Cloud-based Network Intrusion Detection System using Deep
Learning
Archana C Chaitra H P
PES University, Bangalore, India PES University, Bangalore, India
[email protected] [email protected]
Pradhiksha Nandini T Sivaraman E
PES University, Bangalore, India PES University, Bangalore, India
[email protected]
[email protected]
[email protected]
ABSTRACT
With the increase in the internet traffic worldwide, it has been
observed that there is a major spike in the influx of network traffic
into any system over the years. The internet traffic and the number
of attempts at malicious access to any organization have increased
over the years. The attacker can take advantage of this and over
flood the organization with dummy traffic and make the systems
unresponsive. The current existing models of Network Intrusion
Detection System (NIDS) have a good prediction rate but somehow
have high False Positive Rate (FPR). We propose a Deep Learning
(DL) model to reduce the FPR which offers a scalable solution by
deploying the model on cloud to increase the responsiveness of
the NIDS during high loads, hence increasing the availability. The
model which is running on docker containers on the cloud instance
can be accessed using REST APIs as it is deployed as microservice.
The experimental results showed that Deep Neural Networks (DNN)
with five hidden layers achieved the best accuracy of 95.02% and a
least accuracy of 88.75% by Long Short-Term Memory (LSTM) with
two layers. In traditional ML algorithms, Random Forest approach
have achieved 86% accuracy.
CCS CONCEPTS
• Security and privacy; • Networks; • Computing methodolo-
gies;
KEYWORDS
Network Intrusion Detection, Deep Learning, Docker, Container,
Microservice
ACM Reference Format:
Archana C, Chaitra H P, Khushi M, Pradhiksha Nandini T, Sivaraman E,
and Prasad Honnavalli. 2021. Cloud-based Network Intrusion Detection
System using Deep Learning. In ArabWIC 2021: The 7th Annual International
Conference on Arab Women in Computing in Conjunction with the 2nd Forum
of Women in Research, Sharjah, UAE (ArabWIC 2021), August 25, 26, 2021,
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specific permission and/or a
fee. Request permissions from [email protected].
ArabWIC 2021, August 25, 26, 2021, Sharjah, United Arab Emirates
© 2021 Association for Computing Machinery.
ACM ISBN 978-1-4503-8418-6/21/08. . . $15.00
https://doi.org/10.1145/3485557.3485562
Khushi M
PES University, Bangalore, India
[email protected]
Prasad Honnavalli
PES University, Bangalore, India
Sharjah, United Arab Emirates. ACM, New York, NY, USA, 6 pages. https:
//doi.org/10.1145/3485557.3485562
1 INTRODUCTION
Network Security has become an important aspect because com-
puter networks are used extensively in all the fields. Various sensi-
tive user data is handled by networks which are prone to various
kinds of attacks. There are a variety of tools like firewall, antimal-
ware, antivirus etc. used to detect and exploit attacks. These attacks
are diverse and are evolving with sophisticated algorithms which
makes it undetectable by traditional tools leading to data breach.
These kinds of malicious attacks pose security challenges which
makes it important to have a reliable and flexible Intrusion Detec-
tion System (IDS). An IDS is a software application or a system
that monitors network traffic for any suspicious activity and an
alert is issued to the management system on discovery of such ab-
normal events [1]. Anything that violates the CIA (Confidentiality,
Integrity and Availability) triad must be caught by the IDS and it
can be installed on any individual devices such as desktop, servers.
Network Intrusion Detection system (NIDS) monitors the net-
work traffic flowing in and out of the entire system to detect traces
of malicious activity [2]. It is usually placed at the crucial points
where all the traffic traverses. IDS uses the following methods to
identify the attacks: Signature based Intrusions can be detected by
classifying access to the systems into predefined signature, patterns,
malicious activities. Signatures need to be updated regularly and
it is accurate in finding known types of attacks. Anomaly based
IDS analyses the normal behavior of the network and alerts when
there’s a deviation [3]. It is used to detect unknown attacks. Hybrid
based IDS is a combination of both signature-based and anomaly-
based IDS. In this research, a novel and scalable cloud-based IDS is
proposed which can handle high network traffic loads and reduce
FPR.
2 RELATED WORKS
To enhance the performance of IDS, many studies are focusing on
applying ML techniques both supervised and unsupervised. Some
of the ML algorithms used are Naive bayes, Support Vector Ma-
chine (SVM), Random Forest, Decision Trees, K-Nearest Neighbour
(KNN), Decision Trees etc. [3]. In [4], the authors have presented a
NIDS model which is designed and implemented using Recurrent
Neural Network. Performance of the model is studied for both mul-
ticlass classification and binary classification and how the accuracy
is impacted by various combinations of the parameters like learning
ArabWIC 2021, August 25, 26, 2021, Sharjah, United Arab Emirates
rate and number of neurons. A Deep Neural Network model with
one input layer, five hidden layers and an output layered architec-
ture on the KDD99 dataset as the hybrid intrusion detection system
approach is presented by Vinayakumar et al. [5]. Another research
by Stefan Dlugolinsky et al. discusses about the harmony between
large scale data processing and Deep Learning techniques [6]. The
model by coupling filter-based feature selection with Feed Forward
Deep Neural Networks (FFDNNs) algorithm is proposed by Yanxia
Sun et al. [7]. A model which uses a hybrid of Convolutional Neural
Network (CNN) and weight-dropped Long Short-Term Memory
(LSTM) is presented by researchers [8]. The authors in [9] have
proposed an IDS based on the CNN to reinforce the security of
the internet. A hierarchical Convolutional Neural Network and
Recurrent Neural Network called LuNet, is proposed by Hui Guo
et al. [10] to detect intrusions. Farrukh Aslam Khan et al. [11] have
used a stacked Autoencoder (AE) based two staged Deep Learning
model by using soft-max for classification. To enhance the detec-
tion rate of the intrusion detection system, [12] mainly focuses on
false positive and false negative performance metrics. A genetic
algorithm based on exhaustive search and fuzzy C-means clustering
algorithm is used in Genetic Convolutional Neural Network [13].
3 RESEARCH CHALLENGES AND PROPOSED
SOLUTION
First challenge is that the NIDS usually has a large FPR and classi-
cal ML classifiers have high computation rate with high FPR since
they learn the characteristic of simple features of TCP and/or IP
locally [2]. Whereas DL is a complex subset of ML that acquires
hidden sequential relationships and hierarchical feature represen-
tations by sending the TCP and/or IP information on subsequent
hidden layers making it reduce the FPR. Since the DL algorithms
require substantial computational resources, the advent of cloud-
based platforms can streamline the process of implementation of
models using Deep Learning. Next challenge is the IDS built using
ML have achieved a high accuracy with small amounts of input
data. However, if the large dataset is used its very time consuming
and has high latency for large dataset [3]. There are some issues
with these classical algorithms. ML techniques fail in multi class
classification because of a greater number of features. There are
issues such as overfitting and inducing high bias due to redundant
or irrelevant features which affect the model metrics. Most of the
studies have used old publicly available dataset which doesn’t cover
today’s wide range of attacks. There is also the issue of scalability,
where the model can take a long time to respond if it is bombarded
with requests. The signature-based IDS has evolved over the years
into anomaly-based IDS to detect anomalous behavior posed by the
attacker [2]. However, these attacks are always evolving in both
quality and quantity. With increase in the internet traffic worldwide,
the influx of network traffic into any system has also seen a major
spike over the years. The attacker can take advantage of this and
over flood the system with dummy traffic and make the systems
unresponsive. In such environments having a single running in-
stance of an IDS to alert the organization about a potential attack in
real-time can be quite challenging. The proposed research is to use
a DL algorithm-based NIDS which will be hosted on the cloud to
classify malicious activities. It will offer a scalable solution using DL
Archana C et al.
algorithms to increase the responsiveness of the IDS during high
loads, hence increasing the reliability. The IDS can be scaled up or
down depending on the traffic. This way there won’t be concerns
regarding investment on infrastructure and wastage of resources
when the load is high and low respectively. The model prefers DL
algorithm over ML algorithm because DL learns new features which
majorly define a model on its own without any human intervention,
whereas ML requires the user to feed the important features to the
model. It trains a model using DL algorithms that learns about the
characteristics of a malicious activity using a pre-existing dataset
[14] and with each detection, improves and optimizes the model.
It will be hosted on the cloud and be configured as microservices
which can be scaled depending on the network traffic.
4 UNSW-NB15 DATASET
The dataset used in our research is UNSW-NB15 [14] and it was
collected by the Australian Center for Cyber Security (ACCS) in
2015 by the research group of cyber security. It is a network intru-
sion dataset. The raw network packets of the UNSW-NB15 data set
are created by the IXIA PerfectStorm tool. The training set consists
of 175,341 records. Testing set contains 82,232 records from the
different types, attack and normal. UNSW-NB15 contains approxi-
mately 2.5 million records. The dataset was generated using two
diverse simulation periods of 15 hours and 16 hours respectively.
This dataset consists of both synthesized attack activities and real
modern normal activities and of the network traffic. TCP dump
is employed to capture 100GB of the raw traffic. It contains nine
families of attacks, namely, Reconnaissance, Shellcode, Backdoors,
Analysis, DoS, Exploits, Generic, and Worm.
5 PROPOSED METHODOLOGY AND
IMPLEMENTATION
The proposed NIDS architecture is to build the IDS model as mi-
croservices on the cloud. The IDS will classify the input data in-
stance as normal or different types of attacks based on the features
of the initial stage. Using Neural Network models like Convolutional
Neural Network (CNN) [17], Long Short-Term Memory (LSTM) [16]
or Hybrid models with appropriate activations at each layer, the
model can perform better than the classical ML algorithms [18].
5.1 Proposed Cloud-based NIDS Architecture
The proposed architecture for cloud-based NIDS which consists of
Docker Containers, REpresentational State Transfer Application
Programming Interfaces (REST APIs) over postman and a Load
Balancer is illustrated in Figure 1. There are three microservices
namely, Training, Testing and Database. The testing/classification
of packets can be done by sending REST APIs to the testing mi-
croservice. The testing microservice will in turn send this now
classified packet into the database to ensure “real time” data is
being stored. The idea is to have weekly updates of the training
microservice on the data in the database. For experimentation, the
proposed NIDS model on Amazon EC2 instances as microservices.
The docker containers are configured accordingly and the train-
ing and testing containers are accessed through REST APIs. The
training and testing phases are implemented as a flask app hosted
locally. Both can be accessed through REST APIs over Postman.
Cloud-based Network Intrusion Detection System using Deep Learning
Figure 1: Proposed Cloud-based NIDS Architecture
Depending on the amount of data to be processed by the docker
containers, the number of running instances will be either scaled-up
or scaled-down accordingly via docker SDK.
Across multiple targets, the incoming traffic is automatically
distributed by the load balancer to respective EC2 instances. It
monitors the registered target’s health, and it routes the traffic only
to the healthy instances. The load balancer can scale itself according
to the change in incoming traffic changes with time. For clients,
it serves as a single point of contact. This ensures the availability
of the proposed NIDS application. One or more listeners can be
added to the load balancer. The model will get the incoming traffic
features from the training dataset. The traffic is fed to the neural
network model which extracts features and trains the model to
classify traffic as attack or benign.
5.2 NIDS Implementation using Deep Learning
Algorithms
A two-stage model is considered in this research. The initial stage
is to extract minimal meaningful features which best represent the
data. The next stage is to classify the input data instance as normal,
or attack based on the features of the initial stage. Neural networks
such as LSTM, Gated Recurrent Unit (GRU), CNN and DNN models
are used with appropriate activation functions [21, 22]. The activa-
tion function at each layer is fixed after experimentation. During
optimization, hyperparameter tuning like learning rate, number
and depth of hidden layers used, number of epochs can be fixed
after trial and experimentation. Initially, LSTM with different lay-
ers is used with Rectified activation Linear function (ReLu) as an
activation function and using Stochastic Gradient Descent (SGD)
as the optimization function. LSTM is an improvement on the Re-
current Neural Network (RNN) [16]. RNN suffers from vanishing
gradient problems so the layers won’t learn much and will forget
the information it has learned [20]. Next, GRU is considered which
is an improvised form of standard RNN. It solves the disappearing
gradient problem of a standard RNN. CNN is also considered which
has one or more convolutional layers along with a pooling layer
and a flattening layer. Our CNN model has 2 convolutional layers
ArabWIC 2021, August 25, 26, 2021, Sharjah, United Arab Emirates
with a maxpool layer and a flattening layer. Lastly, DNN uses the
Adam method for optimizing the network and minimizing the loss
function. Adam is an alternative to the gradient descent optimizer
and solves its limitations. Every node in the output and the hidden
layers have their own activation functions chosen on trial and error.
The prediction of accuracy depends on the computed weights and
biases which is why we need to choose the hyperparameters cor-
rectly. The model was run for 50 epochs with batch size as 64. The
experimental results of the proposed DL algorithms are conversed
in the following section.
6 EXPERIMENTAL RESULTS AND
DISCUSSION
Initially, we have experimented the proposed cloud-based IDS by
creating an AWS EC2 instance with two containers using flask
framework for making API calls. We have compared the results
of different ML and DL models on the UNSW-NB15 dataset. The
ML models implemented includes Logistic Regression, K-Nearest
Neighbor (KNN), Naive Bayes, Random Forest, Decision Trees and
Adaboost [3]. The first step is preprocessing the dataset which
will be used for model implementation. We were able to reduce 42
features to 29 which has improved the performance of the model.
Figure 2 shows the comparison of different ML algorithms, and it
can be perceived that Random Forest & Decision Tree have achieved
the highest accuracy of 86%.
The experimental results of different DL algorithms were calcu-
lated. Highest accuracy of 88.81% is achieved from LSTM model
with one hidden layer and GRU achieved 88.79% with both one and
two hidden layers. Usually, adding more hidden layers would in-
crease the accuracy of the model but in this study, it’s observed that
adding a greater number of hidden layers did not help in increasing
the accuracy rather it has decreased the performance of the model.
CNN with 2 convolutional layers achieved an accuracy of 93.11%.
Deep Neural Network is implemented using Batch Normalization
optimizer which gave the highest accuracy compared to other ML
and DL models (refer Figure 3).
ArabWIC 2021, August 25, 26, 2021, Sharjah, United Arab Emirates Archana C et al.

Figure 2: Performance Analysis of Machine Learning Algorithms

Figure 3: Performance Analysis of DNN with Different Hidden Layers

Table 1: Confusion Matrix for the Proposed DNN Model

Condition Predicted Benign Predicted Attack

Actual Benign 196299 (TN) 3511 (FP)
Actual Attack 7355 (FN) 21440 (TP)

The DNN model with 4 hidden layers achieved the highest ac-
curacy of 95.02%. DNN with 1 hidden layer achieved the lowest
FPR of 1.70% followed by four hidden layers with 1.75% FPR. For
DNN layers adding more hidden layers improves the accuracy but
the training time is also increased as more hidden layers are added.
Table 1 represents the confusion matrix for the DNN model. For an
IDS, FPR should be less as the users shouldn’t be alarmed falsely
when there is no attack because if the FPR rate is high users tend
to ignore an alarm of real attack thinking it as a false alarm [23].
ROC curve is used for performance comparison at different
thresholds. Ideally, FPR should be 0 and TPR should have the value
of 1. Area Under the Curve (AUC) tells us how well the model can
differentiate between the two classes. The ROC curve for different
layers of the DNN model is plotted in the Figure 4. It is noted that
AUC increases with hidden layers and DNN with four hidden layers
has the highest AUC of 0.97.
7 CONCLUSION
We have used AWS instances to run the model on the cloud and
configure the docker containers accordingly. We have implemented
different DL algorithms like LSTM, GRU, DNN and compared with
traditional ML models. Based on the experimental results, it is
noted that using Deep Learning over Machine Learning appreciably
increases the performance of the model for larger datasets. The
Cloud-based Network Intrusion Detection System using Deep Learning ArabWIC 2021, August 25, 26, 2021, Sharjah, United Arab Emirates

Figure 4: ROC Curve for DNN Model

performance metrics are calculated for the proposed model and
compared with the other studies. The Deep Neural Network model
achieved good accuracy. Using batch normalization has significantly
improved the accuracy of the model. This model can offer real
time detection provided, the input to the model for testing is given
according to the format specified and follows necessary. A proactive
model which can detect future attacks may be implemented in
future for prior detection of attacks.
REFERENCES
[1] Sabahi F and Movaghar A, 2008. Intrusion Detection: A Survey. In Proceedings of
the Third International Conference on Systems and Networks Communications,
Sliema, Malta. IEEE Xplore, DOI:10.1109/ICSNC.2008.44.
[2] Karen Scarfone and Peter Mell, 2007. Guide to Intrusion Detection and Prevention
Systems (IDPS). NIST Special Publication 800-94. National Institute of Standards
& Technology, Gaithersburg, MD, United States.
[3] Sharfuddin Khan, E Sivaraman and Prasad B. Honnavalli, 2020. Performance
Evaluation of Advanced Machine Learning Algorithms for Network Intrusion
Detection System. In Proceedings of the International Conference on IoT Inclusive
Life (ICIIL 2019), NITTTR Chandigarh, India. Lecture Notes in Networks and
Systems, 51-59. Springer, Singapore. DOI: https://doi.org/10.1007/978-981-15-
3020-3_6.
[4] Chuanlong Yin, Yuefei Zhu, Jinlong Fei and Xinzheng He, 2017. A Deep Learning
Approach for Intrusion Detection using Recurrent Neural Networks. IEEE Access,
21954 –21961. IEEE. DOI: https://doi.org/10.1109/ACCESS.2017.2762418.
[5] R. Vinayakumar, Mamoun Alazab, K. P. Soman, Prabaharan Poornachandran,
Ameer Al-nemrat, Sitalakshmi Venkatraman, 2019. Deep Learning Approach
for Intelligent Intrusion Detection System. IEEE Access. IEEE, pp.41525 – 41550.
DOI:https://doi.org/10.1109/ACCESS.2019.2895334.
[6] Giang Nguyen, Stefan Dlugolinsky, Viet Tran, Alvaro Lopez Garcia, 2020. Deep
Learning for Proactive Network Monitoring & Security Protection. IEEE Access.
IEEE, pp. 19696 - 19716. DOI:https://doi.org/10.1109/ACCESS.2020.2968718.
[7] Sydney Mambwe Kasongo, Yanxia Sun, 2019. A Deep Learning Method with Filter
Based Feature Extraction for Wireless Intrusion Detection System. IEEE Access.
IEEE, pp. 38597 - 38607. DOI:https://doi.org/10.1109/ACCESS.2019.2905633.
[8] Mohammed Mehedi Hassan, Abdu Gumaei, Ahmed Alsanad, Majed Alrubaian,
Giancarlo Fortino, 2019. A Hybrid Deep Learning Model for Efficient Network
Intrusion Detection in Big Data Environment. Information Sciences. Elsevier.
DOI: https://doi.org/10.1016/j.ins.2019.10.069.
[9] Samson Ho, Saleh Al Jufout, Khalil Dajani, Mohammed Mozumdar, 2021. A Novel
Intrusion Detection Model for Detecting Known and Innovative Cyberattacks Us-
ing Convolutional Neural Network. IEEE Open Journal of the Computer Society,
14-25. IEEE. DOI:https://doi.org/10.1109/OJCS.2021.3050917.
[10] Peilun Wu, Hui Guo, 2019. LuNet: A Deep Neural Network for Network Intrusion
Detection. In Proceedings of IEEE Symposium Series on Computational Intelli-
gence (SSCI), Xiamen, China. IEEE. DOI: https://doi.org/10.1109/SSCI44817.2019.
9003126.
[11] Farrukh Aslam Khan, Abdu Gumaei , Abdelouahid Derhab, and Amir Hussain,
2019. A Novel Two-Stage Deep Learning Model for Efficient Network Intrusion
Detection. IEEE Access. IEEE, pp.30373 – 30385. DOI: https://doi.org/10.1109/
ACCESS.2019.2899721.
[12] Mohammad Almseidin, Maen Szilveszter Kovacs and Mouhammd Alkasass-
beh, 2017. Evaluation of Machine Learning Algorithms for Intrusion Detec-
tion Systems. In Proceedings of IEEE 15th International Symposium on In-
telligent Systems and Informatics (SISY), Subotica, Serbia. IEEE, DOI: https:
//doi.org/10.1109/SISY.2017.8080566.
[13] Minh Tuan Nguyen and Kiseon Kim, 2020. Genetic Convolutional Neural Network
for Intrusion Detection Systems. Future Generation Computer Systems, 113, 418-
427. Elsevier. DOI: https://doi.org/10.1016/j.future.2020.07.042.
[14] UNSW-NB15 Dataset. Australian Centre for Cyber Security (ACCS). https://www.
kaggle.com/mrwellsdavid/unsw-nb15.
[15] Zouhair Chiba Noreddine Abghour Khalid Moussaid Amina El omri and Mo-
hamed Rida, 2019. Intelligent Approach to build a Deep Neural Network based
IDS for Cloud Environment Using Combination of Machine Learning Algorithms.
Computers & Security, 86, 291-317. Elsevier. DOI: https://doi.org/10.1016/j.cose.
2019.06.013.
[16] Sydney Mambwe Kasongo and Yanxia Sun, 2019. A Deep Long Short-Term Mem-
ory Based Classifier for Wireless Intrusion Detection System. ICT Express, 6
(2), 98-103. Korean Institute of Communications Information Sciences. DOI:
https://doi.org/10.1016/j.icte.2019.08.004.
[17] Kehe Wu, Zuge Chen and Wei Li, 2018. A Novel Intrusion Detection Model for a
Massive Network Using Convolutional Neural Networks. IEEE Access, 50850 –
50859. IEEE. DOI: https://doi.org/10.1109/ACCESS.2018.2868993.
[18] Jose Camacho, Roberto Therón, Jose M. García-Giménez, Gabriel Maciá-
Fernández and Pedro García-Teodoro, 2019. Group-Wise Principal Component
Analysis for Exploratory Intrusion Detection. IEEE Access, 113081 – 113093. IEEE.
DOI: https://doi.org/10.1109/ACCESS.2019.2935154.
[19] Ao Liu and Bin Sun, 2019. An Intrusion Detection System Based on Quantitative
Model of Interaction Mode Between Ports. IEEE Access, 161725 – 161740. IEEE.
DOI: https://doi.org/10.1109/ACCESS.2019.2951839.
[20] Jin Yang, Tao Li, Gang Liang, Wenbo He and Yue Zhao, 2019. A Simple Recurrent
Unit Model Based Intrusion Detection System With DCGAN. IEEE Access, 83286
– 83296. IEEE. DOI: https://doi.org/10.1109/ACCESS.2019.2922692.
[21] Shahid Anwar, Jasni Mohamad Zain, Mohamad Fadli Zolkipli, Zakira Inayat,
Suleman Khan, Bokolo Anthony and Victor Chang, 2017. From Intrusion Detec-
tion to An Intrusion Response System: Fundamentals, Requirements, And Future
Directions. Algorithms, 10 (2), 39. MDPI. DOI: https://doi.org/10.3390/a10020039.
ArabWIC 2021, August 25, 26, 2021, Sharjah, United Arab Emirates Archana C et al.

[22] Enamul Kabir, Jiankun Hu, Hua Wang, Guangping Zhuo, 2018. A Novel Statistical [23] Adel Binbusayyis and Thavavel Vaiyapuri, 2019. Identifying and Benchmarking
Technique for Intrusion Detection Systems. Future Generation Computer Systems, Key Features for Cyber Intrusion Detection: An Ensemble Approach. IEEE Access,
79 (1), 303-318. Elsevier. DOI: https://doi.org/10.1016/j.future.2017.01.029. 106495 – 106513. IEEE. DOI: https://doi.org/10.1109/ACCESS.2019.2929487.