International Journal on Recent and Innovation Trends in Computing and Communication

ISSN: 2321-8169 Volume: 11 Issue: 10


DOI: https://doi.org/10.17762/ijritcc.v11i10.8499
Article Received: 31 July 2023 Revised: 22 September 2023 Accepted: 08 October 2023
___________________________________________________________________________________________________________________

Enhancing Intrusion Detection Systems with a Hybrid Deep Learning Model and Optimized Feature Composition
Dr. Dilip Motwani¹, Dr Vidya Chitre², Dr Varsha Bhosale³, Sonaali Borkar⁴, D.K.Chitre⁵
¹,²,³,⁴ Professor, Vidyalankar Institute of Technology, Wadala, Mumbai, Maharashtra, India
⁵ Terna College of Engineering, Navi Mumbai, Maharashtra, India
¹ dilip.motwani@vit.edu.in

Abstract: Intrusion detection systems (IDS) are essential for protecting network infrastructures from hostile activity. Advanced methods are required since traditional IDS techniques frequently fail to properly identify sophisticated and developing assaults. In this article, we suggest a novel method for improving IDS performance through the use of a hybrid deep learning model and feature composition optimization. The proposed hybrid deep learning model leverages the strengths of RNNs and CNNs to efficiently capture both spatial and temporal correlations in network traffic data. The model can extract useful features from unprocessed network packets using CNNs and RNNs, giving a thorough picture of network behaviour. To increase the IDS's ability to discriminate, we also offer feature optimization strategies. We uncover the most pertinent and instructive features that support precise intrusion detection through a methodical feature selection and engineering process. In order to reduce the computational load and improve the model's efficiency without compromising detection accuracy, we also use dimensionality reduction approaches. We carried out extensive experiments using a benchmark dataset that is frequently utilized in intrusion detection research to assess the suggested approach. The outcomes show that the hybrid deep learning model performs better than conventional IDS methods, obtaining noticeably greater detection rates and lower false positive rates. The performance of the model is further improved by the optimized feature composition, which offers a more accurate depiction of network traffic patterns.

Keywords: Intrusion Detection System, GRU framework, Optimization, Deep Learning, CNN, RNN

I. INTRODUCTION

Information exchange has been changed and made seamless and practical by the worldwide rapid rise of information technology. But even with these improvements, communication networks still have a lot of problems, especially with breaches and cyberattacks. Intrusion Detection Systems (IDS), which use a variety of detection techniques, have become crucial tools for locating and categorizing potential assaults on a network or host. The two basic kinds of IDS are signature-based IDS (SIDS) and anomaly-based IDS (AIDS). SIDS compares network traffic patterns with pre-established attack signatures or patterns to identify assaults. In contrast, AIDS tracks network traffic patterns and contrasts them with typical or regular patterns to spot any deviations or anomalies, successfully identifying fresh and previously undiscovered attacks.

The constraints [3] of signature-based IDS (SIDS) can be solved using a variety of development strategies, and researchers are becoming more and more interested in AIDS. Intrusions can be identified by examining statistical parameters. To apply statistical IDS, invariant, multivariate, and time-series models are used. These models offer efficient tools for examining and spotting irregularities in network traffic. The foundation of knowledge-based approaches is a set of rules developed by human expertise. These techniques make use of expert systems, finite-state machines, and description languages. Knowledge-based IDS may efficiently identify abnormalities based on specified rules and patterns by utilizing human knowledge.

The development of anomaly-based IDS is frequently done using machine learning techniques. Unsupervised learning and supervised learning are its two main subcategories. Without depending on labelled examples, unsupervised learning locates anomalies by locating patterns that differ from the system's typical behaviour. Contrarily, supervised learning needs labelled examples in order to train the model to correctly recognize anomalies. Learning from a mixture of huge numbers of unlabelled cases and a smaller collection of tagged instances is called semi-supervised learning. The usage of machine learning algorithms to detect cyber intrusions is on the rise due to the former's autonomy and rapid response times. However, due to the dynamic nature of cyber-attacks, scalable and adaptable detection systems must be developed. Deep learning (DL) techniques allow for the creation of such scalable systems as a real possibility. Intruder detection in both supervised and unsupervised systems can benefit from DL's use [6, 7].

IJRITCC | October 2023, Available @ http://www.ijritcc.org
This problem has been solved by long-term dependency handling techniques included in existing deep learning solutions. We used the GRU framework, a kind of recurrent neural network (RNN), to address this problem. Long-term dependency issues can be solved by the gated recurrent unit by adaptively updating and resetting its memory state. We wanted to improve the long-term contextual information acquisition and utilization of our deep learning model by integrating the gated recurrent unit. Our proposed IDS gets more adept at identifying assaults by utilizing the advantages of CNN for extracting spatial information and the proposed model for managing sequential dependencies. A comprehensive framework that can assess both the local patterns and the temporal dynamics present in network traffic data is created by combining these two designs, and the result is better intrusion detection performance.

II. REVIEW OF LITERATURE

Based on their findings, Achmad et al. [15] proposed a mixed approach to intrusion detection, one that makes use of both supervised feature optimisation and unsupervised data reduction strategies. Attribute Importance Decision Tree (DT) with recursive feature removal was utilised as a feature optimisation strategy to select useful and significant characteristics. They also employed the Local Outlier Factor (LOF) method to identify unusual data points. The researchers tested their methods on the NSL-KDD and UNSW-NB15 datasets, two of the most popular in the field. According to their findings, their hybrid model is more accurate than other intrusion detection systems. However, they acknowledged that the system's false acceptance rate (FAR), sensitivity, and specificity could use improvement. By integrating supervised and unsupervised methods, the hybrid approach described by Achmad et al. aimed to boost the intrusion detection system's efficiency. Attribute significance DT-based feature optimisation and the LOF technique for outlier detection increased the model's ability to accurately identify and classify incursions. The study authors emphasised the need for further development to target specific performance measures and boost the method's overall effectiveness. The experimental results validated that the interpretations generated by their framework accurately reflect the key features of the attacks. The decision-making process of the IDS and the underlying issues affecting its forecasts were made more transparent thanks to the framework's deemed-simple explanations.

Even though there are many ways to improve Intrusion Detection Systems (IDS), there is still room for development. In contrast to conventional approaches, there has been an increasing tendency in recent years to design IDSs based on machine learning. However, the effectiveness of IDSs might change based on the particular technique used and the settings in which they are used. Using the UGR'16 dataset, the authors assessed the performance of these models with an emphasis on four different types of attacks: Denial of Service and botnet attacks. The results of their study offer the scientific community useful information, particularly with regard to the creation of better Network Intrusion Detection System (NIDS) solutions. It is crucial to remember that the study's main objective was to assess how well the models performed against the four chosen attacks. This research did not go into great detail about the wider landscape of potential attacks and their detection.

SVM and KNN were among the machine learning algorithms used in a study by Iram et al. [12] to design an intrusion detection system (IDS). Dimensionality reduction was accomplished using a random selection of features from the NSL-KDD dataset. All three classifiers (DT, extra-tree, and RF) performed at or above 99% accuracy. However, the use of optimisation methods was not the focus of the research. With DT, RF, and XGBoost classifiers in mind, Abdulsalam et al. [13] focused on developing IDS for SDN. The NSL-KDD dataset was used to evaluate the performance of the models. The XGBoost classifier outperformed the competition on several metrics, including the F1 score, the precision, and the recall.

For dataset optimization [14], the GIWRF model, an embedded feature selection method, was used. In the investigation, the decision tree classifier performed better than other models. It should be emphasized, nonetheless, that this study did not evaluate multiclass classification. Some research missed optimization techniques or certain elements, such as multiclass classification, while getting high accuracy scores and investigating various classifiers. To improve IDS performance and solve real-world intrusion scenarios, future research might concentrate on merging optimization techniques and tackling particular issues.

Mario et al.'s study [21] involved studies to contrast several neural-based methods with an emphasis on Artificial Neural Networks (ANN). Their model's performance was assessed using the KDD99 and CICIDS2017/2018 datasets. According to the researchers, most of the time, ANN-based approaches displayed exceptional performance. However, because ANN employs the backpropagation technique, these models have poor processing speeds. It is worth noting that their study did not include a feature optimization step, which would have decreased the classifier's time complexity. While Mario et al.'s work focused on the excellent performance of ANN-based approaches, it disregarded the inclusion of feature optimization, which may have advantages in terms of computing effectiveness. Shi et al.'s research, on the other hand, demonstrated the application of a Semi-Supervised
Deep Reinforcement approach, but it also brought to light the SSDDQN model's shortcomings in terms of optimization and spotting specific kinds of anomalous attack traffic.

As opposed to using features obtained through a classification strategy directly, Joohwa et al.'s research [24] offered an approach for deep learning classification by leveraging features acquired through a pre-processing technique. They used the Random Forest (RF) classification algorithm along with an unsupervised deep learning autoencoder model. A deep sparse autoencoder was employed to extract the features. The CICIDS 2017 dataset was used for the studies. The authors asserted that their suggested strategy outperformed current feature extraction techniques. They did observe that the approach's performance was rather subpar for the network's unusual class. A multi-stage optimised Machine Learning (ML)-based Network Intrusion Detection System (NIDS) framework was introduced by Mohammadnoor et al. [25]. In order to establish the minimum training sample size necessary, they looked into the effects of oversampling techniques on model training instance sizes. Gain-based and correlation-based feature selection methods were contrasted by the researchers. To assess their model, CICIDS 2017 and UNSW-NB 2015 datasets were employed. They asserted that their framework used just up to 50% of the features at hand and still had an accuracy rate of above 90%.

The many methods of implementing an Intrusion Detection System have been covered in the cited research. Many of these studies evaluate their models on datasets with limited attribute variability, like KDDCUP and NSL-KDD. To address this problem and guarantee a comprehensive analysis, our efforts are focused on the CICIDS-2017 dataset, which gives more features and has a more diverse variety of risks than the KDD dataset. Our suggested work focuses on reducing the quantity or size of input features by using a reliable feature optimisation method. By cherry-picking the most relevant and instructional data points from the dataset, this approach aims to strengthen the reliability and performance of the intrusion detection mechanism.

III. PUBLICLY AVAILABLE DATASETS

The dataset was specifically created to incorporate a more varied range of attack types and traffic patterns in order to solve the shortcomings of earlier datasets like KDDCUP and NSL-KDD.

The following are some of the primary qualities and traits of the CICIDS-2017 dataset:

The dataset was created using actual network traffic that was recorded in a regulated setting, giving a true depiction of network behavior. It has a wide range of features that were taken from network traffic, including statistical features, flow-based features, and features based on transport layer protocols. These features record crucial data about network behavior and communication.

Class Imbalance: The dataset displays class imbalance, where some attack types are more common than others, just like in real-world network environments.

Size: The dataset is big, with millions of network traffic examples, making it appropriate for developing and testing IDS models based on machine learning.

Available Protocols: The collection contains information about the existence of widely used protocols such as Email, HTTP, FTP, HTTPS and SSH. This guarantees that the dataset covers a wide range of network communication protocols.

Attack Diversity: Based on the 2016 McAfee study, the dataset includes a range of attack types. Web-based assaults, brute-force attacks, Heartbleed attacks, bot attacks, and scan attacks are among them. The evaluation and testing of intrusion detection systems under multiple assault scenarios is made possible by the comprehensive attack diversity.

Heterogeneity: The dataset records system calls and memory dumps from each victim machine as well as network activity from the main switch while the assaults were being carried out.

Feature Set: Using the CICFlowMeter, more than 80 network flow features were retrieved from the generated network traffic. The dataset's foundation is made up of several features, which offer comprehensive information about the network flows. The dataset is often offered in CSV file format, making analysis of it simple.

MetaData: Detailed information regarding the time of the captured network traffic, the sorts of assaults that were present, the network flows, and the accompanying labels are all included in the dataset's extensive metadata. In order to ensure transparency and promote a deeper comprehension of the dataset's contents, this metadata is often supplied in the published paper that goes along with the dataset.

Table 1: Description of Dataset

Dataset Name: CICIDS-2017
Used Protocol: Email protocols, HTTP, SSH, HTTPS and FTP
Diversity of Attack: DoS, Web-based, DDoS, Infiltration, Brute force, Heartbleed, and Scan
Heterogeneity: System calls, memory dumps, and captures from the main switch
Feature Set: More than 80 network flow features
MetaData: Time, Attack, Labels, Time and flows

The analysis of network behaviour and attack patterns is made easier by these features, which give precise information about the network flows. A deeper comprehension of the dataset's contents is made possible by the inclusion of extensive metadata, such as the period during which network traffic was gathered, the sorts of attacks that were active, network flows, and associated labels.
IV. PROPOSED SYSTEM

The CNN-RNN model and the feature optimization technique make up the two main portions of the proposed work. The workflow of the proposed method is shown in Figure 1, and it consists of two major components: classification and data pre-processing. The workflow's initial phase is centred on feature optimization. This entails removing redundancy and choosing the best feature set for the analysis that follows. The objective is to improve the caliber and relevance of the features utilized in the model by employing an efficient feature optimization technique.

The data must be organized and prepared for classification in this step. The data can be more effectively analysed and identified by categorizing them. The next step in the workflow entails comparing the performance of the suggested technique against that of other available algorithms. The purpose of this evaluation is to ascertain the superiority and efficacy of the suggested method for identifying and categorizing intrusions.

Figure 1: Proposed model for IDS

1. Data Gathering and Pre-Processing:

The CICIDS 2017 dataset was used to assess the efficacy of the proposed method. This dataset allowed for a thorough investigation of 25 users' abstract behaviour based on several protocols. Five days of continuous data collection allowed for a thorough investigation of network activity. In the CICIDS 2017 dataset, a variety of attack types are covered, including DoS/DDoS attacks, brute force assaults, web attacks, attempts at penetration, botnet activity, port scans, and more. The dataset offers a wide range of assault situations, which makes it ideal for testing and gauging the effectiveness of our approach. The attack distribution inside the CICIDS 2017 dataset offers insightful data on the prevalence and frequency of various attack types. The CICIDS 2017 dataset is strongly advised for testing and validating intrusion detection models because of its thorough coverage of multiple attack categories.

Table 2: Different types of attacks

Sub-Dataset: Attacks
Tuesday Samples: benign, ftpPatator_Attack, sshPatator_Attack
Sample on Wednesday: Safe from GoldenEye, Hulk, Slow HTTP Test, Slow Loris, and Heartbleed Attacks
Thursday Morning Samples: benign, bruteForce_Attack, SqlInjection_Attack, XSS_Attack
Thursday Afternoon Samples: benign, infiltration_Attack
Friday Morning Samples: benign, bot_Attack
Samples on Afternoon of Friday: ddos_Attack and benign
Samples on Afternoon of - PortScan: portscan_Attack and benign


Figure 2: Representation of Dataset number of Instance with Redundancy

Figure 3: Representation of Dataset number of Instance with Redundancy

A feature optimization approach was used to identify the most pertinent features while lowering the input dimension. This tactic used the Pearson's Correlation Coefficient (PCC) filter approach to find discriminative features during attribute selection and collection. Pearson's correlation coefficient measures the correlation or similarity between various aspects or qualities in the dataset. A correlation coefficient value between [-1, 1] is provided. Strong positive correlation is shown by a coefficient value of 1, whilst strong negative correlation is denoted by a value of -1. An almost-zero coefficient value denotes a poor or non-existent link between the features.

$$\rho_{X,Y} = \frac{\operatorname{cov}(X, Y)}{\sigma_X \sigma_Y}$$

$$PCC = \frac{E(x_i y_i) - E(x_i)\,E(y_i)}{\sqrt{E(x_i^2) - E^2(x_i)}\;\sqrt{E(y_i^2) - E^2(y_i)}}$$

In our study, we looked at many categories of network attacks and used attribute selection to find the best features for each category. BruteForce, DoS/DDoS, WebAttacks, Infiltration, Bot, DDoS, and PortScan were the classes taken into consideration. We started with a total of 77 attributes available for study for each class. The number of attributes was nevertheless reduced by the attribute selection procedure to a more manageable and useful subset. The purpose of the attribute selection process was to determine the characteristics that are most helpful in identifying and classifying each individual attack type.

2. LSTM improved framework as Gated Recurrent Unit:

To combat the vanishing/exploding gradient problem, researchers have developed a newer architecture for recurrent neural networks called the Gated Recurrent Unit (GRU). The LSTM framework (Long Short-Term Memory) has been enhanced. GRU employs a gate structure to manage data flow in a manner analogous to that of LSTM. There are, however, notable differences between the two. In contrast to LSTM, GRU doesn't have an output gate, hence the hidden state is exposed. GRU consists of just two gates, the reset gate and the update gate. The update gate controls how much of the
previous concealed state is shown, while the reset gate determines how much of it is forgotten.

$$R_t = \operatorname{sigmoid}(W_{xr} X_t + W_{hr} H_{t-1} + B_r)$$

$$Z_t = \operatorname{sigmoid}(W_{xz} X_t + W_{hz} H_{t-1} + B_z)$$

$$\tilde{H}_t = \tanh(W_{xh} X_t + W_{hh}(R_t \odot H_{t-1}) + B_h)$$

$$H_t = Z_t \odot H_{t-1} + (1 - Z_t) \odot \tilde{H}_t$$

One advantage of GRU over LSTM is that it has a simpler structure and fewer parameters, both of which can improve performance. GRU's computational efficiency and propensity for overfitting are improved by the smaller number of parameters. Additionally, the lack of an output gate makes it possible for GRU to transfer information more directly, potentially enabling faster learning and greater temporal dependency capture in sequential data.

Figure 4: Gated Recurrent Architecture

3. Recurrent Neural Network (RNN):

In order to implement the algorithm, Recurrent Neural Networks (RNNs) are used in intrusion detection. An outline of the procedures for employing RNN for intrusion detection is provided below:

• Gather the dataset comprising information on network traffic, including both legitimate and malicious instances. This dataset needs to have the appropriate attack kinds annotated.
• Pre-processing the data involves cleaning it up, normalizing the features, and handling any missing values that may be there.
• Feature Extraction: Take the preprocessed dataset and extract the pertinent features. This stage tries to record the crucial aspects of network traffic that can aid in differentiating between legitimate and malicious activity.
• Create sequences from the collected features that are appropriate for RNN training. In order to do this, input sequences and corresponding target sequences must be created, where input sequences represent a succession of prior network states and target sequences represent the occurrence of an attack or regular behaviour.
• Design an RNN architecture for the model to use in intrusion detection. This normally entails deciding on the right kind of RNN cells (such as LSTM or GRU) and the network's layer and neuron count. The issue of the vanishing/exploding gradient should be taken into account.
• Model training: Apply the prepared dataset to the RNN model training. The input sequences are fed into the RNN during training, and then the output predictions are calculated and compared to the target sequences. Utilize optimization strategies such as backpropagation.
• Model evaluation: Use the testing dataset to assess the trained RNN model. Determine different performance criteria, such as accuracy, precision, recall, and F1-score, to evaluate how well the model detects network intrusions.
• Optimization and fine-tuning: Boost the model's performance by fine-tuning its hyperparameters, such as learning rate, batch size, and regularization methods. To prevent overfitting, think about adopting strategies like early stopping or learning rate decay.
• Deploy the model for intrusion detection in a real-time or almost real-time scenario once you are pleased with its performance. Make predictions about whether the observed behavior is malicious or normal by continuously monitoring network traffic and feeding it into the deployed RNN model.
• Continuous Improvement: Track the model's performance over time and make periodic updates to make it flexible to changing attack

4. CNN Model:

The Convolutional Neural Network (CNN), often known as a ConvNet, is a type of deep learning system that processes input data by giving various layers of the network distinct biases and weights. After that, it performs the steps of Algorithm 1 to divide the input into its constituent parts. One of CNN's key advantages over competing algorithms is its ability to cut down on the amount of pre-processing required before data is ready to be used. This is because filters may be automatically learned and improved by CNN.
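The four GRU equations of section 2, written out as an added example that is not the authors' code. The parameter names (W_xr, W_xz, W_xh and so on), the two-unit sizes and every weight value are constructed assumptions; the gate weights are zero so that the biases alone saturate each gate and its effect on the hidden state can be read off directly.

```python
import math


def matvec(W, v):
    """Matrix-vector product for a list-of-rows matrix."""
    return [sum(w * a for w, a in zip(row, v)) for row in W]


def add(*vectors):
    """Element-wise sum of equally sized vectors."""
    return [sum(parts) for parts in zip(*vectors)]


def hadamard(a, b):
    """Element-wise product, the circled dot in the equations."""
    return [x * y for x, y in zip(a, b)]


def sigmoid(v):
    return [1.0 / (1.0 + math.exp(-a)) for a in v]


def gru_step(x_t, h_prev, p):
    """One time step: reset gate, update gate, candidate state, new hidden state."""
    r_t = sigmoid(add(matvec(p["W_xr"], x_t), matvec(p["W_hr"], h_prev), p["b_r"]))
    z_t = sigmoid(add(matvec(p["W_xz"], x_t), matvec(p["W_hz"], h_prev), p["b_z"]))
    # The reset gate scales the previous state before it reaches the candidate.
    cand = [math.tanh(a) for a in add(matvec(p["W_xh"], x_t),
                                      matvec(p["W_hh"], hadamard(r_t, h_prev)),
                                      p["b_h"])]
    # The update gate blends the previous state with the candidate.
    keep = hadamard(z_t, h_prev)
    new = hadamard([1.0 - z for z in z_t], cand)
    return add(keep, new), r_t, z_t, cand


def make_params(b_r, b_z):
    """Constructed 2-input, 2-unit parameters; zero gate weights let the biases set the gates."""
    zeros = [[0.0, 0.0], [0.0, 0.0]]
    return {
        "W_xr": zeros, "W_hr": zeros, "b_r": [b_r, b_r],
        "W_xz": zeros, "W_hz": zeros, "b_z": [b_z, b_z],
        "W_xh": [[0.5, -0.3], [0.2, 0.8]],
        "W_hh": [[0.9, 0.1], [-0.4, 0.7]],
        "b_h": [0.0, 0.1],
    }


def run_sequence(xs, p, hidden_size=2):
    """Feed a sequence of feature vectors through the cell, starting from a zero state."""
    h = [0.0] * hidden_size
    for x in xs:
        h, _, _, _ = gru_step(x, h, p)
    return h


if __name__ == "__main__":
    x, h_prev = [1.0, 2.0], [0.6, -0.2]   # constructed input and previous state
    for label, b_r, b_z in [("update gate open (keep state)", 0.0, 20.0),
                            ("update gate closed (overwrite)", 0.0, -20.0),
                            ("reset gate closed (ignore history)", -20.0, 0.0)]:
        h_t, r_t, z_t, cand = gru_step(x, h_prev, make_params(b_r, b_z))
        print(label, [round(v, 4) for v in h_t], "candidate", [round(v, 4) for v in cand])
    # Three constructed, already normalised flow-feature vectors as one input sequence.
    print(run_sequence([[0.2, 0.1], [0.9, 0.8], [0.1, 0.0]], make_params(0.0, 0.0)))
```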


Figure 5: CNN Architecture

Proposed Model Algorithm:

CNN-RNN Feature-Level Optimisation
Input: Data examples
Confusion Matrix (Accuracy, Precision, Recall, False Positive Rate, True Positive Rate)
Optimising Datasets
    Get rid of the duplicates.
Choose Among Features
    Calculate the attribute set's correlation using Pearson's Correlation formula.
    If corr_value is more than 0.8, then set Cf.
    insert attribute if Cf exists, otherwise increase attribute count Cf C return
Classification
    Build the dataset's training and test sets.
    67% in the training set
    Data sample size: 33%
    Model with three Convolution layers with relu activation and two GRU layers with relu activation.
    The 'categorical_crossentropy' loss function was used during model compilation.
    optimizer = 'adagrad'
    training Methods from the CNN-GRU training set are applied to the CNN-GRU test set.
    return The Matrix of Confusion Cm*m
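An added example (not the authors' code) of the "Optimising Datasets" and "Choose Among Features" steps above: exact duplicate records are removed, then a feature is dropped when its absolute Pearson correlation with an already kept feature exceeds 0.8. Reading the 0.8 threshold as a redundancy test on the absolute value is an assumption, as are the feature names and flow values; constant columns, for which the coefficient is undefined, are dropped explicitly.

```python
import math

# Constructed sample: hypothetical flow-feature names and values, not CICIDS-2017 data.
FEATURES = ["flow_duration", "fwd_packets", "fwd_bytes", "bwd_flag_count", "iat_mean"]
SAMPLE_ROWS = [
    [50, 2, 130, 0, 80],
    [10, 4, 236, 0, 443],
    [40, 6, 370, 0, 22],
    [20, 8, 475, 0, 80],
    [45, 10, 610, 0, 443],
    [15, 12, 716, 0, 21],
    [50, 2, 130, 0, 80],   # exact duplicate of the first record
]
THRESHOLD = 0.8  # the corr_value cut-off named in the algorithm


def drop_duplicates(rows):
    """Remove exact duplicate records, keeping the first occurrence and the order."""
    seen, unique = set(), []
    for row in rows:
        key = tuple(row)
        if key not in seen:
            seen.add(key)
            unique.append(row)
    return unique


def pearson(xs, ys):
    """Pearson's correlation coefficient, or None when either column has zero variance."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        return None  # sigma is zero, so the ratio is undefined
    return cov / math.sqrt(var_x * var_y)


def select_features(names, rows, threshold=THRESHOLD):
    """Greedy filter: keep a feature unless it is constant or redundant with a kept one."""
    columns = {name: [row[i] for row in rows] for i, name in enumerate(names)}
    kept, dropped = [], {}
    for name in names:
        col = columns[name]
        if len(set(col)) == 1:
            dropped[name] = "constant"
            continue
        for other in kept:
            r = pearson(col, columns[other])
            if r is not None and abs(r) > threshold:
                dropped[name] = f"|r|={abs(r):.2f} with {other}"
                break
        else:
            kept.append(name)  # no kept feature is strongly correlated with it
    return kept, dropped


if __name__ == "__main__":
    rows = drop_duplicates(SAMPLE_ROWS)
    kept, dropped = select_features(FEATURES, rows)
    print(len(rows), "unique records")
    print("kept:", kept)
    for name, reason in dropped.items():
        print("dropped:", name, "-", reason)
```

The filter is order dependent: of two strongly correlated features, the one listed first is the one that survives.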

5. Evaluation Metrics:

Following is a summary of the four performance evaluation measures that were utilised to evaluate the proposed illness prediction model:

• True positives (TP) are the number of precise forecasts when the model correctly recognises a patient as having a chronic illness.
• True negatives (TN) are the proportion of precise predictions in which the model correctly identifies individuals who are free of any diseases.
• False Positives (FP): The quantity of inaccurate predictions in which the model misdiagnoses a healthy person as having a condition.
• False Negatives (FN): The proportion of inaccurate predictions in which the model incorrectly classifies a patient as healthy when, in reality, they are suffering from a chronic illness.

The model's precision, recall, and overall performance in predicting the presence or absence of chronic diseases are all valuable insights revealed by these metrics.

a) Precision:

The precision or positive predictive value (PPV), a performance evaluation measure, determines the percentage of accurate forecasts to all correct values, including both true and false values. Mathematically, it is represented as follows:

$$\text{Precision} = \frac{\text{True Positive}}{\text{True Positive} + \text{False Positive}}$$

In other words, precision describes how accurate or precise the model is at foreseeing favorable events. With a high precision, the model is less likely to misclassify negative cases as positive, or have a high rate of false positives.

b) Recall:

The quantity of true positives, or TP, in this equation represents the precision of the forecasts made by patients with chronic diseases. The number of times a healthy person was incorrectly diagnosed as having a disease is known as false positives (FP). By dividing the total number of true positives by the sum of true positives and false positives, the accuracy or positive predictive value is determined. Recall, also known as sensitivity or true positive rate (TPR), is a performance evaluation metric that calculates the ratio of correctly expected values to all correctly positive and wrongly negative projected values. The mathematical notation is as follows.

$$\text{Recall} = \frac{\text{True Positive (TP)}}{\text{True Positive (TP)} + \text{False Negative (FN)}}$$

The number of true positives, or TP, in this equation denotes the accuracy of patients with chronic conditions' forecasts. False negatives, or FN, are the number of instances where a patient was incorrectly classified as healthy.

c) F1 Score:

The performance evaluation statistic known as the F-measure (F) combines the precision and recall criteria through a weighted average. It is especially useful when the distribution of classes is uneven or the ranges of false positives and false negatives are wide. When recall and precision are equally important, the F1-Score, a particular variation of the F-measure, is frequently employed. It is denoted mathematically as follows:

$$F_1\ \text{score} = \frac{2 \times \text{Recall} \times \text{Precision}}{\text{Recall} + \text{Precision}}$$

This equation uses precision to stand in for accuracy, also known as positive predictive value, and recall, also known as true positive rate. Precision defines the relative weights of accuracy and recall.

V. RESULT AND DISCUSSION

To evaluate the trained RNN model, use the testing dataset. To assess how well the model detects network intrusions, determine various performance parameters like accuracy, specificity, sensitivity, and F1-score. Optimization and fine-tuning: boost the model's performance by fine-tuning its hyperparameters, like batch size, learning rate, and regularization methods. To prevent overfitting, think about adopting strategies like early stopping or learning rate decay. Deploy the model for intrusion detection in a real-time or almost real-time scenario once you are pleased with its performance. Make predictions about whether the observed behaviour is malicious or normal by continuously monitoring network traffic and feeding it into the deployed RNN model. Continuous Improvement: Track the model's performance over time and make periodic updates to make it flexible to changing attack

Table 3: Evaluation parameters metrics of different algorithm

| Algorithm | Model Accuracy (%) | Model Precision (%) | Model Recall (%) | Model F1-Score (%) |
|---|---|---|---|---|
| CNN | 93.78 | 93.23 | 91.76 | 92.55 |
| RNN | 90.21 | 91.33 | 90.31 | 91.87 |
| Hybrid Approach (CNN and RNN) | 99.73 | 94.22 | 99.16 | 98.92 |

As intrusion detection algorithms, CNN, RNN, and a hybrid CNN-RNN technique (shown in Table 3) were assessed based on measures for accuracy, precision, recall, and F1-score. CNN had a 93.78% accuracy rate, 93.23% precision rate, 91.76% recall rate, and a 92.55% F1-score, according to the results. RNN achieved a 91.87% F1-score, 90.21% accuracy, 91.33% precision, and 90.31% recall. The hybrid technique combining CNN and RNN outperformed both individual algorithms, achieving accuracy of 99.73%, precision of 94.22%, recall of 99.16%, and an F1-score of 98.92%. The higher classification accuracy of the hybrid technique for intrusion detection highlighted the synergistic advantages of integrating CNN and RNN.

Figure 6: Representation for Comparison of Performance metrics for Deep learning method
Table 4: Statistical Analysis of Attacks (DDoS)

| Evaluation metrics | BENIGN | Goldeneye | Hulk | Slowhttptest | Slowloris | Heartbleed |
|---|---|---|---|---|---|---|
| The Precision | 94.4 | 77.02 | 96.77 | 98.88 | 80.96 | 0 |
| The Recall | 95 | 74 | 95 | 88 | 79 | 0 |
| True Negative | 59202.98 | 198336 | 142083 | 200466.1 | 200366 | 202377 |
| False Positive | 5019.98 | 622.96 | 2950.02 | 223.14 | 273.97 | 4 |
| True Positive | 134433 | 2660.96 | 53510.02 | 1252.14 | 1434.97 | 0 |
| False Negative | 3728.98 | 764.96 | 3842.02 | 444.14 | 309.97 | 4 |
| (FPR) | 58 | 02 | 4 | 14.1 | 3 | 0 |
| (TPR) | 95.3 | 73.67 | 95.3 | 87.82 | 79.23 | 0 |

Figure 7: Accuracy and classification
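
The precision, recall and F1 definitions from the evaluation-metrics section can be applied directly to the figures printed in Tables 3 and 4. The following is an added example, not code from the paper: it recomputes F1 from each Table 3 row's precision and recall, and derives per-class precision, recall, FPR and F1 from the Table 4 confusion counts, returning 0 for a class with no true positives (Heartbleed). The function names and the 0.1-point tolerance are assumptions of this example.

```python
# Table 3 rows as printed: algorithm -> (precision %, recall %, reported F1 %).
TABLE3 = {
    "CNN": (93.23, 91.76, 92.55),
    "RNN": (91.33, 90.31, 91.87),
    "Hybrid (CNN and RNN)": (94.22, 99.16, 98.92),
}

# Table 4 confusion counts as printed: class -> (TN, FP, TP, FN).
TABLE4 = {
    "BENIGN": (59202.98, 5019.98, 134433, 3728.98),
    "Goldeneye": (198336, 622.96, 2660.96, 764.96),
    "Hulk": (142083, 2950.02, 53510.02, 3842.02),
    "Slowhttptest": (200466.1, 223.14, 1252.14, 444.14),
    "Slowloris": (200366, 273.97, 1434.97, 309.97),
    "Heartbleed": (202377, 4, 0, 4),
}


def ratio(num, den):
    """Return num/den, or 0.0 when the denominator is zero."""
    return num / den if den else 0.0


def f1(precision, recall):
    """Harmonic mean of precision and recall (same unit in and out)."""
    return ratio(2 * precision * recall, precision + recall)


def class_metrics(tn, fp, tp, fn):
    """Per-class precision, recall (TPR), FPR and F1, all in percent."""
    p, r = ratio(tp, tp + fp), ratio(tp, tp + fn)
    return {"precision": 100 * p, "recall": 100 * r,
            "fpr": 100 * ratio(fp, fp + tn), "f1": 100 * f1(p, r)}


def f1_gaps(table, tolerance=0.1):
    """Rows whose reported F1 is more than `tolerance` points from 2PR/(P+R)."""
    gaps = {}
    for name, (p, r, reported) in table.items():
        recomputed = f1(p, r)
        if abs(recomputed - reported) > tolerance:
            gaps[name] = round(recomputed, 2)
    return gaps


if __name__ == "__main__":
    print("Table 3 rows where reported F1 != 2PR/(P+R):", f1_gaps(TABLE3))
    for name, counts in TABLE4.items():
        print(name, {k: round(v, 2) for k, v in class_metrics(*counts).items()})
```

With the printed values, `f1_gaps(TABLE3)` returns the RNN and hybrid rows, with recomputed F1 of 90.82 and 96.63.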

The accuracy of the CNN model [18], which used 77 attributes, was 95.26 percent. This shows that it can correctly categorize intrusions using the supplied dataset. With 78 attributes and a greater accuracy of 98.67%, the CNN-AE model [36] showed increased performance in intrusion detection. A second CNN model [19] used 77 attributes and had a 98.72% accuracy rate. This shows that it was successful in correctly categorizing intrusions in the dataset. While using 74 attributes, the LSTM model [20] achieved a slightly better accuracy of 98.87%, demonstrating its capability to efficiently detect intrusions.

Table 5: Performance of proposed model with Existing model

| Model | No. of Attributes | Accuracy |
|---|---|---|
| CNN [18] | 77 | 95.26% |
| CNN-AE [36] | 78 | 98.67% |
| CNN [19] | 77 | 98.72% |
| LSTM [20] | 74 | 98.87% |
| Proposed CNN-RNN | 41 | 99.73% |

Figure 8: Comparison Performance of proposed model with Existing model (bar chart of Accuracy for CNN [18], CNN-AE [36], CNN [19], LSTM [20] and Proposed CNN-RNN)

The proposed CNN-RNN model had the best accuracy of 99.73% among the tested models and used a smaller set of 41 attributes. This shows that, when compared to previous models, the suggested approach performs better at reliably classifying intrusions. Overall, great accuracy in intrusion detection was shown by the CNN-AE, CNN [19], LSTM, and suggested CNN-RNN models. The proposed CNN-RNN model outperformed the previous models despite having fewer features, demonstrating how well it can detect intrusions. These results demonstrate how deep learning models can be applied to intrusion detection systems to improve security and defend against online attacks.

VI. CONCLUSION
IDSs (intrusion detection systems) are essential for defending organizational borders against online dangers. In order to successfully detect and categorize intrusions, new techniques are becoming necessary given the complexity and frequency of attacks. In this study, we suggested an optimal feature composition method and a hybrid deep learning model to improve IDS performance. Using their respective advantages in feature extraction and sequence modeling, Convolutional Neural Networks (CNN) and Recurrent Neural Networks (RNN) were merged in our method. We attempted to capture both local and temporal dependencies inside network traffic data using the CNN and RNN architectures, resulting in enhanced detection accuracy. The hybrid model performed exceptionally well, attaining an accuracy of 99.73%. We used feature optimization approaches to minimize the dimensionality of the input data in order to further increase the model's efficacy. We determined and chose the most pertinent features by using Pearson's correlation coefficient, which also increased the model's efficiency and calculation speed while keeping high accuracy. The experimental examination of our suggested strategy against a number of benchmark datasets demonstrated its superiority to earlier approaches. In terms of accuracy, the hybrid CNN-RNN model outperformed the standalone CNN and RNN models as well as other cutting-edge algorithms. This demonstrates the beneficial synergy between the CNN and RNN designs in capturing complex dependencies and patterns in network traffic data.

Future research directions might include examining various deep learning architectures, adding further data sources and characteristics, and examining how generalizable the suggested strategy is in various network contexts. Additionally, work can be done to incorporate real-time monitoring tools and create defences against emerging and zero-day assaults.

REFERENCES
[1] G. De Carvalho Bertoli et al., "An End-to-End Framework for Machine Learning-Based Network Intrusion Detection System," in IEEE Access, vol. 9, pp. 106790-106805, 2021, doi: 10.1109/ACCESS.2021.3101188.
[2] Z. A. El Houda, B. Brik and S.-M. Senouci, "A Novel IoT-Based Explainable Deep Learning Framework for Intrusion Detection Systems," in IEEE Internet of Things Magazine, vol. 5, no. 2, pp. 20-23, June 2022, doi: 10.1109/IOTM.005.2200028.
[3] A. Pandit, A. Gupta, M. Bhatia and S. C. Gupta, "Filter Based Feature Selection Anticipation of Automobile Price Prediction in Azure Machine Learning," 2022 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COM-IT-CON), Faridabad, India, 2022, pp. 256-262, doi: 10.1109/COM-IT-CON54601.2022.9850615.
[4] C.-M. Ou, "Host-based Intrusion Detection Systems Inspired by Machine Learning of Agent-Based Artificial Immune Systems," 2019 IEEE International Symposium on INnovations in Intelligent SysTems and Applications (INISTA), Sofia, Bulgaria, 2019, pp. 1-5, doi: 10.1109/INISTA.2019.8778269.
[5] P. Widulinski and K. Wawryn, "Parameter Efficiency Testing for an Intrusion Detection System Inspired by the Human Immune System," 2022 29th International Conference on Mixed Design of Integrated Circuits and System (MIXDES), Wrocław, Poland, 2022, pp. 208-212, doi: 10.23919/MIXDES55591.2022.9838210.
[6] Khraisat, A.; Gondal, I.; Vamplew, P.; Kamruzzaman, J., “Survey of intrusion detection systems: Techniques, datasets and challenges”, Cybersecurity 2019, 2, 20
[7] D. Dal, S. Abraham, A. Abraham, S. Sanyal and M. Sanglikar, "Evolution Induced Secondary Immunity: An Artificial Immune System Based Intrusion Detection System," 2008 7th Computer Information Systems and Industrial Management Applications, Ostrava, Czech Republic, 2008, pp. 65-70, doi: 10.1109/CISIM.2008.31.
[8] V. Hnamte and J. Hussain, "An Extensive Survey on Intrusion Detection Systems: Datasets and Challenges for Modern Scenario," 2021 3rd International Conference on Electrical, Control and Instrumentation Engineering (ICECIE), Kuala Lumpur, Malaysia, 2021, pp. 1-10, doi: 10.1109/ICECIE52348.2021.9664737.
[9] J. Zhang, M. Zulkernine and A. Haque, "Random-Forests-Based Network Intrusion Detection Systems," in IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and Reviews), vol. 38, no. 5, pp. 649-659, Sept. 2008, doi: 10.1109/TSMCC.2008.923876.
[10] Kwon, D.; Kim, H.; Kim, J.; Suh, S.C.; Kim, I.; Kim, K.J. A survey of deep learning-based network anomaly detection. Clust. Comput. 2017, 22, 949–961.
[11] W. Cao, H. Zhang, W. He, H. Chen and E. H. Tat, "Autoencoder in Autoencoder Network Based on Low-Rank Embedding for Anomaly Detection in Hyperspectral Images," IGARSS 2022 - 2022 IEEE International Geoscience and Remote Sensing Symposium, Kuala Lumpur, Malaysia, 2022, pp. 3263-3266, doi: 10.1109/IGARSS46834.2022.9884142.
[12] J. Lansky et al., "Deep Learning-Based Intrusion Detection Systems: A Systematic Review," in IEEE Access, vol. 9, pp. 101574-101599, 2021, doi: 10.1109/ACCESS.2021.3097247.
[13] X. Wang, L. Wang and Q. Wang, "Local Spatial–Spectral Information-Integrated Semisupervised Two-Stream Network for Hyperspectral Anomaly Detection," in IEEE Transactions on Geoscience and Remote Sensing, vol. 60, pp. 1-15, 2022, Art no. 5535515, doi: 10.1109/TGRS.2022.3196409.
[14] Meryem, A.; Ouahidi, B.E.L. Hybrid intrusion detection system using machine learning. Netw. Secur. 2020, 2020, 8–19.
[15] S. A. Bajpai and A. B. Patankar, "A Study on Self-Configuring Intrusion Detection Model based on Hybridized Deep Learning Models," 2023 7th International Conference on Computing Methodologies and Communication (ICCMC), Erode, India, 2023, pp. 303-309, doi: 10.1109/ICCMC56507.2023.10084290.
[16] Abrar, I.; Ayub, Z.; Masoodi, F.; Bamhdi, A.M. A machine learning approach for intrusion detection system on NSL-KDD dataset. In Proceedings of the 2020 International Conference on Smart Electronics and Communication (ICOSEC), Trichy, India, 10–12 September 2020.
[17] Alzahrani, A.O.; Alenazi, M.J. Designing a network intrusion detection system based on machine learning for software defined networks. Future Internet 2021, 13, 111.
[18] Disha, R.A.; Waheed, S. Performance analysis of machine learning models for intrusion detection system using Gini impurity-based weighted random forest (GIWRF) feature selection technique. Cybersecurity 2022, 5, 1.
[19] Megantara, A.A.; Ahmad, T. A hybrid machine learning method for increasing the performance of Network Intrusion Detection Systems. J. Big Data 2021, 8, 142.
[20] Ho, S.; Jufout SAl Dajani, K.; Mozumdar, M. A Novel Intrusion Detection Model for Detecting Known and Innovative Cyberattacks Using Convolutional Neural Network. IEEE Open J Comput Soc. 2021, 2, 14–25.
[21] Priyanka, V.; Gireesh Kumar, T. Performance Assessment of IDS Based on CICIDS-2017 Dataset. In Information and Communication Technology for Competitive Strategies (ICTCS 2020); Lecture Notes in Networks and Systems; Joshi, A., Mahmud, M., Ragel, R.G., Thakur, N.V., Eds.; Springer: Singapore, 2022; Volume 191.
[22] Sun, P.; Liu, P.; Li, Q.; Liu, C.; Lu, X.; Hao, R.; Chen, J. DL-IDS: Extracting features using CNN-LSTM hybrid network for intrusion detection system. Secur. Commun Netw. 2020, 2020, 8890306.
[23] Mauro, M.D.; Galatro, G.; Liotta, A. Experimental Review of Neural-based approaches for network intrusion management. IEEE Trans. Netw. Serv. Manag. 2020, 17, 2480–2495.
[24] Dong, S.; Xia, Y.; Peng, T. Network abnormal traffic detection model based on semi-supervised Deep Reinforcement Learning. IEEE Trans. Netw. Serv. Manag. 2021, 18, 4197–4212.
[25] Pelletier, C.; Webb, G.I.; Petitjean, F. Deep learning for the classification of sentinel-2 Image time series. In Proceedings of the IGARSS 2019—2019 IEEE International Geoscience and Remote Sensing Symposium, Yokohama, Japan, 28 July–2 August 2019.

[26] Lee, J.; Pak, J.G.; Lee, M. Network intrusion detection system using feature extraction based on deep sparse autoencoder. In Proceedings of the 2020 International Conference on Information and Communication Technology Convergence (ICTC), Jeju, Korea, 21–23 October 2020.
