2024 8th International Conference on Inventive Systems and Control (ICISC) | 979-8-3503-8657-8/24/$31.00 ©2024 IEEE | DOI: 10.1109/ICISC62624.2024.00069

A study on Anomaly-based Intrusion Detection Systems Employing Supervised Deep Learning Techniques
Abubucker.S.Shaffi, Assistant Professor, Department of Computing Sciences, Gulf College, Sultanate of Oman
John Velloreuzhathil Chacko, Lecturer, Department of Computing Sciences, Gulf College, Sultanate of Oman
Greeshma Eliyan, Lecturer, Department of Computing Sciences, Gulf College, Sultanate of Oman
S. Balaji, Associate Professor, Department of Information Technology, Al Zahra College for Women, Ghala Muscat

Abstract – The rise of smart cities, driverless automobiles, smart watches, and mobile banking has led to increased reliance on the Internet. Although technology has enormous advantages for people and society, it also introduces threats. Cyber attacks are more common in this digital world, and intruders are working hard to break into business websites or an organization's data server. Hence, integrating an intrusion detection system (IDS) is essential in the security environment because it enables IT infrastructure to resist threats. Conventional IDS are limited to detecting only sophisticated attacks and fail to detect the hidden and other anomalies that occur in network systems. An accurate and strong approach for IDS must be created to solve this difficulty for the successful functioning of businesses. The present study explores the use of supervised Deep Learning (DL) techniques and recommends an effective model for anomaly detection. The performance evaluation of the model is performed using the NSL-KDD and KDDcup99 datasets, and the DL models explored in this study are compared in terms of accuracy and precision.

Keywords – Intrusion detection, Anomaly-based, Deep Learning (DL), Convolutional Neural Networks (CNN)

I. INTRODUCTION

In the digital age of today, cyber security is critical, and a single security solution is insufficient to address the wide spectrum of IT infrastructure. The conventional security techniques adopted by organizations include anti-virus programs, firewalls, and other software. These strategies protect networks from both inside and outside threats. An IDS is a type of detection tool that safeguards cyber security by monitoring the status of software as well as hardware in a network. Many researchers aim to develop security solutions, and most of them lag in finding unknown attacks due to the dynamic nature of the IT infrastructure. Each variant in the IT sector needs a different type of security solution [1].

Several Machine Learning (ML) methods like Support Vector Machines (SVM), fuzzy-based approaches, Artificial Neural Networks (ANN), Swarm Intelligence and Evolutionary computation are used in the design of IDS. But these approaches still have some limitations and drawbacks in the detection of anomalies in the network. These include handling raw or unstructured data, unlabeled data and high-dimensional data [2]. Deep learning (DL) is widely used in several fields of research due to its effectiveness in training on enormous datasets. The vast amount of data and its complexity lead to the use of Deep Learning methods in IDS. This study focuses on the design of IDS using two supervised DL models, viz. CNN and Recurrent Neural Networks (RNN).

The paper is arranged as follows. Section 2 presents relevant research on DL techniques for anomaly-based intrusion detection, while Section 3 presents methodologies and suggestions, followed by an experimental evaluation utilizing measures of performance in Section 4. Finally, Section 5 presents the conclusion and next steps.

II. RELATED WORKS

IDS can be classified as signature-based or anomaly-based. Both approaches have their own strengths and weaknesses. DL methods for IDS can use either supervised or unsupervised learning algorithms. The supervised DL methods used in this study are CNN and RNN. The method suggested in [3] employs CNN for IDS, which may be easily implemented into cybersecurity frameworks to improve the ability to identify and neutralize sophisticated network assaults. It uses data augmentation approaches on four well-known datasets, UNSW-NB15, FLNET2023, 5G-NIDD and CIC-IDS-2017, to enhance the performance of multiple DL frameworks for IDS. A study in [4] reviewed the developments in the application of DL approaches, including CNN, RNN, Deep Neural Networks (DNN), Self-Normalizing Networks (SNN), autoencoders (AE), Multi-Layer Perceptrons (MLP), Long Short-Term Memory (LSTM), and hybrid models in IDS. The merits and limitations of each DL approach are analysed in terms of detection accuracy, computing efficiency, scalability, and adaptation to emerging threats.

A distinctive architecture combining CNNs and LSTMs is used on time series data with predictive algorithms for predicting impending malware packets [5]. The DL model for IDS classifies different attacks in the dataset

utilizing a filter-based approach to choose the most significant characteristics from publicly available datasets (NSL-KDD and UNSW-NB15). The Deep Neural Network (DNN) and CNN models were implemented on both of the datasets. The DL model surpassed both datasets. Because DL models are opaque and difficult to understand, the concept of explainable Artificial Intelligence (XAI) is used to provide model explanations. To boost trust in the DNN model, the XAI Local Interpretable Model-agnostic Explanations (LIME) technique is used, and for enhanced comprehension, Shapley Additive Explanations (SHAP) is used [6].

Researchers began to rely on DL approaches with the emergence of DL systems like ANNs, which generate information dynamically with no human involvement. A novel Golden Jackal Optimization Algorithm with DL Assisted IDS for Network Security (GJOADL-IDSNS) technique is proposed in [7] for effective intrusion detection and classification in order to accomplish network security. The GJOADL-IDSNS method uses a GJOA-based feature selection (GJOA-FS) method to choose the best group of attributes. The GJOADL-IDSNS strategy then employs an attention-based bidirectional LSTM (A-BiLSTM) model, and the salp swarm algorithm (SSA) is used to tune the A-BiLSTM model's hyperparameters. The simulation value of the GJOADL-IDSNS approach was evaluated employing benchmark datasets. The GJOADL-IDSNS approach outperforms other models. The development and execution of a Deep Neural Network model for identifying attacks in networks uses approaches such as SMOTE and Random Sampling to tackle the imbalance in the data. The whole experiment was done in Python, including required software libraries. The DNN outperforms in predicting assaults with the CICIDS-2017 dataset, with an accuracy value of 99.6% and a loss of 0.010 [8].

The suggested model in [9] is a DL-based network IDS that employs a chaotic optimization technique. The technique employs data cleaning and M-squared normalization for pre-processing and an Extended Synthetic Sampling approach for data balance. Then the attributes from the dataset are extracted by applying kernel-guided principal component analysis. The Chaotic Honey Badger optimization method chooses the ideal features. After capturing all required attributes, attacks are classified using the Gated Attention Dual LSTM (Dugat-LSTM), TON-IOT, and NSL-KDD datasets. The working model is evaluated based on metrics such as accuracy, precision, recall, and F1. The suggested model has an accuracy value of 99.65% on the NSL-KDD dataset and 98.76% on the TON-IOT dataset, and it outperforms the other methods.

The proposed DLL-IDS in [10] is made up of three elements: a DL-based IDS, an adversarial example (AE) detector, and an ML-based IDS. Firstly, a new AE detector that utilizes local intrinsic dimensionality (LID) is developed. Then we used the limited attack interchangeability among DL and ML techniques to create a strong ML model that can help us determine the malevolent nature of AEs. If the input traffic is recognized as an AE, the ML-based IDS will anticipate its maliciousness; otherwise, the DL-based IDS will perform the prediction. The combined approach may enhance the system's overall robustness by utilizing the high prediction accuracy of DL algorithms and the low attack transferability between DL and ML methods. When subjected to an adversarial attack, the IDS's prediction performance improves significantly, resulting in high accuracy while using minimal resources. The research in [11] investigates Flying Ad Hoc Network (FANET) intrusion-detection threats by proposing a dynamic data-analytics framework that employs RNN. The experiments are conducted on a large scale using various datasets to assess the efficiency of the models. The outcomes confirmed that the recommended model is superior to the existing models.

III. METHODOLOGY

Anomaly detection requires initially training the system with a normalized baseline and then correlating activity to that baseline. The system can then compare the current condition of traffic on the network to this baseline to find patterns that would not be present in regular traffic. DL techniques are increasingly employed for anomaly-based IDS since the deep network may learn valuable features on its own. The DL method for anomaly-based IDS is shown in Figure 1. The CNN and RNN models are considered in this study.

Fig.1 DL Strategy for Anomaly-based IDS

A. Convolutional Neural Networks (CNN)

The CNN model used in this study is for binary and multi-class classification of attacks in networks. The fundamental advantage of CNN is its ability to easily link spatial and temporal data. In this work, it is employed for both feature extraction and classification. It is performed utilizing two datasets: NSL-KDD and UNSW-NB15. The dataset represents four types of attacks: Denial of Service (DoS), probing, User-to-Root (U2R), and Remote-to-Local (R2L). Each entry in the NSL-KDD data collection provides 41 features in three categories: fundamental characteristics created from TCP/IP connections, traffic information from the total number of connections, and the attributes of application-layer data [12].

To build a CNN-based intrusion model, the dataset has to be converted to images. The labeled information is then transformed into images based on the number of features chosen, and the images are classified using the feature label. Figure 2 depicts the overall perspective of the IDS with CNN. A CNN model is composed of three layers: convolutional, max-pooling, and fully connected.

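One way to carry out the record-to-image conversion described for the CNN model, as an added example that is not the paper's code. It assumes ordinal encoding of the categorical fields, min-max scaling to 0..255 over the training range, and zero-padding to the next square; the function names and the six-column sample rows are constructed for illustration.

```python
import math

# Constructed sample rows in NSL-KDD column order, cut down to 6 of the 41
# features: duration, protocol_type, service, flag, src_bytes, dst_bytes.
TRAIN = [
    [0, "tcp", "http", "SF", 181, 5450],
    [0, "udp", "domain_u", "SF", 44, 133],
    [2, "tcp", "smtp", "SF", 1022, 387],
    [0, "tcp", "private", "S0", 0, 0],
]
# Constructed test row: unseen protocol/service and out-of-range byte counts.
UNSEEN = [5, "icmp", "ecr_i", "SF", 99999, 10]
CATEGORICAL = (1, 2, 3)  # column indexes that hold strings (assumption)


def encode(row, vocab):
    """Replace categorical values by their integer index (0 if never seen)."""
    return [float(vocab[c].get(v, 0)) if c in vocab else float(v)
            for c, v in enumerate(row)]


def fit(rows):
    """Learn category vocabularies and per-column min/max from training rows."""
    vocab = {c: {v: i + 1 for i, v in enumerate(sorted({r[c] for r in rows}))}
             for c in CATEGORICAL}
    encoded = [encode(r, vocab) for r in rows]
    lo = [min(col) for col in zip(*encoded)]
    hi = [max(col) for col in zip(*encoded)]
    for c in CATEGORICAL:
        lo[c] = 0.0  # keep index 0 (unseen category) inside the scaled range
    return vocab, lo, hi


def to_image(row, vocab, lo, hi):
    """Scale one record to 0..255 and zero-pad it into a square grayscale image."""
    pixels = []
    for x, a, b in zip(encode(row, vocab), lo, hi):
        if b == a:                 # constant column carries no information
            pixels.append(0)
            continue
        x = min(max(x, a), b)      # clip values outside the training range
        pixels.append(round(255 * (x - a) / (b - a)))
    side = math.isqrt(len(pixels) - 1) + 1 if pixels else 0  # ceil(sqrt(n))
    pixels += [0] * (side * side - len(pixels))
    return [pixels[i * side:(i + 1) * side] for i in range(side)]


if __name__ == "__main__":
    vocab, lo, hi = fit(TRAIN)
    for name, row in (("train[0]", TRAIN[0]), ("unseen", UNSEEN)):
        print(name, to_image(row, vocab, lo, hi))
```

With all 41 features the same function yields a 7x7 image (49 pixels, 8 of them padding), which is the input a small 2D convolutional layer would receive.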
Fig.2 Flowchart for IDS using CNN

The optimal CNN model is then created by layer grouping and modelling attributes like size of kernel, number of kernels and dropout ratio [13]. The CNN layers are shown in Figure 3.

Fig.3 CNN layers

The usual range of kernels is 16 to 64, and every kernel acts as a filter, producing a feature map that represents distinctive. The combined properties produced from convolution kernels of various dimensions can send more feature information. Kernel size indicates the size of the convolutional filter; as the size decreases, the level of information captured declines as well. Pooling layers are used to reduce spatial dimensions, and their typical size is 2*2. It describes noise that is specifically eliminated from the neural network in order to improve the rate of processing. All the elements are carefully chosen in order to achieve better performance in IDS. The modelling factors are shown in Table 1.

Table 1 Modelling Elements

B. Recurrent Neural Networks (RNN)

RNN is a form of ANN that can analyze linear or time-series data. RNNs are known as deep neural networks because of how they manage data over many different levels. They are not restricted to processing information in one particular direction. RNNs can loop over many different layers and temporarily retain data for later use. Figure 4 depicts the generation of a standard RNN (sRNN) or Simple RNN with the input and output. NN stands for a conventional neural network, hp is the input, and Xp is the output.

Fig.4 A standard RNN

The forward-backward propagation (FFP) strategy is used to train the sRNN model and is shown in Figure 5. Like other learning algorithms, the RNN also uses a training dataset to learn. RNN uses data from previous inputs to affect the current input and outcomes. An RNN's output is determined by the components that come before it in the sequence. RNNs share parameters throughout each layer of the network, and each node shares the same weight parameter inside each layer [14].

Fig.5 Recurrent Neural networks

A feed-forward neural network is made up of three layers: input, one or more hidden layers, and output. The outcome of a node in the network is calculated by adding a weight matrix to its inputs and employing an activation function. The network is trained using the back propagation technique. This necessitates evaluating gradients for all the weights in the neural network and changing them in order to generate the expected results. RNNs have backward linkage,

which implies that the outcome of the previous layer is transmitted back into the layer above it in the network. RNNs preserve context by referring to values from a previous time step in the present time step [14]. Figure 6 depicts the RNN for IDS.

Fig.6 RNN for IDS

IV. RESULTS AND DISCUSSION

The models used in the present study were implemented using the TensorFlow library in Python, and experiments were carried out in Google Colaboratory. The NSL-KDD and KDDcup99 datasets were employed to assess the models using evaluation metrics like detection accuracy, precision and F1-score [15]. Real-time data can also be used by analysing the packets with suspicious patterns and classifying them accordingly in a database.

Accuracy: The percentage of total number of correct predictions. It represents how well the prediction model matches the actual results, which ultimately determines if any data-driven solution is successful.

$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \qquad \text{(Eq-1)}$$

Where TP is true positives, TN is true negatives, FP is false positives and FN is false negatives. These values are derived from the confusion matrix that provides positive and negative class.

Precision: The percentage of true positives that are successfully detected. It is one measure of the effectiveness of a machine learning model and the caliber of a successful prediction the model makes. It displays the frequency with which an ML model predicts the target class correctly.

$$\text{Precision} = \frac{TP}{TP + FP} \qquad \text{(Eq-2)}$$

F1-score: The harmonic mean of the precision and recall. Because it considers both false positive and false negative errors in addition to the total number of incorrect predictions, the F1 score is a valuable metric for evaluating the performance of classification models in cases of imbalanced data. This is important in fields such as fraud prevention and other [16].

$$\text{F1-Score} = \frac{2 \cdot \text{precision} \cdot \text{recall}}{\text{precision} + \text{recall}} \qquad \text{(Eq-3)}$$

Tables 1 and 2 show the experimental results of the performance metrics using the NSL-KDD and KDDcup99 datasets respectively.

TABLE-1 PERFORMANCE METRICS – DATASET-1

DL Technique    Detection accuracy    Precision    F1-Score
CNN             78%                   76%          86%
RNN             82%                   79%          88%

TABLE-2 PERFORMANCE METRICS – DATASET-2

DL Method       Accuracy              Precision    F1-Score
CNN             76.5%                 75%          82%
RNN             80.6%                 79%          86.5%

Fig 4.1 a) Metrics for NSL dataset b) KDD dataset

The evaluation results show that the RNN is superior to CNN, as shown in Figure 4.1(a) and (b). Furthermore, the measures will differ according to the characteristics employed in the computation of measures. RNN is a dynamic neural network that is computationally powerful, making it useful in temporal processing models. It processes inputs of any length and shares weights across time steps to enhance the efficiency of training. At the same time, RNN needs a vast collection of training data to arrive at optimal performance, and it is slower than other neural networks. On the other hand, CNN is mostly used to handle image data for feature identification. It is computationally expensive and requires lots of memory. One important hyperparameter that impacts the accuracy of the model is the number of training

epochs. Underfitting can occur when the number of epochs is set too low, which prevents the model from having enough training time to identify the intricate patterns in the data. Moreover, the efficiency of the IDS is enhanced using correct attribute selection techniques from the dataset, as well as by adjusting the IDS placement. To give better visibility, it should ideally be positioned behind the firewall on the network's edge.

V. CONCLUSION

Anomaly-based ML algorithms are more efficient at identifying anomalies than traditional approaches. The two DL-based approaches, CNN and RNN, were studied, and the efficacy of those methods was analysed using the performance metrics. The studies found in the literature show that RNN-LSTM performs better than RNN. The performance of RNN-LSTM and CNN-LSTM can be studied further. Based on the increasing frequency of anomalies of all kinds in the cyber domain, a combination of methodologies is always the best option when developing any IDS.

REFERENCES

[1] Liu, Hongyu, and Bo Lang. "Machine Learning and Deep Learning Methods for Intrusion Detection Systems: A Survey." Applied Sciences 9, no. 20 (2019): 4396. https://doi.org/10.3390/app9204396
[2] Kocher, Geeta, and Gulshan Kumar. "Machine learning and deep learning methods for intrusion detection systems: recent developments and challenges." Soft Computing 25, no. 15 (2021): 9731-9763.
[3] Mohammad, Rasheed, Faisal Saeed, Abdulwahab Ali Almazroi, Faisal S. Alsubaei, and Abdulaleem Ali Almazroi. "Enhancing Intrusion Detection Systems Using a Deep Learning and Data Augmentation Approach." Systems 12, no. 3 (2024): 79.
[4] Kimanzi, Richard, Peter Kimanga, Dedan Cherori, and Patrick K. Gikunda. "Deep Learning Algorithms Used in Intrusion Detection Systems--A Review." arXiv preprint arXiv:2402.17020 (2024).
[5] Psychogyios, Konstantinos, Andreas Papadakis, Stavroula Bourou, Nikolaos Nikolaou, Apostolos Maniatis, and Theodore Zahariadis. "Deep Learning for Intrusion Detection Systems (IDSs) in Time Series Data." Future Internet 16, no. 3 (2024): 73.
[6] Sharma, Bhawana, Lokesh Sharma, Chhagan Lal, and Satyabrata Roy. "Explainable artificial intelligence for intrusion detection in IoT networks: A deep learning based approach." Expert Systems with Applications 238 (2024): 121751.
[7] Aljehane, Nojood O., Hanan Abdullah Mengash, Majdy M. Eltahir, Faiz Abdullah Alotaibi, Sumayh S. Aljameel, Ayman Yafoz, Raed Alsini, and Mohammed Assiri. "Golden jackal optimization algorithm with deep learning assisted intrusion detection system for network security." Alexandria Engineering Journal 86 (2024): 415-424.
[8] Osa, Edosa, Patience E. Orukpe, and Usiholo Iruansi. "Design and implementation of a deep neural network approach for intrusion detection systems." e-Prime-Advances in Electrical Engineering, Electronics and Energy 7 (2024): 100434.
[9] Devendiran, Ramkumar, and Anil V. Turukmane. "Dugat-LSTM: Deep learning based network intrusion detection system using chaotic optimization strategy." Expert Systems with Applications 245 (2024): 123027.
[10] Yuan, Xinwei, Shu Han, Wei Huang, Hongliang Ye, Xianglong Kong, and Fan Zhang. "A simple framework to enhance the adversarial robustness of deep learning-based intrusion detection system." Computers & Security 137 (2024): 103644.
[11] Al-Turaiki, Isra, and Najwa Altwaijry. "A convolutional neural network for improved anomaly-based network intrusion detection." Big Data 9, no. 3 (2021): 233-252.
[12] Kim, Jiyeon, Yulim Shin, and Eunjung Choi. "An intrusion detection model based on a convolutional neural network." Journal of Multimedia Information System 6, no. 4 (2019): 165-172.
[13] Kasongo, Sydney Mambwe. "A deep learning technique for intrusion detection system using a Recurrent Neural Networks based framework." Computer Communications 199 (2023): 113-125.
[14] Ibrahim, Mariam, and Ruba Elhafiz. "Modeling an intrusion detection using recurrent neural networks." Journal of Engineering Research 11, no. 1 (2023): 100013.
[15] Kethineni, Keerthi, and G. Pradeepini. "Intrusion detection in internet of things-based smart farming using hybrid deep learning framework." Cluster Computing 27, no. 2 (2024): 1719-1732.
[16] Shanthi, K., and R. Maruthi. "Machine Learning Approach for Anomaly-Based Intrusion Detection Systems Using Isolation Forest Model and Support Vector Machine." (2023): 136-139. 10.1109/ICIRCA57980.2023.10220620.
