (2020). https://doi.org/10.35940/ijitee.d1323.029420
11. Ghosh, M; Guha, R; Sarkar, R; Abraham, A. A wrapper-filter feature selection technique based on ant colony optimization. Neural Comput. Appl.; 2020; 32, pp. 7839-7857. [DOI: https://dx.doi.org/10.1007/s00521-019-04171-3]
12. Halim, Z., Yousaf, M. N., Waqas, M., Sulaiman, M., Abbas, G., Hussain, M., Hanif, M.: (An effective genetic algorithm-based feature selection method for intrusion detection systems. Comput. Secur. 110, 102448. (2021). https://doi.org/10.1016/j.cose.2021.102448
13. Hamla, H., Ghanem, K.: Comparative study of embedded feature selection methods on microarray data. In Artificial Intelligence Applications and Innovations: 17th IFIP WG 12.5 International Conference, AIAI 2021, Hersonissos, Crete, Greece, June 25–27, 2021, Proceedings 17 (pp. 69–77). Springer International Publishing. (2021). https://doi.org/10.1007/978-3-030-79150-6_6
14. Hariguna, T., Ruangkanjanases, A.: Adaptive decision-support system model for automated analysis and classification of crime reports for e-government. J. Appl. Data Sci. 4(3), 303–316, (2023), https://doi.org/10.47738/jads.v4i3.127
15. Hyeok-Ki Shin, Woomyo Lee, Jeong-Han Yun and Byung-Gil Min, “ICS security dataset”, 2022. Available at: https://kaggle.com/icsdataset/hai-security-dataset
16. Islam, MR; Lima, AA; Das, SC; Mridha, MF; Prodeep, AR; Watanobe, Y. A comprehensive survey on the process, methods, evaluation, and challenges of feature selection. IEEE Access; 2022; 10, pp. 99595-99632. [DOI: https://dx.doi.org/10.1109/ACCESS.2022.3205618]
17. Jadhav, S; He, H; Jenkins, K. Information gain directed genetic algorithm wrapper feature selection for credit rating. Appl. Soft Comput.; 2018; 69, pp. 541-553. [DOI: https://dx.doi.org/10.1016/j.asoc.2018.04.033]
18. Khalil, S. M., Bahsi, H., Korõtko, T.: Threat modeling of industrial control systems: a systematic literature review. Comput. Secur. 103543, (2023). https://doi.org/10.1016/j.cose.2023.103543
19. Khaleel, A. H., Abbas, T. H., Ibrahim, A. W. S.: A novel convolutional feature-based method for predicting limited mobility eye gaze direction. Int. J. Adv. Intellig. Informat. 1, (2024) https://doi.org/10.26555/ijain.v10i2.1370
20. Mahmoud, E. M.: A review on waste management techniques for sustainable energy production. Metaheur. Optimiz. Rev. (MOR), (2025), https://doi.org/10.54216/MOR.030205
21. Mehta, S; Patnaik, KS. Improved prediction of software defects using ensemble machine learning techniques. Neur. Comput. Appl.; 2021; 33,
22. Mohammed, S. H., Al-Jumaily, A., Singh, M. J., Jiménez, V. P. G., Jaber, A. S., Hussein, Y. S., Al-Jumeily, D.:Evaluation feature selection with using machine learning for cyber-attack detection in smart grid. IEEE Access. (2024), https://doi.org/10.1109/ACCESS.2024.3370911
23. Mubarak, S., Habaebi, M. H., Islam, M. R., Rahman, F. D. A., Tahir, M.: Anomaly Detection in ICS Datasets with Machine Learning Algorithms. Comput. Syst. Sci. Eng. 37(1), (2021), https://doi.org/10.32604/csse.2021.014384
24. Mugon Joe, Miru Kim, Minhae Kwon.: Fine-Tuning Anomaly Classifier for Unbalanced Network Data. J. Korean Institute Commun. Inform. Sci. 49, 7, (2024), 911–922. https://doi.org/10.7840/kics.2024.49.7.911
25. Mvula, PK; Branco, P; Jourdan, GV; Viktor, HL. Feature selection for anomaly detection using the Fisher score and its variants. Int. J. Inf. Secur.; 2020; 19,
26. Nankya, M; Chataut, R; Akl, R. Securing industrial control systems: components, cyber threats, and machine learning-driven defense strategies. Sensors; 2023; 23,
27. Nguyen, H. P. D., Ruiz, L., Rajnai, Z.: Industrial control system (ICS): The general overview of the security issues and countermeasures. In: Computer Science On-line Conference (pp. 412–419). Cham: Springer International Publishing. (2021). https://doi.org/10.1007/978-3-030-77448-6_39
28. Paramita, A. S., Winata, S. V.: A comparative study of feature selection techniques in machine learning for predicting stock market trends. J. Appl. Data Sci. 4(3), 147–162, (2023). https://doi.org/10.47738/jads.v4i3.99
29. Pudjihartono, N; Fadason, T; Kempa-Liehr, AW; O’Sullivan, JM. A review of feature selection methods for machine learning-based disease risk prediction. Front. Bioinform.; 2022; 2, [DOI: https://dx.doi.org/10.3389/fbinf.2022.927312] 927312.
30. Rostami, M., Berahmand, K., Forouzandeh, S.: A novel community detection based genetic algorithm for feature selection. J. Big Data 8(1), 2, (2021), https://doi.org/10.1186/s40537-020-00398-3
31. Saensuk, M., Witchakool, S., Choompol, A.: A hybrid method based on CRITIC method and machine learning models for effective fake news detection in Thai language. J. Curr. Sci. Technol. 14(2), Article 24. (2024), https://doi.org/10.59796/jcst.V14N2.2024.24
32. Samee, N. A., El-Kenawy, E. S. M., Atteia, G., Jamjoom, M. M., Ibrahim, A., Abdelhamid, A. A., Shams, M. Y.: Metaheuristic optimization through deep learning classification of COVID-19 in chest X-Ray images. Comput. Mater. Continua, 73(2), (2022),https://doi.org/10.32604/cmc.2022.031147
33. Serror, M; Hack, S; Henze, M; Schuba, M; Wehrle, K. Challenges and opportunities in securing the industrial internet of things. IEEE Trans. Industr. Inf.; 2020; 17,
34. Thakkar, A; Lohiya, R. A survey on intrusion detection system: feature selection, model, performance measures, application perspective, challenges, and future research directions. Artif. Intell. Rev.; 2022; 55,
35. Usha, P., Anuradha, M. P.: Feature selection techniques in learning algorithms to predict truthful data. Indian J. Sci. Technol. 16, 744–755. (2023), https://doi.org/10.17485/IJST/v16i10.2102
36. Winarno, E., Hadikurniawati, W., Septiarini, A., Hamdani, H.: Analysis of color features performance using support vector machine with multi-kernel for batik classification. Int. J. Adv. Intellig. Inform. 8(2), (2022), https://doi.org/10.26555/ijain.v8i2.821
© The Author(s) 2025. This work is published under http://creativecommons.org/licenses/by-nc-nd/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.