A Hybrid Intrusion Detection System for Secure Vehicular Ad-Hoc Network Communications: Integrating Signature Filtering with a Modified War Optimization Algorithm–Optimized Deep Recurrent Neural Network

Vehicular Ad-Hoc Networks (VANETs) have become foundational to intelligent transportation systems by enabling continuous data exchange between vehicles and roadside infrastructure for collision avoidance and emergency dissemination [1]. However, decentralized control, high mobility, and open wireless links make VANETs vulnerable to cyber threats, including false message injection, Sybil identities, and Distributed Denial-of-Service (DDoS) attacks. Traditional Intrusion Detection Systems (IDSs) primarily employ signature‑based or anomaly‑based strategies [2]. While hybrids offer complementary strengths [3], they often struggle to meet VANETs’ latency and accuracy constraints. Recent deep learning models (e.g., Long Short-Term Memory (LSTM), Gated Recurrent Unit (GRU)) [4-10] capture temporal patterns in traffic flows but depend on careful hyperparameter tuning for reliable performance. To bridge these gaps, we introduced an adaptive Deep Recurrent Neural Network–Modified War Optimization Algorithm (DRNN-MWOA) based hybrid IDS. A lightweight signature filter handles known threats, and an MWOA‑tuned DRNN classifies unmatched traffic, improving both detection robustness and computational efficiency [7, 8]. We evaluate the system on CIC-IDS2017 [11-15] and benchmark it against Recurrent Neural Network (RNN), One-Dimensional Convolutional Neural Network (1D‑CNN) models, and DRNN, using conventional and extended metrics like Cohen’s Kappa.

The proposed IDS framework (see Figure 1) begins with the collection of raw real-world data (CIC-IDS2017). In the preprocessing stage, redundant flows are removed and essential header features are extracted for analysis. The system then applies a two-stage detection strategy. First, signature matching is performed to quickly identify traffic corresponding to known attack patterns; any matches are immediately flagged as malicious. Unmatched traffic is forwarded to the second stage, where a DRNN optimized with the MWOA [23] learns temporal dependencies and classifies the data. Finally, the system outputs the decision as benign or malicious, with alerts generated for suspicious activity. This layered design ensures both efficiency and adaptability in detecting diverse VANET threats. In this Hybrid method, we can improve the accuracy level of the Deep RNN network with the help of an improved heuristic algorithm, War Optimization Algorithm, a metaheuristic that alternates between attack (exploitation), defense (exploration), and soldier‑replacement steps to avoid premature convergence.

The proposed IDS operates in two sequential stages.

The end-to-end workflow is:

1) Preprocess flows (deduplication, header extraction, normalization),

2) Signature matching for known threats,

3) DRNN classification tuned by MWOA,

4) Alert generation and logging.

As opposed to other conventional metaheuristic optimization algorithms like Particle Swarm Optimization (PSO) and Genetic Algorithm (GA), which tend to need a lot of parameter-tuning and are prone to premature convergence, the MWOA uses adaptive attack, defense, and replacement strategies that actively adjust the balance between the exploration and exploitation of solutions. This is exceptionally beneficial to optimizing DRNN architecture, the loss surface of which is extremely non-convex because of repetitive connectivity and time-delays. The rank/weight-based update scheme in MWOA allows an update step-size to be used in a controlled way, between different iterations, which allows effective exploration of the complex error landscapes and enhances stability of convergence. Subsequently, MWOA offers a stronger optimization framework of RNN-based intrusion detection in VANETs.

Figure 1. Flowchart of the proposed methodology

3.1 Signature model

A deep learning model was used in the construction of the proposed IDS for VANET. The training and testing phases are the two stages of this deep learning model's progression [16]. The proposed classifier and the signature module are used by the training model to create the learned patterns. The signature module's (training module) learned pattern is used to categorize assaults in the VANET as either unknown or known attacks. The vast amount of VANET data in the VANET architecture reduces the effectiveness of the CIDS. As a result, in the training phase, redundant and duplicate data are removed from network traffic and detected. The signature module receives the pre-processing module's deleted data. The header information is separated from the data using this module to streamline the analysis process, reduce processing overhead, and enhance the accuracy of intrusion detection by focusing on the payload where malicious activities are often encoded. This information is used to test the suggested classifier, which creates the trained patterns in the IDS's training model. The vehicle node is affected by the known attacks in the VANET. The collected database is sent to the classifier for detecting the intruder based on known and unknown attacks.

The signature-based module, which is a component of the proposed two-stage IDS architecture, serves as a first line of network filtering gateway on top of the pre-processed network flows, comparing them to a collection of known attack signatures. Matched signatures of traffic are classified as malicious immediately and logged, whereas the ones that cannot be matched are identified as suspicious and sent to the second-stage anomaly detection module. These filtered flows were transformed into sequential feature vectors and normalized, and given as input to the DRNN classifier. This architecture makes sure that only uncertain instances of traffic reach the DRNN, hence it minimizes the computational burden and allows the DRNN to concentrate on the learning of temporal patterns related to unfamiliar or dynamic attacks.

3.2 Deep Recurrent Neural Network

The RNN is used in this study to detect intrusions in VANET. The processing of data by RNNs is not restricted to one direction. RNNs can cycle through different layers and can also store data temporarily for use at a later time. Figure 2 shows how an RNN is designed. In this design, $H_t$ is the output, $X_t$ is an input.

 

The RNN is referred to as a deep neural network and has various layers that are used to analyze input. The Back Propagation Through Time (BPTT) method is used to acquire the RNN model's learning process. Multilayer perceptron (MLP) neural networks frequently employ this strategy. The weight link connecting the present hidden layer and the following hidden layer is denoted as $W_{H H}$. The connection weight between the input and the first connected hidden layer is defined as $W_{H x}$. The weight between the last hidden layer and its output layer is defined as $W_{H Y}$. The biases of the hidden layer and output layer are denoted as $B_H$ and $B_Y \cdot H_t$ is defined as the hidden state at period $\boldsymbol{t}$. The function $\mathrm{G}(\cdot)$ represents a nonlinear activation function, commonly implemented using tanh or ReLU.

$H_t=G\left(H_{(t-1)}, X_t\right)$              (1)

$H_t=G\left(W_{H X} X_t+W_{H H} H_t-1+B_H\right)$             (2)

$\bar{Y}_t=G\left(W_{H Y} H_t+B_Y\right)$             (3)

where, $\overline{Y_t}$ is defined as a predicted outcome. The suggested classifier is trained sequentially. The difference between the actual and expected output parameters is calculated at each stage. Error loss (L) function reduction is the main goal of the training process. Low-loss parameters will be obtained by the best model. The mathematical formulation of the training process is as follows:

$L\left(\overline{Y_P}, y\right)=\sum_{t=1}^n L\left(\overline{Y_t}-Y_t\right)$                (4)

where, $n$ is defined as the maximum learning period. During the learning process, this classifier is known to produce explosive gradients or vanishing gradient problems.

The size of the input dataset is always a factor in this problem.

$\frac{\partial L}{\partial w}=\sum_{t=1}^n \frac{\partial L_t}{\partial w}$               (5)

From the above Eq. (5), the chain rule is applied, and it is reformulated as follows:

$\frac{\partial L}{\partial w}=\sum_{t=1}^n\left(\frac{\partial L_t}{\partial H_t}\right) \sum_{k=1}^t\left(\prod_{i=k+1}^t \frac{\partial H_i}{\partial H_{i-1}}\right) \partial H k / \partial w$                  (6)

The above Eq. (6) shows that the gradient at a given time depends on the product of partial derivatives across successive hidden states, which explains the vanishing and exploding gradient problems in standard RNNs. The use of GRU and LSTM in the RNN has helped to mitigate the bursting and vanishing gradients problems. The following is a presentation of the LSTM and GRU mathematical formulations. It describes the LSTM architecture, in which gating mechanisms regulate information flow and preserve the long-term dependencies.

$\left\{\begin{array}{c}f_t=\sigma\left(W_f \cdot\left[H_{t-1}, X_t\right]+B_f\right) \\ i_t=\sigma\left(W_i \cdot\left[H_{t-1}, X_t\right]+B_i\right) \\ C_t^{\prime}=\tanh \left(W_c \cdot\left[H_{t-1}, X_t\right]+B_c\right) \\ C_t=f_t * C_{t-1}+i t * C_t^{\prime}\\ O_t=\sigma\left(W_o \cdot\left[H_{t-1}, X_t\right]+B_o\right) \\ H_t=O_t * \tanh \left(C_t\right)\end{array}\right.$            (7)

where, $B$ as biases, $w$ as weights, $v$ as output vector, $\sigma_a= \frac{a}{1+e^{-a}}$ as sigmoid, $\tanh (a)=\frac{1-e^{-2 a}}{1+e^{-2 a}}$ is a hyperbolic tangent activation function and $s$ is defined as the cell state.

$\left\{\begin{array}{c}Z_t=\sigma\left(W_z \cdot\left[H_{t-1}, X_t\right]+B z\right) \\ r_t=\sigma\left(W_r \cdot\left[H_{t-1}, X_t\right]+B r\right) \\ H_t^{\prime}=\tanh \left(W h \cdot\left[r_t * H_{t-1}, X_t\right]+B h\right) \\ H_t=\left(1-Z_t\right) * H_{t-1}+Z_t * H_t^{\prime}\end{array}\right.$               (8)

The above Eq. (8) represents the GRU architecture, where update and reset gates control information flow and alleviate vanishing gradient problems.

where, $Z_t$ is defined as the update gate, $r_t$ is defined as the reset gate, $X_t$ is defined as the input vector, and the related weight is denoted by $W$. The GRU regulates the flow of information using the sigmoid activation function for the update and reset gates. The hyperbolic tangent function is used for computing the candidate hidden state. To improve the performance of the VANET, the optimal weighting parameter is selected by using enhanced WOA.

3.3 Modified War Optimization Algorithm

This optimization is a metaheuristic approach, and it maintains a military to defend itself from attackers (see Figure 3). This army consists of different forces like elephants, chariots, and infantry. In every iteration, whole soldiers have a similar probability of becoming either commanders or kings based on their combat strength [23]. In this strategy, the commander and king are considered the leaders. The changes in the commander and king in the war field will manage the remaining soldiers. There is a requirement for the commander or king to face competition from the soldiers.

Figure 3. Modified War Optimization Algorithm (MWOA)

The optimization algorithm and the mathematical formulation of the strategy are presented below.

1. Initialization

• Define population size N (number of solutions/warriors).

• Randomly initialize each warrior’s position (candidate DRNN parameters).

• Set maximum iterations, T.

2. Fitness Evaluation

For each warrior:

• Train the DRNN with the candidate parameters.

• Compute fitness (e.g., classification error).

3. Attack Phase (Exploitation)

• Select the current best warrior (lowest error).

• Update positions of warriors close to the best solution to exploit promising areas.

4. Defense Phase (Exploration)

• Allow some warriors to move randomly in the search space.

• Ensures diversity and avoids local optima.

5. Replacement Strategy

• Replace the weakest warriors (worst solutions) with new random solutions.

• Maintains population diversity.

6. Update DRNN Parameters

• Assign the best warrior’s position as the new set of optimized DRNN parameters.

7. Termination Check

• If maximum iterations T is reached or convergence achieved → stop.

• Else, go back to Step 2.

8. Final Classification

• Use optimized DRNN to classify VANET traffic as Benign or Malicious.

3.3.1 Attack strategy

Two methods are being used in this process. Each soldier in the initial scenario positioned themselves relative to their commander and king. The monarch recommends the best location from which to launch a powerful assault on the opposition. The soldier having the highest attack force or fitness, based on the results, is related to the king. In the early stages of a battle, the weight and rank of all soldiers will be comparable. His rank will rise if the soldier uses the tactic to its full potential. In this algorithm, the oppositional function is also considered for empowering the WOA. Additionally, the update procedure is designed as follows [24]:

$\begin{gathered}x_i(t+1)=x_i(t)+2 \times \rho \times(c-k) +\operatorname{rand} \times\left(w_i \times k-x_i(t)\right)\end{gathered}$               (9)

where, $w_i$ is a weight, $k$ is a king position, $x_i$ is the last position, $x_i(t+1)$ is a novel position.

3.3.2 Fitness evaluation

The best weighting parameter is chosen in this evaluation process by taking fitness functions into account. This is how it is put together:

$F E= Min (training\ error)$             (10)

Based on this fitness function evaluation, the optimal weight parameter is selected, which increases the prediction accuracy of the classifier.

3.3.3 Weight and rank update

In this updating process, the search agent is related to the position of the king, the commander, and the rank of every soldier. Each soldier's rank is related to their success history in the war, which will similarly affect the weighting factor. The rank of every soldier reflects how close the soldier is to the final target [24]. If the attack force in the novel position is lower than that of the last position, the soldier considers it as the last position.

$\begin{gathered}\left.x_i(t+1)=x_i^{\prime}(t+1)\right) \times\left(f_n \geq f_p\right) +\left(x_i(t) \times\left(f_n<f_p\right)\right)\end{gathered}$                  (11)

where, $f_n$ is fitness of novel position, $f_p$ is fitness of previous position. $\boldsymbol{r}_i$ is the rank of ith soldier. Based on the above formulation, the soldier's position is updated optimally. After that, the rank $r_i$ of the soldier will be upgraded.

$\begin{aligned} r_i(t+1)=\left(r_{i(t)}\right. & +1)) \times\left(f_n \geq f_p\right)  +\left(r_{i(t)} \times\left(f_n<f_p\right)\right)\end{aligned}$                (12)

$W_i$ is the weight of i^th soldier. Let maximum iteration is T. α is a control parameter. The new weight of soldiers is computed by:

$w_i=w_i \times\left(1-\frac{r_i}{T}\right)^\alpha$              (13)

3.3.4 Defense strategy

The position of the king, the army commander, and a random soldier are all factors in the following process for updating positions [24]. $\rho$ is the control parameter. k & c are king and commander position respectively. The mechanism for updating the rankings and weights is similar to the first method.

$\begin{gathered}x_i^{\prime}(t+1)=x_i(t)+2 \times \rho \times\left(k-x_{\text {rand }}(t)\right)  +\operatorname{rand} \times w_i \times\left(c-x_i(t)\right)\end{gathered}$                (14)

3.3.5 Replacement or transfer of weak soldiers

Find the weak warriors in each iteration and judge them to be the least fit. Here, we verified several replacement methods. The straightforward method of substituting a random soldier for a weak soldier is written as follows:

$x_w(t+1)=L B+r$ and $\times(U B-L B)$                 (15)

The next tactic is to replace the weak soldier in the middle of an entire army in a combat zone, as shown in the Eq. (16) below. The algorithm's convergence properties are improved by this method.

$\begin{aligned} & x_w(t+1)=-(1-\operatorname{rand} n) \times\left(x_w(t)-\operatorname{median}(X)\right)+k\end{aligned}$            (16)

Soldiers with higher fitness levels are assigned lower weights, and a larger weight if their fitness level is poor. Each soldier takes high steps during the early stages of the conflict, which causes weight shifts. When the fight is over, the soldiers consider taking small steps to accomplish the goal and adjusting the weight gradually. The soldiers move in random directions and do not strictly follow the king, as this strategy is randomly selected to enhance the algorithm’s exploratory capability. At the end of the war, the army personnel are able to identify the final optimal location. This approach effectively balances exploration and exploitation, leading to improved optimization performance.