## **6. Experimental setup**

### **6.1 Datasets**

In this section, the performance of the PHHMM-based anomaly detection approach is tested on traffic combining DDoS attack data with normal data from the prepared dataset. We feed the prepared dataset into our PHHMM model to identify DDoS attack intentions and predict possible attacks. The performance of the proposed model is obtained through MATLAB R2020b simulations. To remove duplicate alerts, we wrote a script that extracts the necessary fields, such as IP Addresses, Alert ID, Destination Port, Source Port, and timestamp, from Snort IDS alerts.
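The field-extraction and duplicate-removal step described above could look like the following. This is an added example, not the authors' script: it assumes Snort's "fast" alert output format, treats the `gid:sid:rev` triple as the Alert ID, and assumes a duplicate is the same alert ID and endpoints seen again within a 2-second window; the sample alerts and the year are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in Snort "fast" format (not data from the paper).
SAMPLE_ALERTS = """\
03/07-10:15:01.120000  [**] [1:1000001:1] Possible TCP SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:40112 -> 192.0.2.10:80
03/07-10:15:01.480000  [**] [1:1000001:1] Possible TCP SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:40112 -> 192.0.2.10:80
03/07-10:15:02.050000  [**] [1:1000002:1] ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
03/07-10:15:09.900000  [**] [1:1000001:1] Possible TCP SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:40112 -> 192.0.2.10:80
this line is not an alert
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<alert_id>\d+:\d+:\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))?\s+->\s+"
    r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?\s*$"
)

def parse_alert(line, year=2020):
    """Extract timestamp, alert ID, IPs and ports from one line; None if not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()  # ports are None for port-less protocols such as ICMP
    # Fast alerts carry no year, so the caller supplies one (assumed here).
    rec["ts"] = datetime.strptime(f"{year}/{rec['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return rec

def dedup_alerts(lines, window=timedelta(seconds=2)):
    """Drop an alert when the same (ID, src, dst, ports) was already kept within `window`."""
    last_kept, kept = {}, []
    for rec in filter(None, map(parse_alert, lines)):
        key = (rec["alert_id"], rec["src_ip"], rec["src_port"],
               rec["dst_ip"], rec["dst_port"])
        prev = last_kept.get(key)
        if prev is None or rec["ts"] - prev > window:
            kept.append(rec)
            last_kept[key] = rec["ts"]
    return kept

if __name__ == "__main__":
    for r in dedup_alerts(SAMPLE_ALERTS.splitlines()):
        print(r["ts"].isoformat(), r["alert_id"],
              r["src_ip"], r["src_port"], "->", r["dst_ip"], r["dst_port"])
```

The window is measured from the last alert that was kept, so a sustained flood still yields one alert per window rather than being suppressed entirely.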

### **6.2 Evaluation metrics**

We analyze and evaluate performance using the common metrics for IDS performance evaluation: Accuracy (the rate of true results including true negatives and true positives), Precision (positive predictive value), Sensitivity (true positive rate), Specificity (false positive rate), and False Negative Rate (error rate) [27], all in an average sense (see **Table 2**).

After generating the likely state sequences, we compare them to the known state sequences to define true positive (TP), false positive (FP), true negative (TN), and false-negative (FN) parameters [27]. The accuracy (ACC) is obtained by the following equation:

$$\text{ACC} = \frac{\text{TP} + \text{TN}}{\text{TP} + \text{TN} + \text{FP} + \text{FN}} \tag{13}$$

The precision (PR), the fraction of the total number of positive cases that are correctly identified as attacks to the total number of attacks, is obtained by the following equation:

$$PR = \frac{TP}{TP + FP} \tag{14}$$

Sensitivity (SN), or the true positive rate, the fraction of the total number of classified true positives that are accurately identified as attacks to the total number of positive cases, is calculated by the following equation:

$$\text{SN} = \frac{\text{TP}}{\text{TP} + \text{FN}} \tag{15}$$

We use F-measure to evaluate the model's overall accuracy considering both precision and sensitivity. Having a good F-measure value indicates that the model has low false positives and false negatives, which means that it correctly identifies attacks. It is calculated by the following equation:

$$F_{measure} = 2 \times \frac{PR \times \text{SN}}{PR + \text{SN}} \tag{16}$$


**Table 2.**

*Two-Class Case Confusion Matrix.*

*An Effective Method for Secure Data Delivery in IoT DOI: http://dx.doi.org/10.5772/intechopen.104663*

The following equation is used to identify the error rate (ER) for false negative predictions:

$$ER = \frac{FP + FN}{TP + TN + FP + FN} \tag{17}$$
