Network Anomaly Intrusion Detection Based on Deep Learning Approach
Abstract
:1. Introduction
- This paper uses NVIDIA GPU to accelerate the training procedure. We used the complete CSE-CIC-IDS2018 dataset to reflect the current network traffic conditions in our experiments, with a focus on data preprocessing, to provide comprehensive test results. We adopted the DNN, CNN, RNN, LSTM, CNN + RNN and CNN + LSTM models to handle binary and multi-class classification tasks. When using the proposed appropriate data preprocessing methods and systematically tune hyperparameters of all six models, the accuracy of all models was found to be above 98%. Compared with the IDS of other papers, the proposed model effectively improves the detection performance.
- Along with the empirical demonstration, the inference time for the combinations of CNN + RNN and CNN + LSTM is longer than that of the individual DNN, RNN and CNN. When considering the implementation of the algorithm in the IDS device, we conclude that individual DNN, RNN and CNN are better than CNN + RNN and CNN + LSTM.
2. Related Work
3. Methodology
3.1. CSE-CIC-IDS2018 Dataset
3.2. Data Preprocessing
3.2.1. Data Merging
3.2.2. Data Cleaning
3.2.3. Data Transformation and Split
3.2.4. Numerical Normalization
3.3. Deep Learning Models
3.3.1. DNN
3.3.2. CNN
3.3.3. RNN
3.3.4. LSTM
3.3.5. CNN + RNN
3.3.6. CNN + LSTM
3.4. Evaluation Metrics
4. Experimental Results and Analysis
4.1. Experimental Environment
4.2. Results and Analysis
4.2.1. Evaluation of Multi-Class Classification
4.2.2. Evaluation of Binary Classification
5. Conclusions
Author Contributions
Funding
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Acronis Cyberthreats Report 2022: 20 Billion USD in Damage from Ransomware and other Cyber Attacks. Available online: https://www.acronis.com/en-eu/pr/2021/12/09-13-43.html (accessed on 10 April 2022).
- FBI Statement on Incident Involving Fake Emails. Available online: https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-incident-involving-fake-emails (accessed on 11 April 2022).
- Yi, T.; Chen, X.; Zhu, Y.; Ge, W.; Han, Z. Review on the Application of Deep Learning in Network Attack Detection. J. Netw. Comput. Appl. 2023, 212, 103580. [Google Scholar] [CrossRef]
- Gopinath, M.; Sethuraman, S.C. A Comprehensive Survey on Deep Learning based Malware Detection Techniques. Comput. Sci. Rev. 2023, 47, 100529. [Google Scholar]
- Ferrag, M.A.; Maglaras, L.; Moschoyiannis, S.; Janicke, H. Deep Learning for Cyber Security Intrusion Detection: Approaches Datasets and Comparative Study. J. Inf. Secur. Appl. 2020, 50, 102419. [Google Scholar] [CrossRef]
- Mezina, A.; Burget, R.; Travieso-González, C.M. Network Anomaly Detection with Temporal Convolutional Network and U-Net model. IEEE Access 2021, 9, 143608–143622. [Google Scholar] [CrossRef]
- Sharafaldin, I.; Lashkari, A.H.; Ghorbani, A.A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. ICISSp 2018, 1, 108–116. [Google Scholar]
- Leevy, J.L.; Khoshgoftaar, T.M. A Survey and Analysis of Intrusion Detection Models based on CSE-CIC-IDS2018 Big Data. J. Big Data 2020, 7, 1–19. [Google Scholar] [CrossRef]
- Xiao, Y.; Xing, C.; Zhang, T.; Ahao, Z. An Intrusion Detection Model based on Feature Reduction and Convolutional Neural Networks. IEEE Access 2019, 7, 42210–42219. [Google Scholar] [CrossRef]
- Yang, H.; Wang, F. Wireless Network Intrusion Detection based on Improved Convolutional Neural Network. IEEE Access 2019, 7, 64366–64374. [Google Scholar] [CrossRef]
- Lin, P.; Ye, K.; Xu, C.Z. Dynamic Network Anomaly Detection System by Using Deep Learning Techniques. In Proceedings of the Cloud Computing–CLOUD 2019: 12th International Conference, Held as Part of the Services Conference Federation, SCF 2019, San Diego, CA, USA, 25–30 June 2019; pp. 161–176. [Google Scholar]
- Karatas, G.; Demir, O.; Sahingoz, O.K. Increasing the Performance of Machine Learning-based IDSs on an Imbalanced and Up-to-Date Dataset. IEEE Access 2020, 8, 32150–32162. [Google Scholar] [CrossRef]
- Hu, Z.; Wang, L.; Li, Y.; Yang, W. A Novel Wireless Network Intrusion Detection Method based on Adaptive Synthetic Sampling and an Improved Convolutional Neural Network. IEEE Access 2020, 8, 195741–195751. [Google Scholar] [CrossRef]
- Jiang, K.; Wang, W.; Wang, A.; Wu, H. Network Intrusion Detection Combined Hybrid Sampling with Deep Hierarchical Network. IEEE Access 2020, 8, 32464–32476. [Google Scholar] [CrossRef]
- Jiang, F.; Fu, Y.; Gupta, B.B.; Liang, Y.; Rho, S.; Lou, F.; Meng, F.; Tian, Z. Deep Learning Based Multi-Channel Intelligent Attack Detection for Data Security. IEEE Trans. Sustain. Comput. 2020, 5, 204–212. [Google Scholar] [CrossRef]
- Malik, J.; Akhunzada, A.; Bibi, I.; Imran, M.; Musaddiq, A.; Kim, S.W. Hybrid Deep Learning: An Efficient Reconnaissance and Surveillance Detection Mechanism in SDN. IEEE Access 2020, 8, 134695–134706. [Google Scholar] [CrossRef]
- Kim, J.; Kim, H.; Shim, M.; Choi, E. CNN-based Network Intrusion Detection Against Denial-of-Service Attacks. Electronics 2020, 9, 916. [Google Scholar] [CrossRef]
- Imrana, Y.; Xiang, Y.; Ali, L.; Abdul-Rauf, Z. A Bidirectional LSTM Deep Learning Approach for Intrusion Detection. Expert Syst. Appl. 2021, 185, 115524. [Google Scholar] [CrossRef]
- Laghrissi, F.; Douzi, S.; Douzi, K.; Hssina, B. Intrusion Detection Systems using Long Short-Term Memory (LSTM). J. Big Data 2021, 8, 65. [Google Scholar] [CrossRef]
- Aldhyani, T.H.H.; Alkahtani, H. Attacks to Automatous Vehicles: A Deep Learning Algorithm for Cybersecurity. Sensors 2022, 22, 360. [Google Scholar] [CrossRef]
- Tang, Y.; Gu, L.; Wang, L. Deep Stacking Network for Intrusion Detection. Sensors 2022, 22, 25. [Google Scholar] [CrossRef] [PubMed]
- CSE-CIC-IDS2018 on AWS. Available online: https://www.unb.ca/cic/datasets/ids-2018.html (accessed on 16 May 2022).
- Communications Security Establishment. Available online: https://www.cse-cst.gc.ca/en (accessed on 16 May 2022).
- Canadian Institute for Cybersecurity. Available online: https://www.unb.ca/cic/ (accessed on 16 May 2022).
- A Realistic Cyber Defense Dataset. Available online: https://registry.opendata.aws/cse-cic-ids2018/ (accessed on 16 May 2022).
- Liu, L.; Wang, P.; Lin, J.; Liu, L. Intrusion Detection of Imbalanced Network Traffic based on Machine Learning and Deep Learning. IEEE Access 2021, 9, 7550–7563. [Google Scholar] [CrossRef]
- The State of Data Science 2020 Moving from Hype Toward Maturity. Available online: https://www.anaconda.com/state-of-data-science-2020?utm_medium=press&utm_source=anaconda&utm_campaign=sods-2020&utm_content=report (accessed on 16 May 2022).
- Ioffe, S.; Szegedy, C. Batch Normalization: Accelerating Deep Network Training by Reducing Internal Covariate Shift. In Proceedings of the 32nd International Conference on Machine Learning, Lille, France, 6–11 July 2015; Volume 37, pp. 448–456. [Google Scholar]
- Powers, D.M. Evaluation: From Precision, Recall and F-measure to ROC Informedness Markedness and Correlation. J. Mach. Learn. Technol. 2011, 2, 1, 37–63. [Google Scholar]
- Glob. Available online: https://docs.python.org/3/library/glob.html (accessed on 23 May 2022).
- Pandas. Available online: https://pandas.pydata.org/ (accessed on 23 May 2022).
- Numpy. Available online: https://numpy.org/ (accessed on 23 May 2022).
- Nguyen, X.-H.; Nguyen, X.-D.; Huynh, H.-H.; Le, K.-H. Realguard: A Lightweight Network Intrusion Detection System for IoT Gateways. Sensors 2022, 22, 432. [Google Scholar] [CrossRef] [PubMed]
Paper | Year | Dataset | Methods | Classification | Accuracy |
---|---|---|---|---|---|
[9] | 2019 | CSE-CIC-IDS2018 | LSTM + AM | Multi-class | 96.19% |
[10] | 2019 | NSLKDD | Improved CNN | Multi-class | 95.36% |
[11] | 2019 | CSE-CIC-IDS2018 | LSTM | Multi-class | 96% |
[12] | 2020 | CSE-CIC-IDS2018 | Adaboost | Multi-class | 99.69% |
[5] | 2020 | CSE-CIC-IDS2018 | DNN, RNN, CNN | Multi-class | 97.28%, 97.31%, 97.38% |
[13] | 2020 | NSLKDD | ADASYN + CNN | Multi-class | 80.08% |
[14] | 2020 | NSL-KDD UNSW-NB15 | CNN + BiLSTM | Multi-class | 83.58% 77.16% |
[15] | 2020 | KDD99 | LSTM | Binary | 98.94% |
[16] | 2020 | CSE-CIC-IDS2017 | LSTM + CNN | Multi-class | 98.60% |
[17] | 2021 | KDD99 CSE-CIC-IDS2018 | TCN + LSTM | Multi-class | 92.05% 97.77% |
[6] | 2021 | KDD99 CSE-CIC-IDS2018 | TCN + LSTM | Multi-class | 92% 97% |
[18] | 2021 | NSLKDD | BiLSTM | Binary Multi-class | 94.26% 91.36% |
[19] | 2021 | KDD99 | LSTM | Binary | 98.88% |
[20] | 2022 | Collected data | CNN + LSTM | Multi-class | 97.30% |
[21] | 2022 | NSLKDD | DSN | Multi-class | 86.80% |
Attack | Attack Name |
---|---|
Bruteforce | FTP-Bruteforce and SSH-Bruteforce |
DoS | DoS-GoldenEye, DoS-Slowloris, DoS-SlowHTTPTest, and DoS-Hulk |
Web Attack | Brute Force-Web, Brute Force-XSS, and SQL Injection |
Infiltration | Infiltration |
Botnet | Bot |
DDoS | DDoS attacks-LOIC-HTTP, DDoS-LOIC-UDP, and DDOS-HOIC |
Original Data | Remove Non Attack Data | Remove Features | Outlier Padding | Remove Duplicate Data | Processed Data |
---|---|---|---|---|---|
16,233,002 rows × 84 columns | 59 rows | 14 columns | — | 5,369,992 rows | 10,862,951 rows × 70 columns |
16,232,943 rows × 84 columns | 16,232,943 rows × 70 columns | 16,232,943 rows × 70 columns | 10,862,951 rows × 70 columns |
Label | Training-Validation Set | Testing Set | ||
---|---|---|---|---|
Number | Proportion | Number | Proportion | |
Benign | 7,003,032 | 87.22% | 1,824,935 | 87.49% |
Attacks | 1,025,894 | 12.78% | 260,892 | 12.51% |
total | 8,028,926 | 100% | 2,085,827 | 100% |
Label | Training-Validation Set | Testing Set | ||
---|---|---|---|---|
Number | Proportion | Number | Proportion | |
Benign | 7,003,032 | 87.22% | 1,824,935 | 87.49% |
DDoS | 618,384 | 7.70% | 154,529 | 7.41% |
DoS | 156,525 | 1.95% | 39,443 | 1.89% |
Botnet | 114,647 | 1.43% | 28,786 | 1.38% |
Bruteforce | 75,434 | 0.94% | 18,619 | 0.89% |
Infiltration | 60,382 | 0.75% | 19,379 | 0.93% |
Web Attack | 522 | 0.01% | 136 | 0.01% |
total | 8,028,926 | 100% | 2,085,827 | 100% |
Hidden Layers | Total Number of Neurons | Units |
---|---|---|
1 | 256, 512, 768 | 256, 512, 768 |
2 | 256, 512, 768 | 256 (128 + 128), 512 (256 + 256), 768 (256 + 512) |
3 | 256, 512, 768 | 256 (64 + 64 + 128), 512 (128 + 128 + 256), 768 (256 + 256 + 256) |
4 | 256, 512, 768 | 256 (64 + 64 + 64 + 64), 512 (128 + 128 + 128 + 128), 768 (128 + 128 + 256 + 256) |
5 | 256, 512, 768 | 256 (32 + 32 + 64 + 64 + 64), 512 (64 + 64 + 128 + 128 + 128), 768 (128 + 128 + 128 + 128 + 256) |
Layers | Type | Output Shape | Number of Units | Activation Function | Parameters |
---|---|---|---|---|---|
0~1 | Dense | (None, 1, 64) | 64 | 4480 | |
1~2 | BN | (None, 1, 64) | 256 | ||
2~3 | Dropout | (None, 1, 64) | 0 | ||
3~4 | Dense | (None, 1, 64) | 64 | 4160 | |
4~5 | BN | (None, 1, 64) | 256 | ||
5~6 | Dropout | (None, 1, 64) | 0 | ||
6~7 | Dense | (None, 1, 64) | 64 | 4160 | |
7~8 | BN | (None, 1, 64) | 256 | ||
8~9 | Dropout | (None, 1, 64) | 0 | ||
9~10 | Dense | (None, 1, 32) | 32 | 2080 | |
10~11 | BN | (None, 1, 32) | 128 | ||
11~12 | Dropout | (None, 1, 32) | 0 | ||
12~13 | Dense | (None, 1, 32) | 32 | 1056 | |
13~14 | BN | (None, 1, 32) | 128 | ||
14~15 | Dropout | (None, 1, 32) | 0 | ||
15~16 | Flatten | (None, 32) | 0 | ||
16~17 | Dense | (None, 1) (None, 7) | Binary 1 Multi 7 | Sigmoid SoftMax | 33 231 |
Nodes | 1 Layer | 2 Layers | 3 Layers | 4 Layers | 5 Layers | |
---|---|---|---|---|---|---|
Binary | 256 | 18,689 | 26,113 | 21,953 | 17,537 | 16,481 |
512 | 37,377 | 84,993 | 68,481 | 59,649 | 55,489 | |
768 | 56,065 | 168,961 | 1,512,97 | 134,785 | 102,017 | |
Multi-class | 256 | 20,231 | 26,887 | 22,343 | 17,927 | 16,679 |
512 | 40,455 | 86,535 | 69,255 | 60,423 | 5,5879 | |
768 | 60,679 | 170,503 | 152,839 | 135,559 | 102,791 |
Layers | Type | Output Shape | Number of Filters | Kernel Size | Activation Function | Parameters |
---|---|---|---|---|---|---|
0~1 | Conv1D | (None, 68, 32) | 32 | 2 × 1 | ReLU | 96 |
1~2 | MaxPooling | (None, 34, 32) | 0 | |||
2~3 | Conv1D | (None, 33, 32) | 32 | 2 × 1 | ReLU | 2080 |
3~4 | MaxPooling | (None, 16, 32) | 0 | |||
4~5 | Conv1D | (None, 15, 64) | 64 | 2 × 1 | ReLU | 4160 |
5~6 | MaxPooling | (None, 7, 64) | 0 | |||
6~7 | Conv1D | (None, 6, 64) | 64 | 2 × 1 | ReLU | 8256 |
7~8 | MaxPooling | (None, 3, 64) | 0 | |||
8~9 | Conv1D | (None, 2, 64) | 64 | 2 × 1 | ReLU | 8256 |
9~10 | MaxPooling | (None, 1, 64) | 0 | |||
10~11 | BN | (None, 1, 64) | 256 | |||
11~12 | Dropout | (None, 1, 64) | 0 | |||
12~13 | Flatten | (None, 64) | 0 | |||
13~14 | Dense | (None, 1) (None, 7) | Binary 1 Multi 7 | Sigmoid SoftMax | 65 455 |
Nodes | 1 Layer | 2 Layers | 3 Layers | 4 Layers | 5 Layers | |
---|---|---|---|---|---|---|
Binary | 256 | 9985 | 51,969 | 34,305 | 29,313 | 23,041 |
512 | 19,969 | 202,241 | 134,145 | 148,737 | 91,137 | |
768 | 29,953 | 403,713 | 396,801 | 346,113 | 165,633 | |
Multi-class | 256 | 62,215 | 64,263 | 39,687 | 30,087 | 23,431 |
512 | 124,423 | 226,823 | 144,903 | 150,279 | 91,911 | |
768 | 186,631 | 452,871 | 407,559 | 349,191 | 167,175 |
Layers | Type | Output Shape | Number of Units | Activation Function | Parameters |
---|---|---|---|---|---|
0~1 | SimpleRNN | (None, 1, 64) | 64 | 8576 | |
1~2 | BN | (None, 1, 64) | 256 | ||
2~3 | Dropout | (None, 1, 64) | 0 | ||
3~4 | SimpleRNN | (None, 1, 64) | 64 | 8256 | |
4~5 | BN | (None, 1, 64) | 256 | ||
5~6 | Dropout | (None, 1, 64) | 0 | ||
6~7 | SimpleRNN | (None, 1, 64) | 64 | 8256 | |
7~8 | BN | (None, 1, 64) | 256 | ||
8~9 | Dropout | (None, 1, 64) | 0 | ||
9~10 | SimpleRNN | (None, 1, 32) | 32 | 3104 | |
10~11 | BN | (None, 1, 32) | 128 | ||
11~12 | Dropout | (None, 1, 32) | 0 | ||
12~13 | SimpleRNN | (None, 32) | 32 | 2080 | |
13~14 | BN | (None, 32) | 128 | ||
14~15 | Dropout | (None, 32) | 0 | ||
15~16 | Dense | (None, 1) (None, 7) | Binary 1 Multi 7 | Sigmoid SoftMax | 33 231 |
Nodes | 1 Layer | 2 Layers | 3 Layers | 4 Layers | 5 Layers | |
---|---|---|---|---|---|---|
Binary | 256 | 84,255 | 58,881 | 46,529 | 33,921 | 30,817 |
512 | 299,521 | 216,065 | 166,785 | 125,185 | 112,833 | |
768 | 645,889 | 496,641 | 347,905 | 298,625 | 233,089 | |
Multi-class | 256 | 85,767 | 59,655 | 46,919 | 34,311 | 31,015 |
512 | 302,599 | 217,607 | 167,559 | 125,959 | 113,223 | |
768 | 650,503 | 498,183 | 349,447 | 299,399 | 233,863 |
Layers | Type | Output Shape | Number of Units | Activation Function | Parameters |
---|---|---|---|---|---|
0~1 | LSTM | (None, 1, 64) | 64 | 34,304 | |
1~2 | BN | (None, 1, 64) | 256 | ||
2~3 | Dropout | (None, 1, 64) | 0 | ||
3~4 | LSTM | (None, 1, 64) | 64 | 33,024 | |
4~5 | BN | (None, 1, 64) | 256 | ||
5~6 | Dropout | (None, 1, 64) | 0 | ||
6~7 | LSTM | (None, 1, 64) | 64 | 33,024 | |
7~8 | BN | (None, 1, 64) | 256 | ||
8~9 | Dropout | (None, 1, 64) | 0 | ||
9~10 | LSTM | (None, 1, 32) | 32 | 12,416 | |
10~11 | BN | (None, 1, 32) | 128 | ||
11~12 | Dropout | (None, 1, 32) | 0 | ||
12~13 | LSTM | (None, 32) | 32 | 8320 | |
13~14 | BN | (None, 32) | 128 | ||
14~15 | Dropout | (None, 32) | 0 | ||
15~16 | Dense | (None, 1) (None, 7) | Binary 1 Multi 7 | Sigmoid SoftMax | 33 231 |
Nodes | 1 Layer | 2 Layers | 3 Layers | 4 Layers | 5 Layers | |
---|---|---|---|---|---|---|
Binary | 256 | 334,593 | 233,601 | 184,385 | 133,953 | 121,633 |
512 | 1,193,473 | 860,417 | 663,681 | 497,281 | 448,065 | |
768 | 2,576,641 | 1,981,185 | 1,386,241 | 1,189,505 | 927,361 | |
Multi-class | 256 | 336,135 | 234,375 | 184,775 | 134,343 | 121,831 |
512 | 1,196,551 | 861,959 | 664,455 | 498,055 | 448,455 | |
768 | 2,581,255 | 1,982,727 | 1,387,783 | 1,190,279 | 928,135 |
Layers | Type | Output Shape | Number of Units | Kernel Size | Activation Function | Parameters |
---|---|---|---|---|---|---|
0~1 | Conv1D | (None, 68, 32) | 32 | 2*1 | ReLU | 96 |
1~2 | MaxPooling | (None, 34, 32) | 0 | |||
2~3 | Conv1D | (None, 32, 64) | 64 | 3*1 | ReLU | 6208 |
3~4 | MaxPooling | (None, 16, 64) | 0 | |||
4~5 | Conv1D | (None, 14, 128) | 128 | 3*1 | ReLU | 24,704 |
5~6 | MaxPooling | (None, 7, 128) | 0 | |||
6~7 | BN | (None, 7, 128) | 512 | |||
7~8 | Dropout | (None, 7, 128) | 0 | |||
8~9 | SimpleRNN | (None, 7, 64) | 64 | 12,352 | ||
9~10 | BN | (None, 7, 64) | 256 | |||
10~11 | Dropout | (None, 7, 64) | 0 | |||
11~12 | SimpleRNN | (None, 7, 64) | 64 | 8256 | ||
12~13 | BN | (None, 7, 64) | 256 | |||
13~14 | Dropout | (None, 7, 64) | 0 | |||
14~15 | SimpleRNN | (None, 7, 64) | 64 | 8256 | ||
15~16 | BN | (None, 7, 64) | 256 | |||
16~17 | Dropout | (None, 7, 64) | 0 | |||
17~18 | SimpleRNN | (None, 7, 32) | 32 | 3104 | ||
18~19 | BN | (None, 7, 32) | 128 | |||
19~20 | Dropout | (None, 7, 32) | 0 | |||
20~21 | SimpleRNN | (None, 32) | 32 | 2080 | ||
21~22 | BN | (None, 32) | 128 | |||
22~23 | Dropout | (None, 32) | 0 | |||
23~24 | Dense | (None, 1) (None, 7) | Binary 1 Multi 7 | Sigmoid SoftMax | 33 231 |
Nodes | 1 Layer | 2 Layers | 3 Layers | 4 Layers | 5 Layers | |
---|---|---|---|---|---|---|
Binary | 256 | 130,593 | 97,697 | 85,345 | 68,961 | 65,857 |
512 | 360,993 | 262,433 | 213,153 | 164,001 | 151,649 | |
768 | 722,465 | 558,113 | 394,273 | 344,993 | 279,457 | |
Multi-class | 256 | 132,135 | 98,471 | 85,735 | 69,351 | 66,055 |
512 | 364,071 | 263,975 | 213,927 | 164,775 | 152,039 | |
768 | 727,079 | 559,655 | 395,815 | 345,767 | 2802 |
Layers | Type | Output Shape | Number of Units | Kernel Size | Activation Function | Parameters |
---|---|---|---|---|---|---|
0~1 | Conv1D | (None, 68, 32) | 32 | 2*1 | ReLU | 96 |
1~2 | MaxPooling | (None, 34, 32) | 0 | |||
2~3 | Conv1D | (None, 32, 64) | 64 | 3*1 | ReLU | 6208 |
3~4 | MaxPooling | (None, 16, 64) | 0 | |||
4~5 | Conv1D | (None, 14, 128) | 128 | 3*1 | ReLU | 24,704 |
5~6 | MaxPooling | (None, 7, 128) | 0 | |||
6~7 | BN | (None, 7, 128) | 512 | |||
7~8 | Dropout | (None, 7, 128) | 0 | |||
8~9 | LSTM | (None, 7, 64) | 64 | 49,408 | ||
9~10 | BN | (None, 7, 64) | 256 | |||
10~11 | Dropout | (None, 7, 64) | 0 | |||
11~12 | LSTM | (None, 7, 64) | 64 | 33,024 | ||
12~13 | BN | (None, 7, 64) | 256 | |||
13~14 | Dropout | (None, 7, 64) | 0 | |||
14~15 | LSTM | (None, 7, 64) | 64 | 33,024 | ||
15~16 | BN | (None, 7, 64) | 256 | |||
16~17 | Dropout | (None, 7, 64) | 0 | |||
17~18 | LSTM | (None, 7, 32) | 32 | 12,416 | ||
18~19 | BN | (None, 7, 32) | 128 | |||
19~20 | Dropout | (None, 7, 32) | 0 | |||
20~21 | LSTM | (None, 32) | 32 | 8320 | ||
21~22 | BN | (None, 32) | 128 | |||
22~23 | Dropout | (None, 32) | 0 | |||
23~24 | Dense | (None, 1) (None, 7) | Binary 1 Multi 7 | Sigmoid SoftMax | 33 231 |
Nodes | 1 Layer | 2 Layers | 3 Layers | 4 Layers | 5 Layers | |
---|---|---|---|---|---|---|
Binary | 256 | 426,273 | 295,073 | 245,857 | 180,321 | 167,937 |
512 | 1,345,569 | 952,097 | 755,361 | 558,753 | 509,537 | |
768 | 2,789,153 | 1,673,633 | 1,477,921 | 1,281,185 | 1,019,041 | |
Multi-class | 256 | 427,815 | 295,847 | 246,247 | 180,711 | 168,199 |
512 | 1,348,647 | 953,639 | 756,135 | 559,527 | 509,927 | |
768 | 2,793,767 | 2,134,823 | 1,479,463 | 1,281,959 | 1,019,815 |
Project | Properties |
---|---|
OS | Ubuntu 18.04.4 LTS |
CPU | Intel(R) Xeon(R) CPU E5-2698 v4 @ 2.20GHz |
GPU | NVIDIA Tesla V100-SXM2-32GB-LS |
Memory | 62.88GiB |
Disk | 7.0TiB |
Python | Python 3.6.9 |
NVIDIA CUDA | 11.0 |
Framework | TensorFlow 2.2.0+nv- tf2-py3 |
No. of Node | 1 Layer | 2 Layer | 3 Layer | 4 Layer | 5 Layer | ||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Acc | Infer Time (ms) | Acc | Infer Time (ms) | Acc | Infer Time (ms) | Acc | Infer Time (ms) | Acc | Infer Time (ms) | ||
DNN | 256 | 98.78% | 2.15 | 98.80% | 2.45 | 98.80% | 2.78 | 98.78% | 3.10 | 98.79% | 3.42 |
512 | 98.79% | 2.18 | 98.80% | 2.50 | 98.82% | 2.79 | 98.82% | 3.13 | 98.78% | 3.39 | |
768 | 98.60% | 2.15 | 98.82% | 2.53 | 98.79% | 2.88 | 98.79% | 3.16 | 98.83% | 3.42 | |
CNN | 256 | 98.53% | 1.89 | 98.62% | 2.18 | 98.79% | 2.18 | 98.58% | 2.36 | 98.79% | 2.49 |
512 | 98.56% | 2.01 | 98.63% | 2.41 | 98.79% | 2.24 | 98.80% | 2.45 | 98.81% | 2.49 | |
768 | 98.57% | 2.18 | 98.64% | 2.49 | 98.81% | 2.65 | 98.83% | 2.64 | 98.81% | 2.52 | |
RNN | 256 | 98.78% | 2.09 | 98.78% | 2.32 | 98.78% | 2.34 | 98.77% | 2.81 | 98.67% | 3.05 |
512 | 98.78% | 2.03 | 98.79% | 2.38 | 98.79% | 2.36 | 98.78% | 2.82 | 98.78% | 3.10 | |
768 | 98.80% | 2.09 | 98.75% | 2.38 | 98.79% | 2.72 | 98.79% | 2.95 | 98.79% | 3.13 | |
LSTM | 256 | 98.81% | 2.12 | 98.79% | 2.68 | 98.79% | 2.98 | 98.83% | 3.45 | 98.79% | 3.94 |
512 | 98.80% | 2.21 | 98.83% | 2.62 | 98.83% | 3.02 | 98.83% | 3.51 | 98.83% | 3.87 | |
768 | 98.80% | 2.18 | 98.83% | 2.58 | 98.79% | 3.05 | 98.83% | 3.59 | 98.82% | 4.02 | |
CNN + RNN | 256 | 98.80% | 3.16 | 98.83% | 3.77 | 98.83% | 4.71 | 98.82% | 5.55 | 98.83% | 5.95 |
512 | 98.84% | 3.27 | 98.79% | 4.17 | 98.83% | 4.89 | 98.83% | 5.23 | 98.83% | 6.00 | |
768 | 98.84% | 3.39 | 98.84% | 4.49 | 98.82% | 5.43 | 98.84% | 5.15 | 98.83% | 8.01 | |
CNN + LSTM | 256 | 98.83% | 3.68 | 98.80% | 4.50 | 98.82% | 5.60 | 98.82% | 5.51 | 98.79% | 6.72 |
512 | 98.83% | 4.11 | 98.80% | 4.37 | 98.83% | 5.43 | 98.83% | 6.31 | 98.80% | 7.03 | |
768 | 98.84% | 4.31 | 98.80% | 4.74 | 98.84% | 5.23 | 98.79% | 6.49 | 98.84% | 7.52 |
Class | Precision | Recall | F1-Score |
---|---|---|---|
Benign | 98.80% | 99.88% | 99.33% |
BruteForce | 99.97% | 99.92% | 99.95% |
DoS | 99.06% | 98.77% | 98.91% |
Web Attack | 100% | 37.50% | 54.55% |
Infiltration | 0% | 0% | 0% |
Botnet | 99.98% | 99.62% | 99.80% |
DDoS | 98.76% | 98.62% | 98.69% |
Class | Precision | Recall | F1-Score |
---|---|---|---|
Benign | 98.83% | 99.85% | 99.34% |
BruteForce | 99.98% | 99.94% | 99.96% |
DoS | 99.08% | 98.78% | 98.93% |
Web Attack | 100% | 58.09% | 73.49% |
Infiltration | 52.23% | 2.48% | 4.73% |
Botnet | 99.98% | 99.74% | 99.86% |
DDoS | 98.68% | 98.72% | 98.70% |
Class | Precision | Recall | F1-Score |
---|---|---|---|
Benign | 98.82% | 99.83% | 99.32% |
BruteForce | 99.95% | 99.91% | 99.93% |
DoS | 98.77% | 98.63% | 98.70% |
Web Attack | 100% | 36.03% | 52.97% |
Infiltration | 47.06% | 0.37% | 0.74% |
Botnet | 99.86% | 99.47% | 99.67% |
DDoS | 98.30% | 98.90% | 98.60% |
Class | Precision | Recall | F1-Score |
---|---|---|---|
Benign | 98.80% | 99.87% | 99.33% |
BruteForce | 99.92% | 99.94% | 99.93% |
DoS | 99.04% | 98.75% | 98.89% |
Web Attack | 98.08% | 37.50% | 54.26% |
Infiltration | 46.15% | 0.19% | 0.37% |
Botnet | 99.96% | 99.50% | 99.73% |
DDoS | 98.78% | 98.63% | 98.71% |
Class | Precision | Recall | F1-Score |
---|---|---|---|
Benign | 98.86% | 99.83% | 99.34% |
BruteForce | 100% | 99.91% | 99.95% |
DoS | 99.12% | 98.75% | 98.93% |
Web Attack | 100% | 58.09% | 73.49% |
Infiltration | 53.25% | 2.41% | 4.61% |
Botnet | 100% | 99.75% | 99.87% |
DDoS | 98.42% | 99.02% | 98.72% |
Class | Precision | Recall | F1-Score |
---|---|---|---|
Benign | 98.85% | 99.84% | 99.34% |
BruteForce | 99.99% | 99.93% | 99.96% |
DoS | 99.06% | 98.78% | 98.92% |
Web Attack | 100% | 58.82% | 74.07% |
Infiltration | 52.01% | 3.07% | 5.08% |
Botnet | 99.99% | 99.75% | 99.87% |
DDoS | 98.70% | 98.83% | 98.77% |
Methods | Accuracy | Precision | Recall | F1-Score | Trainable Parameters | Inference Time |
---|---|---|---|---|---|---|
DNN | 98.83% | 97.91% | 98.83% | 98.36% | 20,231 | 3.421 ms |
CNN | 98.83% | 98.42% | 98.83% | 98.41% | 349,191 | 2.638 ms |
RNN | 98.80% | 98.33% | 98.80% | 98.35% | 650,503 | 2.086 ms |
LSTM | 98.83% | 98.34% | 98.83% | 98.37% | 134,343 | 3.451 ms |
CNN + RNN | 98.84% | 98.43% | 98.84% | 98.42% | 364,071 | 3.068 ms |
CNN + LSTM | 98.84% | 98.43% | 98.84% | 98.43% | 2,793,767 | 4.31 ms |
Paper | Year | Methods | Accuracy | Our Methods | Accuracy |
---|---|---|---|---|---|
[10] | 2019 | CNN | 91.5% | ||
[9] | 2019 | LSTM + AM | 96.19% | ||
[5] | 2020 | DNN RNN CNN | 97.28% 97.31% 97.38% | DNN RNN CNN | 98.83% 98.83% 98.80% |
[12] | 2020 | AdaBoost | 99.69% | LSTM | 98.83% |
[17] | 2020 | TCN + LSTM | 97.77% | CNN + RNN | 98.84% |
[6] | 2021 | TCN + LSTM | 97% | CNN + LSTM | 98.84% |
Methods | Accuracy | Precision | Recall | F1-Score | Trainable Parameters | Inference Time |
---|---|---|---|---|---|---|
DNN | 98.83% | 98.83% | 98.83% | 98.81% | 18,689 | 3.359 ms |
CNN | 98.82% | 98.82% | 98.82% | 98.80% | 346,113 | 2.301 ms |
RNN | 98.82% | 98.82% | 98.82% | 98.81% | 233,089 | 2.807 ms |
LSTM | 98.83% | 98.83% | 98.83% | 98.81% | 927,361 | 4.019 ms |
CNN + RNN | 98.84% | 98.84% | 98.84% | 98.82 | 85,345 | 4.341 ms |
CNN + LSTM | 98.85% | 98.85% | 98.85% | 98.83% | 1,345,569 | 3.068 ms |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Wang, Y.-C.; Houng, Y.-C.; Chen, H.-X.; Tseng, S.-M. Network Anomaly Intrusion Detection Based on Deep Learning Approach. Sensors 2023, 23, 2171. https://doi.org/10.3390/s23042171
Wang Y-C, Houng Y-C, Chen H-X, Tseng S-M. Network Anomaly Intrusion Detection Based on Deep Learning Approach. Sensors. 2023; 23(4):2171. https://doi.org/10.3390/s23042171
Chicago/Turabian StyleWang, Yung-Chung, Yi-Chun Houng, Han-Xuan Chen, and Shu-Ming Tseng. 2023. "Network Anomaly Intrusion Detection Based on Deep Learning Approach" Sensors 23, no. 4: 2171. https://doi.org/10.3390/s23042171
APA StyleWang, Y.-C., Houng, Y.-C., Chen, H.-X., & Tseng, S.-M. (2023). Network Anomaly Intrusion Detection Based on Deep Learning Approach. Sensors, 23(4), 2171. https://doi.org/10.3390/s23042171