UNSW-NB15 Dataset Research Articles

Efficient anomaly detection in tabular cybersecurity data using large language models

In cybersecurity, anomaly detection in tabular data is essential for ensuring information security. While traditional machine learning and deep learning methods have shown some success, they continue to face significant challenges in terms of generalization. To address these limitations, this paper presents an innovative method for tabular data anomaly detection based on large language models, called “Tabular Anomaly Detection via Guided Prompts” (TAD-GP). This approach utilizes a 7-billion-parameter open-source model and incorporates strategies such as data sample introduction, anomaly type recognition, chain-of-thought reasoning, multi-turn dialogue, and key information reinforcement. Experimental results indicate that the TAD-GP framework improves F1 scores by 79.31%, 97.96%, and 59.09% on the CICIDS2017, KDD Cup 1999, and UNSW-NB15 datasets, respectively. Furthermore, the smaller-scale TAD-GP model outperforms larger models across multiple datasets, demonstrating its practical potential in environments with constrained computational resources and requirements for private deployment. This method addresses a critical gap in research on anomaly detection in cybersecurity, specifically using small-scale open-source models.

Enhanced Deep Autoencoder-Based Reinforcement Learning Model with Improved Flamingo Search Policy Selection for Attack Classification

Intrusion detection has been a vast-surveyed topic for many decades as network attacks are tremendously growing. This has heightened the need for security in networks as web-based communication systems are advanced nowadays. The proposed work introduces an intelligent semi-supervised intrusion detection system based on different algorithms to classify the network attacks accurately. Initially, the pre-processing is accomplished using null value dropping and standard scaler normalization. After pre-processing, an enhanced Deep Reinforcement Learning (EDRL) model is employed to extract high-level representations and learn complex patterns from data by means of interaction with the environment. The enhancement of deep reinforcement learning is made by associating a deep autoencoder (AE) and an improved flamingo search algorithm (IFSA) to approximate the Q-function and optimal policy selection. After feature representations, a support vector machine (SVM) classifier, which discriminates the input into normal and attack instances, is employed for classification. The presented model is simulated in the Python platform and evaluated using the UNSW-NB15, CICIDS2017, and NSL-KDD datasets. The overall classification accuracy is 99.6%, 99.93%, and 99.42% using UNSW-NB15, CICIDS2017, and NSL-KDD datasets, which is higher than the existing detection frameworks.

An Improved Binary Simulated Annealing Algorithm and TPE-FL-LightGBM for Fast Network Intrusion Detection

With the rapid proliferation of the Internet, network security issues that threaten users have become increasingly severe, despite the widespread benefits of Internet access. Most existing intrusion detection systems (IDS) suffer from suboptimal performance due to data imbalance and feature redundancy, while also facing high computational complexity in areas such as feature selection and optimization. To address these challenges, this study proposes a novel network intrusion detection method based on an improved binary simulated annealing algorithm (IBSA) and TPE-FL-LightGBM. First, by integrating Focal Loss into the loss function of the LightGBM classifier, we introduce cost-sensitive learning, which effectively mitigates the impact of class imbalance on model performance and enhances the model’s ability to learn difficult-to-classify samples. Next, significant improvements are made to the simulated annealing algorithm, including adaptive adjustments of the initial temperature and Metropolis criterion, the incorporation of multi-neighborhood search strategies, and the integration of an S-shaped transfer function. These improvements enable the IBSA method to achieve efficient optimal feature selection with fewer iterations. Finally, the Tree-structured Parzen Estimator (TPE) algorithm is employed to optimize the structure of the FL-LightGBM classifier, further enhancing its performance. Through comprehensive visual analysis, ablation studies, and comparative experiments on the NSL-KDD and UNSW-NB15 datasets, the reliability of the proposed network intrusion detection method is validated.

XI2S-IDS: An Explainable Intelligent 2-Stage Intrusion Detection System

The rapid evolution of technologies such as the Internet of Things (IoT), 5G, and cloud computing has exponentially increased the complexity of cyber attacks. Modern Intrusion Detection Systems (IDSs) must be capable of identifying not only frequent, well-known attacks but also low-frequency, subtle intrusions that are often missed by traditional systems. The challenge is further compounded by the fact that most IDS rely on black-box machine learning (ML) and deep learning (DL) models, making it difficult for security teams to interpret their decisions. This lack of transparency is particularly problematic in environments where quick and informed responses are crucial. To address these challenges, we introduce the XI2S-IDS framework—an Explainable, Intelligent 2-Stage Intrusion Detection System. The XI2S-IDS framework uniquely combines a two-stage approach with SHAP-based explanations, offering improved detection and interpretability for low-frequency attacks. Binary classification is conducted in the first stage followed by multi-class classification in the second stage. By leveraging SHAP values, XI2S-IDS enhances transparency in decision-making, allowing security analysts to gain clear insights into feature importance and the model’s rationale. Experiments conducted on the UNSW-NB15 and CICIDS2017 datasets demonstrate significant improvements in detection performance, with a notable reduction in false negative rates for low-frequency attacks, while maintaining high precision, recall, and F1-scores.

SecEdge: A novel deep learning framework for real-time cybersecurity in mobile IoT environments.

The rapid growth of Internet of Things (IoT) devices presents significant cybersecurity challenges due to their diverse and resource-constrained nature. Existing security solutions often fall short in addressing the dynamic and distributed environments of IoT systems. This study aims to propose a novel deep learning framework, SecEdge, designed to enhance real-time cybersecurity in mobile IoT environments. The SecEdge framework integrates transformer-based models for efficient handling of long-range dependencies and Graph Neural Networks (GNNs) for modeling relational data, coupled with federated learning to ensure data privacy and reduce latency. The adaptive learning mechanism continuously updates model parameters to counter evolving cyber threats. The framework's performance was evaluated in a simulation environment using the NSL-KDD, UNSW-NB15, and CICIDS2017 datasets. Results demonstrated that SecEdge outperformed state-of-the-art methods with a detection rate of 98.8% for DoS attacks on NSL-KDD, 98.5% for MitM attacks on UNSW-NB15, and 98.7% for data injection attacks on CICIDS2017.

Enhancing Intrusion Detection with Cuckoo Search Optimized XGBoost Classifier for Network Traffic Analysis

An Intrusion Detection System (IDS) is crucial for ensuring network security by identifying and mitigating malicious activities. With the rise in interconnected systems, vulnerabilities have become a significant concern, requiring advanced detection mechanisms. Machine learning techniques, with their ability to identify patterns and anomalies, offer a promising approach for anomaly based IDS. This paper introduces a novel intrusion detection model combining the Cuckoo Search Algorithm (CSA) and the XGBoost classifier. This hybrid approach effectively analyzes network traffic and detects intrusions by leveraging the strengths of both methods. The model is trained and evaluated using the UNSW NB15 dataset, achieving a commendable accuracy of 92.06%. Key contributions include handling missing values, outlier analysis, one hot encoding, and feature scaling to enhance detection performance. The proposed model demonstrates superior results compared to existing techniques, offering an efficient solution for securing network infrastructures.

WSN intrusion detection method using improved spatiotemporal ResNet and GAN

Abstract A network intrusion detection method that integrates improved spatiotemporal residual network and generative adversarial network (GAN) in a big data environment is proposed to address the issues of poor feature extraction and significant impact from data imbalance in most existing intrusion detection methods. First, GANs are used for wireless sensor network data resampling to generate new sample sets, thereby overcoming the impact of data imbalance. Then, an improved spatiotemporal residual network model is designed, in which the spatial and temporal features of the data are extracted and fused through multi-scale one-dimensional convolution modules and gated loop unit modules, and identity maps are added based on the idea of residual networks to avoid network degradation and other issues. Finally, the resampled samples are input into the improved spatiotemporal residual network model to output the intrusion detection results of the network. Based on the NSL-KDD, UNSW-NB15, and CICIDS2017 datasets, experimental analysis is conducted on the proposed method. The results showed that its accuracy on the three datasets is 99.62, 83.98, and 99.86%, respectively, which are superior to other comparative methods.

Internet of vehicles intrusion detection method based on CFS-COA feature selection and spatio-temporal feature extraction

Abstract With the rapid spread of the Internet of Vehicles (IoV) technology, vehicle network security is facing increasingly severe challenges. Intrusion detection technology has become a crucial tool for ensuring the information security of IoV. Since the traffic data of the IoV is large and has spatio-temporal characteristics, most previous studies are based on a single deep learning method to extract temporal or spatial features, which does not fully extract features of IoV data. To address the above issues, a spatio-temporal feature extraction model with feature selection is proposed. First, to solve the problem of long detection time with huge data traffic, a new feature selection method is proposed to screen the optimal feature subset by combining the correlation-based feature selection method with the crayfish optimization algorithm (CFS-COA). Second, the selected optimal features are used in a spatio-temporal feature extraction model that combines a Temporal Convolutional Network and a Bidirectional Gated Recurrent Unit (TCN-BiGRU) for classification. Finally, the performance of the model is evaluated using two types of datasets: the NSL-KDD and UNSW-NB15 datasets for external communications, and the Car-Hacking dataset for in-vehicle networks. The experimental results indicate that the proposed model demonstrates high classification performance and lightweight characteristics, achieving 100% accuracy on the Car-Hacking dataset.

Deep Learning Approaches for IoT Intrusion Detection Systems

The Internet of Things (IoT) has had a substantial impact on a number of industries, including smart cities, the medical field, the automotive industry, and logistics tracking. But along with the IoT's advantages come security worries that are proliferating more and more. Deep learning-based Intelligent Network Intrusion Detection Systems (NIDS) have been created to detect continually evolving network threats and trends in order to address this issue. Six alternative deep learning algorithms, including CNN, RNN, and DNN architectures, are used in this research to present a novel anomaly-based solution for IoT networks. Three distinct intrusion detection datasets were used to evaluate the algorithms, and the findings revealed that the hybrid method performed better than the others in terms of accuracy. In particular, the hybrid algorithm had a 99.13% accuracy on the UNSW-NB15 dataset, an 89.01% accuracy on the IoTID20 dataset, and a 90.83% accuracy on the BoTNeTIoT-L01-v2 dataset. These results point to the suggested hybrid algorithm as superior to previous algorithms and a potential intrusion detection method for Internet of Things networks.

Intelligent Analysis and Prediction of Computer Network Security Logs Based on Deep Learning

Since the beginning of the 21st century, the development of computer networks has been advancing rapidly, and the world has gradually entered a new era of digital connectivity. While enjoying the convenience brought by digitization, people are also facing increasingly serious threats from network security (NS) issues. Due to the significant shortcomings in accuracy and efficiency of traditional Long Short-Term Memory (LSTM) neural networks (NN), different scholars have conducted research on computer NS situation prediction methods to address the aforementioned issues of traditional LSTM based NS situation prediction algorithms. Although these algorithms can improve the accuracy of NS situation prediction to a certain extent, there are still some limitations, such as low computational efficiency, low accuracy, and high model complexity. To address these issues, new methods and techniques have been proposed, such as using NN and machine learning techniques to improve the accuracy and efficiency of prediction models. This article referred to the Bidirectional Gated Recurrent Unit (BiGRU) improved by Gated Recurrent Unit (GRU), and introduced a multi model NS situation prediction algorithm with attention mechanism. In addition, the improved Particle Swarm Optimization (PSO) algorithm can be utilized to optimize hyperparameters and improve the training efficiency of the GRU NN. The experimental results on the UNSW-NB15 dataset show that the algorithm had an average absolute error of 0.0843 in terms of NS prediction accuracy. The RMSE was 0.0932, which was lower than traditional prediction algorithms LSTM and GRU, and significantly improved prediction accuracy.

Hybrid Learning Model for intrusion detection system: A combination of parametric and non-parametric classifiers

The growing digital transformation has increased the need for effective intrusion detection systems. Traditional intrusion detection systems face challenges in accurately classifying complex patterns. To address this issue, this study proposed a Hybrid Learning Model (HLM) that combines both parametric and non-parametric classifiers. The proposed HLM consist of two stages: the first stage employs a non-parametric Base Learner (np-BL) to analyze the data patterns and the second stage involves meta-modelling to generalize the overall performance of the model, named the Parametric Meta-Learning (PML) model. The proposed HLM blends the outcomes of np-BL and PML models using a stacking ensemble. As a base learning model K-Nearest Neighbors (KNN), Decision Tree (DT), Random Forest (RF), Gradient Boosting Machine (GBM), and Support Vector Classification with Radial Basis Function (SVC-RBF), are adopted from a non-parametric classifier group. The parametric classifiers Logistic Regression (LR), Naïve Bayes Classifier (NBC), Linear Discriminant Analysis (LDA), Quadratic Discriminant Analysis (QDA) and Support Vector Machine with linear kernel (Linear SVM) were used as meta-models. The HLM, as proposed, enhances the adaptability and robustness of the model by combining non-parametric and parametric models. To evaluate the competence of the proposed HLM, a performance analysis was conducted using the NSL-KDD, UNSW-NB15, and CICIDS2017 datasets. The effectiveness was assessed using various metrics, including classification accuracy, precision, recall, F1-Score (F1), Receiver Operating Characteristic (ROC) curve, Detection Rate (DR), and False Alarm Rate (FAR). The proposed HLM achieves a better accuracy rate across different datasets when compared with the existing models. The achieved accuracies are 99.02 %, 99.98 % and 99.63 % for the NSL-KDD, UNSW-NB15, and CICIDS2017 datasets respectively. Furthermore, the HLM gave a significant reduction in FAR, with values of 0.0126, 0.0001, and 0.0016 for the above-mentioned datasets.

Intrusion Detection: A Comparison Study of Machine Learning Models Using Unbalanced Dataset

The worldwide process of converting most activities of both corporate and non-corporate entities into digital formats is now firmly established. Machine learning models are necessary to serve as a tool for preventing illegal intrusion onto different networks. The machine learning (ML) model's strengths and drawbacks pertain to intrusion detection (IDS) tasks. This study used an experimental methodology to assess the efficacy of various ML models, including linear SVC, LR, random forest (RF), decision tree (DT), and XGBoost, in detecting intrusion on the UNSW NB15 datasets. The objective is to compare the strengths and shortcomings of these models. Data exploration, Feature engineering, selection and a test set of 15%, a validation set of 15%, and a training set of 70% respectively were used for data splitting. Performance evaluation was carried out using accuracy, recall, precision F1-score and confusion matrix plotted. The outcome of the experiment shows a percentage of 92.71% (1, normal) and 7.29% (0, attack) for normal traffic and attack traffic respectively. Performance evaluation results showed that RF and XGBoost outperformed the other ML models. Hence, ML models can effectively be used to detect system attacks. We intend to expand this research in the future and use the paradigm in a real-world setting with further conclusions and justifications.

I-MPaFS: enhancing EDoS attack detection in cloud computing through a data-driven approach

Cloud computing offers cost-effective IT solutions but is susceptible to security threats, particularly the Economic Denial of Sustainability (EDoS) attack. EDoS exploits cloud elasticity and the pay-per-use billing model, forcing users to incur unnecessary costs. This research introduces the Integrated Model Prediction and Feature Selection (I-MPaFS) framework to address EDoS attacks. I-MPaFS framework enhances an existing dataset to improve performance, using the generated data to build a Random Forest model for EDoS detection. Our investigation employs the UNSW-NB15, CSE-CIC-IDS18 and NSL-KDD datasets, demonstrating the proposed method’s superiority over existing techniques. The model achieved recall scores of 99.45% on the UNSW-NB15 dataset, 98.19% on the CSE-CIC-IDS18 dataset, and 99.82% on the NSL-KDD dataset, highlighting its reliability and efficacy in safeguarding cloud users from financial exploitation. This study contributes to the field by evaluating current EDoS detection methods, introducing the I-MPaFS framework, validating its performance with benchmark datasets, and comparing its effectiveness against state-of-the-art techniques. The findings affirm the significant potential of I-MPaFS in enhancing cloud security and protecting users from EDoS attacks.

An Improved Design for a Cloud Intrusion Detection System Using Hybrid Features Selection Approach with ML Classifier

The rapid adoption of cloud computing has introduced new security concerns, particularly regarding data privacy and protection from sophisticated cyberattacks. Intrusion Detection Systems (IDSs) based on Machine Learning (ML) offer improved detection of malicious behaviour in network traffic. However, existing IDS solutions struggle with large-dimensional data and imbalanced datasets, resulting in higher false positive rates (FPR) and reduced detection rates (DR). In this paper, we propose an improved Cloud IDS leveraging a hybrid features selection approach using Information Gain (IG), Chi-square (CS), and Particle Swarm Optimization (PSO). To address the challenge of imbalanced datasets, the Synthetic Minority Over-sampling Technique (SMOTE) is employed. The Random Forest (RF) classifier is used to detect and classify attacks. The system is evaluated on the UNSW-NB15 and Kyoto datasets, achieving accuracies of over 98% and 99%, respectively, outperforming other methods in terms of detection accuracy.

Nelder-Mead Optimized Weighted Voting Ensemble Learning for Network Intrusion Detection

The rise in internet usage and data transfer rates has led to numerous anomalies. Hence, anomaly-based intrusion detection systems (IDS) are essential in cybersecurity because of their ability to identify unknown cyber-attacks, especially zero-day attacks that signature-based IDS cannot detect. This study proposes an ensemble classification for intrusion detection using a weighted soft voting system with KNN, XGBoost, and Random Forest base models. The base model weights are optimized using the Nelder-Mead simplex method to improve the overall ensemble performance. We propose a robust intrusion detection framework that uses soft-voting classifier-level weights optimized using the Nelder-Mead algorithm and feature selection. We evaluated the system's performance using the KDD99 and UNSW-NB15 datasets, which demonstrated that the proposed approach exceeded other existing methods in respect of accuracy and provided comparable results with fewer features. The proposed system and its hyperparameter optimization technique were compared with other cyber threat detection and mitigation systems to determine their relative effectiveness and efficiency.

A Data-Driven Approach for Classifying and Predicting DDoS Attacks with Machine Learning

The importance of IoT security is growing as a result of the growing number of IoT devices and their many applications. Distributed denial of service (DDoS) assaults on IoT systems have become more frequent, sophisticated, and of a different kind, according to recent research on network security, making DDoS one of the most formidable dangers. Real, lucrative, and efficient cybercrimes are carried out using DDoS attacks. One of the most dangerous types of assaults in network security is the DDoS attack. ML-based DDoS-detection systems continue to face obstacles that negatively impact their accuracy. AI, which incorporates ML to detect cyberattacks, is the most often utilised approach for these goals. In this study, it is suggested that DDoS assaults in Software-Defined Networking be identified and countered using ML approaches. The F1-score, recall, accuracy, and precision of many ML techniques, including Cat Boost and Extra Tree classifier, are compared in the suggested model. DDoS-Net is designed to handle data imbalance effectively and incorporates thorough feature analysis to enhance the model's detection capabilities. Evaluation on the UNSW-NB15 dataset demonstrates the exceptional performance of DDoS-Net. The highest accuracy achieved by the machine learning algorithms Cat Boost and Extra Tree classifier is 90.78% and 90.27% respectively using the most familiar dataset. This work presents a strong and precise approach for DDoS attack detection, which greatly improves the cybersecurity environment and strengthens digital infrastructures against these ubiquitous threats.

Toward data efficient anomaly detection in heterogeneous edge–cloud environments using clustered federated learning

Anomaly detection in edge–cloud scenarios stands as a critical means to ensure the security of network environment. Federated learning (FL)-based anomaly detection combines multiple data sources and ensures data privacy, making it a promising distributed detection method. However, FL-based anomaly detection system is usually affected by data heterogeneity and data bias, resulting in the inefficiency of data used for FL and the decline of detection performance. We propose an iterative federated clustering ensemble algorithm named IFCEA, in which we (1) establish a committee on the devices, and select the optimal participation for each device based on the evaluations of committee; (2) filter the clusters based on committee results, and exclude the biased clusters; (3) design an aggregation weight that reflects the degree of local distribution balance; (4) present a novel cluster initialization method, OneBiPartition, which adapts to the number of clusters and commences clustering federated task efficiently. IFCEA enhances the data quality used in FL-based anomaly detection system from two perspectives: device selection and participation weights, effectively addressing the issues of data heterogeneity and data bias faced during the FL training phase. Extensive experimental results on five network traffic datasets (the UNSW-NB15, CIC-IDS2017, CIC-IDS2018, CIC-DDoS2019 and BCCC-DDoS2024 datasets) demonstrate that our proposed framework outperforms in terms of detection metrics and convergence performance.

An effective method for anomaly detection in industrial Internet of Things using XGBoost and LSTM

In recent years, with the application of Internet of Things (IoT) and cloud technology in smart industrialization, Industrial Internet of Things (IIoT) has become an emerging hot topic. The increasing amount of data and device numbers in IIoT poses significant challenges to its security issues, making anomaly detection particularly important. Existing methods for anomaly detection in the IIoT often fall short when dealing with data imbalance, and the huge amount of IIoT data makes feature selection challenging and computationally intensive. In this paper, we propose an optimal deep learning model for anomaly detection in IIoT. Firstly, by setting different thresholds of eXtreme Gradient Boosting (XGBoost) for feature selection, features with importance above the given threshold are retained, while those below are ignored. Different thresholds yield different numbers of features. This approach not only secures effective features but also reduces the feature dimensionality, thereby decreasing the consumption of computational resources. Secondly, an optimized loss function is designed to study its impact on model performance in terms of handling imbalanced data, highly similar categories, and model training. We select the optimal threshold and loss function, which are part of our optimal model, by comparing metrics such as accuracy, precision, recall, False Alarm Rate (FAR), Area Under the Receiver Operating Characteristic Curve (AUC-ROC), and Area Under the Precision–Recall Curve (AUC-PR) values. Finally, combining the optimal threshold and loss function, we propose a model named MIX_LSTM for anomaly detection in IIoT. Experiments are conducted using the UNSW-NB15 and NSL-KDD datasets. The proposed MIX_LSTM model can achieve 0.084 FAR, 0.984 AUC-ROC, and 0.988 AUC-PR values in the binary anomaly detection experiment on the UNSW-NB15 dataset. In the NSL-KDD dataset, it can achieve 0.028 FAR, 0.967 AUC-ROC, and 0.962 AUC-PR values. By comparing the evaluation indicators, the model shows good performance in detecting abnormal attacks in the Industrial Internet of Things compared with traditional deep learning models, machine learning models and existing technologies.

Ensemble and Gossip Learning-Based Framework for Intrusion Detection System in Vehicle-to-Everything Communication Environment.

Autonomous vehicles are revolutionizing the future of intelligent transportation systems by integrating smart and intelligent onboard units (OBUs) that minimize human intervention. These vehicles can communicate with their environment and one another, sharing critical information such as emergency alerts or media content. However, this communication infrastructure is susceptible to cyber-attacks, necessitating robust mechanisms for detection and defense. Among these, the most critical threat is the denial-of-service (DoS) attack, which can target any entity within the system that communicates with autonomous vehicles, including roadside units (RSUs), or other autonomous vehicles. Such attacks can lead to devastating consequences, including the disruption or complete cessation of service provision by the infrastructure or the autonomous vehicle itself. In this paper, we propose a system capable of detecting DoS attacks in autonomous vehicles across two scenarios: an infrastructure-based scenario and an infrastructureless scenario, corresponding to vehicle-to-everything communication (V2X) Mode 3 and Mode 4, respectively. For Mode 3, we propose an ensemble learning (EL) approach, while for the Mode 4 environment, we introduce a gossip learning (GL)-based approach. The gossip and ensemble learning approaches demonstrate remarkable achievements in detecting DoS attacks on the UNSW-NB15 dataset, with efficiencies of 98.82% and 99.16%, respectively. Moreover, these methods exhibit superior performance compared to existing schemes.

Hybrid intrusion detection models based on GWO optimized deep learning

In the rapidly evolving landscape of network communication systems, the need for robust security measures has become paramount due to increased vulnerability to cyber threats. Traditional Intrusion Detection Systems (IDSs) face challenges in efficiently handling redundant features, leading to increased computational complexity. This research addresses these challenges by proposing two optimized IDSs leveraging Grey Wolf Optimization (GWO) combined with deep learning (DL) models. The first system integrates Gated Recurrent Unit (GRU) with GWO (GRU-GWO), while the second utilizes Long Short-Term Memory (LSTM) with GWO (LSTM-GWO). These systems aim to enhance feature selection, reducing dimensionality and improving detection accuracy. The NSL-KDD and UNSW-NB15 datasets, representative of contemporary network environments, were employed to evaluate the proposed systems. Experimental results demonstrate significant improvements in intrusion detection accuracy and computational efficiency, underscoring the efficacy of the DL-GWO approach in enhancing network security. The first approach (GRU-GWO-FS) increased accuracy to 90% and 79% for anomaly and signature-based detection on the UNSW-NB15 dataset, compared to 80% and 77% with all features. The second approach (LSTM-GWO-FS) achieved 93% and 79%, compared to 82% and 77%. On the NSL-KDD dataset, GRU-GWO-FS improved accuracy to 94% and 92%, and LSTM-GWO-FS to 94% and 92% for anomaly and signature-based detection, respectively.