Intrusion detection with HACDT-Net and TRBM-Net using a hybrid deep learning framework with enhanced sampling techniques.

In modern era, the most pressing issue facing modern society is protection against cyberattacks on networks. The frequency of cyber-attacks in the present world makes the problem of providing feasible security to the computer system from potential risks important and crucial. Network security cannot be effectively monitored and protected without the use of intrusion detection systems (IDSs). DLTs (Deep learning methods) and MLTs (machine learning techniques) are being employed in information security domains for effectively building IDSs. These IDSs are capable of automatically and timely identifying harmful attacks. IntruDTree (Intrusion Detection Tree), a security model based on MLTs that detects attacks effectively, is shown in the existing research effort. This model, however, suffers from an overfitting problem, which occurs when the learning method perfectly matches the training data but fails to generalize to new data. To address the issue, this study introduces the MIntruDTree-HDL (Modified IntruDTree with Hybrid Deep Learning) framework, which improves the performance and prediction of the IDSs. The MIntruDTree-HDL framework predicts and classifies harmful cyber assaults in the network using an M-IntruDtree (Modified IDS Tree) with CRNNs (convolution recurrent neural networks). To rank the key characteristics, first create a modified tree-based generalized IDSs M-IntruDTree. CNNs (convolution neural networks) then use convolution to collect local information, while the RNNs (recurrent neural networks) capture temporal features to increase IDS performance and prediction. This model is not only accurate in predicting unknown test scenarios, but it also results in reduced computational costs due to its dimensionality reductions. The efficacy of the suggested MIntruDTree-HDL schemes was benchmarked on cybersecurity datasets in terms of precisions, recalls, fscores, accuracies, and ROC. The simulation results show that the proposed MIntruDTree-HDL outperforms current IDS approaches, with a high rate of malicious attack detection accuracy.

Intrusion Detection Systems (IDS) play a crucial role in modern cybersecurity by identifying and mitigating malicious activities in network traffic. However, existing IDS models suffer from high false positive rates, class imbalance issues, and inefficient feature selection, which hinder their ability to detect sophisticated cyber threats. In this study, study proposes Bi-GAN-LDA IDS, a novel hybrid deep learning framework that integrates Bidirectional Generative Adversarial Networks (Bi-GANs) for synthetic attack sample generation and Linear Discriminant Analysis (LDA) for optimized feature selection. Additionally, a custom focal loss function is introduced to enhance the classification of minority attack classes. The efficacy of the proposed Bi-GAN-LDA intrusion detection framework was rigorously validated using a diverse set of benchmark datasets, namely NSL-KDD, UNSW-NB-15, CICIDS-2017, ADFA-LD, and UNR-IDD. Notably, on the ADFA-LD dataset, the model achieved an F1-score of 99.5%, marking a 2.8% performance gain over existing GAN-based IDS frameworks. Furthermore, a substantial 22% reduction in false positive rates was observed when compared to conventional deep learning-based detectors. These improvements underscore the robustness of the proposed method, particularly in addressing the challenge of class imbalance, minimizing false alarms, and enhancing the reliability of real-time anomaly detection in contemporary IDS environments.

Intrusion detection systems (IDSs) are critical for securing modern networks, particularly in IoT and IIoT environments where traditional defenses such as firewalls and encryption are insufficient against evolving cyber threats. This paper proposes an enhanced hybrid deep learning model that integrates convolutional neural networks (CNNs), Long Short-Term Memory (LSTM), and Gated Recurrent Units (GRU) in a multi-branch architecture designed to capture spatial and temporal dependencies while minimizing redundant computations. Unlike conventional hybrid approaches, the proposed parallel–sequential fusion framework leverages the strengths of each component independently before merging features, thereby improving detection granularity and learning efficiency. A rigorous preprocessing pipeline is employed to handle real-world data challenges: missing values are imputed using median filling, class imbalance is mitigated through SMOTE (Synthetic Minority Oversampling Technique), and feature scaling is performed with Min–Max normalization to ensure convergence consistency. The methodology is validated on the TON_IoT and CICIDS2017 dataset, chosen for its diversity and realism in IoT/IIoT attack scenarios. Three hybrid models—CNN-LSTM, CNN-GRU, and the proposed CNN-LSTM-GRU—are assessed for binary and multiclass intrusion detection. Experimental results demonstrate that the CNN-LSTM-GRU architecture achieves superior performance, attaining 100% accuracy in binary classification and 97% in multiclass detection, with balanced precision, recall, and F1-scores across all classes. Furthermore, evaluation on the CICIDS2017 dataset confirms the model’s generalization ability, achieving 99.49% accuracy with precision, recall, and F1-scores of 0.9954, 0.9943, and 0.9949, respectively, outperforming CNN-LSTM and CNN-GRU baselines. Compared to existing IDS models, our approach delivers higher robustness, scalability, and adaptability, making it a promising candidate for next-generation IoT/IIoT security.

Nowadays, network attacks are the most crucial problem of modern society. All networks, from small to large, are vulnerable to network threats. An intrusion detection (ID) system is critical for mitigating and identifying malicious threats in networks. Currently, deep learning (DL) and machine learning (ML) are being applied in different domains, especially information security, for developing effective ID systems. These ID systems are capable of detecting malicious threats automatically and on time. However, malicious threats are occurring and changing continuously, so the network requires a very advanced security solution. Thus, creating an effective and smart ID system is a massive research problem. Various ID datasets are publicly available for ID research. Due to the complex nature of malicious attacks with a constantly changing attack detection mechanism, publicly existing ID datasets must be modified systematically on a regular basis. So, in this paper, a convolutional recurrent neural network (CRNN) is used to create a DL-based hybrid ID framework that predicts and classifies malicious cyberattacks in the network. In the HCRNNIDS, the convolutional neural network (CNN) performs convolution to capture local features, and the recurrent neural network (RNN) captures temporal features to improve the ID system’s performance and prediction. To assess the efficacy of the hybrid convolutional recurrent neural network intrusion detection system (HCRNNIDS), experiments were done on publicly available ID data, specifically the modern and realistic CSE-CIC-DS2018 data. The simulation outcomes prove that the proposed HCRNNIDS substantially outperforms current ID methodologies, attaining a high malicious attack detection rate accuracy of up to 97.75% for CSE-CIC-IDS2018 data with 10-fold cross-validation.

Network and cloud environments must be fortified against a dynamic array of threats, and intrusion detection systems (IDSs) are critical tools for identifying and thwarting hostile activities. IDSs, classified as anomaly-based or signature-based, have increasingly incorporated deep learning models into their framework. Recently, significant advancements have been made in anomaly-based IDSs, particularly those using machine learning, where attack detection accuracy has been notably high. Our proposed method demonstrates that deep learning models can achieve unprecedented success in identifying both known and unknown threats within cloud environments. However, existing benchmark datasets for intrusion detection typically contain more normal traffic samples than attack samples to reflect real-world network traffic. This imbalance in the training data makes it more challenging for IDSs to accurately detect specific types of attacks. Thus, our challenges arise from two key factors, unbalanced training data and the emergence of new, unidentified threats. To address these issues, we present a hybrid transformer-convolutional neural network (Transformer-CNN) deep learning model, which leverages data resampling techniques such as adaptive synthetic (ADASYN), synthetic minority oversampling technique (SMOTE), edited nearest neighbors (ENN), and class weights to overcome class imbalance. The transformer component of our model is employed for contextual feature extraction, enabling the system to analyze relationships and patterns in the data effectively. In contrast, the CNN is responsible for final classification, processing the extracted features to accurately identify specific attack types. The Transformer-CNN model focuses on three primary objectives to enhance detection accuracy and performance: (1) reducing false positives and false negatives, (2) enabling real-time intrusion detection in high-speed networks, and (3) detecting zero-day attacks. We evaluate our proposed model, Transformer-CNN, using the NF-UNSW-NB15-v2 and CICIDS2017 benchmark datasets, and assess its performance with metrics such as accuracy, precision, recall, and F1-score. The results demonstrate that our method achieves an impressive 99.71% accuracy in binary classification and 99.02% in multi-class classification on the NF-UNSW-NB15-v2 dataset, while for the CICIDS2017 dataset, it reaches 99.93% in binary classification and 99.13% in multi-class classification, significantly outperforming existing models. This proves the enhanced capability of our IDS in defending cloud environments against intrusions, including zero-day attacks.

Traffic classification is an automated technique that divides computer network traffic into several categories depending on different factors like protocol or port number. In a complicated context, traffic categorization is an important tool for network and system security. A monitoring system called intrusion detection looks for abnormal activity and sends out notifications. In order to safeguard a system from network-based attacks, Network Intrusion Detection Systems (NIDS) play a crucial role in monitoring and analyzing network traffic. Active and passive intrusion detection systems (IDS), network intrusion detection systems (NIDS), host intrusion detection systems (HIDS), knowledge-based (signature-based) IDS, and behaviorbased (anomaly-based) IDS are some of the numerous types of intrusion detection systems (IDS). Passive IDS is just designed to monitor and analyze network traffic behaviour and notify an operator of potential vulnerabilities and attacks, whereas Active IDS is also known as Intrusion Detection and Prevention System. A network's malicious traffic is identified using a network-based intrusion detection system (NIDS). A host-based IDS monitors system activity and seeks for indications of abnormal behaviour. For networks with unidentified traffic, the intrusion detection system designed using flow and payload statistical characteristics and clustering approach needs additional clusters. The present intrusion detection system however is affected by false alarm rate, poor detection rate, imbalanced datasets and response time which lead to misclassification of intrusions in various scenarios. Hence, there is a requirement for developing an automated intrusion detection system that works well in different scenarios. The proposed system uses supervised and unsupervised intrusion detection and classification methods to increase the classification accuracy. To categorize the intrusions, dimensionality reduction strategies are used in conjunction with the classification procedure of logistic regression. Performance of intrusion detection system using PCA as dimensionality reduction algorithm has been evaluated with different classifiers such as Logistic Regression (LR), K-Nearest Neighbors (K-NN), Random Forest (RF), Support Vector Machine (Kernel SVM), Decision Tree (DT) using CIC IDS 2022 dataset. An automated way to detect intrusions has been proposed with cluster formation using adaptive weight butterfly optimization algorithm.

The rapid expansion of Internet of Things (IoT) devices presents unique challenges in ensuring the security and privacy of interconnected systems. As cyberattacks become more frequent, developing an effective and scalable Intrusion Detection System (IDS) based on Federated Learning (FL) for IoT becomes increasingly complex. Current methodologies struggle to balance spatial and temporal feature extraction, especially when dealing with dynamic and evolving cyber threats. The lack of diversity in datasets used for FL-based IDS evaluations further impedes progress. There is also a noticeable tradeoff between performance and scalability, particularly as the number of edge devices in communication increases. To address these challenges, this article introduces a horizontal FL model that combines Convolutional Neural Networks (CNN) and Bidirectional Long-Term Short Memory (BiLSTM) for effective intrusion detection. This hybrid approach aims to overcome the limitations of existing methods and enhance the effectiveness of intrusion detection in the context of FL for IoT. Specifically, CNN is used for spatial feature extraction, enabling the model to identify local patterns indicative of potential intrusions, while the BiLSTM component captures temporal dependencies and learns sequential patterns within the data. The proposed IDS follows a zero-trust model by keeping the data on local edge devices and sharing only the learned weights with the centralized FL server. The FL server then aggregates updates from various sources to optimize the accuracy of the global learning model. Experimental results using CICIDS2017 and Edge-IIoTset demonstrate the effectiveness of the proposed approach over centralized and federated deep learning-based IDS.

The rapid growth of cyberattacks, especially Distributed Denial of Service (DDoS), has exposed the limitations of conventional Intrusion Detection System (IDS). These systems often struggle to cope with evolving attack strategies. In recent years, deep learning has provided new opportunities for improving IDS, as it can automatically discover hidden structures in complex data without extensive manual feature engineering. This study develops and evaluates three models, Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and a Hybrid CNN-LSTM for intrusion detection using the CIC-DDoS2019 dataset. Preprocessing involved normalization, label encoding, and class balancing using Synthetic Minority Oversampling Technique (SMOTE). Feature selection was carried out using the information gain algorithm performance, the models were trained and evaluated using key metrics such as accuracy, precision, recall, f1-score and Area Under the Curve (AUC) to improve model performance. Experimental results shows that CNN achieved an accuracy of 99.94%, while LSTM performed slightly better with 99.96%, the hybrid CNN-LSTM outperformed both with 99.97% accuracy, precision, and recall, confirming that combining CNN’s spatial learning with LSTM’s temporal sequence modeling leads to superior detection. This study highlights the advantage of hybrid deep learning in network security, reducing both false positives and false negatives. It also provides a practical framework for building IDS capable of adapting to modern attack patterns. Future extensions could focus on real-time implementation, multi-class detection of different attack categories, and explainable AI for improved transparency.

Chapter 26 - Intrusion Prevention and Detection Systems

Chapter 5 - Intrusion Prevention and Detection Systems

Unprecedented security challenges were offered by the rapid evolution of 6G networks. These unprecedented security challenges, especially segmented attacks (SA), exploit network susceptibilities. Here, advanced detection and migration methods are needed to ensure robust security. Here, the limited potential of the limited feature extraction (FE) and feature classification of the intrusion detection (ID) systems (IDS) may result in the lack of real‐time (RT) adaptability. This IDS also fails to detect advanced segmentation‐based threats accurately. For 6G networks, an AI‐driven intrusion detection system (IDS) with deep packet inspection (AI‐IDS‐DSP) is suggested in this paper. This suggested method will assist in overcoming those limitations. Then, the digital signal processing (DSP) techniques are also integrated into this suggested method, and this integration will help in analyzing signal anomalies. Those DSP methods include wavelet transforms (WT) and Fourier transforms (FT). Then, the hybrid AI model (CNN + Transformer) is utilized by the suggested method for the purpose of anomaly detection (AD). The application of reinforcement learning (RL) may enhance the adaptive security measures in the RT. Finally, the sensitive financial transactions are secured by the suggested robust network security (NS) method. This suggested NS application will help in preventing single account (SA) issues and offers proactive detection. The data integrity (DI) in university financial management systems were also implemented by this suggested NS method.

Blockchain and federated learning-based intrusion detection approaches for edge-enabled industrial IoT networks: a survey

Accurate identification of network intrusions is one of the biggest challenges of Network Intrusion Detection (NID) systems. In recent years Machine learning classification techniques have been used to precisely identify network intrusion. However, the multi class distribution in network intrusion detection system has found to be highly skewed, leading to classification accuracy problem due to class imbalance data set. The work presented in this paper not only explores the role of the attribute selection in improving classification accuracy but also investigates the problem of class imbalance using the Synthetic Minority Over-sampling (SMOTE) and under sampling of major classes. The classification performance is then evaluated over several types of classifiers. The outcome of this work is that for the class imbalance data set the under-sampling technique is more effective than SMOTE in detecting minor classes. It has also found during this research work that the decision tree algorithms (JRIP) and Naïve Bayes are more accurate classifiers as compared to the Radial basis neural network and support vector machine. However no single algorithm can be used for the classification of multiclass and it is proposed in this research work that combination of classifier consisting of Naïve Bayes and JRIP could be used for the classification of minor classes in an imbalance class data set of intrusion detection system.

The network security is getting more important due to the wide-spread computer viruses and increasing network attacks. Nowadays, more and more security mechanisms, such as firewalls and intrusion detection systems (IDS), are introduced to protect the network from malicious attacks. This paper proposes an agent and service based intrusion detection and response system for active network. In contrast to a traditional passive network, an active network gives the nodes programmable ability to exercise various active network technologies. The intrusion response, service deployment, and service update mechanisms are centered on this technology. The proposed model of intrusion detection and response system (IDRS) catches network attacks and responses to stop the attacks at the first time to reduce the damage. Detecting, reporting, and responding capabilities are all embedded and integrated in the proposed system. A prototype system is developed using a novel data mining technology (the support vector machine) to enhance the detection function. In addition, several experiments were conducted to verify the system and results showed that the system was able to effectively identify the intrusions and respond promptly. Experiments also showed that the support vector machine outperforms the competitive neural networks in identifying the intrusions.

Intrusion detection and prevention are security measures used to detect and prevent cybersecurity risks to computer systems, networks, infrastructure resources, and others. Intrusion detection and prevention systems automatically detect and respond to cybersecurity risks in order to reduce potential risks through threat event attacks. They use different methods for a successful execution. In this context, the signature-based approach that corresponds to known threat event attacks is used, or the anomaly-based detection that compares definitions of what activity is considered normal against observed threat event attacks, to identify significant deviations. Other methods are the stateful protocol analysis, which compares predetermined profiles of general accepted definitions of benign protocol activities for each protocol state against observed events, to identify deviations, or the hybrid system approach that combines some or all of the other methodologies to detect and respond to cybersecurity risks, and others. However, the need of intrusion detection and prevention systems architectures require distinguished decisions to the essential methodology used and the deployed system architecture. Against this background, this chapter seeks to offer a clear explanation of respective methodologies and comparing theses methodologies with regard to effectivity and efficiency. This requires (i) a discussion regarding the importance of intrusion detection and prevention to combat against threat event attack risks, malicious threat event attacks, by logging information about them and attempt to stop this, and (ii) reporting the identified malicious threat event attacks to the cybersecurity response team. Furthermore, investigation of threat event attacks is done, because threat event actor’s seeking out computer systems, networks, and infrastructure resources to exploit vulnerabilities and to attack, causing serious problems for threat event attacks for the targeted industrial, public, and private organizations. Therefore, Intrusion Detection and Prevention Systems (IDPSs) are a valuable approach in keeping information systems secure against malicious threat event attack risks by monitoring, analyzing, and responding to possible cybersecurity violations against computer systems, networks, or infrastructure resources. The violations may result from attempts by unauthorized intruders that try to compromise the computer systems, networks, infrastructure resources, and others. These intruders can be privileged internal users that misuse their authority, or external single cyberattackers or attacker-groups. In this context, Chap. 3 introduces in Sect. 3.1 in the specific background of intrusion detection methods and in Sect. 3.1.1 in the specific characteristics and capabilities of the different intrusion detection forms and their advantages and disadvantages. Thus, anomaly detection is part of Sect. 3.1.2, while Sect. 3.1.3 refers to misuse intrusion detection, and Sect. 3.1.4 focuses on advantages and disadvantages of anomaly and misuse intrusion detection forms. Section 3.1.5 refers to the Specification-based Intrusion Detection, which combines the strength of anomaly and misuse detection, and Sect. 3.1.6 refers to the characteristics of intrusion detection types. The focus of Sect. 3.1.7 is on intrusion detection systems and its architecture. In this sense, Sect. 3.2 focusses on intrusion prevention, whereby Sect. 3.2.1 describes the intrusion prevention system, while Sect. 3.2.2 focuses on the architecture of the intrusion prevention system. Section 3.3 refers to the intrusion detection and prevention system architecture and the respective performance measures as constraints for the proof of concept approach. Section 3.4 introduces the intrusion detection capability metric, which includes the necessity developing the respective detection approach to detect known and unknown threat event attacks. Finally, Sect. 3.5 summarizes the intrusion detection and intrusion prevention approaches, concerning a stable and resilient system operation. Section 3.6 contains comprehensive questions from the topics intrusion detection and intrusion prevention methodologies and architectures, while reference section refers to references for further reading.