www.nature.com/scientificreports OPEN Advanced mathematical modeling of mitigating security threats in smart grids through deep ensemble model Sanaa A. Sharaf1, Mahmoud Ragab2, Nasser Albogami2, Abdullah AL-Malaise AL-Ghamdi3, Maha Farouk Sabir3, Louai A. Maghrabi4, Ehab Bahaudien Ashary5 & Hashem Alaidaros6 A smart grid (SG) is a cutting-edge electrical grid that utilizes digital communication technology and automation to effectively handle electricity consumption, distribution, and generation. It incorporates energy storage systems, smart meters, and renewable energy sources for bidirectional communication and enhanced energy flow between grid modules. Due to their cyberattack vulnerability, SGs need robust safety measures to protect sensitive data, ensure public safety, and maintain a reliable power supply. Robust safety measures, comprising intrusion detection systems (IDSs), are significant to protect against malicious manipulation, unauthorized access, and data breaches in grid operations, confirming the electricity supply chain’s integrity, resilience, and reliability. Deep learning (DL) improves intrusion recognition in SGs by effectually analyzing network data, recognizing complex attack patterns, and adjusting to dynamic threats in real-time, thereby strengthening the reliability and resilience of the grid against cyber-attacks. This study develops a novel Mountain Gazelle Optimization with Deep Ensemble Learning based intrusion detection (MGODEL-ID) technique on SG environment. The MGODEL-ID methodology exploits ensemble learning with metaheuristic approaches to identify intrusions in the SG environment. Primarily, the MGODEL-ID approach utilizes Z-score normalization to convert the input data into a uniform format. Besides, the MGODEL-ID approach employs the MGO model for feature subset selection. Meanwhile, the detection of intrusions is performed by an ensemble of three classifiers such as long short-term memory (LSTM), deep autoencoder (DAE), and extreme learning machine (ELM). Eventually, the dung beetle optimizer (DBO) is utilized to tune the hyperparameter tuning of the classifiers. A widespread simulation outcome is made to demonstrate the improved security outcomes of the MGODEL-ID model. The experimental values implied that the MGODEL-ID model performs better than other models. Keywords Smart Grid, Mathematical models, Deep learning, Intrusion detection system, Artificial Intelligence An SG is commonly made of many smart devices, with intellectual metering and gathering and observing methods that spread vast data over the Internet1. SG structures signify a development over predictable electricity grids with enlarged constancy and efficiency to deliver companies and houses with constant power. It contains an energy system and communication among users and power businesses2. The SG structure depends on Advanced Metering Infrastructure (AMI) that includes smart meters, edge devices, data aggregation cloud servers, and bi-directional communication links for gathering data, handling, and using control measures such as remote appliance control in innovative residences3. Gratefully, 5G wireless communication technology always increases and provides quick broadcast speed, a comprehensive bandwidth communication system, and little broadcast 1Department of Computer Science, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia. 2Present address: Information Technology Department, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia. 3Information Systems Department, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia. 4Department of Software Engineering, College of Engineering, University of Business and Technology, Jeddah 21448, Saudi Arabia. 5Electrical and Computer Engineering Department, Faculty of Engineering, King Abdulaziz University, Jeddah 21589, Saudi Arabia. 6Department of Cybersecurity, School of Engineering, Computing and Design, Dar Al-Hekma University, Jeddah 22246, Saudi Arabia. email: mragab@kau.edu.sa Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 1 www.nature.com/scientificreports/ postponement4. It creates SG and 5G incorporation as a development pathway in the future. On the other hand, the standard communication rules want simple safety measures, like authentication and encryption, which makes SGs mainly weak to assaults5. With the constant upsurge in tools, commercial kinds, and measures linked to the SG, the safety control of the power communication system is becoming very challenging6. It is vital to precisely and rapidly discover the safety of network threats to the SG. An IDS is an efficient method of certifying the network’s security7. Presently, using methods for IDS has become the SGs area; the IDS based on DL has attained few research outcomes like the custom of enhanced great RT classifiers to attain a multilayer network security valuation of SG, which also establishes the present IDS of network safety utilizing machine learning (ML), etc8. The IDS based on Artificial Intelligence (AI) was widely executed to upsurge the capability to recognize the IDS owing to the growth of AI9. To accomplish the desires of an actual IDS, the researchers discovered the probability of utilizing ML and DL methods. Both the models come below the vast authority of AI and the intention to learn beneficial data from the big data10. In recent years, these approaches have enlarged a considerable reputation in network security due to the creation of a great graphics processor unit (GPU)11. ML and DL are considered effectual tools for acquiring beneficial features from the network traffic and forecasting abnormal and normal actions dependent upon the learned forms12. The ML-based IDS relies greatly on feature engineering to absorb beneficial data from network traffic. SGs are rapidly growing to improve the efficiency and reliability of power delivery by combining advanced technologies and communication systems13. However, their enhanced complexity and connectivity also present substantial safety difficulties. The effectual reduction of these safety threats is significant for confirming the continuous and reliable operation of the power grid14. This study aims to address these threats by utilizing advanced mathematical modelling and deep ensemble models to strengthen the safety of SGs, ultimately protecting critical infrastructure and enhancing overall resilience against cyberattacks15. This study develops a novel Mountain Gazelle Optimization with Deep Ensemble Learning based intrusion detection (MGODEL-ID) technique on SG environment. The MGODEL-ID methodology exploits ensemble learning with metaheuristic approaches to identify intrusions in the SG environment. Primarily, the MGODELID approach utilizes Z-score normalization to convert the input data into a uniform format. Besides, the MGODEL-ID approach employs the MGO model for feature subset selection. Meanwhile, the detection of intrusions is performed by an ensemble of three classifiers such as long short-term memory (LSTM), deep autoencoder (DAE), and extreme learning machine (ELM). Eventually, the dung beetle optimizer (DBO) is utilized to tune the hyperparameter tuning of the classifiers. A widespread simulation outcome is made to demonstrate the improved security outcomes of the MGODEL-ID model. The significant contribution of the MGODEL-ID model is listed below: • The MGODEL-ID technique uses Z-score normalization to standardize the data, which improves the consistency and accuracy of the method’s input features. This normalization approach contributes to more reliable model training by mitigating bias and discrepancies in the dataset. As a result, it enhances the approach’s comprehensive performance and prediction ability. • MGO-based feature subset selection is utilized to locate and retain the most relevant features, improving the method’s performance and mitigating computational complexity. This methodology streamlines data processing by concentrating on the most influential features, enhancing the technique’s effectiveness and accuracy. Moreover, it reduces redundant data, contributing to rapid training and more efficient threat recognition. • The MGODEL-ID approach incorporates ensemble learning models to integrate various classifiers, improving the overall accuracy and robustness of threat recognition. This model employs the strengths of several techniques to enhance performance and reliability. Integrating anticipations improves the model’s capability to precisely detect and respond to safety threats. • The MGODEL-ID model uniquely incorporates DBO-based parameter tuning with advanced methods, namely Z-score normalization and MGO-based feature selection (FS), averting a novel model for optimizing SG safety methods. This combination enhances the model’s accuracy and streamlines the optimization process, setting a new standard in safeguarding SGs. The innovative use of these models together addresses complex safety threats more efficiently than conventional approaches. Existing threat mitigation approaches in SG In16, an ID and mitigation system (IDMS) was projected utilizing the DL neural networks (DLNNs) method. The IDMS has been planned to analyze the intrusion and categorize the attack into a solitary point or synchronized intrusion. Then, the technique discovers and separates the impure IED model and forecasts its present waveform using the LSTM technique. Menon and Radhika17proposed a method to represent and legalize the secure HAN network. At this point, an innovative Trust-Based Iterative Energy-Efficient Routing Protocol (TBIEERP) was projected with a data encryption method for protected data broadcast in HAN. Lastly, to identify the intrusion, a DAE was employed for attack recognition and to defend HAN besides cyberattacks. Li et al.18 developed an adaptive DL model with a data preprocessing part, an NN pre-training component, and a classifier unit. The projected adaptive DL (ADL) model determines the number of layers and neurons per layer by defining the typical aspect of the system traffic. The projected ADL model executes extraction utilizing transfer learning (TL). The technique also united DL techniques with traditional ML-based classification methods. Mhmood et al.19 projected an innovative SG IDS, incorporating SI, Game Theory, and DL to defend against difficult cyber-attack. This technique trains models by using DL and employing CGAN and Game Theory. The Aquila optimizer (AO) model picks features, represents them on the database, and adapts them into RGB colour imageries for training VGG-19 networks. Dairi et al.20 intended dual semi-supervised hybrid DL-based anomaly recognition models. The 1st technique is a GRU-based stacked AE (AE-GRU), and the 2nd was built utilizing a GAN method with a recurrent neural network (RNN) for both discriminator and generator, namely GAN-RNN. Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 2 www.nature.com/scientificreports/ In21, an FDIA recognition model based on protected federated DL is presented by uniting federated learning (FL), Transformer, and Paillier cryptosystem. By utilizing the FL structure, the method uses the information from every node to collectively train a recognition method. A safe FL structure is intended by examining the Paillier crypto-system with FL. In22, a new and efficient DL-based structure is proposed. The projected method contains a fused convolutional neural network (CNN) method with the Bi-GRU technique to identify and categorize intruders. An attention mechanism was included in the Bi-GRU method to discover the main features that are liable for recognizing the attack of DDoS. Moreover, the accuracy of the classifier method was enhanced by utilizing a Wild Horse Optimizer (WHO) technique. Zhai et al.23 projected a distributed IDS based on CNN– GRU–FL. This method intended an IDS and a local training procedure dependent upon the CNN-GRU model. The approach also intends a novel parameter aggregation mechanism. Ghadi et al.24 explore several ML methods to address safety issues in wireless sensor networks and their applications across diverse fields. It also investigates how these models can improve sensor functionality within network settings. Haq et al.25 evaluate how network coverage, customer service, video calls, and downloading speed affect customer satisfaction with 3G and 4G services. Aurangzeb et al.26 introduce a novel technique for benchmarking SG safety against deep black box attacks, incorporating quantum voting ensemble methods for advanced threat recognition and addressing privacy issues in blockchain (BC)-based infrastructures. Mazhar et al.27 concentrate on improving SG safety and building comfort through IoT and AI, accentuating the requirement for energy-efficient, remotely monitorable devices and exploring incorporating these technologies in SG and IoT research. Vakili et al.28 present a service composition approach employing the Grey Wolf Optimization (GWO) method within the MapReduce framework for optimizing Quality of Service (QoS) in service compositions. Heidari et al.29 aims to improve understanding of (1) deepfake generation and recognition, (2) recent advancements, (3) limitations in current safety models, and (4) areas requiring additional exploration. In30, BC-based FL enhances deepfake detection while safeguarding data source anonymity. It integrates SegCaps and CNN for efficient image feature extraction, employs capsule network training for improved generalization, and presents a novel data normalization model. TL and preprocessing models additionally improve performance in recognizing deepfake content. Amiri et al.31 comprehensively compute DL models at the intersection of IoT with bio- and medical informatics, classifying them by methods such as CNNs, RNNs, Generative Adversarial Networks (GANs), Multilayer Perceptron (MLPs), and hybrids. Heidari, Navimipour, and Otsuki32review and address the difficulties and merits of Cloud Non-destructive Characterization Testing (CNDCT) related to conventional testing techniques in cloud-based environments. In33, a BC-based radial basis function neural networks (RBFNNs) method is introduced to improve data integrity and storage for smart decision-making across diverse Internet of Devices (IoD) applications. Heidari et al34. present a method integrating artificial bee colony, genetic operators, and density correlation degree to build an optimum spanning tree based on hop count distances, residual energy, and mobility probabilities of devices from a base station. Amiri et al.35 examine the synergy between nature-inspired computational models and IoT in healthcare, concentrating on incorporation threats, real-world implementation, and technique efficacy through a systematic literature review. Zhang and Sikdar36present the Ensemble and Transfer Adversarial Attack (ETAA) method, utilizing Adversarial ML (AML) procedures. The general ETAA framework incorporates diverse gradient-based adversarial attack techniques to enhance attack transferability across diverse detection models. The detection approaches are improved through Gaussian noise injection, latent feature combination, and probability margin enlargement. Bhavsar et al.37 introduce an ensemble learning framework for power system intrusion detection, integrating Random Forest (RF), Decision Tree (DT), and Logistic Regression (LR) models. Moreover, it combines data compression approaches such as FS to reduce memory usage. In38, a novel methodology, namely BlockDeepNet, is presented, which incorporates DL and BC technology. Abdelkader et al.39 explore and enhance cybersecurity strategies for modern power systems amid enhancing vulnerabilities due to digitalization and cyber-attacks. By examining several cyber threats and defence mechanisms, the study aims to give recommendations for strengthening the resilience and reliability of power infrastructure, confirming continuous power supply, and safeguarding critical grid assets. Shrestha et al.40 propose a framework for detecting anomalies in industrial data. The technique utilizes LSTM and autoencoders, with Mean Standard Deviation (MSD) and Median Absolute Deviation (MAD) techniques for anomaly detection. FL method is used to confirm data privacy by allowing cooperative model training without data disclosure, while homomorphic encryption based on the Paillier approach also improves safety and confidentiality. Shafin et al.41 introduce a Blended Ensemble learning method that employs tree-based models to detect and classify complex MITM attacks effectually. Using its base classifiers’ unique strengths, the model enhances performance, reduces overfitting, and minimizes latency. Dayarathne et al.42 introduce a novel methodology for cyber-attack detection in power grids utilizing wide-area network monitoring. The study trains neural network approaches comprising CNNs, Transformers, and LSTM networks. Raja et al.43 aim to develop a robust ML-based IDS for real-time infrastructure. It encompasses setting up an Advanced Metering Infrastructure (AMI) with lamp and resistive loads, sensors, an AtMega controller, Raspberry Pi, and a server employing Modbus TCP/IP and MQTT protocols. Qazzafi and Stiphen44explore improving power grid resilience by incorporating advanced cybersecurity measures with dynamic fault diagnosis models. The approach comprises an overall technique integrating theoretical frameworks with practical enhancements in a simulated power grid environment. Varshini and Latha45developed an adaptive defence strategy for Cyber-Physical Power Systems (CPPS) to address coordinated attacks. It presents a framework incorporating STATCOM-based Adaptive Model Predictive Controller with RPME and time delay compensators and evaluates attack impact, detection, and mitigation utilizing data-driven methodologies such as CNN, SVM, RF, and KNN through time and frequency domain simulations. Bitirgen and Filik46 present a novel stealth attack-defence game to evaluate the impact of attacks. The proposed solution employs a partially observed Markov game with an improved Shapley Q-value and a multi-agent reinforcement learning framework. Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 3 www.nature.com/scientificreports/ Recent enhancements in cybersecurity and network optimization feature a range of innovative models, each with its limitations. For instance, DL approaches and LSTM for intrusion detection might need help with real-time adaptability, while trust-based routing protocols for home area networks may not scale effectually. Adaptive DL techniques integrating conventional ML and TL could encounter threats in generalizing to new threats. Intrinsic techniques combining game theory and DL might be computationally intensive, and hybrid anomaly detection methodologies could have problems balancing learning models. FL model with cryptographic systems presents privacy but may impact effectiveness and scalability. Moreover, fusion techniques employing convolutional and bidirectional GRU networks might be constrained by computational demands, and diverse ML techniques for sensor networks might only address some safety concerns effectually. The limitations also comprise threats in real-time adaptability and scalability for DL models in intrusion detection, which can find difficulty with model complexity and processing effectiveness. Frameworks integrating FL and cryptographic systems might need help with computational demands and efficiency. Moreover, adaptive defence strategies for CPPS and hybrid techniques incorporating game theory and DL may need assistance in practical implementation and balancing computational complexity. Finally, stealth attack-defense games, while innovative, may be constrained by computational intensity and multi-agent management complexities. Existing studies have presented novel techniques for improving cybersecurity and network safety: DL-based IDSs, safe network representations, energy-effectual routing protocols, and adaptive DL techniques. Despite these enhancements, a standard limitation is the need for comprehensive insights on scalability, real-world deployment efficiency, and comparative analysis with established methodologies. These gaps delay the validation against intrinsic cyber-attacks, clarity in practical implementation guidelines, and the availability of overall performance metrics. Closing these research gaps is significant in improving the applicability and flexibility of these techniques in practical cybersecurity scenarios. In particular, there is a substantial requirement for rigorous validation and comparative evaluation to address scalability issues, navigate real-world deployment threats, and strengthen defences against advanced cyber threats. This effort is crucial in advancing the implementation and efficacy of cybersecurity outcomes in safeguarding against growing cyber risks across various operational landscapes. Figure 1 depicts the structure of SGs. Materials and methods This article proposes a new MGODEL-ID methodology for the SG environment. The methodology exploits ensemble learning with metaheuristic approaches to identify intrusions in the SG environment. It involves distinct stages, such as Z-score normalization, MGO-based feature subset selection, ensemble learning, and DBO-based parameter tuning. Figure 2 determines the workflow of the MGODEL-ID method. Z-score normalization At the initial stage, the MGODEL-ID approach utilizes Z-score normalization to convert the input data into a uniform design47. Z-score normalization is selected for its capability to standardize data by transforming it to a common scale with a mean of zero and a standard deviation (SD) of one, making it efficient for handling outliers and varying data dispersions. This methodology confirms that features contribute equally to the technique, enhancing its performance and stability. Z-score normalization is specifically relevant as it assists in preprocessing diverse and potentially skewed data from smart grid environments. Standardizing data improves the accuracy and effectualness of the deep ensemble technique in detecting and reducing safety threats, confirming that the predictions of the approach are not biased by differences in feature scales or dispersions. Z-score normalization is highly efficient for standardizing data and improving features’ consistency and comparability across diverse scales. Unlike other normalization models, Z-score normalization is less sensitive to outliers, making it robust for datasets with changing dispersions. It also simplifies the application of statistical and ML models that assume data is usually dispersed. These models are beneficial in enhancing the model’s performance and ensuring reliable outcomes by mitigating bias presented by disparate feature scales. Z-score normalization, called standardization, is a statistical approach employed for rescaling and centring data near the mean, with an SD of 1. This normalization process has been executed on all the features individually, subtracting the mean of the feature and dividing by its SD. It allows data to take a consistent scale, making it easier to relate and interpret distinct variables within data and assisting the convergence of specific ML methods. Dimensionality reduction using the MGO approach Next, the MGODEL-ID technique designs an MGO method to elect an optimal feature subset48. Selecting the MGO model over other optimization approaches presents various notable advantages. MGO is motivated by the natural behaviour of gazelles, giving a robust mechanism for exploring and exploiting search spaces with high effectualness. Its strengths are balancing exploration and exploitation, which assists in avoiding local optima and improves global search capabilities. Furthermore, the adaptability of the MGO technique to dynamic environments makes it appropriate for intrinsic optimization issues where conditions frequently change. Related to conventional methods, MGO mostly attains faster convergence and improved solution quality due to its innovative methodology for replicating natural movement patterns. This can result in an enhanced accomplishment in diverse applications, encompassing those with large, multidimensional search spaces. The approach’s ability to adaptively navigate large and multidimensional feature spaces improves its ability to find optimal feature subsets effectively. In the context of smart grids, where the data is primarily vast and variable, the robustness of the MGO in handling growing conditions and averting local optima makes it specifically appropriate for choosing features that accurately represent system behaviours and enhance the performance of the prediction. This results in more efficient data processing and better decision-making for smart grid management. Figure 3 shows the steps involved in the MGO model. Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 4 www.nature.com/scientificreports/ Fig. 1. Structure of SGs. The MGO approach presents various merits over other optimization techniques due to its unique approach inspired by the natural movement patterns of gazelles. Its advantages comprise robust global search abilities, which assist in averting local optima and enhancing convergence to the global optimum. The adaptive mechanism of the MGO model alters its search strategy dynamically, improving effectualness in complex and high-dimensional spaces. Moreover, its capacity to balance exploration and exploitation makes it efficient for a wide range of optimization issues, leading to more precise and reliable outcomes related to conventional optimization models. The MGO was one of the newly progressed nature-stimulated population‐based optimizer models, which initiated its stimulation after the social hierarchical form of the mountain gazelle group. The structure of the MGO method contains four actions of mountain gazelles: Maternity Herds (MH), Territorial Solitary Males Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 5 www.nature.com/scientificreports/ Fig. 2. Workflow of MGODEL-ID technique. (TSM), Migration in Search for Food (MSF), and Bachelor Male Herds (BMH). Every gazelle signifies a solution to the optimizer issue (X) with the D solution parameter. Numerous randomly generated integers are definite in the MGO model, and their representations are given below. The r describes randomly generated numbers that endure even distribution within the range of [0 and 1], vectors of arbitrary numbers drawn from a usual distribution with an SD of 1 and mean of 0 are fixed as N (D), with D being several elements. Arbitrary numbers in the [1 and 2] range are set as ri. To describe four behaviours, initially, four coefficients are needed to define that given below: Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 6 www.nature.com/scientificreports/ Fig. 3. Steps involved in the MGO model. Where α = −1 + iter · a + 1 + r1 a · N (D) 1 Cof = r (D) 2 N (D) · N (D)2 · cos (2r · N (D)) 2 3 3 4 −1 max− iter , (1) . Then, vector F is expressed in Eq. (2): F = N5 (D) · exp 2 − iter · 2 . (2) max−iter Next, the multiplication of F begins with values greater than one (dependent on the maximum interaction count) and rapidly meets to 1, exiting a simple, usual arbitrary vector in the latter iteration. Now, every relevant value is definite to compute a vector of young male heard coefficient, which is expressed in Eq. ( 3): BH = Xra · r1 + Mpr · r2, (3) Whereas Xra refers to an arbitrarily nominated solution from the previous 3rd of the populace, the solutions are kept in the assenting order, which signifies the poorest 33% of solutions in the populace. Mpr denotes the mean value for the nominated 33% of the populace. The TSM feature of the method forms the performance of adult male gazelles that create and protect lands. It is employed to improve the exploitation skill, permitting the optimizer to hunt thoroughly around the finest solution until now: T SM = X1 − |(ri1 · BH − ri2 · Xt) · F | · Cofr , (4) X1 denotes the finest solution gained so far, Xt represents the presently upgraded agent, and Cofr refers to a randomly nominated coefficient. The MH behaviour consists of females and their offspring, imitating a balance between exploitation and exploration in the technique. This device makes sure of assortment in the solution space and averts early converge: M H = BH + Cofr + (ri3 · X1 − ri4 · Xrand) · Cofr , (5) Meanwhile, Xrand signifies a nominated solution at random from the populace. The parameter Dist wants to be computed for perfecting the behaviour of Bachelor Male Herds: Dist = |Xt − X1| (2r6 − 1) . (6) Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 7 www.nature.com/scientificreports/ The BMH behaviour signifies that the young male gazelles are employed to discover novel regions in the searching space, contributing to their search abilities. BM H = Xt − Dist + (ri5 · X1 − ri6 · BH) · Cofr , (7) Lastly, MSF behaviour is demonstrated with an arbitrary search device, which permits the method to evade local optimal and certify a complete survey of searching space: M SF = (lb − ub) · r7 + lb, (8) Meanwhile, ub and lb denote the upper and lower boundaries of the parameter space. M SF is an even random sample of values, which permits MGO to hunt the complete parameter space even if the early solutions need to be better made. The fitness function (FF) deployed in the MGO model can be assumed to proceed a balance among the chosen feature counts in all the results (smaller), and the classifier accuracy (greater) developed by deploying these desired features, Eq. (9) demonstrates the FF to measure results. F itness = α γ R (D) + β |R| (9) |C| Whereas γ R (D) implies the classifier error value of the provided classifiers. |R| denotes the count of the chosen subset, and |C| signifies the total feature counts from the data; α and β represent the two constraints equivalent to the impact of classifier quality and subset length. ∈ [1,0] and β = 1 − α . Ensemble model selection At this stage, an ensemble of three classifiers, LSTM, DAE, and ELM, can detect intrusions. The LSTM networks are highly efficient for sequence prediction tasks because they can capture long-term dependencies and handle temporal data with vanishing gradient issues addressed by their gating mechanisms. DAE outperforms at learning robust feature representations by reconstructing data from noisy inputs, enhancing generalization and reducing overfitting. The ELM method presents fast training times and high performance by utilizing a singlehidden layer feedforward neural network with random weights, simplifying the learning process while attaining competitive accuracy. These classifiers provide a comprehensive technique for handling sequential data, learning robust features, and optimizing training effectiveness. LSTM model The LSTM network is chosen explicitly for intrusion detection due to its robust capability to capture and learn from temporal dependencies in sequential data49. This is significant for detecting advanced intrusions that emphasize intrinsic, time-based patterns. Unlike conventional methodologies that may find difficulty with timeseries data, LSTMs efficiently manage long-term reliabilities and fluctuations in network traffic, enhancing their ability to recognize subtle anomalies and growing challenges. Their advancement in handling sequences makes them appropriate for detecting attacks that unfold over time, giving a crucial edge over static or less adaptive models. LSTM’s robust temporal evaluation improves detection accuracy and reliability in dynamic and complex intrusion scenarios. The LSTM layer has feedback links permitting data usage from preceding inputs. In each time-step t, current input (x) and information from previous input(s) are grabbed to calculate the existing output (ht). Figure 4 portrays the structure of the LSTM technique. There are numerous extensions of LSTM cells dependent on the learning procedure and cell structure. The standard LSTM cell is employed to calculate a mapping from an input x = (x1, . . . , xT ) to a hidden sequence h = (h1, . . . , hT ) by utilizing the below-mentioned set of calculations iteratively from t = l to T : it = σ (wixxt + wihht−1 + bi) , input gate (10) ft = σ (wx + wfhht−1 + bf ) , f orget gate (11) ot = σ (woxxt + wohht−1 + bo), output gate (12) ∼ c t = tanb (wcxxt + wchht−1 + bc) , candidate memory (13) ∼ ct = ft ⊙ ct−1 + it ⊙ c t, memory cell (14) ∼ ht = ot c ttanh (ct) . hidden state(15) Here, wjx and wjh (j = i, f, o, c) denote the input and hidden weight matrices, and bj (j = i, f, o, c) signifies the biases. ct refers to the memory data at time step t. ⊙ represents element-wise multiplication. σ and tanh indicate the sigmoid and hyperbolic tangent activation functions. As shown in Eqs. (10) to (15), an LSTM unit contains input, forget, and output gates measured as regulation structures and a candidate memory. The gates normalize data movement into and out of the memory cell, permitting the system to control what data to forget, recall, and output. Training is rotating the weight matrices to minimize the complete prediction error. The most general model utilized to train LSTMs is BP. Over Time (BPTT) is an addition of BP employed in traditional neural networks. BPTT involves unfolding the system in time and spreading error signals backwards over these time Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 8 www.nature.com/scientificreports/ Fig. 4. Structure of the LSTM technique. steps. To upgrade the weights, BPTT calculates the inclines of total prediction error with esteem to every weight (∂ Etot/∂ W ). Etot denotes a total error function determined as the difference between the predictive and actual outputs in every time step. It can be computed utilizing a cost function like mean squared error or cross-entropy loss. DAE model Choosing the DAE model for intrusion detection is highly efficient due to its ability to learn and reconstruct intrinsic data patterns, which improves its capability to detect anomalies and outliers in network traffic. DAEs outperform feature learning by denoising and compressing input data, making them adept at discriminating between normal and malevolent activities, even in noise. Unlike conventional methodologies, DAEs can adaptively uncover complex structures within the data, which enhances the detection of subtle or novel attack patterns. Their capability to reconstruct corrupted data allows for robust anomaly detection, giving substantial merit in detecting previously unseen or advanced intrusions. Overall, DAEs’ merit in feature extraction and anomaly detection makes them a powerful tool for enhancing the accuracy and resilience of IDSs. Figure 5 illustrates the infrastructure of DAE. As an unsupervised DL framework, AE primarily consists of two components: the encoding and the decoding parts50. It is most commonly adopted for feature extraction and data dimensionality reduction tasks. The DAE integrates many stacked encoding-decoding layers to project the similarity matrix into the low-dimension space. For the microbe-side AE, these two encoder layers are set to 128 and 64, and the two decoder layers are set to 64 and 128, correspondingly. For the AE, the two encoder layers are set to dimensions of 512 and 128, and the two decoder layers are set to the dimensions of 128 and 512, correspondingly. This technique filters out extraneous noise and successfully captures the correct representation of microbes. The linear conversion maps the similarity feature matrix of input into the compressed space within the encoder. H = gθ 1 (X) = ψ (w1X + b1) , (16) ψ (X) = 1 , (17) 1 + exp (−X) Where H represents the compressed features based on the encoder module, w1 and b1 are the trainable weight and the bias matrices. Using linear transformations, the low-dimensional feature was reconstructed at the decoder stage. = gθ 2 (H) = ϕ (w2H + b2) , (18) X shows the reconstruction node feature, w2 and b2 are the adaptable weight and the bias matrices. In Eq. (18), X i, and the overall nodes are N ; the For node I, the original feature is meant as Xi, the reconstructed feature is X MSE loss function is utilized for measuring the difference between the reconstructed and features input. Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 9 www.nature.com/scientificreports/ Fig. 5. Structure of DAE. N i)2. (19) = 1 L X, X (Xi − X i=1 N ELM model The ELM model proved an effective alternative to training neural networks with the backpropagation (BP) model51. The ELM approach is chosen for intrusion detection due to various key merits. ELMs are prevalent for their rapid training speed and high effectiveness due to their simple architecture, contrasting with the longer training times needed by more complex techniques. Their capability to achieve high generalization performance with lesser tuning makes them specifically efficient for handling various and large-scale datasets. Furthermore, ELMs can effectively handle noisy and high-dimensional data, which is common in network traffic. Their straightforward implementation and adaptability enable quick adjustments to new attack patterns, making the ELM technique a robust and practical choice for improving the accuracy and responsiveness of IDSs. Figure 6 portrays the architecture of the ELM model. ELM can address the limitations related to the Single Layer Feedforward Network (SLFN) through BP, such as time limitations and local minima. ELM learning has two essential stages: (1) assign weight randomly for the relationship between the input and hidden layers (HL), together with bias, then by the generation of the H output matrix. (2) Determine the outcome weights using the least square model. Notably, ELM decreases computation effort by changing the learning process into the linear system’s solution. Search is performed for the least square solution β of the linear system Hβ = T to train SLFN effectively. Assume that N samples (xi, ti), K neurons in the HL, and activation function g (x) will be utilized during the SLFN training. xi = [xi1, xi2, xin]T refers to the n-dimensional input vector of ith samples. The resulting vector is ri = [ti1, t2, ti1]T . This includes the HL bias (the input and output weights). k fK (x) = β j hj (x) = h (x) β (20) j=1 In Eq. (20), the weighted vector connecting the output neurons (≥ 1) with the hidden neuron j is represented as β j . The consolidated weight vector is represented by β = [β 1, β 2, . . . , β K ], which connects the HL to the output layer with at least one neuron, and the output of HL is h (x) = [h1 (x) , h2 (x) , . . . , hK (x)]. hj (x) = G (wj , bj , x) , wi, x ∈ Rd, bi ∈ R (21) Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 10 www.nature.com/scientificreports/ Fig. 6. Structure of ELM approach. In Eq. (21), G represents the piecewise continuous, non-linear function. The activation function is utilized in the HL neuron. The sigmoid function, sine function, and hard limit function are the commonly used ones. x represents the training sample’s single instance, and the configuration variables of the jk hidden neuron are represented by (wj and bj ). Equation (20) is formulated by Hβ = T , with HN × K representing the output matrix of HL. h (x1) h (x1) . . . hK (x1) ... = H = ... h (xN ) h (xN ) . . . hK (xN ) G(w1, b1, x1) . . . G(wκ , bκ , x1) x1 + bM . . . .. .. (22) = .. G(w1, b1, xN ) . . . G(wκ , bκ , xN ) x N + bM In Eq. (22), the weighted vector linking the input neuron to the ith hidden neurons is characterized as Wi = [Wi1, W 12, . . . Wi]T . A sample at the ith location during the training set is indicated as xi = [xi1, . . . xin] , T indicates the desired results, β refers to the output weight matrix and bi for the bias values of the ith hidden neurons. ELM obtains the low output weight norm and the low training error to enhance the generalization efficiency of FFNN. Minimize: ||Hβ − T ||2, ||β ||(23) Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 11 www.nature.com/scientificreports/ The ELM-prepared SLFN has randomly initialized weight and bias linking the input and hidden neurons. The weights between the output layer and the hidden neurons are evaluated by the least square solution, β = H †T , with H † representing the MP generalized inverse of the matrix. Model optimization Eventually, the hyperparameter tuning of the classifiers was executed by the DBO model52. This technique was chosen for its effectual global search capabilities inspired by the natural foraging behaviour of dung beetles. DBO outperforms at balancing exploration and exploitation, which is significant for navigating intrinsic and multimodal search spaces effectively. This balance allows DBO to escape local optima and converge on high-quality solutions more efficiently than conventional optimization techniques. Moreover, the unique approach of the DBO model in implementing both local and global data improves its capability to find optimal solutions across diverse problem domains. Its adaptability and mitigated computational complexity related to conventional techniques make DBO a robust choice for addressing diverse optimization challenges, specifically in scenarios where complex and dynamic search landscapes are present. The DBO model is also chosen for its capability to self-organize and adapt to complex optimization landscapes, employing an innovative methodology that replicates ecological behaviors for effectual problem-solving. This unique mechanism allows DBO to dynamically reconfigure its search parameters, giving exceptional flexibility and precision in handling diverse and growing optimization challenges. Figure 7 demonstrates the overall structure of the DBO model. This section primarily presents the DBO approach, inspired by the social behaviours observed in populations of dung beetles (DB) in their natural habitat. It classifies these populations into breeding, rolling, small, and thief DB. Depending on the place upgrade formulas for all the population subsets, it implements local exploitation and global exploration. Rolling dung beetles DB is inclined to roll adopts into a ball and carry them to a safely stored place. DB deploys celestial cues to control their way around in the ball rolling. The upgrade equation for the position is defined as: xi (t + 1) = xi (t) + α × k × xi (t − 1) + b × ∆x (24) ∆x = xi (t) − X worst(25) Fig. 7. Overall structure of the DBO model. Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 12 www.nature.com/scientificreports/ Meanwhile, xi (t) stands for the position data of the ith beetle under the tth cycle. α defines the natural coefficient, k demonstrates the deviation co-efficient, b signifies the constant from the range of 0 and 1 , X worst defines the worse position and ∆x exhibits modifications in illumination. If facing obstacles in the dung ballrolling model, DB rises to carry out a dancing performance, defining their movement way. The place upgrade formula is expressed as: xi (t + 1) = xi (t) + tan (θ ) |xi (t) − xi (t − 1)| (26) In which, θ ∈ [0, π ]. The position could not upgrade if θ = 0, π /2, and π . Breeding dung beetles In a natural environment, the female DB rolls the dung ball to a safe and suitable place for spawning, arranging balls of eggs to replicate their offspring. DB production is strictly limited to the spawning area, and spawning happens only if breeding DB is the safe region for spawning. Xi (t + 1) = X * + b1 × Xi (t) − Lb* + b2 × Xi (t) − U b* (27) Lb* = max X * × (1 − R) , Lb (28) U b* = min X * × (1 + R) , U b (29) In which Xi (t) stands for the location of breeding DB, X ∗ defines the current local optimum place, b1 and b2 demonstrate the random vectors whose magnitude is 1xD, and D depicts the problem dimensionality. Lb∗ and U b∗ denote the spawning region’s lower and upper bounds correspondingly. R = 1 − t/Tmax and Tmax indicate the upper bound for the iteration counts. Lb and U b demonstrate the optimizer problem’s lower and upper boundaries correspondingly. Small dung beetles Specific mature DB emerge from underground to search for food, earning them the designation of “small DB.” Their foraging actions are strongly limited from the ideal foraging area. The small DB starts with forage in its surroundings. xi (t + 1) = xi (t) + C1 × xi (t) − Lbb + C2 × xi (t) − U bb (30) Lbb = max X b × (1 − R) , Lb (31) U bb = min X b × (1 + R) , U b (32) whereas X b signifies the global optimum place, Lbb and U bb represent the lower and upper bounds of the foraging regions; correspondingly, xi (t) stands for the location data of the ith small DB under the tth iteration, C1 signifies the random number that follows a normal distribution, and C2 implies the random vector fitting to (0,1). Thief dung beetles Some DB employ the natural process of pilfering dung balls in the fellow beetles. Thief DB will employ stealing action if they are approximately an optimum food source, and their positional upgrade equation is defined as: xi (t + 1) = X b + S × g × xi (t) − X * + xi (t) − X b (33) Whereas xi (t) signifies the place of ith thief DB in the tth iteration, g stands for the random vector of dimensional 1xD following a normal distribution, and S defines the constant. Fitness choice is a significant aspect of controlling the performance of the DBO method. The parameter choice procedure contains the encoded result to calculate the performance of candidate outcomes. During this case, the DBO approach assumes that accuracy is a primary condition for designing the FF, which is defined as: F itness = max (P ) (34) P = TP (35) TP + FP Where F P and T P demonstrate the false and true positive rates. Result analysis and discussion The experimental validation outcomes of the MGODEL-ID technique are examined using the CIC-DDoS2019 database53. The CIC-DDoS2019 dataset is an extensive resource for assessing IDSs, comprising 50,063,112 records with a detailed breakdown into 50,006,249 rows for DDoS attacks and 56,863 rows for benign traffic. Every record is characterized by 86 features, which capture diverse network attributes and behaviours, giving a robust foundation for computing detection techniques. The dataset encompasses training and test data, with Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 13 www.nature.com/scientificreports/ Type No. of Instances Benign 67,343 DDoS 45,927 Total Instances 113,270 Table 1. Details of the database. Fig. 8. Confusion matrices of MGODEL-ID approach (a-f) Epochs 500–3000. the training set comprising 12 distinct DDoS attack types: PortMap, NetBIOS, LDAP, MSSQL, UDP, UDP-Lag, SYN, NTP, DNS, and SNMP. The data is accumulated from a realistic environment, capturing network traffic analysis outcomes with labelled flows. Furthermore, the dataset integrates modern reflective and exploitationbased DDoS attacks, confirming a diverse and realistic representation of network threats. The elaborated dataset mirrors true real-world conditions through PCAPs and traffic analysis and gives a robust foundation for analyzing and enhancing intrusion detection models. In the context of the presented study, the dataset’s utility is additionally exemplified by the specific instance dispersion: 67,343 records of benign traffic and 45,927 records of DDoS attacks, totalling 113,270 instances. This balance between benign and malevolent instances eases the development and analysis of detection models in both binary and multi-class classification scenarios. By implementing this dataset, researchers can thoroughly evaluate the effectualness of ML and DL methodologies in discriminating between normal and attack traffic, specifically for Smart Grid networks where precise and reliable intrusion detection is substantial. The detailed dataset comprehensively evaluates how well several techniques can handle real-world attack patterns and confirm robust protection against state-of-the-art DDoS threats. The dataset description is given in Table 1. The suggested method is simulated using the Python 3.6.5 tool on a PC with an i5-8600k, 250GB SSD, GeForce 1050Ti 4GB, 16GB RAM, and 1 TB HDD. The parameter settings are learning rate: 0.01, activation: ReLU, epoch count 50, dropout: 0.5, and batch size: 5. Figure 8 reports a set of confusion matrices produced by the MGODEL-ID methodology at distinct epochs. On 500 epochs, the MGODEL-ID methodology has recognized 65,917 instances as benign and 44,945 instances Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 14 www.nature.com/scientificreports/ as DDoS. Afterwards, on 1000 epochs, the MGODEL-ID approach recognized 66,029 instances as benign and 45,024 instances as DDoS. Furthermore, on 1500 epochs, the MGODEL-ID approach has recognized 66,105 instances as benign and 45,041 instances as DDoS. Besides, in 2000 epochs, the MGODEL-ID approach has recognized 66,220 instances as benign and 45,114 instances as DDoS. In the meantime, on 2500 epochs, the MGODEL-ID technique has recognized 66,251 instances as benign and 45,119 instances as DDoS. Eventually, on 3000 epochs, the MGODEL-ID method recognized 66,304 instances as benign and 45,083 instances as DDoS. Table 2; Fig. 9 report a classification result of the MGODEL-ID approach. The outcomes implied that the MGODEL-ID approach attains effectual performance under all epochs. With 500 epochs, the MGODEL-ID methodology obtains an average accuy of 97.87%, precn of 97.73%, recal of 97.87%, Fscore of 97.80%, and Gmeasure of 97.80%. In addition, with 1000 epochs, the MGODEL-ID methodology attains an average accuy of 98.04%, precn of 97.91%, recal of 98.04%, Fscore of 97.97%, and Gmeasure of 97.97%. Followed by, with 1500 epochs, the MGODEL-ID method accomplishes an average accuy of 98.12%, precn of 98.00%, recal of 98.12%, Fscore of 98.06%, and Gmeasure of 98.06%. Then, with 2000 epochs, the MGODEL-ID method reaches an average accuy of 98.28%, precn of 98.18%, recal of 98.28%, Fscore of 98.23%, and Gmeasure of 98.23%. Besides, with 3000 epochs, the MGODEL-ID method achieves an average accuy of 98.31%, precn of 98.25%, recal of 98.31%, Fscore of 98.28%, and Gmeasure of 98.28%. The efficiency of the MGODEL-ID approach is projected in Fig. 10 in the method of training accuracy (TRAAC) and validation accuracy (VALAC) outcomes at 3000 epochs. The outcome exposes a beneficial interpretation of the MGODEL-ID method under various epochs, representing its learning method and generalized abilities. Noticeably, the result is a stable improvement from TRAAC and VALAC with a maximum in epochs. It guarantees the MGODEL-ID approach from the pattern recognition method on both data. The increasing trend in VALAC outlines the proficiency of the MGODEL-ID approach in adjusting to the TRA data and excelling in the contribution of particular classifiers on unnoticed data, exposing the robust generalized proficiencies. Figure 11 illustrates a complete analysis of the MGODEL-ID method’s training loss (TRALS) and validation loss (VALLS) curves at 3000 epochs. The slow reduction in TRALS highlights how the MGODEL-ID method optimizes the weights and diminishes the classifier error on both data. The outcome signifies a clear knowledge of the MGODEL-ID models related to the TRA data, highlighting its capability to capture designs from both data. Noticeably, the MGODEL-ID approach constantly enhances its parameters to decrease the variances among the real and predictive TRA classes. Scrutinizing the PR curve, as exhibited in Fig. 12, the outcomes guaranteed that the MGODEL-ID approach gradually achieves higher PR values under two classes at 3000 epochs. It validates the improved proficiencies of the MGODEL-ID methodology from detecting distinct classes and the representative ability to detect classes. Classes Accuy Precn Recal F 1Score GM easure Epoch − 500 Benign 97.88 98.53 97.88 98.21 98.21 DDoS 97.86 96.92 97.86 97.39 97.39 Average 97.87 97.73 97.87 97.80 97.80 Epoch − 1000 Benign 98.05 98.65 98.05 98.35 98.35 DDoS 98.03 97.16 98.03 97.60 97.60 Average 98.04 97.91 98.04 97.97 97.97 Epoch − 1500 Benign 98.16 98.68 98.16 98.42 98.42 DDoS 98.07 97.32 98.07 97.70 97.70 Average 98.12 98.00 98.12 98.06 98.06 Epoch − 2000 Benign 98.33 98.79 98.33 98.56 98.56 DDoS 98.23 97.57 98.23 97.90 97.90 Average 98.28 98.18 98.28 98.23 98.23 Epoch − 2500 Benign 98.38 98.80 98.38 98.59 98.59 DDoS 98.24 97.64 98.24 97.94 97.94 Average 98.31 98.22 98.31 98.26 98.26 Epoch − 3000 Benign 98.46 98.74 98.46 98.60 98.60 DDoS 98.16 97.75 98.16 97.95 97.95 Average 98.31 98.25 98.31 98.28 98.28 Table 2. Classifier outcome of MGODEL-ID method under various epochs. Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 15 www.nature.com/scientificreports/ Fig. 9. Average outcome of MGODEL-ID technique under distinct epochs. Likewise, in Fig. 13, ROC outcomes created by the MGODEL-ID approach are displayed in the cataloguing of distinct labels at 3000 epochs. This suggests a detailed understanding of the exchange among TPR and FRP over distinct recognition threshold values and several epochs. The outcomes underline the higher classifier results of the MGODEL-ID method in 2 class labels, outlining the solution to addressing distinct classifier issues. Table 3; Fig. 14the comparison investigation of the MGODEL-ID approach with other existing methods3,54. The outcomes depicted that the MGODEL-ID approach has exhibited optimum performance. Based on accuy , the MGODEL-ID technique obtains a maximum accuy of 98.31%, where the ANN, SVM, Hybrid Deep belief, NB, RF, KNN, and LR models have minimum accuy of 96.94%, 97.80%, 94.14%, 97.74%, 94.00%, 94.60%, and 90.70%, respectively. In addition, based on precn, the MGODEL-ID technique attains a higher precn of 98.25%, whereas the ANN, SVM, Hybrid Deep belief, NB, RF, KNN, and LR approaches have lesser precn of 94.05%, 93.96%, 91.59%, 93.30%, 97.17%, 93.34%, and 93.94%, correspondingly. Furthermore, based on recal , the MGODEL-ID methodology accomplishes maximal recal of 98.31%, where the ANN, SVM, Hybrid Deep belief, NB, RF, KNN, and LR techniques have minimal recal of 96.20%, 96.72%, 91.91%, 93.21%, 97.68%, 96.92%, and 94.33%, correspondingly. Finally, with F 1score , the MGODEL-ID approach gains a superior F 1score of 98.28%, whereas the ANN, SVM, Hybrid Deep belief, NB, RF, KNN, and LR methodologies have lower F 1score of 96.90%, 97.80%, 93.68%, 92.80%, 93.69%, 93.43%, and 97.85%, correspondingly. Therefore, the proposed model correctly determines the attacks in the SG environment. Conclusion This article proposes a new MGODEL-ID methodology for the SG environment. The MGODEL-ID methodology exploits ensemble learning with metaheuristic approaches to identify intrusions in the SG environment. Primarily, the MGODEL-ID approach utilizes Z-score normalization to convert the input data into a uniform design. Besides, the MGODEL-ID approach designs an MGO model to elect a better subset of features. Meanwhile, an ensemble of three classifiers, LSTM, DAE, and ELM, can detect intrusions. Eventually, DBO will execute the hyperparameter tuning of the classifiers. A widespread simulation outcome is made to demonstrate the enhanced security outcomes of the MGODEL-ID approach. The experimental outcomes implied that the MGODEL-ID approach performs better than other methodologies. The limitations of the MGODEL-ID model comprise potential sensitivity to outliers despite Z-score normalization and the computational complexity of Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 16 www.nature.com/scientificreports/ Fig. 10. Accuy curve of MGODEL-ID approach at 3000 epochs. Fig. 11. Loss curve of MGODEL-ID method at 3000 epochs. Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 17 www.nature.com/scientificreports/ Fig. 12. PR curve of MGODEL-ID method at 3000 epochs. MGO-based feature subset selection. Another limitation of the MGODEL-ID model is its potential difficulty in handling highly imbalanced datasets, paving the way to biased outputs and mitigating model efficiency. Future work should focus on incorporating techniques to manage class imbalance better and ensure more accurate predictions across different classes. Future work should focus on improving robustness to outliers and mitigating computational demands for massive datasets. Furthermore, exploring alternative parameter tuning methods beyond DBO and integrating more diverse ensemble learning strategies could enhance the model’s performance. Addressing these limitations will contribute to the efficiency and scalability of the technique in practical applications. Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 18 www.nature.com/scientificreports/ Fig. 13. ROC curve of MGODEL-ID technique at 3000 epochs. Approaches Accuy Precn Recal F 1Score ANN 96.94 94.05 96.20 96.90 SVM 97.80 93.96 96.72 97.80 Hybrid Deep belief 94.14 91.59 91.91 93.68 Naïve Bayes 97.74 93.30 93.21 92.80 RF 94.00 97.17 97.68 93.69 KNN 94.60 93.34 96.92 93.43 LR 90.70 93.94 94.33 97.85 MGODEL-ID 98.31 98.25 98.31 98.28 Table 3. Comparative outcome of MGODEL-ID approach with existing models3,54. Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 19 www.nature.com/scientificreports/ Fig. 14. Comparative outcome of MGODEL-ID approach with existing models. Data availability The datasets used and analyzed during the current study available from the corresponding author on reasonable request. Received: 27 June 2024; Accepted: 30 September 2024 References 1. Labrador Rivas, A. E. & Abrão, T. Faults in Smart Grid systems: monitoring, detection and classification. Electr. Power Syst. Res. 189, 106602 (2020). 2. Salas, M., Shao, S., Salustri, A., Schroeck, Z. & Zheng, J. Securing Smart Grid enabled Home Area Networks with Retro-reflective visible light communication. Sensors. 23, 1245 (2023). 3. Diaba, S. Y. & Elmusrati, M. Proposed Algorithm for Smart Grid DDoS Detection based on deep learning. Neural Netw. 159, 175–184 (2023). 4. Sarker, M. A. A., Shanmugam, B., Azam, S. & Thennadil, S. Enhancing smart grid load forecasting: An attention-based deep learning model integrated with federated learning and XAI for security and interpretability. Intelligent Systems with Applications, 23, 200422 (2024). 5. Nafees, M. N., Saxena, N., Cardenas, A., Grijalva, S. & Burnap, P. Smart Grid Cyber-physical situational awareness of complex operational technology attacks: a review. ACM Comput. Surv. 55, 215 (2023). 6. Gunduz, M. Z. & Das, R. Cyber-security on Smart Grid: threats and potential solutions. Comput. Netw. 169, 107094 (2020). 7. Siniosoglou, I., Radoglou-Grammatikis, P., Efstathopoulos, G., Fouliras, P. & Sarigiannidis, P. A unified deep learning anomaly detection and classification approach for smart grid environments. IEEE Trans. Netw. Serv. Manage. 18 (2), 1137–1151 (2021). 8. Baz, A., Logeshwaran, J., Natarajan, Y. & Patel, S. K. Deep fuzzy nets approach for energy efficiency optimization in smart grids. Applied Soft Computing, 161, 111724 (2024). 9. Mohan, S. N., Ravikumar, G. & Govindarasu, M. Distributed intrusion detection system using semantic-based rules for SCADA in smart grid. In 2020 IEEE/PES transmission and distribution conference and exposition (T & D) 1–5 (2020). 10. Hashim, M., Khan, L., Javaid, N., Ullah, Z. & Shaheen, I. Enhancing Smart City Functions through the Mitigation of Electricity Theft in Smart Grids: A Stacked Ensemble Method. International Transactions on Electrical Energy Systems (1), 5566402 (2024). 11. Mazhar, T. et al. M.T. and The role of ML, AI and 5G technology in smart energy and smart building management. Electronics, 11(23), 3960 (2022). Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 20 www.nature.com/scientificreports/ 12. Mazhar, T. et al. Analysis of cyber security attacks and its solutions for the smart grid using machine learning and blockchain methods. Future Internet, 15(2), 83 (2023). 13. Ghadi, Y. Y. et al. Security risk models against attacks in smart grid using big data and artificial intelligence. PeerJ Comput. Sci. 10, e1840 (2024). 14. Elsisi, M., Su, C. L. & Ali, M. N. Design of reliable IoT systems with deep learning to support resilient demand side management in smart grids against adversarial attacks. IEEE Trans. Ind. Appl. (2023). 15. Lahon, P. et al. Deep Neural Network-Based Smart Grid Stability Analysis: Enhancing Grid Resilience and Performance. Energies, 17(11), 2642 (2024). 16. Aljohani, A., AlMuhaini, M., Poor, H. V. & Binqadhi, H. A deep learning-based Cyber Intrusion Detection and Mitigation System for Smart Grids. IEEE Trans. Artif. Intell. (2024). 17. Menon, D. M. & Radhika, N. A Trust-based Framework and Deep Learning-based attack detection for Smart Grid Home Area Network. Int. J. Intell. Eng. Syst., 15(1) (2022). 18. Li, X. J., Ma, M. & Sun, Y. An Adaptive Deep Learning Neural Network Model to Enhance Machine-Learning-Based Classifiers for Intrusion Detection in Smart Grids. Algorithms, 16(6), 288 (2023). 19. Mhmood, A. A., Ergül, Ö. & Rahebi, J. Detection of cyber-attacks on smart grids using improved VGG19 deep neural network architecture and Aquila optimizer algorithm. Signal. Image Video Process. 18 (2), 1477–1491 (2024). 20. Dairi, A., Harrou, F., Bouyeddou, B., Senouci, S. M. & Sun, Y. Semi-supervised deep learning-driven anomaly detection schemes for cyber-attack detection in smart grids. In Power Systems Cybersecurity: Methods, Concepts, and Best Practices (265–295). Cham: Springer International Publishing. (2023). 21. Li, Y., Wei, X., Li, Y., Dong, Z. & Shahidehpour, M. Detection of false data injection attacks in smart grid: a secure federated deep learning approach. IEEE Trans. Smart Grid. 13 (6), 4862–4872 (2022). 22. Kethineni, K. & Pradeepini, G. Intrusion detection in internet of things-based smart farming using hybrid deep learning framework. Cluster Comput. 27 (2), 1719–1732 (2024). 23. Zhai, F., Yang, T., Chen, H., He, B. & Li, S. Intrusion detection method based on CNN–GRU–FL in a smart grid environment. Electronics, 12 (5), p.1164. (2023). 24. Ghadi, Y. Y. et al. A. and Machine learning solution for the security of wireless sensor network. IEEE Access. (2024). 25. Haq, I. et al. Impact of 3G and 4G technology performance on customer satisfaction in the telecommunication industry. Electronics, 12(7), 1697 (2023). 26. Aurangzeb, M. et al. Enhancing cybersecurity in smart grids: deep black box adversarial attacks and quantum voting ensemble models for blockchain privacy-preserving storage. Energy Rep. 11, 2493–2515 (2024). 27. Mazhar, T. et al. Analysis of challenges and solutions of IoT in smart grids using AI and machine learning techniques: A review. Electronics, 12 (1), 242 (2023). 28. Vakili, A. et al. A new service composition method in the cloud‐based internet of things environment using a grey wolf optimization algorithm and MapReduce framework. Concurrency Computation: Pract. Experience. 36 (16), e8091 (2024). 29. Heidari, A., Jafari Navimipour, N., Dag, H. & Unal, M. Deepfake detection using deep learning methods: a systematic and comprehensive review. Wiley Interdisciplinary Reviews: Data Min. Knowl. Discovery. 14 (2), e1520 (2024). 30. Heidari, A., Navimipour, N. J., Dag, H., Talebi, S. & Unal, M. A novel blockchain-based deepfake detection method using federated and deep learning models. Cogn. Comput., 1–19 (2024). 31. Amiri, Z., Heidari, A., Navimipour, N. J., Esmaeilpour, M. & Yazdani, Y. The deep learning applications in IoT-based bio-and medical informatics: a systematic literature review. Neural Comput. Appl. 36 (11), 5757–5797 (2024). 32. Heidari, A., Navimipour, N. J. & Otsuki, A. Cloud-based non-destructive characterization. Non-destructive material characterization methods, 727–765 (2024). 33. Heidari, A., Navimipour, N. J. & Unal, M. A secure intrusion detection platform using blockchain and radial basis function neural networks for internet of drones. IEEE Internet Things J. 10 (10), 8445–8454 (2023). 34. Heidari, A., Shishehlou, H., Darbandi, M., Navimipour, N. J. & Yalcin, S. A reliable method for data aggregation on the industrial internet of things using a hybrid optimization algorithm and density correlation degree. Cluster Comput., 1–19. (2024). 35. Amiri, Z., Heidari, A., Zavvar, M., Navimipour, N. J. & Esmaeilpour, M. The applications of nature-inspired algorithms in internet of things‐based healthcare service: a systematic literature review. Trans. Emerg. Telecommunications Technol. 35 (6), e4969 (2024). 36. Zhang, G. & Sikdar, B. A novel adversarial FDI attack and defense mechanism for Smart Grid demand-response mechanisms. IEEE Trans. Industrial Cyber-Physical Syst. (2024). 37. Bhavsar, A. et al. July. EL-FAM: Power System Intrusion Detection with Ensemble Learning for False Alarm Mitigation. In 2024 International Conference on Computer, Information and Telecommunication Systems (CITS) 1–5. IEEE. (2024). 38. Jeyaraj, P. R., Samuel Nadar, R. & Mihet-Popa, L. E. and Deep-block network for cyberattack mitigation and assessment in smart grid power system with resilience indices. Electr. Power Compon. Syst., 1–17 (2023). 39. Abdelkader, S. et al. Securing modern power systems: implementing comprehensive strategies to enhance resilience and reliability against cyber-attacks. Results Eng., 102647 (2024). 40. Shrestha, R. et al. Anomaly detection based on lstm and autoencoders using federated learning in smart electric grid. Journal of Parallel and Distributed Computing, 193, 104951 (2024). 41. Shafin, S. S., Rahman, Q. A., Gondal, I., Karmakar, G. & Mondal, M. R. H. September. Blended Ensemble Learning for Robust MITM Attack Detection and Classification in Smart Grid. In 2023 33rd Australasian Universities Power Engineering Conference (AUPEC) (pp. 1–6). IEEE. (2023). 42. Dayarathne, M. A. S. P. et al. May. Deep learning-based Cyber Attack Detection in Power Grids with increasing renewable energy penetration. In 2024 IEEE World AI IoT Congress (AIIoT) (521–526). IEEE. (2024). 43. Raja, D. J. S., Sriranjani, R., Arulmozhi, P. & Hemavathi, N. Unified Random Forest and Hybrid Bat Optimization based Manin-the-Middle Attack Detection in Advanced Metering Infrastructure. IEEE Transactions on Instrumentation and Measurement. (2024). 44. Qazzafi, A. & Stiphen, G. Navigating cyber threats: enhancing power grid resilience through advanced cybersecurity and dynamic fault diagnosis techniques. Int. J. Adv. Eng. Technol. Innovations. 1 (3), 1–31 (2023). 45. Varshini, G. S. & Latha, S. Detection and mitigation of coordinated cyber-physical attack in CPPS. Heliyon, 10(4). (2024). 46. Bitirgen, K. & Filik, Ü. B. Markov game based on reinforcement learning solution against cyber–physical attacks in smart grid. Expert Systems with Applications, 255, 124607. (2024). 47. Imron, M. A. & Prasetyo, B. Improving algorithm accuracy k-nearest neighbor using z-score normalization and particle swarm optimization to predict customer churn. J. Soft Comput. Explor. 1 (1), 56–62 (2020). 48. Jokić, A., Petrović, M. & Miljković, Z. Integrated Process Planning and Scheduling of Production Systems Based on Mountain Gazelle Optimizer. In Proceedings of the 20th International May Conference on Strategic Management (IMCSM24), Smart miner Section, May 2024 (Vol. 20, No. 1), pp. 142–151). University of Belgrade-Technical Faculty in Bor. (2024). 49. Nosrati, N. & Navabi, Z. Analysis and enhancement of Resilience for LSTM Accelerators using Residue-based CEDs. IEEE Access. (2024). 50. Zhou, Z., Zhuo, L., Fu, X. & Zou, Q. Joint deep autoencoder and subgraph augmentation for inferring microbial responses to drugs. Brief. Bioinform. 25(1), 483 (2024). 51. Feda, A. K., Adegboye, O. R., Agyekum, E. B., Hassan, A. S. & Kamel, S. Carbon Emission Prediction through the harmonization of Extreme Learning Machine and INFO Algorithm. IEEE Access. (2024). Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 21 www.nature.com/scientificreports/ 52. Wu, Q., Xu, H. & Liu, M. Applying an Improved Dung Beetle Optimizer Algorithm to Network Traffic Identification. Computers Mater. Continua, 78(3). (2024). 53. https://www.unb.ca/cic/datasets/ddos-2019.html 54. AlHaddad, U., Basuhail, A., Khemakhem, M., Eassa, F. E. & Jambi, K. Ensemble model based on hybrid deep learning for intrusion detection in smart grid networks. Sensors, 23 (17), 7464 (2023). Acknowledgements This Project was funded by the Deanship of Scientific Research (DSR) at King Abdulaziz University (KAU), Jeddah, Saudi Arabia, under grant no. (GPIP: 1319-612-2024). Therefore, the authors acknowledge with thanks the DSR at KAU for technical and financial support. Author contributions Conceptualization: Mahmoud Ragab, Sanaa A. Sharaf; Data curation and Formal Analysis: Abdullah AL-Malaise AL-Ghamdi, Louai A. Maghrabi; Investigation and Methodology: Nasser Albogami, Maha Farouk Sabir, Ehab Bahaudien Ashary, Project Administration and Resources: Mahmoud Ragab; Supervision: Sanaa A. Sharaf; Validation and Visualization: Ehab Bahaudien Ashary, Hashem Alaidaros, Louai A. Maghrabi, Abdullah AL-Malaise AL-Ghamdi; Writing—original draft: Sanaa A. Sharaf, Mahmoud Ragab, Writing—review and editing, Maha Farouk Saber, Hashem Alaidaros, Ehab Bahaudien Ashary, Nasser Albogami. All authors have read and agreed to the published version of the manuscript. Declarations Competing interests The authors declare no competing interests. Additional information Correspondence and requests for materials should be addressed to M.R. Reprints and permissions information is available at www.nature.com/reprints. Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/ licenses/by-nc-nd/4.0/. © The Author(s) 2024 Scientific Reports | (2024) 14:23069 | https://doi.org/10.1038/s41598-024-74733-6 22