© Z. Chen and B. Zhang, Published by EDP Sciences 2026

1 Introduction

Due to growing influences and technological breakthroughs, modern public transportation systems are experiencing a tremendous transition. Included in this transformation is the incorporation of vehicles into network collaboration [1]. V2X technology improves transportation efficiency, safety, and mobility by enabling cars to speak with pavement and each other. This integration may give rise to new worries, mainly about the safety of car networks [2]. Intelligent infrastructure is an attractive use case for permanent computing, which has seen extensive adoption [3]. Due to the grave risks that malfunctioning vehicles present to transportation and human safety, the maximum priority is preserving secure transportation networks. Cars increasingly speak with roadside infrastructure and every different via Vehicle-to-Everything (V2X) networks [4]. Since then, independent and networked automobiles have proliferated. Using these networks, we may additionally implement independent use, better manage visitors, and reduce the likelihood by running collectively [5]. The interconnected shape of V2X networks makes them liable to cyber assaults, including DDoS and DoS attacks. Threats like this jeopardize not just the traveler's efficiency and personal safety but also the safety of data sent across networks and the motor's capability to interact with diverse equipment [6]. The studies propose that Network Intrusion Detection Systems (NIDS) hire AI algorithms to cope with these new protection threats. When detecting and mitigating cyberattacks in real time, NIDS, driven by AI, has been distinctly powerful [7,8]. By tracking community traffic styles for indications of malicious interest, cyber-assault detection attempts to discover suspicious behaviors. The recommended NIDS model uses deep mastering methods like SCNN to enhance its detection skills, Bidirectional Long Short-Term Memory Architecture (BiLSTM) for category, and feature extraction. Optimizing NIDS's overall performance additionally entails fine-tuning the SCNN and BiLSTM additives with the assistance of the IMV-GBO. Furthermore, IMV-GBO permits parameter tuning for the model, mainly for better detection accuracy and fewer fake positives. As a result, the NIDS can provide higher guard against cyberattacks [9]. This study's particular promoting point is that it contains feature learning with IMV-GBO-based total attribute extraction. Because of the combination, the model can better locate and lessen risks [10]. The principal goal of this study is to utilize bidirectional long and short-term memory networks and artificial intelligence algorithms to enhance the protection of automobile-street collaboration structures [11]. They look at making public transit extra dependable and stable [12].

With the rapid development of Internet of Vehicles technology, the communication capabilities between vehicles and road infrastructure have been significantly enhanced, bringing revolutionary improvements to traffic efficiency and safety. However, this highly interconnected environment also exposes vehicle-road cooperative systems to serious network security threats. Existing network intrusion detection systems are mostly based on traditional methods and show certain limitations when dealing with complex and dynamically changing attack patterns, such as insufficient feature extraction, low classification accuracy, and poor adaptability to new attacks. In addition, some current deep learning models fail to effectively integrate spatial structure and temporal dependencies when processing spatiotemporal data, resulting in limited detection performance.

To address the limitations of existing NIDS in V2X systems, such as insufficient feature extraction, poor adaptability to dynamic attacks, and weak spatiotemporal data modeling capabilities when responding to complex attack patterns, as well as the difficulty of traditional methods in balancing real-time performance and accuracy, and their inability to effectively respond to emerging security threats in V2X networks, this paper proposes an integrated feature extraction and learning solution that integrates and improves IMV-GBO. This solution also incorporates optimization mechanisms into the standard deep learning pipeline to improve model performance. Unlike traditional deep learning models that rely on fixed structures for feature extraction and classification, this approach uses SCNN to extract spatial features and BiLSTM to capture temporal features. It then optimizes the fused feature parameters using IMV-GBO, dynamically adjusting model weights to minimize the loss function. This allows the feature extraction process to leverage both the network structure and the optimization algorithm to enhance feature representation. Experimental results show that on the KDD-99 dataset, this method achieves a detection accuracy of 94% compared to mainstream methods such as ELM, IAROEL-TFMS, and GCN-BiLSTM, 4 percentage points higher than the highest value of GCN-BiLSTM. The false positive rate is reduced to 4%, and the false negative rate is as low as 0.08, providing an efficient and reliable solution for the network security of vehicle-road cooperative systems.

2 Related works

2.1 Existing approaches to network security in vehicle-road collaborative systems

A learning-based approach for collaborating and estimating intelligent vehicle systems was proposed by Gao et al. [13] using data gathered from a network of linked automobiles. Protecting identifying information, including car registration numbers, is the method's declared purpose, which should assuage concerns about privacy infringement. A single privacy-preserving architecture allows linked automobiles to enhance estimations through sequential measurements. This strategy has been shown to be effective through numerical simulations; moreover, it does not increase communication/computation overhead or decrease accuracy. Subsequently, it was introduced by Ragab et al. [14]. Intelligent Transportation Systems (ITS) rely on traffic flow monitoring to ensure efficient management and optimization. Data collection and analysis are typically done manually in traditional ways. The research suggests an ITS-based Improved Artificial Rabbits Optimization with Ensemble Learning (IAROEL-TFMS). The IAROEL-TFMS method employs optimum ensemble learning and feature subset selection to forecast traffic flow. With a minimum RMSE of 16.4539, the IAROEL-TFMS methodology consistently beats other simulation approaches.

The goal of intelligent city Machine Learning (ML) has been to manage traffic without congestion for 10 yr, as demonstrated by Hassan et al. [15]. Machine learning algorithms enhance capability and intelligence, but they come at a cost and require more data than is necessary. Using a multiple-layer Extreme Learning Machine (ELM), this deep learning method smooths a signal over congestion details at all possible connection points. This idea will improve congestion and traffic flow. Cooperation driving systems are an essential area of study, and Wang et al. [16] suggested an intelligent linked vehicle cooperative control system. The main areas of recent research on these systems are the control of collaborative queues, decision-making, and positioning of vehicles. Infrastructure for vehicle and road terminals, communication security, delay, and optimization are all covered. This study defines the boundaries of the system and future trends in intelligent vehicle cooperative driving development.

2.2 Artificial intelligence algorithms and bidirectional long short-term memory networks

Artificial intelligence algorithms and bidirectional long short-term memory networks can realize real-time anomaly detection and intrusion protection in vehicle-road cooperative systems, improve vehicle communication security and system reliability, and ensure the stability and safety of intelligent transportation operations. Christy, C [17]. proposed a multi-stage lightweight intrusion detection system that uses a random forest algorithm for feature selection and an integration model to improve the security of vehicle networks. This method enhances the detection process through multi-step processing and machine learning, reducing processing overhead and response time. Ashfaq [18] proposed a bidirectional long short-term memory network model based on a dual attention mechanism to predict lane change behavior of vehicles on highways. The model takes into account the past and future context of the input data and achieves a test accuracy of 86%. Khan [19] proposed a new method to detect malicious traffic in smart devices by optimizing deep learning models, using a deep learning method based on BiLSTM-CNN.

2.3 Network security with artificial intelligence

Aerospace, smart manufacturing, autonomous vehicles, and smart city transportation are among the potential application areas of artificial intelligence and digital twins. When it comes to uncrewed flight, failure warning, digital twins, and aircraft assembly, the implications of combining AI with digital twins are far-reaching. You can save time and money while increasing test accuracy and decreasing maintenance expenses by using virtual simulations. By simulating actual road conditions, smart city traffic allows for better control of urban traffic and reduces the frequency and severity of accidents. The article expresses a positive outlook on the future of digital twins and AI. Olugbade et al. [20] discussed using AI and ML to reduce road accidents. Doing so highlights the challenges associated with reducing the incidence of road transport accidents and potential solutions to this problem. The primary focuses of the research are safety, event detectors, road management, and wireless communication technology. The results stress the need for real-time vehicle tracking, predictive fleet maintenance, route optimization, traffic management, and cargo volume forecasting to secure road transportation networks. Highlighting research trends, unresolved concerns, and significant research conclusions, the article helps plan and administer road transport networks.

2.4 Applications of bidirectional long short-term memory networks in security systems

Wang X and Wang Q [21] proposed the GCN-BiLSTM-Attention method to address the issues brought about by the present methods' lack of class parity in recognizing intrusions in in-vehicle networks. For geographical correlations, the study uses Graph Convolutional Networks (GCNs); for temporal correlations, the study uses BiLSTMs; and to extract meaningful information, the study exploits an attention mechanism. If applied to the IoV setting, the approach identifies anomalous traffic better than competing methods while maintaining the properties of local traffic data. The importance of secure vehicle networks, particularly VANETs, in protecting pedestrians and drivers has been highlighted by Manderna et al. [22]. DDoS assaults can cripple VANETs even in 2016. This article introduces a neural information detection system (NIDS) built on artificial intelligence (AI) that employs Deep Learning methods such as SA-BiLSTM and CRNs. For trustworthy datasets such as KDD-CUP 99 and ToN-IoT, the model attained an astounding 99% accuracy rate.

3 Proposed methodology

3.1 System overview and methodological framework

Improved network security in vehicle-road collaboration systems is the goal of this project, which aims to develop an AI-based NIDS using Deep Learning algorithms, namely BiLSTM for classifications and SCNN for feature extraction. IMV-GBO will be employed to optimize the capabilities of the NIDS to identify and respond to security risks. The NIDS's feature learning method will also contain IMV-GBO-based feature extraction for action detection and prevention. To protect these systems from constantly changing cyber threats and improve the reliability and safety of existing transportation networks, our research aims to contribute to advancing network security for vehicle-road collaborative systems.

Figure 1 shows that AI algorithms and BiLSTM networks boost network protection in automobile-road collaboration systems. Data streams are sourced, preprocessed for analysis, extracted excessive-stage features using an SCNN, categorized using a BiLSTM model, optimized using IMV-GBO, and incorporated into the characteristic learning procedure. Using improved SCNN and BiLSTM components, an AI-powered NIDS detects and responds to device protection threats. Based on detection and categorization effects, the NIDS sends protection alerts, notifications, or programmed movements to address risks quickly.

Fig. 1 Enhancing network security in vehicle-road collaborative systems.

3.2 Data preprocessing

Data pretreatment guarantees the IDS's effectiveness, dependability, and quality in improving network safety in vehicle-road collaborative structures using artificial intelligence algorithms and BiLSTM networks. Based on the provided studies, the subsequent steps detail the approaches that should be used for information preprocessing.

KDD-99 is a dataset designed for traditional network attacks and lacks protocols and attack types specific to V2X communications. To improve applicability, feature selection, data enhancement, and scenario adaptation are introduced in the data preprocessing stage. By filtering irrelevant fields, synthesizing Internet of Vehicles-related attack samples, and combining real traffic communication data for transfer learning, the model's security detection capabilities for vehicle-road collaborative environments are enhanced.

Preparation is based heavily on information cleansing, which complements the reliability and quality of raw data accumulated from automobile networks. The steps of this method embody lowering noise, rectifying errors, filling in missing data, and preserving uniform data. To save intrusion detection from returning false positives or negatives, data cleansing is a vital step for V2X systems. This patch fixes issues like faulty sensor information series, unsuccessful data exchange, and missing records due to communication delays or malfunctioning sensors.

Data normalization is a key component of V2X protection detection. Data layout standardization and information scaling to a given variety or dispersion are essential to achieve this goal. Since normalization renders various functions homogenous and comparable, it's far more useful for synthetic intelligence (AI) models and detection strategies. Normalization is essential for V2X network security because it can detect malicious styles. Because of this, the technique can better deal with anomalies, accelerate education version convergence, increase feature contrasts, and make breach detection much less hard.

Data homogeneity is a further critical approach for detecting V2X community safety. If the dataset is not normal, with a median of 0 and a standard deviation of 1, the method will not set its parameters. Machine learning models are more effective once they use standardized data to perceive patterns and anomalies, which might indicate the presence of assaults. It improves the machine's capability to cope with outliers, continues regular recognition thresholds, and discovers intrusions in V2X situations. The cautioned machine increases the model's accuracy and efficacy in detecting intrusions, enhancing the dependability and reliability of vehicle-road collaboration systems. Data cleaning, standardization, and normalization are some of the comprehensive pretreatment strategies used to achieve this purpose.

3.3 Feature extraction

Feature extraction is a pivotal step in enhancing the network security of vehicle-road collaborative systems [23]. This study proposes a comprehensive method to achieve the objectives outlined in the introduction. It transforms raw data into specific features that preserve critical information, aiming to identify recognizable patterns indicative of cyberattacks such as DDoS and DoS. The process is detailed in the following Table 1.

This integrated approach leverages the SCNN's ability to capture spatial hierarchies and the BiLSTM's capacity to model long-term temporal dependencies. The subsequent optimization by IMV-GBO enhances the feature representation, leading to improved detection accuracy and robustness for the intrusion detection system.

3.4 Classification

The core formulas discussed in this article are derived and constructed based on the classic theoretical framework of deep learning and optimization algorithms, and adapted to the specific characteristics of V2X network intrusion detection scenarios. The spatial feature extraction formula for the SCNN model draws on the fundamental definition of convolution operations in deep learning. By expanding the multi-channel input dimension to accommodate the multidimensional properties of network traffic data, the convolution kernel parameter calculation logic continues the feature extraction paradigm in computer vision. The temporal feature capture formula for the BiLSTM model is derived from the gating mechanism of the LSTM unit, supplementing the forward and backward propagation formulas with time step weight coefficients to strengthen the modeling of the temporal correlation of attack behavior. The feature fusion formula utilizes the classic construction method of concatenating sample dimensions, ensuring the effective splicing of spatial and temporal features through dimensional matching constraints. The objective function of the IMV-GBO model is based on the loss minimization principle of the gradient descent algorithm and introduces a multivariable collaborative optimization term. Its derivation process refers to the solution logic of the convex quadratic programming problem. The cross-entropy loss function formula directly adopts the standard form used in classification tasks, meeting the probabilistic modeling requirements of network attack type identification.

Data classification is the act of dividing unprocessed data into pre-described sets defined by shared traits. This study aims to precisely recognize and classify compromises within automotive networks using BiLSTM classification, which intends to increase dependability and safety.

BiLSTM Forward Pass equation:

$$i_t=\sigma \left(w_{ix}x{\hspace{0.17em}}_t+w_{ih}h{\hspace{0.17em}}_{t-1}+b_i\right)$$(1)

$$f_t=\sigma \left(w_{fx}x{\hspace{0.17em}}_t+w_{fh}h{\hspace{0.17em}}_{t-1}+b_f\right)$$(2)

$$o_t=\sigma \left(w_{ox}x{\hspace{0.17em}}_t+w_{oh}h{\hspace{0.17em}}_{t-1}+b_o\right)$$(3)

$$g_t=tanh\left(w_{gx}x{\hspace{0.17em}}_t+w_{gh}h{\hspace{0.17em}}_{t-1}+b_g\right)$$(4)

$$c_t=f_t\odot c_{t-1}+i_t\odot g_t$$(5)

$$o_t=o_t\odot \text{tanh}\left(c_t\right).$$(6)

Equations (2)–(7) denote the first forward pass of the BiLSTM network, which manages the input data sequentially from the beginning to the end of the sequence. In this progression, the current inputs x _t and the previous hidden states h _t−1 are utilized to compute the number of gates, such as the input gates i_t, forget gates f_t, output gates o_t, and candidate gates g_t. By deciding what data to keep and what to reject, these gates manage the data flow in the network. Every time step's outputs h _t−1) show the latest concealed states, which preserve the circumstances and interconnection in the supplied sequences until that moment.

BiLSTM Backward Pass equation:

$$i{\text{'}}_t=\sigma \left(w{\text{'}}_{ix}x{\hspace{0.17em}}_t+w{\text{'}}_{ih}h{\hspace{0.17em}}_{t+1}+b{\text{'}}_i\right)$$(7)

$$f{\text{'}}_t=\sigma \left(w{\text{'}}_{fx}x{\hspace{0.17em}}_t+w{\text{'}}_{fh}h{\hspace{0.17em}}_{t+1}+b{\text{'}}_f\right)$$(8)

$$o{\text{'}}_t=\sigma \left(w{\text{'}}_{ox}x{\hspace{0.17em}}_t+w{\text{'}}_{oh}h{\hspace{0.17em}}_{t+1}+b{\text{'}}_o\right)$$(9)

$$g{\text{'}}_t=tanh\left({w^{\prime }}_{gx}x{\hspace{0.17em}}_t+w{\text{'}}_{gh}h{\hspace{0.17em}}_{t+1}+b{\text{'}}_g\right)$$(10)

$$c{\text{'}}_t=f{\text{'}}_t\odot c{\text{'}}_{t-1}+i{\text{'}}_t\odot g{\text{'}}_t$$(11)

$$o{\text{'}}_t=o{\text{'}}_t\odot \text{tanh}\left(c{\text{'}}_t\right).$$(12)

The BiLSTM network processes the input data in reverse order, starting at the end of the pattern and working its way to the beginning. In equations (8)–(13), the backward pass. The computation of the gates, such as the input gate i ' _t, forget gate f ' _t, output gate o ' _t, and nominee gate g ' _t, is done using the present input value x _tt and the next hidden state h _t+1, just like in the forward pass. With the help of this backward manufacturing, the network can supplement the data it collected during the forward pass by capturing temporal relationships in the opposite direction. The output h _t+1. Each step reflects the revised hidden state, integrating information from future steps to capture both forward and backward context and interconnections within the input sequence.

Figure 2 demonstrates that BiLSTM, a recurrent neural network, analyzes data in both the forward and backward directions to capture persistent dependencies in sequential data. A Long Short-Term Memory cell consists entirely of three key gates: the input gate, the forget gate, and the output gate, which regulate the flow of information through the cell. In this context, x denotes the input at each time step of the sequence, representing the observed data fed into the model. h represents the hidden state, which carries the learned temporal context from previous steps in both forward and backward directions, allowing the model to maintain a dynamic understanding of the sequence. M refers to the size of the output layer, corresponding to the number of categories in classification tasks or the dimension of the predicted output in regression problems. By processing the sequence in both directions, BiLSTM effectively captures dependencies from past and future contexts, making it well-suited for tasks requiring comprehensive sequential understanding.

By performing forward processing (from past to future) and backward processing (from future to past) on the input sequence x, BiLSTM (Bidirectional Long Short-Term Memory) can capture dependencies from both earlier (past) and later (future) time steps. This bidirectional architecture enables the model to maintain richer contextual representations, which aids in mitigating the vanishing gradient problem and enhances its ability to handle long-term dependencies. As a result, BiLSTM excels in tasks such as sequence labeling, sentiment analysis, and time series prediction. Applications including sequential data modelling, time series data analysis, and natural language understanding frequently employ BiLSTM, as these tasks require comprehensive context—both historical and future information—to make accurate predictions and classifications.

Fig. 2 Bidirectional long short-term memory architecture.

3.5 Optimization with improved multi-verse optimizer − gradient-based optimizer

The NIDS's SCNN and BiLSTM additives are fine-tuned using the IMV-GBO method. A neural network's settings can be fine-tuned to improve the model's capability to determine and mitigate protection risks. As the distributions of the loss measure approximately these variables trade, iteratively updating the SCNN and BiLSTM model parameters is approximately what IMV-GBO optimization is all about. This represents the general rule for updating to maximize θ variables using gradient descent.

$${\theta }_{t+1}={\theta }_t-\eta \nabla J\left({\theta }_t\right).$$(13)

Equation (14) states the settings at iteration t as θ_t. η controls the amplitudes of the variable changes and signifies the learning rate. The loss function utilized to evaluate the performance model is J (θ_t). Specifically, the NIDS optimizes the parameters of its SCNN and BiLSTM models using the IMV-GBO technique. This approach seeks to improve the model's findings and resolve safety flaws. The method enhances the parameters in response to the loss feature's gradients. The NIDS's SCNN and BiLSTM components may be best tuned by following the steps mentioned within the block diagram: beginning, passing records beforehand, calculating losses, backpropagation, changing variables, and repeating. This incremental improvement strengthens the safety of road-vehicle collaboration structures, making the NIDS extra sensitive to network breaches.

Unlike standard CNNs, SCNN focuses more on modeling the spatial structure of input data and is suitable for processing features with temporal dependencies. It introduces sequence information in the convolution process, making feature extraction more context-aware. Compared with traditional CNNs, SCNN can better capture local and global correlations when processing data in complex scenarios such as the Internet of Vehicles.

SCNN extracts spatial features of input data through convolutional layers and pooling layers, and introduces activation functions to increase nonlinear expression capabilities. SCNN first performs convolution operations on the input data, uses multiple filter sliding windows to extract local features, and generates multiple feature maps. Then, a pooling layer (max pooling) is applied to reduce the dimension and enhance translation invariance. Finally, the activation function (ReLU) is used to enhance the nonlinear fitting ability of the model. This structure is particularly suitable for extracting key features from Internet of Vehicles data and providing high-quality input for subsequent BiLSTM.

IMV-GBO [24,25] iteratively updates model parameters to minimize the loss function. State estimation techniques can enhance the robustness of optimization algorithms in dynamic environments [26]. Specifically, in each iteration, forward propagation is first performed to calculate the output result, and then the weight is adjusted by backpropagation based on the error between the predicted value and the true label. IMV-GBO introduces a dynamic learning rate mechanism, which enables the step size to be adaptively adjusted during the optimization process, thereby accelerating convergence and reducing false positive rates.

The pseudocode is shown in Figure 3.

Fig. 3 Pseudocode.

3.6 Network intrusion detection system

A NIDS aims to determine and preclude unsafe or malicious moves by attempting to analyze all data transmitted over a network. To ward off cyberattacks, tuning community site visitors for symptoms of abuse, illegal admission to, or questionable moves is vital. NIDS aims to defend the community property's supply, confidentiality, or integrity by detecting and counteracting opposed or suspicious community activity. NIDS constantly scans network traffic to do its task, seeking signs of identified attacks or uncommon behavior in the payload data and packets. When NIDS reveals suspicious behavior, it notifies system administrators of potential safety incidents. Based on the configuration, NIDS can isolate infected machines, avert malicious traffic, or trigger computerized responses to reduce risks. There are three network intrusion detection systems: signature-based, hybrid, and anomaly-based. A signature-based system can detect such attacks by comparing the network's incoming traffic patterns to an existing database. We use anomaly-based solutions to set a standard for typical network behavior. Hybrid systems combine signature-driven and anomaly-based detection techniques to achieve comprehensive threat detection. The components that comprise NIDS are alarm systems, analyzers, sensors, logging and reporting, and so on. Flexibility encoding and false alarms are some of the troublesome challenges. Businesses can enhance their cybersecurity and reduce the effect of cyberattacks by deploying NIDS successfully.

3.7 Performance evaluation metrics

To quantitatively evaluate the performance of the proposed network intrusion detection system, several standard metrics are employed. These metrics are widely used in the field of network security and intrusion detection as documented in previous studies.

Detection accuracy measures the proportion of correctly identified instances among all instances and is calculated as [27]

$$\text{Detection} \text{Accuracy}=\frac{\text{Number} \text{of} \text{correctly} \text{Detected} \text{Instances}}{TotalNumberofInstances}\times 100\%.$$(14)

In equation (15), the number of instances the system has appropriately identified is the number of correctly detected cases. Instances that the system has reviewed are referred to as the total number of cases.

The false positive rate FPR represents the proportion of negative cases incorrectly classified as positive and is defined as

$$\begin{array}{c}\hfill FPR=\frac{FP}{N_{\text{actual} \text{negatives}}}\hfill \end{array}.$$(15)

In equation (16), FP represents the number of false optimistic predictions made by the model. TN denotes the total number of actual negative instances in the dataset.

The false negative rate FNR represents the proportion of positive cases incorrectly classified as negative and is defined as

$$\begin{array}{c}\hfill FNR=\frac{FN}{FN+TP}\times 100\%\hfill \end{array}.$$(16)

In equation (17), FN represents false negatives or instances of the positive class wrongly categorized as unfavorable. TP stands for the number of cases accurately identified as positive or true positives.

Additional metrics include accuracy, precision, recall, and F1-score, which provide a comprehensive evaluation of the system's performance [28]

$$\begin{array}{c}\hfill Acc=\frac{TP+TN}{TP+TN+FP+FN}\hfill \end{array}$$(17)

$$\begin{array}{c}\hfill P=\frac{TP}{TP+FP}\hfill \end{array}$$(18)

$$\begin{array}{c}\hfill R=\frac{TP}{TP+FN}\hfill \end{array}$$(19)

$$\begin{array}{c}\hfill F1 Score=2\times \frac{Precision \times Recall}{Precision+Recall}\hfill \end{array}.$$(20)

These metrics collectively provide a thorough assessment of the detection system's effectiveness balancing the trade-offs between different types of errors and correct detections.

4 Result and discussion

4.1 Experimental design and result analysis

In collaborative vehicle-road systems, the experimental results show that the suggested methodology improves network security. A new AI-driven NIDS that extracts features using Deep Learning methods like SCNN and BiLSTM improves the system's accuracy and dependability. When detecting and responding to security threats, IMV-GBO makes the NIDS better. Methods for data preparation provide consistent and high-quality data, which boosts system performance. The detection capabilities are enhanced by combining geographical and temporal factors, and network intrusions are consistently identified by BiLSTM classification. The network intrusion detection system uses hybrid, signature-based, or anomaly-based detection methodologies to monitor all network activity and identify threats closely. Optimism over the reliability and safety of CTSs is borne out by the results of the trials, which show that the suggested solution enhances network security.

The relevant dataset was utilized during the Third International Conference on Knowledge Discovery and Data Mining Tools, KDD-99 [29]. The tournament occurred during the Fifth Annual International Data Mining and Knowledge Discovery Conference. The competition's fundamental goal was to develop a prediction model distinguishing between bad and good connections. This model would then serve as a network intrusion detector. Several mock intrusions into military network infrastructures are part of this database's auditable data set.

The number of model training rounds in this paper is set to 100, the initial learning rate is 0.01, the batch size is 32, and the early stopping mechanism is used to terminate the training when there is no improvement in the validation set for 5 consecutive rounds to prevent overfitting and ensure stable model convergence.

A comparative study with existing algorithms: Contrast its performance with other models to emphasize the proposed model's advantages and enhancements. Several current algorithms are selected for comparison studies using criteria such as detection accuracy, false positive rate, response time, scalability, and robustness. These algorithms include Improved Artificial Rabbits Optimization with Ensemble Learning − Traffic Flow Monitoring System (IAROEL-TFMS) [14], Extreme Learning Machine (ELM) [15], Graph Convolutional Network − Bidirectional Long Short-Term Memory (GCN-BiLSTM) [21], and Sequential Convolutional Neural Network − Bidirectional Long Short-Term Memory (SCNN-BiLSTM).

4.2 Detection accuracy

One way to measure a detection system's efficacy in spotting and classifying possible security risks is by looking at its detection accuracy. Divide the instances by the number of correctly detected cases to get the percentage. The calculation remains the same as before. Reducing the number of false alarms and zeroing in on the most critical security vulnerabilities allows for very accurate detection.

Using the standard evaluation metrics described in Section 3.7, the detection accuracy results are presented in Figure 4.

In Figure 4, one of the most important performance metrics is called detection accuracy, and it is used to measure the capability of a detection system to identify and categorize occurrences of interest within a dataset effectively. The ability of the system to identify genuine instances of the target class while simultaneously reducing the number of incorrect classifications is evaluated. This finding points to a reliable system that can correct classifications when the detection accuracy is good. The columnar data shows the obtained accuracy values, while the row data represents the corresponding experiment in the graph that shows the detection accuracy values for various approaches.

Fig. 4 Detection accuracy.

4.3 False positive rate reduction

An indicator of performance, the false positive rate (FPR) counts the number of negative cases that a binary classification model erroneously labels as positive. This metric is also known as the false alarm rate. This metric considers the regularity with which the model makes an inaccurate prediction about something that did not indeed happen. One way to calculate the rate of false positives is to add up all the incorrect forecasts that were positive and then divide that total by the total number of actual adverse incidents in the dataset.

Based on the evaluation framework established in Section 3.7, the false positive rate reduction performance is shown in Table 2.

Based on the results shown in Table 2, several methods were able to reduce the false positive rate throughout multiple iterations. Both ELM and IAROEL-TFMS exhibit a steady decline, the former from 12% to 6% and the latter from 10% to 5%, respectively. A constant drop from 11% to 6% indicates successful optimization in GCN-BiLSTM. With a 10% to 4% decrease, SCNN-BiLSTM outperforms all other networks in reducing false alarms, improving detection accuracy, and reliability.

4.4 False negative rate minimization

Number of False Positives: Eliminating or drastically lowering the number of false negatives generated by a detection system is crucial. A decrease in false positives and omissions is the target. Particularly in mission-critical contexts like security screening and medical diagnostics, a low FNR value indicates that the detection system successfully identifies the most joyous events.

The false negative rate minimization results, calculated according to the metrics defined in Section 3.7, are presented in Table 3.

Among the algorithms provided, the SCNN-BiLSTM method has the lowest false negative rate, which indicates that it performs better in minimizing the number of false negatives. It is possible to view this data in Table 3, which is up there. Given this, it follows that our algorithm SCNN-BiLSTM performs better than the competition.

4.5 Scalability improvement

The scalability of a system is defined as its ability to manage increasing workloads or traffic volumes without compromising performance or efficiency. Systematically, it is crucial for systems with dynamic demand. A popular scalability metric is speedup, which quantifies how much a system's performance improves when the workload or number of processing elements increases. The measure determines how well a system can adapt to changing necessities without compromising performance or efficiency.

Concerning Figure 5, Scalability refers to a system's capability to address growing workloads while improving efficiency and performance. In this context, workload levels are defined as Low (100–500 concurrent connections), Medium (501–1000 concurrent connections), and High (>1000 concurrent connections). The ECM algorithm indicates consistent improvements in detection accuracy with growing workload, whereas the IAROEL-TFMS approach indicates moderate drops in accuracy at low workloads however it profits from it dramatically at high workloads. The SCNN-BiLSTM approach often complements detection accuracy while maintaining ordinary performance excessively, and the GCN-BiLSTM algorithm suggests unpredictable behavior across various workload degrees.

Fig. 5 Scalability improvement (in %).

4.6 Robustness enhancement

Robustness scores measure a machine's ability to respond to attacks, including DDoS, malware, and spoofing. This paper tested the robustness of different methods, and the results are shown in Figure 6.

In Figure 6, Robustness denotes the ability of a system to maintain functioning and act successfully despite the presence of barriers or adverse situations. The results of the ECM and IAROEL-TFMS algorithms show moderate robustness across numerous workload levels, while the former demonstrates small robustness. While the GCN-BiLSTM method has only a moderate level of Robustness, the SCNN-BiLSTM algorithm shows a high level of Robustness through its ability to sustain good performance even when subjected to higher workload conditions.

Fig. 6 Robustness enhancement.

4.7 Performance metrics

The comprehensive performance metrics, as formally defined in Section 3.7, are illustrated in Figure 7 and discussed below.

Figure 7 shows ELM, IAROEL-TFMS, GCN-BiLSTM, and SCNN-BiLSTM benchmarks. ELM strikes a good compromise between the metrics with its 76% precision, 75% recall, and 75% F1 score. The accuracy, recall, and F1-score for IAROEL-TFMS are 78%, 76%, and 77%, respectively. GCN-BiLSTM's 80% accuracy shows a well-rounded performance, 80% recall, and 80% F1 score. SCNN-BiLSTM strikes a good mix between the two metrics with its 90% accuracy, 85% recall, and 87% F1 score.

Fig. 7 Performance metrics.

5 Conclusion and future study

This study proposes a network intrusion detection system that integrates SCNN, BiLSTM, and IMV-GBO to enhance the network security of V2X cooperative systems. Experimental results on the KDD-99 dataset demonstrate that the system outperforms mainstream models such as ELM, IAROEL-TFMS, and GCN-BiLSTM, achieving a detection accuracy of up to 94%, a false positive rate reduced to 4%, and a false negative rate as low as 0.08. The system also maintains excellent scalability and robustness across low, medium, and high workload scenarios. This system effectively addresses the challenges of existing detection systems, such as insufficient feature extraction, weak spatiotemporal data modeling, and difficulty balancing real-time performance and accuracy, providing an efficient and reliable solution for V2X network security. However, this research has limitations. The KDD-99 dataset lacks V2X-specific protocols and attack types, edge device deployment verification has not been conducted, and defense against adversarial attacks is insufficient. Future work requires the construction of a real-world hybrid dataset of connected vehicles, the design of lightweight models, enhanced robustness to adversarial examples, and the exploration of cross-scenario transfer learning techniques to adapt to the dynamic security requirements of cooperative V2X systems.

Funding

This work was supported by Hubei Provincial Department of education scientific research project, which the number is B2022309; Humanity and Social Science Youth Found of Ministry of Education: Research on the Module Construction of “Telling China's Stories Well” From the Perspective of Precise Ideological Education—Taking the “English Public Speaking Course” as an Example (Project No.: 24YJC740075).

Conflicts of interest

The authors declare no conflict of interest.

Data availability statement

This article has no associated data generated and/or analyzed / Data associated with this article cannot be disclosed due to legal/ethical/other reasons.

Author contribution statement

Zengze Chen and Bo Zhang wrote the manuscript. All authors contributed to editorial changes in the manuscript. All authors read and approved the final manuscript.

References

All Tables

All Figures

	Fig. 1 Enhancing network security in vehicle-road collaborative systems.
In the text

	Fig. 2 Bidirectional long short-term memory architecture.
In the text

	Fig. 3 Pseudocode.
In the text

	Fig. 4 Detection accuracy.
In the text

	Fig. 5 Scalability improvement (in %).
In the text

	Fig. 6 Robustness enhancement.
In the text

	Fig. 7 Performance metrics.
In the text