Hybrid Deep Learning Model for Enhanced Intrusion Detection
The rapid growth of cyberattacks, especially Distributed Denial of Service (DDoS), has exposed the limitations of conventional Intrusion Detection Systems (IDS). These systems often struggle to cope with evolving attack strategies. In recent years, deep learning has provided new opportunities for improving IDS, as it can automatically discover hidden structures in complex data without extensive manual feature engineering. This study develops and evaluates three models, Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and a Hybrid CNN-LSTM, for intrusion detection using the CIC-DDoS2019 dataset. Preprocessing involved normalization, label encoding, and class balancing using Synthetic Minority Oversampling Technique (SMOTE). Feature selection was carried out using the information gain algorithm to improve model performance. The models were trained and evaluated using key metrics such as accuracy, precision, recall, F1-score and Area Under the Curve (AUC). Experimental results show that CNN achieved an accuracy of 99.94%, while LSTM performed slightly better with 99.96%; the hybrid CNN-LSTM outperformed both with 99.97% accuracy, precision, and recall, confirming that combining CNN’s spatial learning with LSTM’s temporal sequence modeling leads to superior detection. This study highlights the advantage of hybrid deep learning in network security, reducing both false positives and false negatives. It also provides a practical framework for building IDS capable of adapting to modern attack patterns. Future extensions could focus on real-time implementation, multi-class detection of different attack categories, and explainable AI for improved transparency.
- Research Article
- 10.55041/ijsrem50895
- Jun 21, 2025
- INTERNATIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT
SDN provides centralised control and programmability, but because of its open and centralised architecture, it is extremely susceptible to cyberattacks like Distributed Denial of Service (DDoS), infiltration, and botnets. In terms of accuracy and flexibility, traditional intrusion detection systems frequently fall short of the changing requirements of SDN settings. In order to solve this, we suggest a hybrid deep learning model that incorporates Long Short-Term Memory (LSTM) networks and Convolutional Neural Networks (CNN), augmented with an Attention mechanism. In order to increase accuracy and interpretability, CNN layers take out spatial information from traffic data, LSTM layers record temporal dependencies, and the Attention mechanism highlights important elements. The CICIDS 2017 dataset is used to train and assess the model, utilising preprocessing methods such as class balancing, label encoding, and normalisation. According to experimental results, our model outperforms conventional models such as standalone CNNs and statistical techniques, achieving an accuracy of 93.43%. It performs admirably in a variety of attack scenarios, such as DDoS, probe, and penetration. This study establishes the foundation for real-time, scalable deployment and demonstrates the potential of hybrid deep learning models in SDN cybersecurity. Future research will concentrate on improving the detection of zero-day attacks and tailoring the model for edge computing settings with TensorFlow Lite. Key Words: SDN Security, Intrusion Detection, CNN-LSTM Hybrid, Attention Mechanism, Cyberattack Detection.
- Research Article
11
- 10.71426/jmt.v2.i1.pp283-291
- May 14, 2024
- Journal of Modern Technology
Distributed Denial of Service (DDoS) attacks are a persistent threat to network security, capable of disrupting critical services. This study proposes a hybrid deep learning model that combines Recurrent Neural Networks (RNN), Gated Recurrent Units (GRU), and Long Short-Term Memory (LSTM) networks to effectively detect DDoS attacks in network traffic. Each component of the hybrid model captures unique temporal dependencies—RNN for basic sequence patterns, GRU for efficient short-term memory, and LSTM for long-term memory retention. The model is evaluated using two standard Intrusion Detection System (IDS) datasets, CIC-DDoS2019 and UNSW-NB15, representing diverse attack scenarios. Preprocessing techniques, including feature selection, normalization, and class balancing with Synthetic Minority Over-sampling Technique (SMOTE), ensure high-quality input data. Experimental results demonstrate that the hybrid model outperforms standalone RNN, GRU, and LSTM models, achieving superior accuracy, precision, recall, and F1-score. Specifically, the hybrid model achieves 97.3% accuracy, 97.0% precision, 97.6% recall, and an AUC of 0.981 on the CIC-DDoS2019 dataset. These results underscore the model’s capability to detect complex DDoS patterns while maintaining low false positive rates. The proposed approach offers a scalable, adaptive, and robust solution for real-time intrusion detection in dynamic network environments, outperforming traditional methods.
- Preprint Article
- 10.21203/rs.3.rs-6766340/v1
- Jun 9, 2025
- Research Square
Numerous security experts agree that Intrusion Detection Systems (IDS) are inevitable in securing computer networks, especially against malicious attacks such as Distributed Denial of Service (DDoS). Another limitation of traditional IDSs, which involve both signature-based and anomaly-based models, is that they cannot detect new attacks and often produce many false positives. Signature-based systems are effective only with known attack patterns and are ineffective against unknown ones. In contrast, false positives greatly affect anomaly-based systems due to their high sensitivity levels. In this research, we aim to enhance the accuracy and efficiency of DDoS attack detection by combining Random Forest (RF) and Convolutional Neural Network (CNN)-Long Short-Term Memory (LSTM) models with attention mechanisms, thereby optimizing Intrusion Detection Systems (IDS). The CICIDS2017 dataset is used to train the model, comprising 23,659 benign data points and 17,258 DDoS records. As Random Forest and CNN-LSTM demonstrate their interpretation and temporal feature extraction capabilities, respectively, the hybrid approach combines them based on attention mechanisms over essential features. Moreover, our proposed model outperforms traditional models. The hybrid model’s accuracy, precision, recall, and F1 score are 99.25%, 99.15%, 99.34%, and 99.24%, respectively. Compared to this, our standalone Random Forest model achieves an accuracy of 99.93%, and the CNN-LSTM with attention mechanism scores 99.25%. It can also detect with excellent capabilities, with an AUC of 0.9993. The integration of the attention mechanism significantly enhances the model's effectiveness in real-time intrusion detection. Finally, the future scalability of the model for more complex attack scenarios and real-world deployments is left for further work.
- Research Article
- 10.14569/ijacsa.2026.0170104
- Jan 1, 2026
- International Journal of Advanced Computer Science and Applications
The increasing connectivity of systems and the rapid growth of the Internet have intensified cybersecurity threats. It has been demonstrated that conventional signature-based intrusion detection methods are deficient, especially against Zero-Day attacks. An alternative approach involves the deployment of Intrusion Detection Systems (IDS) that are based on deep learning algorithms. However, these systems face a significant challenge in detecting minority classes of attacks, such as Remote-to-Local (R2L) and User-to-Root (U2R) attacks, which, although rare, are of critical importance. Misclassifying these attacks is costly. Therefore, the reduction of false negatives is achieved by coupling feature selection techniques (Chi-square, correlation, Information Gain, Extreme Gradient Boosting (XGBoost), Autoencoder), oversampling methods (Synthetic Minority Oversampling Technique (SMOTE), Adaptive Synthetic Sampling (ADASYN)) and deep learning models (Deep Neural Network (DNN), Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM) and the hybrid model CNN-LSTM). The present study uses the NSL-KDD dataset, with a particular focus on the minority classes R2L, which represents 2.61% of the dataset, and U2R, representing 0.08% of the dataset. The findings indicate that data balancing is paramount. ADASYN facilitates 100% U2R detection, while SMOTE enhances R2L accuracy to above 95%. The application of correlation and autoencoder feature selection techniques proved to be the most effective. The effectiveness of CNN models in addressing U2R classification tasks has been extensively demonstrated, while the use of DNN or CNN-LSTM models has been shown to yield optimal results for R2L tasks. DNN remains the most stable model overall. For the two minority classes, the most effective pipelines are Correlation + SMOTE + DNN, achieving 93.84% recall for U2R and 99.88% for R2L, and Autoencoder + SMOTE + CNN-LSTM, achieving 89.66% recall for R2L and 99.68% for U2R.
- Research Article
10
- 10.3390/computation13090222
- Sep 14, 2025
- Computation
Intrusion detection systems (IDSs) are critical for securing modern networks, particularly in IoT and IIoT environments where traditional defenses such as firewalls and encryption are insufficient against evolving cyber threats. This paper proposes an enhanced hybrid deep learning model that integrates convolutional neural networks (CNNs), Long Short-Term Memory (LSTM), and Gated Recurrent Units (GRU) in a multi-branch architecture designed to capture spatial and temporal dependencies while minimizing redundant computations. Unlike conventional hybrid approaches, the proposed parallel–sequential fusion framework leverages the strengths of each component independently before merging features, thereby improving detection granularity and learning efficiency. A rigorous preprocessing pipeline is employed to handle real-world data challenges: missing values are imputed using median filling, class imbalance is mitigated through SMOTE (Synthetic Minority Oversampling Technique), and feature scaling is performed with Min–Max normalization to ensure convergence consistency. The methodology is validated on the TON_IoT and CICIDS2017 dataset, chosen for its diversity and realism in IoT/IIoT attack scenarios. Three hybrid models—CNN-LSTM, CNN-GRU, and the proposed CNN-LSTM-GRU—are assessed for binary and multiclass intrusion detection. Experimental results demonstrate that the CNN-LSTM-GRU architecture achieves superior performance, attaining 100% accuracy in binary classification and 97% in multiclass detection, with balanced precision, recall, and F1-scores across all classes. Furthermore, evaluation on the CICIDS2017 dataset confirms the model’s generalization ability, achieving 99.49% accuracy with precision, recall, and F1-scores of 0.9954, 0.9943, and 0.9949, respectively, outperforming CNN-LSTM and CNN-GRU baselines. 
Compared to existing IDS models, our approach delivers higher robustness, scalability, and adaptability, making it a promising candidate for next-generation IoT/IIoT security.
- Research Article
91
- 10.3390/app14020479
- Jan 5, 2024
- Applied Sciences
This study introduces a sophisticated intrusion detection system (IDS) that has been specifically developed for internet of things (IoT) networks. By utilizing the capabilities of long short-term memory (LSTM), a deep learning model renowned for its proficiency in modeling sequential data, our intrusion detection system (IDS) effectively discerns between regular network traffic and potential malicious attacks. In order to tackle the issue of imbalanced data, which is a prevalent concern in the development of intrusion detection systems (IDSs), we have integrated the synthetic minority over-sampling technique (SMOTE) into our approach. This incorporation allows our model to accurately identify infrequent incursion patterns. The rebalancing of the dataset is accomplished by SMOTE through the generation of synthetic samples belonging to the minority class. Various strategies, such as the utilization of generative adversarial networks (GANs), have been put forth in order to tackle the issue of data imbalance. However, SMOTE (synthetic minority over-sampling technique) presents some distinct advantages when applied to intrusion detection. The SMOTE is characterized by its simplicity and proven efficacy across diverse areas, including in intrusion detection. The implementation of this approach is straightforward and does not necessitate intricate adversarial training techniques such as generative adversarial networks (GANs). The interpretability of SMOTE lies in its ability to generate synthetic samples that are aligned with the properties of the original data, rendering it well suited for security applications that prioritize transparency. The utilization of SMOTE has been widely embraced in the field of intrusion detection research, demonstrating its effectiveness in augmenting the detection capacities of intrusion detection systems (IDSs) in internet of things (IoT) networks and reducing the consequences of class imbalance. 
This study conducted a thorough assessment of three commonly utilized public datasets, namely, CICIDS2017, NSL-KDD, and UNSW-NB15. The findings indicate that our LSTM-based intrusion detection system (IDS), in conjunction with the implementation of SMOTE to address data imbalance, outperforms existing methodologies in accurately detecting network intrusions. The findings of this study provide significant contributions to the domain of internet of things (IoT) security, presenting a proactive and adaptable approach to safeguarding against advanced cyberattacks. Through the utilization of LSTM-based deep learning techniques and the mitigation of data imbalance using SMOTE, our AI-driven intrusion detection system (IDS) enhances the security of internet of things (IoT) networks, hence facilitating the wider implementation of IoT technologies across many industries.
- Research Article
79
- 10.3390/s23042171
- Feb 15, 2023
- Sensors (Basel, Switzerland)
The prevalence of internet usage leads to diverse internet traffic, which may contain information about various types of internet attacks. In recent years, many researchers have applied deep learning technology to intrusion detection systems and obtained fairly strong recognition results. However, most experiments have used old datasets, so they could not reflect the latest attack information. In this paper, a current state of the CSE-CIC-IDS2018 dataset and standard evaluation metrics has been employed to evaluate the proposed mechanism. After preprocessing the dataset, six models—deep neural network (DNN), convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory (LSTM), CNN + RNN and CNN + LSTM—were constructed to judge whether network traffic comprised a malicious attack. In addition, multi-classification experiments were conducted to sort traffic into benign traffic and six categories of malicious attacks: BruteForce, Denial-of-service (DoS), Web Attacks, Infiltration, Botnet, and Distributed denial-of-service (DDoS). Each model showed a high accuracy in various experiments, and their multi-class classification accuracy was above 98%. Compared with the intrusion detection system (IDS) of other papers, the proposed model effectively improves the detection performance. Moreover, the inference time for the combinations of CNN + RNN and CNN + LSTM is longer than that of the individual DNN, RNN and CNN. Therefore, the DNN, RNN and CNN are better than CNN + RNN and CNN + LSTM for considering the implementation of the algorithm in the IDS device.
- Research Article
43
- 10.3390/app15041903
- Feb 12, 2025
- Applied Sciences
In response to the increasing volume of network traffic and the growing sophistication of cyber threats, this study examines the use of deep learning-based intrusion detection systems (IDSs) in large-scale network environments. Traditional IDS face challenges such as high false positive rates, complex feature engineering, and class imbalances in datasets, all of which impede accurate threat detection. To overcome these limitations, we implement various deep learning models, including multilayer perceptron (MLP), convolutional neural network (CNN), and long short-term memory (LSTM), alongside traditional machine learning algorithms such as logistic regression, naive Bayes, random forest, K-nearest neighbors, and decision trees. A significant contribution of this study is the application of the synthetic minority over-sampling technique (SMOTE) to address class imbalance, enhancing the representativeness of the learning process. Additionally, we conduct a comprehensive performance comparison of the models, incorporating correlation-based feature selection and hyperparameter tuning to maximize detection accuracy. Our results indicate that deep learning models, particularly CNN and LSTM, outperform traditional machine learning approaches in cyber threat detection, achieving accuracy rates of 98%. However, random forest achieves the highest accuracy at 99.9%, demonstrating its effectiveness in structured intrusion detection tasks. Moreover, we evaluate computational efficiency and practical deployment considerations, discussing trade-offs between accuracy and resource consumption. These findings highlight the potential of deep learning-based IDS for large-scale network security applications while addressing key challenges such as interpretability and computational overhead. The study provides actionable insights for selecting the most suitable IDS models based on specific network environments and security requirements.
- Research Article
132
- 10.1016/j.cose.2021.102435
- Aug 13, 2021
- Computers & Security
STL-HDL: A new hybrid network intrusion detection system for imbalanced dataset on big data environment
- Research Article
2
- 10.11113/ijic.v15n1.524
- May 27, 2025
- International Journal of Innovative Computing
With the growing frequency of network attacks, traditional anomaly-based intrusion detection models often fail to identify advanced attack patterns and suffer from high false positive rates. This paper proposes a hybrid deep learning model integrating Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and an Attention Mechanism to enhance detection accuracy and robustness. Leveraging CNNs for spatial feature extraction, LSTMs for temporal pattern recognition, and Attention Mechanisms for prioritizing critical data, the model effectively identifies diverse intrusion types. Using the NF-UNSW-NB15-v2 dataset, this research incorporates advanced preprocessing techniques such as Recursive Feature Elimination with Cross-Validation (RFECV) and Synthetic Minority Oversampling Technique (SMOTE). Experimental results demonstrate improved performance across key metrics, offering a robust framework for real-time intrusion detection in complex network environments.
- Research Article
6
- 10.2478/ijssis-2024-0040
- Apr 1, 2024
- International Journal on Smart Sensing and Intelligent Systems
Distributed denial of service (DDoS) attacks pose a significant security risk, particularly with the increasing reliance on cloud computing and information technology (IT). These attacks not only allow unauthorized users to access services but also deny legitimate users the ability to utilize them. Traditional antivirus solutions and firewalls prove insufficient in detecting DDoS attacks within large networks. Intrusion detection systems (IDS) are essential for detecting unauthorized or malicious activities and ensuring the confidentiality, integrity, and availability of services. However, traditional IDS often rely on predefined signatures and patterns, making them susceptible to evasion tactics. In response, this research introduces a deep learning (DL)-based IDS that integrates convolutional neural networks (CNN) with principal component analysis (PCA) and explores the application of vision transformers (ViT). The proposed hybrid model was tested on the CICDDoS2019 dataset, achieving a notable improvement in detection accuracy. Specifically, the CNN-based model initially identified DDoS attacks with an accuracy of 99.72%. Upon integrating ViT, the model’s accuracy further improved to 99.99%. This innovative approach signifies a considerable advancement in the detection capabilities for DDoS attacks and underscores the potential for integrating more sophisticated DL models into cybersecurity defenses.
- Conference Article
144
- 10.1109/ccwc47524.2020.9031206
- Jan 1, 2020
In this paper, an Intrusion Detection System (IDS) using the hybridization of the deep learning technique and the multi-objective optimization method for the detection of Distributed Denial of Service (DDoS) attacks in Internet of Things (IoT) networks is proposed. IoT networks consist of different devices with unique hardware and software configurations communicating over different communication protocols, which produce huge multidimensional data that make IoT networks susceptible to cyber-attacks. In a network, the IDS is a vital tool for securing it from cyber-attacks. Detection of new emerging cyber threats is becoming difficult for existing IDS, and therefore advanced IDS is required. A DDoS attack is a cyber-attack that has posed substantial devastating losses in IoT networks recently. In this paper, we propose an IDS founded on the fusion of a Jumping Gene adapted NSGA-II multi-objective optimization method for data dimension reduction and the Convolutional Neural Network (CNN) integrating Long Short-Term Memory (LSTM) deep learning techniques for classifying the attack. The experimentation is conducted using a High-Performance Computer (HPC) on the latest CISIDS2017 datasets on DDoS attacks and achieved an accuracy of 99.03% with a 5-fold reduction in training time. We evaluated our proposed method by comparing it with other state-of-the-art algorithms and machine learning algorithms, which confirms that the proposed method surpasses other approaches.
- Conference Article
33
- 10.1109/icoac.2013.6921946
- Dec 1, 2013
Intrusion Detection System (IDS) is the process of monitoring the events that occur in a system or network and processing them for possible intrusions, whereas Intrusion Prevention System (IPS) has the capability to attempt to stop such possible intrusions. Combining the two systems will result in IDPS, which not only detects the attacks but also prevents such attacks from occurring in the networks. Distributed Denial of Service (DDOS) attacks are the major concern for security in the collaborative networks. Although non-DDOS attacks also make the network performance poor, the effect of DDOS attacks is severe. In DDOS attacks, a particular node is flooded as the victim and jammed with massive traffic, and the complete network performance is affected. In this paper, a novel Intrusion Detection and Prevention System is designed which detects the flooding DDOS attacks based on Firecol and prevents the attacks based on Dynamic Growing Self Organizing Tree (DGSOT) for collaborative networks. Simulation results show that DGSOT with Firecol (DGSOT-FC) produces a better intrusion detection and prevention system. Performance metrics based on the parameters delay and energy conservation are better in DGSOT-FC than in the traditional IDPS systems.
- Research Article
26
- 10.32604/cmc.2023.037386
- Jan 1, 2023
- Computers, Materials & Continua
Intrusion Detection System (IDS) in the Cloud Computing (CC) environment has received paramount interest over the last few years. Among the latest approaches, Deep Learning (DL)-based IDS methods allow the discovery of attacks with the highest performance. In the CC environment, Distributed Denial of Service (DDoS) attacks are widespread. The cloud services will be rendered unavailable to legitimate end-users as a consequence of the overwhelming network traffic, resulting in financial losses. Although various researchers have proposed many detection techniques, there are possible obstacles in terms of detection performance due to the use of insignificant traffic features. Therefore, in this paper, a hybrid deep learning model based on hybridizing Convolutional Neural Network (CNN) with Long-Short-Term Memory (LSTM) is used due to its robustness and efficiency in detecting normal and attack traffic. Besides, the ensemble feature selection, mutualization aggregation between Particle Swarm Optimizer (PSO), Grey Wolf Optimizer (PSO), Krill Herd (KH), and Whale Optimization Algorithm (WOA), is used to select the most important features that would influence the detection performance in detecting DDoS attacks in CC. A benchmark dataset proposed by the Canadian Institute of Cybersecurity (CIC), called CICIDS 2017, is used to evaluate the proposed IDS. The results revealed that the proposed IDS outperforms the state-of-the-art IDSs, as it achieved 97.9%, 98.3%, 97.9%, 98.1%, respectively. As a result, the proposed IDS achieves the requirements of getting high security, automatic, efficient, and self-decision detection of DDoS attacks.
- Research Article
- 10.37965/jait.2025.0887
- Jan 15, 2026
- Journal of Artificial Intelligence and Technology
Distributed denial-of-service (DDoS) attacks represent one of the most damaging cybersecurity threats to modern network systems. The impact of this attack causes server failure and creates complaints about service inconvenience from users, thus reducing the company’s reputation and trust; more crucially, it is the loss of revenue. Although intrusion detection systems (IDSs) and other conventional security mechanisms have been widely deployed, many advanced DDoS attacks continue to bypass these defenses due to their evolving and complex patterns. This study aims to provide a state-of-the-art strategy to identify denial-of-service (DDoS) attacks more precisely using machine learning (ML) calculations. Creation of a modern deep learning (DL) strategy identifies DDoS attacks more precisely by combining the two best DL calculations and comparing their execution by actualizing them on the most challenging dataset. This research applies a combination strategy of two DL calculations models, convolutional neural network (CNN) and long short-term memory (LSTM). These calculations are actualized on the Network Security Laboratory–Knowledge Discovery and Data Mining (NSL-KDD) dataset, which is considered the most challenging dataset for DDoS attack discovery. The results show that the modern DL strategy created in this consideration outperforms other state-of-the-art strategies in terms of precision and discovery rate. The combination of CNN and LSTM results in superior execution than either calculation alone. This implies that the modern DL strategy created in this consideration is a feasible approach to identify DDoS attacks with high precision.