Clustered negative selection algorithm and fruit fly optimization for email spam detection

Abstract

At present, spam is an actual and increasing problem that compromises email communications across the world. Thus, several solutions have been proposed to stop or reduce the amount of this threat. However, methods based on negative selection algorithm (NSA) lack continuous adaptability and suffer from low detection performance. Moreover, these methods require a large number of detectors to cover all non-self spaces. Thus, this study proposes a new e-mail detection approach based on an improved NSA called combined clustered NSA and fruit fly optimization (CNSA–FFO). The system combines actual NSA with k-means clustering and FFO to enhance the efficiency of classic NSA. Experiments results in spam benchmark show that the performance of CNSA–FFO is better than the classic NSA and NSA–PSO, especially in terms of detection accuracy, positive prediction, and computational complexity.

1 Introduction

E-mail is an important means of digital communication today; it is easy, quick, reliable, and lowest cost. However, e-mail spam is becoming a serious problem for e-mail users. The number of internet spam is continuously increasing daily. Various approaches and techniques have been proposed to resolve or reduce the amount of this threat. One of these techniques is artificial immune system (AIS), which is successfully applied for e-mail spam detection.

An AIS can be defined as a computational technique inspired by the principles and processes of the human immune system (HIS). Therefore, an AIS inspires ideas from HIS operations and applies them to computational problems (Forrest et al. 1994). Negative selection algorithm (NSA) is one of the main algorithms in AIS and has been successfully applied in various domains. The main focus of researchers in this field is to extract NSA properties that will be useful in designing an automatic solution for classification problems, such as detection of computer intrusions and anomaly detection.

The most important property of NSA is to distinguish the difference between self (normal) and non-self (abnormal) state using only normal data. This property has attracted the interest of the artificial intelligence community, and several methods have been proposed to improve the efficiency of such algorithms and extend their application. In an NSA-based spam detection approach, the self in the system is considered as non-spam, whereas the non-self is treated as spam.

In the present work, a new model based on NSA, called combined clustered NSA and fruit fly optimization (CNSA–FFO), is proposed to detect e-mail spam. This method initially employs k-means clustering to generate the self-set clusters and then uses the FFO algorithm (FFOA) for the training stage to optimize the random generated detectors. Two sets of detectors are generated, namely, the boundary self-detectors and non-self detectors. In the testing phase of the proposed CNSA–FFO, both cluster and detector sets are used to classify whether an e-mail sample is a spam. If the sample is undetected by any of the detectors, then it should be assigned to the nearest set and added as a new detector. This mechanism can resolve the problem of the existence of holes and ensure the continuous adaptability of the model. Furthermore, the training and testing processes are performed only in a small part of space, which is obtained by clustering technique. Restricting the search can significantly decrease the number of detectors, computation time, and space complexity compared with the classic NSA.

The rest of the paper is structured as follows. Section 2 discusses the background and related works in NSA and spam detection. Section 3 presents the proposed work and its constituent framework. Section 4 explains the experimental results. The paper is concluded in Sect. 5.

2 Background and related works

2.1 Fundamentals of AIS

The AIS is a bio-inspired computational Intelligence. It developed by (Forrest et al. 1994). An AIS uses ideas from HIS operation and applies them to computational problems. A more detailed presentation of the HIS and AIS can be found in (Shelly and Wolfgang 2010; Dasgupta et al. 2011; Forrest et al. 1994; De Castro and Timmis 2003). One of the interesting mechanisms of the adaptive immune system is the self/non-self recognition. HIS can recognize which cells are its own (self) and which are foreign (non-self). Hence, it can build its defense against an attacker instead of self-destructing. Currently, the major theories of AIS research include NSA, clone selection, immune network theory, danger theory and positive selection. The NSA is one of the most applied and discussed model especially in anomaly detection (Ramdane and Chikhi 2014).

2.1.1 NSA

The NSA was inspired from the negative selection process of the adaptive immune system; it is the main algorithm of the AIS. This algorithm has the capability to differentiate between self-space (e.g., cells that are owned by the system) and non-self space (e.g., foreign entities to the system). This capability is obtained by the T-cells, which are a set of non-self reactive detectors.

NSA was first proposed by Forrest et al. (1994) who presented a framework that discriminates normal and abnormal entities. This algorithm has a special characteristic, that is, it only requires normal data in the training stage.

Generally, classic NSAs consist of two stages. First, the NSAs generate a detector set in the non-self space. If the detector does not match with the known self states, then it becomes a mature detector and is added to the detector set. Second, the unseen states are tested by the detector set. If an unknown state is matched by any mature detector, then the NSA indicates the presence of an anomaly. Although a diverse family of NSA has been developed, the essential characteristics of the original NSA introduced by Forrest et al. (1994) still remain. However, the original NSA has large time and space complexities (Forrest et al. 1994). Self and non-self detector representations reveal two types of NSA, namely, binary NSAs (BNSA) and the real-valued NSAs (RNSA).

2.1.1.1 BNSA

The representing of self and detector is the basic step in designing NSA model. Forrest et al. (1994) developed the binary representation and R-Contiguous Matching Function, where both self and detectors elements are implemented as binary strings. The detector matches the self element or the tested sample if the binary strings have same bits in at least r contiguous places. For binary representation, there are several types of matching rules used to calculate this affinity: r-contiguous bits (rcb), r-chunks, landscape-affinity matching, Hamming distance and its variations. The BNSAs are suitable for the representation and search for discrete space. Despite its simplicity implementation, the binary representations of NSAs have some limitations for the real world problems (Ramdane and Chikhi 2014).

2.1.1.2 RNSA

The limitation of BNSAs motivated (Gonzalez et al. 2002, 2003) to develop RNSA. RNSA employs real-value representation and Euclidean distance matching rule in generating real detectors. This high-level representation provides certain advantages, such as increased expressiveness, the possibility of extracting high-level knowledge from generated detectors, and in some cases, improved scalability.

Two RNSA models are discussed in the literature, namely, NSA with constant-sized detectors and NSA with variable-sized detectors. In the first model, the radii size of detector is constant and requires a large number of detectors to cover all the non-self spaces. To overcome this problem, new models of NSA with variable-sized detector are proposed. The next model of RNSA was proposed by (Zhou and Dasgupta 2009) and is called the V-detector, which is the latest and most mature version of the NSA. This model considered the several advantages of other versions and is currently the framework for numerous studies.

2.1.1.3 Recent improvements in NSA

Recently, many variants of NSA have been proposed to overcome the drawbacks of the classic version, and most of them focused on detector generation mechanism. Researchers in this field aim to improve the algorithm efficiency by covering a non-self space with the optimal number of detectors and covering the holes by detectors with a small radius.

The following is the acronyms list of recent improvements and models of NSA:

• ANSA (Jinquan et al. 2009)

• EvoSeedRNSA (Jie et al. 2009)

• ORNSA (Guiyang et al. 2010)

• Optimized NSA (Aiqiang et al. et al. 2011)

• FtNSA (Maoguo et al. 2012)

• IVRNSA (Wu and and Zheng 2012)

• CB–NSA (Chen et al. 2013)

• PRR–2NSA (Zhenga et al. et al. 2013)

• EvoSeedRNSAII (Jie and Wenjian 2014)

• GF–RNSA (Wen et al. 2014)

• NSA–DE (Ismaila et al. 2014)

• HNSA–IDSA (Ramdane and Chikhi 2014)

• NSA–PSO (Ismaila et al. 2015)

• I-detector and OALI-detector (Li et al. 2015)

• IO–RNSA (Xiao et al. et al. 2015)

• BIORV–NSA (Lin et al. 2015)

• NSA-II (Abdolahnezhad and Banirostam 2016)

• OALFB–NSA and FB–NSA (Dong et al. 2016)

2.1.1.4 Applications of NSA

Since its emergence, NSA has attracted the attention of many researchers and has been applied in various real-world applications. Its application domains are generally similar of those of computational intelligence approaches, such as artificial neural networks, evolutionary algorithms, and fuzzy systems.

NSA is applied in computer security (Forrest et al. 1994; Kim 2002; Wang and Zhang 2007; Ramdane and Chikhi 2014; Ismaila and Ali 2014; Ismaila et al. 2015), anomaly detection (Li et al. 2015, 2016; Jinquan et al. 2009; Gonzalez et al. 2002), data mining (Puteh et al. 2008), and optimization (Vieira et al. 2008).

2.2 K-means clustering

Clustering is an unsupervised learning technique that aims to partition an unlabeled data set into groups according to the similarities among its objects. Clustering has been applied successfully in many applications, including text mining, social web analysis, information discovery, bio-informatics, and image segmentation (Gang et al. 1979). The most used clustering algorithms are k-means, fuzzy c-means, hierarchical clustering, and mixture of Gaussians. This section focuses solely on k-means, which is one of the oldest, simplest, and widely used clustering algorithm.

K-means algorithm requires a matrix of S data points in n dimensions and a matrix of K initial cluster centers in n dimensions as inputs. The number of data points in cluster C_j is denoted by NC_j. D (S_i, C_j) is the Euclidean distance between point S_i and cluster C_j. The general procedure is to search for a k-partition with locally optimal within-cluster sum of squares by moving points from one cluster to another (Hartigan and Wong 1979).

The main disadvantage of k-means algorithm is that it may take a large number of iterations through dense datasets before it can converge to produce the optimal set of centroids.

2.3 FFOA

FFOA is a new global optimization algorithm proposed by (Pan 2011) and (Bo and Wen-Jing 2014); it is a bio-inspired evolutionary algorithm inspired by the food finding behavior of fruit flies. The sensory perception of fruit flies is better than that of other species, especially the sense of smell and vision. The olfactory organ of a fruit fly can gather various smells from the air and even a food source 40 km away. Afterward, the insect flies toward the food, uses its acute vision to find the food and where its fellows gather, and then it flies in that direction (Pan 2011).

Compared to other intelligent optimization algorithms, FFOA is simpler to understand, its adjustment parameters are less, its convergence speed is faster, and it is easier to implement. FFOA has been successfully applied in solving various problems in different domains, including function optimization, generalized regression network parameter optimization, and gray neural network parameter optimization. In addition, it can be combined with other techniques, such as decision trees, Bayesian theorem, fuzzy math, gray system, neural network, and AIS. However, the original algorithm still has some disadvantages, such as being easily trapped into a local optimal value and low accuracy. To overcome these limitations and extend its application area, many improvements and variants have been proposed for FFOA, such as adaptive mutation FFOA (Han and Liu 2013), binary FFOA (Wang et al. 2013), and modified FFOA (Liu et al. 2012). More details about FFOA can be found in the study of (Hazim and Mesut 2015).

2.4 Spam emails detection and NSA

E-mails are one of the most used forms of communication; they are simple, reliable, and economical. This simplicity and low cost qualify it to be the preferable way for advertising and sometimes employed as a mean to launch threats. One of these threats is spam e-mails; they are a problem that almost every e-mail user suffers from (Raed and Adel 2013).

The word “spam” usually denotes a particular brand of luncheon meat; however, in recent times, spam is used to represent a variety of junk or unwanted e-mails. Sending thousands of unsolicited messages to thousands of users all over the world with approximately no cost is now possible (Raed and Adel 2013).

Nowadays, spam has the potential ability to become a serious problem for the internet community. Thus, anti-spam community offers a wide array of techniques designed to help stop or reduce the huge amount of spam; however, the amount of spam on the internet is still increasing.

The most common techniques are detecting techniques, which attempt to identify whether a message is a spam based on content and other characteristics of the message (Raed and Adel 2013). One of these techniques is NSA.

The possibility of using NSA in e-mail spam detection is incontestable. When NSA has emerged in the 1990s, it has been first applied in computer security and intrusion detection. Spam is often considered as a type of computer intrusion; thus, using NSA in spam detection automatically fits and has caught the attention of many researchers in this field. Ismaila et al. (2014) presented several techniques using NSA in spam detection. This study focuses on the few recent works that use optimization techniques in their mechanism.

Ismaila et al. (2014) proposed an improved NSA using differential evolution (DE) optimization called NSA–DE. In this method, the DE is implemented at the random generation phase of NSA. Local outlier factor (LOF) is implemented as a fitness function to maximize the distance of generated spam detectors from the non-spam space. The proposed framework was verified with spam dataset (Hopkins et al. 1999), and the results show that the detection accuracy of NSA–DE is better than the classic NSA model.

Another model combines NSA with particle swarm optimization (NSA–PSO; Ismaila et al. 2015; Ismaila and Ali 2014). This model was introduced to improve the random detector generation in the NSA. The combined NSA–PSO uses an LOF as the fitness function for detector generation. The evaluation results on spam base datasets (Hopkins et al. 1999) show that the accuracy of the NSA–PSO model is better than that of traditional NSA model.

Abdolahnezhad and Banirostam (2016) proposed an e-mail detection system based on the modified classic NSA called NSA-II. This model improves the random generation of a detector in NSA using spam and non-spam spaces. In the NSA-II training phase, two sets of detectors are generated, one for spam detectors and other for non-spam detectors. The detectors output from the two sets are used in the testing phase. If one of the spam detectors identified a new pattern, then the e-mail realizes the spam pattern; otherwise, the pattern is considered as a non-spam pattern. The experimental result in spam base dataset shows that the detection performance of NSA-II is higher than the conventional.

3 Constituents of the proposed approach

Hybrid systems have become extensively important in many real-world applications. Given the fact that an individual system has its weakness, a hybrid system is meant to avoid the weaknesses of these single intelligent systems; thus, the importance of a hybrid system is non-negotiable (Ismaila et al. 2014).

The classic NSA has several limitations that decrease its effectiveness in classification applications, especially in spam detection system. Its main drawbacks are: (I) generating a large number of detectors to cover all the non-self spaces; (II) using only non-self detectors in the testing stage and lacking of continuous adaptability; and (III) the existing problem of holes because obtaining a full coverage of self and non-self spaces is difficult.

Nevertheless, in practical situations, normal data are rarely distributed randomly in the entire system space; they are highly concentrated and occupied only a considerably small area of the space system.

In this study, a combination of NSA, and FFO using k-means clustering is realized to accumulate the strong points of the system component and reduce their individual drawbacks. In the proposed method, the self set should be initially clustered using k-means, there by establishing a set of clusters. Subsequently, the clustered self set is regarded as the initial evolutionary population of FFO. Then, the algorithm realizes FFO operations on this population and performs negative selection to obtain non-self detectors of the first level, locating far away from the self in the non-self space delimited by clusters where coverage rate is low. The process is repeated to obtain detectors of the second range, which are located close to the first-level detectors and away from the self region but nearer than the first-level detectors in the non-self space. In RNSA with variable-sized detectors, the detectors located far away from the self usually have a large radii and cover a large area of non-self space.

During the generation of non-self detectors, the self-elements located close to the generated detectors are assigned and saved as boundary self-detectors. At the end of the training stage of CNSA–FFO, three sets are obtained, namely, cluster set, non-self detector set, and self-boundary detector set. These sets are used together in the testing stage to classify whether a new e-mail is a spam. The CNSA–FFO algorithm adopts real detectors with variable size and maximum generated detectors of non-self space as the termination condition.

The stages of the proposed CNSA–FFO are as follows:

1. 1.

   Definition of the system state space

2. 2.

   Generation of self (non-self)

   1. (a)

      Training stage:

   2. (b)

      Generation of the cluster set

3. 3.

   Generation of the non-self detectors

4. 4.

   Detection phase

The details of each stage are as follows.

Stage 1: Definition of the system states space

For real-valued representation, self and non-self detectors are a real-valued vectors in n-dimensional space. These detectors can be viewed as a hyper sphere, where n is the number of parameters of the self or non-self detector. The center of this hyper sphere is the real-valued vector. The system state space, denoted by E=[0,1]ⁿ, is an n-dimensional space. The normal set is denoted as N ⊂ E, and AN ⊂ E is the complementary space of normal (abnormal) state, such that:

$$N\cap AN=\varPhi ,\quad N\cup AN=E,$$

A state of the system (i.e., e-mail messages) can be represented by a vector of features x = (x₁, x₂,…, x_n) ∈ E = [0,1]ⁿ, and each feature is normalized and scaled to [0,1] interval using maximum and minimum method. In (Ismaila et al. 2014 and; Hopkins et al. 1999) there are more details for features vector generation of e-mail messages.

Stage 2: Generation of self

In real applications, obtaining all the normal samples, such as non-spam messages for every e-mail, is impossible. To construct the self space, only a part of the normal states is used to construct the system profile.

The self set is defined as a collection S ∈ N of elements in space E, where S represents the subset of the normal system state that should be monitored. In the NSAs, a self-sample is composed of two parts, namely, a center s_c and a radius r_s. The center indicates the position of the self sample in E, and the radius determines its size or area covered by the sample. Self set S and self radius r_s should be determined before generating the detectors. In this study, the non-spam space is the normal state of the system, whereas the spam space is the abnormal state of the system.

• Assume the non-spam space to be N (S ∈ N in RNSA), and each self sample s = (s_c, r_s) has a center s_c ∈ [0, 1]ⁿ and a self-radius r_s, r_s ∈ IR;

Notably, the self-radius variance has a direct impact on the classification performance of RNSA.

Stage 3: Training stage

Two techniques are introduced in the training stage, namely, clustering and evolutionary optimization.

1. (a)

   Generation of clusters set

In this step, the self-elements are divided into k-clusters using k-means algorithm. In applying this algorithm, the number of k-clusters and the set of self data S should be initially provided. Then, the generating the cluster set is given as follows:

• Let S be a self-set, C be a cluster set, and k be a cluster number.

• Use Algorithm 1 to generate set C. Each element of C has a center c_c ∈ Eʹ and a radius r_c ∈ IR. This set will be used in the training and testing stages. Eʹ is a subspace of E that is covered by the generated clusters.

1. (b)

   Generation of detectors set using FFOA

In NSA, the detector coverage is necessary for obtaining a good classification accuracy, which is challenging to realize perfectly, because the problem of holes is difficult to resolve. In fact, many works have focused on generating the optimal detectors that cover the entire non-self space. Here, k-means clustering and real multidimensional FFO are used to generate detectors one after the other only in a part of space search. This architecture aims to obtain the best coverage with a small number of detectors. The steps of this process are given as follows:

1. 1.

   Let Eʹ be a subspace of E.

2. 2.

   Let S be a self-set; each self-sample s = (s_c, r_s) has a center s_c ∈ Eʹ and a self-radius r_s, r_s ∈ IR.

3. 3.

   Let BS be a boundary of self-detector set; BS is a subset of S that contains all the self-elements situated in the boundary of self, BS←Ø.

4. 4.

   Let C be a cluster set generated in stage 3-a; each cluster c = (c_c, r_c) has a center c_c ∈ Eʹ and a cluster radius r_c, r_c ∈ IR.

5. 5.

   Let D be a set of generated detectors, D← Ø.

6. 6.

   Generate a random element x ∈ S from the self-set; x is considered as the initial position of the fruit fly swarm.

7. 7.

   Use Algorithm 2 to obtain the best detector, with S, C, x, and D as input parameters and d_best as the output parameter; d_best is the best solution (optimal detector).

8. 8.

   If d_best ≠ Ø, add a new detector to detector set D←D∪{‹d_c, r_d ›}, d_c ∈ Eʹ is the center of d_best and r_d is its radius. Then go to Step 9. Otherwise, go back to Step 6.

9. 9.

   Calculate sb, which is the nearest self-element to d_best; add it to the boundary self-set BS←BS∪sb.

10. 10.

    If the number of detectors has not reached the maximum, then go to Step 6; otherwise, stop and return to D.

Fig. 1

Illustration of detectors generation in CNSA-FFO

• Fitness function in CNSA-FFO

In this study, a multi-objective fitness function is used to obtain the optimal detector in the population set generated by the mutation operation of FFA. A detector X is the best (optimal) if it is covered by clusters, unrecognizable by self, not covered by the generated detectors, and the farthest from the self. The fitness algorithm is presented as follows.

Fig. 2

Detector generation mechanism of CNSA-FFO

Fig. 3

Illustration of testing mechanism in CNSA-FFO

Fig. 4

Detection mechanism of CNSA-FFO

Stage 4: Detection phase

In the detection stage of CNSA–FFO, the cluster set (C), the boundary self-detectors (SB), and non-self detectors (D) are used to check whether testing sample t is normal (non-spam). The steps of this process are as follow (Figs. 1, 2):

1. 1.

   Let t be the testing sample (e-mail message) with the intention of determining whether it is a spam.

2. 2.

   Use cluster set C, non-self detector set D, and boundary self-set BS, which have been obtained in the previous stages.

3. 3.

   If sample t is not covered by any cluster (t₁ in Fig. 3), that is,

   $$D\left( {{t},{\text{c}}} \right)=\sqrt {\mathop \sum \nolimits_{{{\text{i}}=1}}^{{\text{n}}} {{\left( {{t_{\text{i}}} - {{\text{c}}_{\text{i}}}} \right)}^2}}>{r_c},$$

   then classify t as abnormal (spam) and go to Step 7; otherwise proceed to Step 4.

4. 4.

   If t is recognized by any self s in BS (t₂ in Fig. 3), that is,

   $$D\left( {t,{\text{s}}} \right)=\sqrt {\sum\limits_{{i=1}}^{n} {{\left( {{t_{\text{i}}} - {{\text{s}}_{\text{i}}}} \right)}^2}} \leqslant {r_{s,}}$$

   then consider t as normal (non-spam) and go to Step 7; otherwise, proceed to Step 5.

5. 5.

   If t is recognized by any detector d in D (Fig. 3, t₃), that is,

   $$D\left( {t,{\text{d}}} \right)=\sqrt {\mathop \sum \nolimits_{{{\text{i}}=1}}^{{\text{n}}} {{\left( {{t_{\text{i}}} - {{\text{d}}_{\text{i}}}} \right)}^2}} \leqslant {r_d},$$

   then classify t as abnormal (spam) and go to Step 7; otherwise, proceed to Step 6.

6. 6.

   If D (t, d) ≤ D (t, s), then t is classified as abnormal (spam), and a new detector d_new = < t, D (t, s) − r_s> is added to D. Otherwise, t is classified as normal (non-spam), and a new boundary self-element s_new should be added to BS:

   $${S_{new}}=\left\{ {\begin{array}{*{20}{l}} {\left\langle {t,~{r_s}} \right\rangle ,~if\;{r_s} \leqslant D\left( {t~,~d} \right) - {r_d}} \\ {\left\langle {t,~D\left( {t~,~d} \right) - {r_d}} \right\rangle ,~if\;{r_s} \geqslant D~\left( {t~,~d~} \right) - {r_d}} \end{array}} \right..$$

   Then, go to Step7.

7. 7.

   Return the t class (spam or non-spam).

The proposed CNSA–FFO model has specific characteristics compared with V-detectors and other models in the literature. (1) The training and testing stages are performed only in a small part of the system space. (2) Three types of detector are generated and used to check the test sample. (3) A system is adopted by a mechanism to eliminate the holes based on assigning the uncovered test sample to the nearest detectors. (4) The system can continuously update its profile.

4 Empirical study

The performance of the proposed model has been verified and evaluated using actual spam-based data set and has been compared with V-detectors (Zhou and Dasgupta 2009) and NSA–PSO (Ismaila et al. 2015).

4.1 Benchmark data analysis

The data used in this study were obtained from spam-based dataset of e-mail messages. This benchmark contains 4601 messages, in which 1813 (39%) of the messages are marked as spam, whereas 2788 (61%) are labeled as non-spam.

The proposed improved model was evaluated by dividing the dataset using a stratified sample approach with 70% training set and 30% testing set to investigate the performance of the new model on unseen data (Ismaila et al. 2015). More details about this benchmark are discussed by (Hopkins et al. 1999). The Table 1 gives a detail of training and testing samples of CNSA-FFO.

Table 1 Training and testing samples of CNSA-FFO

4.2 Criteria for performance evaluation

To evaluate the accuracy and performance of the proposed model for e-mail spam detection and compare it with RNSA (Zhou and Dasgupta 2009) and NSA–PSO (Ismaila et al. 2015), the same measures used by Ismaila et al. (2015) were utilized. The measures employed are sensitivity (SN), specificity (SP), positive prediction value (PPV), accuracy (ACC), negative prediction value (NPV), correlation coefficient (CC), and f-measure (F1). See Ismaila et al. (2014), Ismaila and Ali (2014) and Ismaila et al. (2015) for more detailed mathematical formulas. Moreover, the number of generated detectors, adaptability, and complexity are often used as measures in evaluating the NSA-based methods.

4.3 Experimental settings and implementation

The process of implementation did not use any ready-made code, and all required functions are coded using the same platform. The evaluation of the proposed hybrid model is implemented by dividing the data set using a stratified sample approach with 70% training set and 30% testing set to verify the performance of the new model on new data (Ismaila et al. 2015). The proposed model is implemented with a threshold value (self-radius) of 0.4, whereas the number of generated detectors is between 100 and 3500. In NSA-based models, the threshold value and number of generated detectors have a great impact on the final output measure. In the training stage, only the normal data (non-spam samples) are used in constructing the proposed model. The number of clusters is fixed at 30, and the size of fruit fly swarm is at 50. The performance of the model with both data of testing set (spam and non-spam messages) is evaluated.

5 Results and discussion

The proposed algorithm compares the classic NSA, NSA–PSO, and CNSA–FFO models. These models were evaluated using statistical measures to determine the best model for e-mail spam detection.

The testing results consist of the 2000 generated detectors and threshold value of 0.4 give summary and comparison of results in percentage for CNSA-FFO, NSA and NSA-PSO models in Table 2.

Table 2 Testing results of NSA, NSA–PSO, and CNSA–FFO at 2000 generated detectors

This table shows the values of the accuracy, correlation coefficient, F-measure, sensitivity, positive prediction value, specificity and negative prediction value, for NSA, NSA–PSO, and the proposed model. The results indicate that the proposed NSA can achieve a higher performance than that of the other two methods, specifically in accuracy, positive and negative prediction values, and correlation coefficient criteria (Fig. 4).

In the NSA-based models, the most important measures that are usually used to calculate and compare the performance are accuracy and positive prediction value. Table 3 and Figs. 5 and 6 show only the best accuracy and positive prediction value of the three models.

Table 3 Best accuracy and positive prediction value of NSA, NSA–PSO at 5000, and CNSA–FFO at 3500 generated detectors

Fig. 5

Accuracy comparison of NSA, NSA-PSO and CNSA-FFO

Fig. 6

Comparison of the positive prediction value of NSA, NSA–PSO and CNSA–FFO

For detection accuracy, the accuracy of the proposed model (93.88%) at only 3500 generated detectors is better than the classic NSA (68.86%) and NSA–PSO (82.62%) at 5000 generated detectors.

For positive prediction value, the CNSA–FFO is at 94.38%, whereas NSA–PSO is at 91.22%. Thus, CNSA–FFO is better than NSA–PSO in positive prediction value and close to that of classic NSA (94.53%).

From the obtained results and analysis, the CNSA– FFO model performs better than other existing detection models in many aspects. Therefore, the proposed spam detection mechanism was constructed based on the CNSA–FFO model. This model can be considered as a powerful tool and framework in detecting e-mail spam due to its architecture and adaptive nature.

6 Conclusion

In this study, a new and improved NSA has been proposed and implemented. The proposed model, CNSA–FFO, is applied in classifying whether e-mail messages are spam. CNSA–FFO is a hybrid method that combines NSA with k-means clustering and FFO. The goal is to enhance the performance of previously proposed solutions based on NSA.

The performance and accuracy test in the actual spam-based dataset has shown that the CNSA–FFO method can detect e-mail spam better than the conventional NSA method and other models. Also, the proposed model ensures continuous adaptability and significantly reduces the number of generated detectors.