Received 8 November 2023, accepted 30 November 2023, date of publication 7 December 2023,

date of current version 13 December 2023.

Digital Object Identifier 10.1109/ACCESS.2023.3340142

CNN-BiLSTM: A Hybrid Deep Learning Approach

for Network Intrusion Detection System
in Software-Defined Networking With
Hybrid Feature Selection
RACHID BEN SAID 1, ZAKARIA SABIR 2, AND IMAN ASKERZADE 1
1 Departmentof Computer Engineering, Ankara University, 06830 Ankara, Turkey
2 ILM Department, National School of Applied Sciences (ENSA), Ibn Tofail University, Kenitra 14000, Morocco

Corresponding author: Rachid Ben Said ([email protected])

This work was supported in part by TÜBİTAK ULAKBİM High Performance, Grid Computing Centre.

ABSTRACT A Software-Defined Network (SDN) was designed to simplify network management by

allowing the control and management of the entire network from a single place. SDN is commonly used
in today’s data center network infrastructure, but new forms of threats such as Distributed Denial-of-Service
(DDoS), web attacks, and the U2R (User to Root) attack are significant issues that might restrict the
widespread adoption of SDNs. Intruders are attractive to SDN controllers because they are valuable targets.
An SDN controller can be hijacked by an attacker and used to route traffic in accordance with its own
needs, resulting in catastrophic consequences for the whole network. While the unified vision of SDN and
deep learning methods opens new possibilities for the security of IDS deployment, the effectiveness of the
detection models is dependent on the quality of the training datasets. Even though deep learning for NIDSs
has lately shown promising results for a number of issues, the majority of the studies overlooked the impact
of data redundancy and an unbalanced dataset. As a consequence, this may adversely affect the resilience
of the anomaly detection system, resulting in a suboptimal model performance. In this study, we created a
hybrid Convolutional Neural Network (CNN) and bidirectional long short-term memory (BiLSTM) network
to enhance network intrusion detection using binary and multiclass classification. The effectiveness of
the proposed model was tested and assessed using the most frequently used datasets (UNSW-NB15 and
NSL-KDD). In addition, we used the InSDN dataset, which is specifically dedicated to SDN. The outcomes
demonstrate the efficiency of the proposed model in achieving high accuracy and requiring less training time.

INDEX TERMS Network intrusion detection system (NIDS), software-defined networking (SDN), CNN-
BiLSTM, deep learning.

I. INTRODUCTION the OpenFlow protocol maintained by the Open Network-

Software-defined networking (SDN) is the result of ear- ing Foundation (ONF), a nonprofit industry consortium that
lier proposals that were mainly concerned with both pro- offers support and ensures various improvements in the SDN
grammable networks and control-data plane separation [1]. field [2], [3]. Even though SDN has many advantages, there
In the SDN paradigm, the controller, which represents a may be security issues which have to be assured in order to be
logically centralized controlling point, successfully manages widely used. When a security breach occurs in a traditional
and gathers flow-based statistics via a protocol such as network, the harm is restricted mostly to a single node or seg-
ment; however, an intrusion on an SDN controller might have
The associate editor coordinating the review of this manuscript and far-reaching impacts on the entire network. In the situation
approving it for publication was Filbert Juwono . that the controller is taken down by an attacker, the network

2023 The Authors. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License.
138732 For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/ VOLUME 11, 2023
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
may be vulnerable to failures. In addition, an attacker may
inundate the network with hazardous cyber-attacks, such as
Distributed Denial of Service (DDoS) and Denial of Service
(DoS) attacks. As a result, genuine queries may be refused
due to the heavy consumption of channel bandwidth and
network resources [4].
The dynamic and configurable nature of SDN may increase
the false detection of attacks. An SDN controller may be
hijacked by an attacker and used to route traffic according
to its own needs, resulting in consequences for the whole
network. Although IDS is a legitimate way to make sure
a network is safe and can detect and stop intrusions, it is
not directly clear whether SDN’s more complicated flow
management may increase the chances of service failures.
Although the purpose of an IDS is to monitor network traffic
and warn the administrator of any malicious threats in the
network, the particularities of SDN may raise exposure to
sophisticated cyber-attacks, which has led to concerns about
developing innovative IDS approaches to secure SDN, protect
user communication [5], and reveal new security problems
that appear.
Feature selection is becoming an important phase of the
preparation for network classification problems. The selec-
tion of features helps us reduce and remove irrelevant and
redundant features from the main database that have no
impact on the classification results. The method of enabling
feature selection selects a subset of the original dataset
with some criteria that contain the properties of the original
dataset. According to Kantardzic [6], classification improves
when the features of large datasets are reduced by using basic
techniques. There are two types of feature selection algo-
rithms: filter-based and wrapper-based. Filter methods are
computationally efficient, have fast processing speeds, and
are less likely to be overadjusted [7]. Common methods for
filter selection include ANOVA, Chi-square, and Pearson’s
correlation. On the other hand, wrapper methods provide
the best subset of relevant functions, but they require more
computational time, which decreases system performance.
Recursive selection, forward selection, and backward elim-
ination are commonly employed by wrappers. As network
traffic increases, intrusion detection systems face problems
in terms of data dimensions and complexity.
One of the proposed solutions for improving NIDS (net-
work intrusion detection system (NIDS) monitoring is to
use Deep Learning (DL) models. While the unified vision
of SDN and deep learning methods opens new possibilities
for the security of IDS deployment, the effectiveness of the
detection method is dependent on the quality of the training
datasets. Even though deep learning for NIDSs has lately
shown promising results for a number of issues, the majority
of the studies overlooked the impact of data redundancy and
an unbalanced dataset. As a consequence, this may adversely
affect the resilience of the anomaly detection system, result-
ing in a suboptimal model performance.
Our model aims to enhance SDN security by employing
a convolutional neural network–bidirectional long short-term
VOLUME 11, 2023
memory (CNN–BiLSTM) hybrid algorithm. The previous
DL models required a high number of training parameters
to be effective. Forcing the model to use a large number of
parameters may slow down its training phase and increase its
computational cost. As a result, it adds extra computing over-
head to the SDN architecture. Our approach suggests using
deep learning over SDN to optimize NIDS deployment. The
NIDS implementation of the SDN controller features a deep
learning approach for network monitoring. To better identify
anomalies, this study proposes the use of tree-based deep-
learning approaches. Ten features were used in a multi-class
classification to determine whether or not an intrusion has
occurred and to classify the kind of intrusion. In comparison
with other studies, previous works have used deep learning
algorithms in NIDS to secure SDN, such as [8] and [9].
However, they only used general datasets, such as NSL-KDD
and UNSW-NB15, which are not dedicated to SDN. Other
authors [10] used the InSDN dataset, but their model
employed CNN-LSTM, which is considered weak compared
to the CNN-BiLSTM model. This model used BiLSTM,
which has different sequences. As each sequence of BiLSTM
moves forward and backward, it has two LSTM layers. This
compensates for the absence of contextual semantic infor-
mation in LSTM. Each single time in the input sequence
of the output layer is covered by a bidirectional structure,
which provides information about both the past and future.
The BiLSTM Networks employed in our model were used
to better find LSTM dependent features and improve the
accuracy of classification [11].
The major contributions of this paper are flowing:
• We propose an approach that includes a hybrid model
combining a convolutional neural network (CNN) with
Bidirectional Long Short-Term Memory (BiLSTM).
We used the L2 regularizer and dropout (0.5) techniques
in the training model. Our hybrid CNN-BiLSTM model
achieved high classification performance.
• Numerous experiments were conducted to validate the
performance of the proposed hybrid model for multi-
class and binary classifications. Additionally, we bal-
anced the datasets using random oversampling, after that
we used a random forest classifier and recursive fea-
ture elimination algorithm to select the highly important
features so that the proposed model could train those
features with high performance. Each experiment was
validated by using the InSDN dataset.
• The efficiency of the proposed model was verified
using two distinct benchmark datasets: NSL-KDD and
UNSW-NB15.
• The efficacy and performance of suggested deep learn-
ing algorithms were tested using a set of measures
including accuracy, recall, F1-score, precision, and
training time. The findings indicate that our model out-
performs the CNN, AlexNet, LeNet5, and CNN-LSTM
models for the majority of the evaluation measures.
The remainder of this paper is organized into four sections.
Section II outlines several related works concerning network
138733

intrusion detection. The proposed method is presented in
detail in Section III. Section IV is devoted to the presentation
of the experimental results as well as the analysis achieved
on the dataset. Section V summarizes the results of this study
and discusses future work.
II. RELATED WORK
Deep Learning is a subfield of machine learning that has been
used successfully in a variety of research areas such as image
processing, face recognition and natural language processing.
Recently, various deep learning methods have been evaluated
in NIDS research; specifically, CNN and LSTM models have
been experimented with because of their potential ability to
represent contextual and sequence or temporal information,
respectively, in the training datasets.
Elsayed et al. developed a hybrid intrusion detection sys-
tem that combines CNNs and LSTMs. The proposed model
can capture both the spatial and temporal features of the net-
work traffic. In this study, the authors used two regularization
techniques, L2 regularization and dropout, to deal with the
overfitting problem [8]. The authors used a recently published
novel dataset of NIDS in SDN (InSDN) [12]. The proposed
model improves the intrusion detection performance for zero-
day attacks, and the results achieved by this model can reach
96.32% accuracy.
Kaiyuan et al. proposed a network intrusion detection
algorithm that combines hybrid sampling with deep hier-
archical networks, that is, CNN and BiLSTM. In the first
stage, they used One-Side Selection (OSS) to reduce the
noise samples in the majority category and then increased the
minority samples using the synthetic minority oversampling
technique (SMOTE) [9]. Using this hybrid technique, they
balanced the dataset so that the model could learn features
of minority samples and greatly reduce the model training
time. In the second stage, they used a CNN to extract spatial
features and a BiLSTM to extract temporal features. By using
this method, the proposed model achieved good classification
accuracy in two datasets, NSL-KDD and UNSW-NB15, with
83.58% and 77.16%, respectively. However, this study did not
deal with NIDS in SDN.
On the other hand, the incorporation of data preprocessing
methods with machine learning, such as data reduction, data
augmentation, and feature selection, into SDN has received
interest. In [10], a method was suggested to address the diffi-
culties in the KDD Cup 99 dataset by conducting large-scale
experimental research with the NSL-KDD dataset to achieve
high accuracy in intrusion detection. The experiment was
carried out on five effective machine learning algorithms
(Naïve Bayes, CART, RF, SVM, and J48). The correlation
feature selection approach was applied to minimize the fea-
ture complexity, providing only 13 features in the NSL-KDD
dataset.
In TSDL [13], a deep neural network model with two
stages was constructed and suggested for NIDS, employing
a piled auto-encoder combined with SoftMax in the output
layer as a classifier. TSDL was created and developed to
138734
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
identify attacks using multiclass classification. Down-
sampling and several pre-processing techniques have been
used on various datasets to increase the detection rate and
monitoring effectiveness. The UNSW-NB15 detection accu-
racy was 89.134 %. In this study, UNSW-NB15 was the only
dataset used to verify the effectiveness of the proposed model
and did not treat the network intrusion detection systems in
the SDN case.
Authors of [14] suggested many neural network models
for NIDS, including seq2seq structures using LSTM (Long-
Short-Term-Memory), variational auto-encoder, and fully
connected networks. Several datasets, including NSL-KDD,
KYOTO-HONEYPOT, MAWILAB, and UNSWNB15, were
used to create and execute the suggested technique to dis-
tinguish between malicious and legitimate packets in the
network. Different preprocessing methods have been utilized,
such as normalization and one-hot encoding, to prepare data,
smooth training, feature manipulation, and selection in neural
networks. These parameters are intended but are not limited
to allowing neural networks to learn complicated characteris-
tics from the diverse scope of a packet.
A deep neural network architecture [15] was built on
the KDD cup99 to check intrusion attempts using four hid-
den layers. Data preparation and decreased data usage were
achieved using feature scaling and encoding. For several
datasets, more than 50 characteristics were utilized to com-
plete this assignment. Therefore, advanced hardware GPUs
were employed to handle such a large number of character-
istics while reducing the training time. Although the authors
obtained a high accuracy, the NIDS in SDN was not the focus
of their study.
Tang et al. [16] used a Deep Neural Network (DNN) to
detect flow-based anomalies in SDN. To reduce the compu-
tational cost of attack detection, only six main characteristics
from the NSL-KDD database were used. The structure of
the DNN model consists of three hidden layers, each with
12, 6, and 3 neurons. The suggested model has a global
accuracy of 75%, which is less than the threshold required
for real-world environment implementations. Using the same
NSL-KDD database, the authors improved their suggested
model using a Gated Recurrent Unit (GRU) to achieve better
accuracy [17]. The upgraded model detection rate increased
to 89%. Although the authors improved their model, they
did not use feature selection, which may have significantly
enhanced the obtained results. Table 1 summarizes and com-
pares the most important studies on this topic.
The earlier DL models, on the other hand, needed an
enormous number of training parameters (as all neighbor-
ing layers are entirely linked together). Using a significant
number of parameters may hold back the training phase
and increase the computing charge of the detection model.
As a result, in an SDN architecture, it adds unnecessary
computational load. By employing deep learning over SDN,
the suggested approach improves NIDS implementation.
It incorporates a deep learning technique for network moni-
toring into the SDN controller’s NIDS implementation. In this
VOLUME 11, 2023
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach

TABLE 1. Different deep learning and machine learning techniques for NIDS in traditional networks and SDNs.

VOLUME 11, 2023 138735


research, improved deep learning methods for anomaly detec-
tion were suggested. We employed ten features to perform a
multi-class classification that involves identifying whether or
not there is an intrusion and categorizing the kind of intrusion.
III. METHODS AND TOOLS USED IN EXPERIMENT
Each component in the NIDS structure and its purpose are
discussed and explained in this section. The NIDS is designed
as the SDN controller. The purpose of this study is to show
the usage of the SDN architecture as a network infrastructure
for a NIDS. Figure 1 depicts the architecture of NIDS in
SDN, which consists of three major components: Anomaly
Mitigator, Anomaly Detector and Flow Collector.
The Anomaly Mitigator can make flow choices based on
the results of the Anomaly Detector (e.g., forward or drop
the flow). The model was used as the core of the anomaly
detector. This module runs a trained model, gets network
information, and determines whether or not a flow is an
anomaly. A message or timer function triggers the flow
collector, which aggregates all flow statistics, including the
source and destination ports, and the source and destination
IP protocol. The Anomaly Detector module will get all aggre-
gated characteristics.
FIGURE 1. NIDS architecture in the SDN controller.
The SDN model, as can be seen in Figure 2, the architecture
of NIDS in SDN, which consists of three major components:
The application layer’s primary responsibility is to handle all
network management activities that may be carried out with
the help of a network intrusion detection system and an SDN
controller. The control layer is in charge of controlling activ-
ities and managing traffic data by initiating or terminating
every network flow. The infrastructure layer comprises two
major components: hardware and software, such as routers
and OpenFlow switches.
Figure 3 depicts the overall framework of the network
intrusion detection model in SDN, which includes these
approaches. First, we start with transformation and cleaning
that content normalization and numerical process. In addi-
tion, we balanced the dataset using random oversampling.
Subsequently, we performed feature selection using a ran-
dom forest classifier algorithm to obtain the highly important
138736
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
FIGURE 2. Architecture of NIDS in SDN.
features. Finally, we deployed the hybrid model in the training
and testing datasets to obtain multiclass classification results.
A. DATASET DESCRIPTION
The InSDN [12] dataset is widely regarded as one of the first
methods for generating a complete dataset for evaluating an
IDSs for SDNs. We used the attack collection dataset to verify
the performance of our model. The collection contains attacks
with properties that are unique to SDN networks. Choosing
an SDN-specific dataset is critical for conducting a thorough
evaluation of SDN-based threat-detection techniques. Utiliz-
ing non-specific SDN datasets might create a compatibility
issue because the attack vector implementation should con-
sider the new architecture of the network [34]. Furthermore,
certain attacks operate differently on SDN networks than
on traditional networks. For instance, an attacker may use
techniques like ‘‘IPsweep’’ and ‘‘Portscan’’ to flood the SDN
controller’s bandwidth with unknown packets, resulting in
a DDoS attack. Although the abovementioned attacks do
not qualify as DDoS by traditional definitions, they may be
utilized to produce a large number of data packets in an
SDN network. Numerous records were included in the InSDN
collection.
SDN-specific attacks are included in the InSDN dataset as
threats common to conventional networks, and SDN-specific
attacks on various forms of standard traffic. DoS, DDoS,
Probe, Botnet, Exploitation, Brute force, and web attacks are
among the several forms of attacks. In addition, various inter-
nal and external attack vectors were used to mimic real-world
attack scenarios. We split each of the three datasets into 70%
for training and 30% for testing.
Furthermore, we considered two other publicly accessible
intrusion detection datasets that have been frequently used in
various studies: NSL-KDD and UNSW-NB15. To see if our
proposed model produces generalizable results, we trained
and tested it on the NSL-KDD dataset, followed by the
UNSW-NB15 dataset.
VOLUME 11, 2023
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
FIGURE 3. Model of the overall framework of the proposed network intrusion detection method used in SDN.
The KDD CUP99 and the NSL-KDD are well-known
datasets in the context of network intrusion detection, and
Revathi’s research demonstrates that the NSL-KDD datasets
are ideal for evaluating different intrusion detection algo-
rithms [13]. Each incursion record in this dataset includes a
42-dimensional feature that is subdivided into a traffic-type
label, 3-dimensional symbol feature, and 38-dimensional
digital feature. The label mostly comprises normal data as
well as the data of four categories of attack (R2L, DoS,
U2R, and Probe). In this study’s experiments, the test set
(KDDTest) and training set (KDDTrain) from the NSL-KDD
dataset were utilized as the model’s test and training sets,
respectively.
The Australian Centre for Cyber Security research team
has produced a dataset containing the most recent updates
named the UNSW-NB15 dataset [35] to address the concerns
detected in the NSL-KDD and KDDCup 99 datasets. A full
connection record partition comprised 82337 test connec-
tion records and 175343 train connection records linked by
10 attacks. The partitioned dataset included 42 characteristics
with parallel-class labels that were typical and nine distinct
intrusions.
B. DATA PREPROCESSING
The process of data processing, which is referred to as data
engineering, is crucial for the success of the learning pro-
cess. It involves various procedures such as column and row
cleaning, feature encoding, and data normalization, which are
used to preprocess the data to ensure that they are adequately
prepared for analysis. All these procedures were applied to
all datasets. This subsection discusses the details of these
procedures as follows.
1) DROP ROWS AND MISSING VALUES
To ensure data integrity, all rows were inspected thoroughly
to detect missing values. This process is a standard practice
VOLUME 11, 2023
in data preparation, as the ‘‘id’’ column typically contains no
significant data. Eliminating the ‘‘id’’ column allows for a
focus on examining only essential features.
2) CATGEORICAL LABELENCODER ENCONDING
The process of categorical transformation holds significance
in enhancing the learning capacity of classifiers that are
designed to handle only numerical data. Specifically, in the
context of the InSDN dataset, attributes like ‘‘proto,’’ ‘‘ser-
vice,’’ and ‘‘state’’ encompass categorical information that
has been converted into numeric representations.
We have opted to employ the LabelEncoder technique for
encoding purposes [36]. This choice is well suited for the
InSDN dataset because it assigns a distinct numerical label to
each unique categorical value. This transformation enables
the classifier to comprehend and derive insights from the
encoded labels. While LabelEncoder differs from OneHotEn-
coder in that it does not generate distinct binary columns,
it nonetheless preserves the categorical characteristics of the
feature [37].
3) BALANCING THE DATASET
Among the several oversampling methods available, ran-
dom oversampling is the simplest method for balancing an
unbalanced dataset. It provides data parity by duplicating
the minority class samples. This does not result in any
information loss; however, the dataset is susceptible to over-
fitting because identical information is duplicated. In this
study, we used random oversampling to deal with imbalanced
datasets.
4) HYBRID FEATURE SELECTION
Data were gathered from network packets to identify intru-
sions. As a result, manually classifying the huge quantity of
network data gathered by the system is a time-consuming
operation. Apart from gathering network data, evaluating it
138737

FIGURE 4. High importance of the features.
is a complicated process due to the number of behavioral
patterns and attributes included in the data. To protect the net-
work from attacks, real-time intrusion detection is necessary,
which may be accomplished by mining accessible datasets
for key characteristics. The reduced collection of features
can significantly improve the intrusion detection rate [38].
The selection of features may be accomplished in a variety
of ways. For example, filtering data that are unnecessary
to the detection process in order to categorize the attacks,
clustering data based on their similarity in order to uncover
hidden patterns in the data for classification and deleting
irrelevant features from the feature set using feature selection
techniques.
We used a random forest classifier algorithm to select the
high important features because it is a very accurate algorithm
that performs well on massive datasets [39]. Random Forests
(RF) is a classifier composed of several decision trees. It is
a mixture of classification trees so that each tree is reliant
on the values of a random vector selected randomly for all
trees in the forest and having the same distribution [40].
When new records are received as input, the RF stores them
in forest trees. Each tree provides a categorization, and the
forest selects the class in which the majority of trees fall [40].
From the results of the RF classifier, we selected 10 features
using Recursive Feature Elimination (RFE) because of the
high accuracy achieved after different attempts while training
our proposed model using different sets of selected features.
Figure 4 shows the importance of each feature and Table 2
shows the feature name and the descriptions of the 10 selected
features.
138738
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
5) NORMALIZATION PROCESSING
The calculated value scope of continuous feature data in the
InSDN dataset is noticeably different; in the dataset, the value
scope of logged-in is [0,39], whereas the value scope of num
compromised is [0,27]. As a result, the maximum value scope
varies greatly. To make arithmetic calculations and dimension
removal easier, the normalization processing approach is used
to consistently and straightly map the value scope of each
feature within the [0,1] interval. The normalization equation’s
formula (1) is as follows:
X − Xmin
Xnorm = (1)
Xmax − Xmin
where Xnorm represents feature normalzed, Xmax is the maxi-
mal feature’s value and Xmin is the minimal value.
6) NUMERICAL PROCESSING
Because the model input is a digital matrix, a hot encoding
approach was utilized. The utility of this approach is to align
the data in the dataset with the symbol features to a digital
feature vector.
7) GENERATING A MATRIX USING NORMALIZED DATA
Each network of usable data was recorded and dimension-
ally converted to correspond to a grayscale image format.
For example, RGB = 1 is the default; to enter the convolu-
tional neural network (CNN), the network data are reformed
into a matrix; for example, 100 feature vectors are reformed
into a 10 × 10 matrix.
VOLUME 11, 2023
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
TABLE 2. Selected 10 features with their description.
IV. THE PROPOSED NETWORK INTRUSION DETECTION
MODEL
DL is an instance of ML. Using neural networks with
multiple hidden layers, the input and output layers of the
models are constructed. Each input layer node receives
metadata as input and processes the data through the hid-
den layers of the nonlinear transformation of the input
data using training adjusted weights to compute the
output.
One of the major purposes of Deep Learning is that it does
not require the feature extraction phase. Precisely, instead of
manually selecting and extracting features, Deep Learning
learns the deep structure from the original data and extracts
the features automatically.
However, the redundancy of noisy features and the huge
amount of data in addition to the poor classification algorithm
of deep learning cause the degradation of the accuracy of
detection in the NIDS (Network Intrusion Detection Sys-
tem) [39]. Therefore, in our proposed model, we used the
RF classifier algorithm and RFE to select the optimal feature
subset, as well as deep learning to ensemble the output of
the multi-classifier. As a result, the accuracy of intrusion
detection was improved effectively.
A. CONVOLUTIONAL NEURAL NETWORKS (CNN)
A CNN is a supervised learning approach and is one of the
fundamental models often used in computer vision. The CNN
can accelerate the training process because it resolves the
parameter explosion problem by developing a weight-sharing
VOLUME 11, 2023
principle. It’s been utilized in a variety of scenarios, including
image processing and face reorganization. The CNN archi-
tecture is made up of three essential parts: a pooling layer,
a convolution layer, and a’’ fully connected’’ layer. The linear
operation is applied via shifting the filter (kernel) of a given
size through the outcome of the preceding layer; this is done
in the convolution layer. The rectified linear unit (ReLU)
activation function is the most widely used activation func-
tion in convolutional neural networks (CNNs) to introduce
nonlinearity and set all negative values in the feature map to
zero. A convolutional neural network (CNN) may consist of
multiple convolution layers, with the initial layer specifically
designed to extract basic features such as corners and edges.
The ensuing levels are used for complicated feature extrac-
tions, and the pooling layer is used to minimize the feature
size, thus lowering the computing costs. The last completely
linked layer is utilized for classification goals.
B. BIDIRECTIONAL LONG-SHORT TERM MEMORY
(BiLSTM)
A Recurrent Neural Network (RNN) is a type of neural
network designed for sequential data processing. However,
it exhibits instability due to challenges related to gradient van-
ishing and exploding. HochReiter et al. used Long Short-term
memory based on RNN [41]. The difficulties of gradient
disappearance and gradient explosion in the RNN training
process were successfully solved by adding the gate mech-
anism and memory unit.
In contrast to LSTM, bidirectional long-short term memory
allows information to move on both sides; forward to back-
ward and backward to forward employing two hidden states,
this can aid BiLSTM to learn the context. With the help of
these two-way directions, incoming data from both the future
and the past will be kept. In the backward, the LSTM state is
used to acquire previous information. This architecture aids
the network in retaining previous and subsequent informa-
tion. In Bi-LSTM, the first layer’s sequence output is the
second layer’s input, while the second layer’s sequence output
is the concatenation of the final unit output of the forward and
backward layers. The final result of the piled BiLSTM layers
is given by h:
h= [hforward , hbackward ] (2)
C. THE PROPOSED MODEL
1) EXPERIMENT SETUP
In the experiment, we used the Truba platform from
TUBITAK ULAKBIM. As the backend, TensorFlow is under
the Jupyter Notebook, encoded with Python and Keras. The
experimental setup is illustrated in Table 3.
2) BUILDING THE HYBRID MODEL
This section describes the architecture of the CNN-BiLSTM
hybrid model for learning and classifying network data in
time and space. Figure 5 depicts the overall network archi-
tecture, which was divided into three phases. The first phase
138739

FIGURE 5. Architecture of the CNN-BiLSTM model.
TABLE 3. Experimental setup for model training.
consists of feature selection, as explained above, while the
second and third phases are responsible for extracting and
deriving data, respectively. Both CNN and BiLSTM are
well-known deep learning algorithms. CNNs are capable of
extracting spatial dimensional information from data. BiL-
STM is unique in that it retains contextual background data
for an extended period of time and enables the derivation of
data characteristics at the temporal level. It is vital to examine
the feature link at the spatial level while extracting features
138740
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
from a network intrusion detection system. As a result, this
model integrates CNN and BiLSTM to extract features and
then builds a hybrid model.
Due to the fact that the CNN and BiLSTM mechanism
inputs have different formats, the derived spatial features
are changed at the CNN output to conform to the BiLSTM
network’s input format. In our case, the completely linked
layer of the CNN produced 1 × 128, 1 × 64, and 1 × 32
feature vectors as the output. When applied to the input layer
of the BiLSTM model, the input value is fixed at 70. One
layer of BiLSTM units was used to extract temporal features.
Three convolution layers were created using kernels sizes of
5,3 and 5. Each convolution layer is a Max Pooling layer
with a size of 2 × 2 to minimize the dimensionality of the
batch normalization and map features. The high-dimensional
characteristics extracted in the CNN stage are passed to the
next stage, which has three layers: a fully connected layer,
a BiLSTM layer, and an output layer. In both the BiLSTM and
fully connected layers, there were 10 neurons for multiclass
classification and one neuron for binary-class classification.
Finally, at the output, the sigmoid layer was employed to
represent the likelihood of each input flow for classification
purposes.
We employed the L2 Regularizer and dropout approaches
to mitigate the impact of overfitting and improve the detection
model’s capacity in unseen data. We ran multiple tests to
find the appropriate regularization hyperparameter λ given
the dropout technique’s probability values. The value of λ
is determined to 0.1 for the L2 Regularizer, and a dropout
with a probability P of 0.5 is employed after the following
pooling layer and the entirely connected layer, respectively.
VOLUME 11, 2023
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
TABLE 4. Hyperparameters settings.
We begin with a low dropout probability and progressively
increase it because a dropout might induce some errors inside
the learning model, and we want to limit the propagation of
this loss to the subsequent layers. We trained all the models
using k-fold cross-validation with 2-fold and 20 epochs for
each fold.
3) HYPER-PARAMETER SETTING
In some circumstances, the model may result in lower
accuracy or even overfitting or underfitting. Performing
hyperparameter adjustment is crucial for achieving high
model performance. For that reason, the randomized search
approach was utilized to refine the hyper-parameters and
improve accuracy. Table 4 shows the hyperparameter values
for the proposed model.
4) EVALUATION METRIC
The model was tested using a standard performance assess-
ment. The model’s accuracy, precision, recall, and f1-score
are the four principal indicators to evaluate. These four
indicators are basically derived from the four basic attribute
of the confusion matrix as follows:
a. True Positive (TP): indicates that attack data is correctly
classified as an attack.
b. True Negative (TN): indicate that normal data is cor-
rectly classified as normal.
VOLUME 11, 2023
c. False Positive (FP): indicate that normal data is incor-
rectly classified as an attack.
d. False Negative (FN): indicate that attack data is incor-
rectly classified as normal.
The evaluation indicators accuracy (3), Precision (4), Recall
(4) and F1-score (5) below are the principal indicators to
evaluate our model:
Accuracy(A):
TP + TN
A= (3)
TP + FP + TN + FN
Precision (p):
TP
p= (4)
TP + FP
Recall (r):
TP
r= (5)
TP + FN
F1-Score (f1):
2 (TP + FP) (TP + FN )
f1 = (6)
TP
V. EXPERIMENT RESULTS AND DISCUSSION
A. BINARY CLASS CLASSIFICATION RESULTS FOR ALL
DATASETS
Several deep learning and machine learning algorithms are
currently being used to detect network intrusions. In network
intrusion detection, random forests and standards convolu-
tional neural networks are widely used. As a result, the
algorithms in this paper are compared to the classic clas-
sification algorithms widely used in intrusion detection.
In this study, classification performance was compared using
AlexNet, LeNet5, CNN, and CNN-LSTM networks.
The suggested model was compared to numerous deep
learning models, including CNN, ALexNet, LeNet5, and
CNN-LSTM, according to the study with the optimal hyper-
parameter tuning. Additionally, it was tested in the InSDN,
UNSW-NB15, and NSL-KDD datasets. Table 5 and Figure 6
show the binary classification for each model in InSDN
dataset. The CNN-BiLSTM is determined to have the top
performance for binary classification across all evaluation
metrics. Our model has an average accuracy of 97.77 %.
The suggested model outperformed the previous models
i.e., CNN, AlexNet, LeNet5, and CNN-LSTM by 2.11 %,
31.19 %, 5.68 %, and 2.74 %. This illustrates the significance
and ability of CNN-BiLSTM for efficiently detecting anoma-
lies with the least number features.
We also conducted tests on the UNSW-NB15 and
NSL-KDD datasets to further validate the suggested tech-
nique in this research. Table 5 summarizes the experimental
findings. The classification performance of all classifiers is
between 84 and 95 %. In classification performance, the
approach described in this research outperformed AlexNet,
LeNet5, CNN, and CNN-LSTM by 8.13 %, 9.23 %, 9.04 %,
and 7.62 %, respectively, on the UNSW-NB15 dataset.
138741

TABLE 5. Binary classification results for all dataset and the running time.
FIGURE 6. Binary class classification results comparison on InSDN dataset.
It also outperformed the same models in NSL-KDD dataset
by 9.86 %, 9.94 %, 11.86%, and 3.71% respectively.
As illustrated in Table 5, among all classification mod-
els in the InSDN dataset, the CNN-BiLSTM produced
the best detection accuracy. CNN, AlexNet, LeNet-5,
CNN-LSTM, and CNN-BiLSTM take 421.15s, 1633.62s,
242.01s, 736.56s, and 978.42s of training time, respec-
tively. Although CNN-BiLSTM took more training time than
LetNet-5, this was tolerable in consideration of the much
higher accuracy. CNN-BiLSTM performed much better
than AlexNet.
B. MULTI-CLASS CLASSIFICATION RESULTS
1) RESULTS AND DISCUSSION ON INSDN DATASET
Table 6 provides detailed findings for multi-class classifica-
tion using several classifiers on the InSDN dataset. In terms
138742
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
of different metrics, the performance of various attacks varies
significantly amongst classifiers.
• The accuracy of different models was depicted by
figure7, and the Proposed CNN-BiLSTM model demon-
strates the highest accuracy among the models analyzed.
It outperforms the other models with an accuracy of
97.12%. The CNN-LSTM model follows closely with
an accuracy of 96.69%. LeNet5 and AlexNet models
achieved accuracies of 93.97% and 89.79% respec-
tively, while the CNN model had the lowest accuracy
at 85.94%.
• The recall of the models ranged from 50% to 100%. The
proposed CNN-BiLSTM model had the highest recall of
100% for the following classes: U2R, DDoS, DoS, R2L,
Botnet, Web Attack, and Normal. The CNN-LSTM
model had the highest recall of 90.18% for the class
VOLUME 11, 2023
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach

TABLE 6. Multi classification results on InSDN dataset.

FIGURE 7. Accuracy results of multi class classification on InSDN dataset

for different models.

BFA. For the precision of the models ranged from

13.43% to 100%. The Proposed CNN-BiLSTM model
had the highest precision of 100% for the class BFA. The
CNN-LSTM model had the highest precision of 92.42%
for the class U2R.
• Figure 8 shows the F1-score of all models that ranged
from 20.35% to 100%. The Proposed CNN-BiLSTM
model had the highest F1-score of 100% for the classes
U2R, DDoS, DoS, R2L, Botnet, Web Attack, and Nor-
mal. The CNN-LSTM model had the highest F1-score
of 91.89% for the class BFA.
Overall, the proposed CNN-BiLSTM model had the high-
est accuracy, recall, precision, and F1-score for most of
the classes. This suggests that the Proposed CNN-BiLSTM
model is the most accurate model for classifying network
attacks.
FIGURE 8. All models of multiclass classification on InSDN dataset were
scored using the F1 score metric.
2) RESULTS AND DISCUSSION ON NSL KDD DATASET
Table 6 shows the performance of different models on five
different classes of network traffic: U2R, R2L, Probe, DoS,
and Normal. The models are evaluated using different met-
rics, including accuracy, recall, precision, and F1-score.
Based on Figure 9 and Table 7, the proposed CNN-BiLSTM
model has the highest accuracy of 98.42%. It also has the

VOLUME 11, 2023 138743


TABLE 7. NSL KDD multi class classification results.
FIGURE 9. Accuracy results of multi class classification on the NSL-KDD
dataset for different models.
FIGURE 10. Accuracy results of multi class classification on UNSW-NB15
dataset for different models.
highest recall for all five classes of attacks, and the highest
precision for three of the five classes. The F1-score for the
proposed CNN-BiLSTM model is also the highest for all
138744
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
FIGURE 11. All models of multiclass classification on UNSW-NB15
dataset were scored using the F1 score metric.
five classes. The next best model is CNN-LSTM, which
has an accuracy of 98.38%. It has the highest recall for the
DoS class, and the highest precision for the Probe class. The
F1-score for CNN-LSTM is also the highest for the DoS
class. The other three models (CNN, AlexNet, and LeNet5)
have lower accuracy than the proposed CNN-BiLSTM and
CNN-LSTM models. However, they still have relatively high
accuracy, with all three models having an accuracy of at
least 97%. Overall, the proposed CNN-BiLSTM model is
the most accurate model for classifying network traffic. It has
VOLUME 11, 2023
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
TABLE 8. UNSW-NB15 multi class classification results.
TABLE 9. Average accuracy of the proposed model compared to other
models.
the highest accuracy, recall, precision, and F1-score for all
five classes of network traffic. The CNN-LSTM model is the
next best model, with slightly lower accuracy but still very
high performance. The other three models (CNN, AlexNet,
and LeNet5) have lower accuracy but still relatively high
performance.
3) RESULTS AND DISCUSSION ON UNSW-NB15 DATASET
Table 8 shows the performance of different models on an
attack detection task. The models are evaluated using dif-
ferent metrics, including accuracy, recall, precision, and
F1-score. The proposed CNN-BiLSTM model achieves the
VOLUME 11, 2023
highest accuracy of 84.23%. It also has the highest recall and
F1-score for most of the classes. This suggests that the pro-
posed model can effectively detect attack with high accuracy.
In Table 8 is a more detailed breakdown of the results for
UNSW-NB dataset for the proposed model:
• Figure 10 shown the accuracy of different models, the
proposed model has an accuracy of 84.23%, which is
higher than all of the other models.
• Recall: The proposed model has a recall of 49.29% for
backdoors, 54.95% for analysis, 68.69% for fuzzers,
86.08% for shellcode, 97.98% for reconnaissance,
93.4% for exploits, 79.31% for DoS, and 91.47% for
worms. This suggests that the proposed model is capable
of efficiently identifying a wide range of attacks.
• Precision: The proposed model has a precision of
49% for backdoors, 42.56% for analysis, 54.29% for
fuzzers, 66.83% for shellcode, 91.2% for reconnais-
sance, 75.45% for exploits, 72.31% for DoS, and
88.87% for worms. This implies that the proposed model
is not overfitting the data and is able to generalize to
unseen attack samples.
• Figure 11 shown the F1-score of all models for multi
class classification on UNSW-NB15, the proposed
model has an F1-score of 44.35% for backdoors, 42.18%
for analysis, 51.16% for fuzzers, 70.51% for shell-
code, 94.01% for reconnaissance, 81.82% for exploits,
74.88% for DoS, and 90.58% for worms. This suggests
that the proposed model can effectively detect most
types of attack with good accuracy and precision.
Overall, the results show that the proposed CNN-BiLSTM
model is a promising approach for attack detection. It can
effectively detect most types of attack with high accuracy and
precision.
138745

4) COMPARISON OF THE PROPOSED HYBRID MODEL WITH
DIFFERENT MODELS
An improved level of accuracy was achieved with the pro-
posed model. Based on Table 9, our model had an accuracy
of 98.42%, which was the highest among comparable studies.
VI. CONCLUSION
In this research, we propose a solution for network intrusion
detection based on CNN and BiLSTM. The suggested model
makes use of the integrity of CNN and BiLSTM to enhance
detection capacity across a variety of datasets. Additionally,
we demonstrated that our suggested technique outperformed
either a single CNN, LeNet5, AlexNet, or CNN-LSTM in
terms of training time and accuracy. Furthermore, by bal-
ancing the dataset using the random over sampling approach
and selecting features using a random forest classifier along
with the recursive feature elimination approach, the detec-
tion model’s performance was improved, indicating that the
hybrid model has a significant potential for usage in real-time
NIDS. In further work, we attempting to explore the potential
of transfer learning techniques to improve the performance
of our model. as well as to deploy the suggested model in
a real SDN system and evaluate its throughput and latency
performance.
ACKNOWLEDGMENT
The authors would like to thank their technical support team
for making it possible and for using the TRUBA HPC system
efficiently in this article.
REFERENCES
[1] Y. Jarraya, T. Madi, and M. Debbabi, ‘‘A survey and a layered
taxonomy of software-defined networking,’’ IEEE Commun.
Surveys Tuts., vol. 16, no. 4, pp. 1955–1980, 4th Quart., 2014, doi:
10.1109/COMST.2014.2320094.
[2] N. McKeown and T. Anderson, ‘‘OpenFlow: Enabling innovation in
campus networks,’’ SIGCOMM Comput. Commun. Rev., vol. 38, no. 2,
pp. 69–74, 2008.
[3] M. Latah and L. Toker, ‘‘An efficient flow-based multi-level hybrid intru-
sion detection system for software-defined networks,’’ CCF Trans. Netw.,
vol. 3, nos. 3–4, pp. 261–271, Dec. 2020, doi: 10.1007/s42045-020-00040-
z.
[4] M. S. ElSayed, N.-A. Le-Khac, M. A. Albahar, and A. Jurcut, ‘‘A novel
hybrid model for intrusion detection systems in SDNs based on CNN and a
new regularization technique,’’ J. Netw. Comput. Appl., vol. 191, Oct. 2021,
Art. no. 103160.
[5] N. Sultana, N. Chilamkurti, W. Peng, and R. Alhadad, ‘‘Survey on
SDN based network intrusion detection system using machine learn-
ing approaches,’’ Peer-Peer Netw. Appl., vol. 12, no. 2, pp. 493–501,
Mar. 2019, doi: 10.1007/s12083-017-0630-0.
[6] M. Kantardzic, Data Mining: Concepts, Models, Methods, and Algorithms.
Hoboken, NJ, USA: Wiley, 2011.
[7] I. Srba and M. Bieliková, ‘‘Encouragement of collaborative learning based
on dynamic groups,’’ in Proc. Eur. Conf. Technol. Enhanced Learn. Cham,
Switzerland: Springer, 2012, pp. 432–437.
[8] M. Abdallah, N. A. Le Khac, H. Jahromi, and A. D. Jurcut, ‘‘A hybrid
CNN-LSTM based approach for anomaly detection systems in SDNs,’’ in
Proc. 16th Int. Conf. Availability, Rel. Secur., Aug. 2021, pp. 1–12, doi:
10.1145/3465481.3469190.
[9] K. Jiang, W. Wang, A. Wang, and H. Wu, ‘‘Network intrusion detection
combined hybrid sampling with deep hierarchical network,’’ IEEE Access,
vol. 8, pp. 32464–32476, 2020.
[10] N. M. Jacob and M. Y. Wanjala, ‘‘A review of intrusion detection systems,’’
Global J. Comput. Sci. Inf. Technol. Res., vol. 5, no. 4, pp. 1–5, 2017.
138746
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
[11] L. Zhang, J. Huang, Y. Zhang, and G. Zhang, ‘‘Intrusion detection model
of CNN-BiLSTM algorithm based on mean control,’’ in Proc. IEEE 11th
Int. Conf. Softw. Eng. Service Sci. (ICSESS), Oct. 2020, pp. 22–27.
[12] M. S. Elsayed, N.-A. Le-Khac, and A. D. Jurcut, ‘‘InSDN: A novel SDN
intrusion dataset,’’ IEEE Access, vol. 8, pp. 165263–165284, 2020, doi:
10.1109/ACCESS.2020.3022633.
[13] S. Revathi and A. Malathi, ‘‘A detailed analysis on NSL-KDD dataset using
various machine learning techniques for intrusion detection,’’ Int. J. Eng.
Res. Technol., vol. 2, no. 12, pp. 1848–1853, 2013.
[14] F. A. Khan, A. Gumaei, A. Derhab, and A. Hussain, ‘‘A novel two-
stage deep learning model for efficient network intrusion detection,’’ IEEE
Access, vol. 7, pp. 30373–30385, 2019.
[15] R. K. Malaiya, D. Kwon, J. Kim, S. C. Suh, H. Kim, and I. Kim, ‘‘An empir-
ical evaluation of deep learning for network anomaly detection,’’ in Proc.
Int. Conf. Comput., Netw. Commun. (ICNC), Mar. 2018, pp. 893–898.
[16] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho,
‘‘Deep learning approach for network intrusion detection in software
defined networking,’’ in Proc. Int. Conf. Wireless Netw. Mobile Commun.
(WINCOM), Oct. 2016, pp. 258–263.
[17] S. Boukria and M. Guerroumi, ‘‘Intrusion detection system for SDN net-
work using deep learning approach,’’ in Proc. Int. Conf. Theor. Applicative
Aspects Comput. Sci. (ICTAACS), vol. 1, Dec. 2019, pp. 1–6.
[18] T. Bakhshi and B. Ghita, ‘‘Anomaly detection in encrypted internet traffic
using hybrid deep learning,’’ Secur. Commun. Netw., vol. 2021, pp. 1–16,
Sep. 2021.
[19] A. R. Narayanadoss, T. Truong-Huu, P. M. Mohan, and M. Gurusamy,
‘‘Crossfire attack detection using deep learning in software defined
ITS networks,’’ in Proc. IEEE 89th Veh. Technol. Conf. (VTC-Spring),
Apr. 2019, pp. 1–6.
[20] M. K. Prasath and B. Perumal, ‘‘A meta-heuristic Bayesian network clas-
sification for intrusion detection,’’ Int. J. Netw. Manage., vol. 29, no. 3,
p. e2047, May 2019.
[21] A. Dawoud, S. Shahristani, and C. Raun, ‘‘Deep learning and software-
defined networks: Towards secure IoT architecture,’’ Internet Things,
vols. 3–4, pp. 82–89, Oct. 2018.
[22] C. Song, Y. Park, K. Golani, Y. Kim, K. Bhatt, and K. Goswami, ‘‘Machine-
learning based threat-aware system in software defined networks,’’ in
Proc. 26th Int. Conf. Comput. Commun. Netw. (ICCCN), Jul. 2017,
pp. 1–9.
[23] A. Alshamrani, A. Chowdhary, S. Pisharody, D. Lu, and D. Huang,
‘‘A defense system for defeating DDoS attacks in SDN based networks,’’ in
Proc. 15th ACM Int. Symp. Mobility Manage. Wireless Access, Nov. 2017,
pp. 83–92.
[24] S. A. Mehdi, J. Khalid, and S. A. Khayam, ‘‘Revisiting traffic anomaly
detection using software defined networking,’’ in Proc. Int. Symp.
Recent Adv. Intrusion Detection, Menlo Park, CA, USA, Sep. 2011,
pp. 161–180.
[25] R. Sathya and R. Thangarajan, ‘‘Efficient anomaly detection and mitigation
in software defined networking environment,’’ in Proc. 2nd Int. Conf.
Electron. Commun. Syst. (ICECS), Feb. 2015, pp. 479–484.
[26] S. T. Selvi and K. Govindarajan, ‘‘DDoS detection and analysis in SDN-
based environment using support vector machine classifier,’’ in Proc. 6th
Int. Conf. Adv. Comput. (ICoAC), Dec. 2014, pp. 205–210.
[27] Q. Niyaz, W. Sun, and A. Y. Javaid, ‘‘A deep learning based
DDoS detection system in software-defined networking (SDN),’’ 2016,
arXiv:1611.07400.
[28] S. M. Mousavi and M. St-Hilaire, ‘‘Early detection of DDoS attacks against
software defined network controllers,’’ J. Netw. Syst. Manage., vol. 26,
no. 3, pp. 573–591, Jul. 2018.
[29] A. Le, P. Dinh, H. Le, and N. C. Tran, ‘‘Flexible network-based intrusion
detection and prevention system on software-defined networks,’’ in Proc.
Int. Conf. Adv. Comput. Appl. (ACOMP), Nov. 2015, pp. 106–111.
[30] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, ‘‘Predicting
network attack patterns in SDN using machine learning approach,’’ in Proc.
IEEE Conf. Netw. Function Virtualization Softw. Defined Netw., Nov. 2016,
pp. 167–172.
[31] H. Li, F. Wei, and H. Hu, ‘‘Enabling dynamic network access con-
trol with anomaly-based IDS and SDN,’’ in Proc. ACM Int. Workshop
Secur. Softw. Defined Netw. Netw. Function Virtualization, Mar. 2019,
pp. 13–16.
[32] P. Manso, J. Moura, and C. Serrão, ‘‘SDN-based intrusion detection system
for early detection and mitigation of DDoS attacks,’’ Information, vol. 10,
no. 3, p. 106, Mar. 2019.
VOLUME 11, 2023
R. Ben Said et al.: CNN-BiLSTM: A Hybrid Deep Learning Approach
[33] M. A. Albahar, ‘‘Recurrent neural network model based on a new regular-
ization technique for real-time intrusion detection in SDN environments,’’
Secur. Commun. Netw., vol. 2019, pp. 1–9, Nov. 2019.
[34] M. Ring, S. Wunderlich, D. Scheuring, D. Landes, and A. Hotho, ‘‘A survey
of network-based intrusion detection data sets,’’ Comput. Secur., vol. 86,
pp. 147–167, Sep. 2019.
[35] N. Moustafa and J. Slay, ‘‘UNSW-NB15: A comprehensive data set
for network intrusion detection systems (UNSW-NB15 network data
set),’’ in Proc. Mil. Commun. Inf. Syst. Conf. (MilCIS), Nov. 2015,
pp. 1–6.
[36] E. Bisong, Building Machine Learning and Deep Learning Models on
Google Cloud Platform. Cham, Switzerland: Springer, 2019.
[37] E. Jackson and R. Agrawal, Performance Evaluation of Different Feature
Encoding Schemes on Cybersecurity Logs. Piscataway, NJ, USA: IEEE,
2019.
[38] J. Li, K. Cheng, S. Wang, F. Morstatter, R. P. Trevino, J. Tang, and H. Liu,
‘‘Feature selection: A data perspective,’’ ACM Comput. Surv., vol. 50, no. 6,
pp. 1–45, Jan. 2018.
[39] J. Ling and C. Wu, ‘‘Feature selection and deep learning based approach
for network intrusion detection,’’ in Proc. 3rd Int. Conf. Mechatronics Eng.
Inf. Technol., 2019, pp. 764–770, doi: 10.2991/icmeit-19.2019.122.
[40] L. Breiman, ‘‘Random forests,’’ Mach. Learn., vol. 45, no. 1, pp. 5–32,
2001.
[41] S. Hochreiter and J. Schmidhuber, ‘‘Long short-term memory,’’
Neural Comput., vol. 9, no. 8, pp. 1735–1780, Nov. 1997, doi:
10.1162/neco.1997.9.8.1735.
[42] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho,
‘‘Deep recurrent neural network for intrusion detection in SDN-based
networks,’’ in Proc. 4th IEEE Conf. Netw. Softwarization Workshops (Net-
Soft), Jun. 2018, pp. 202–206.
[43] P. Choobdar, M. Naderan, and M. Naderan, ‘‘Detection and multi-class
classification of intrusion in software defined networks using stacked auto-
encoders and CICIDS2017 dataset,’’ Wireless Pers. Commun., vol. 123,
no. 1, pp. 437–471, Mar. 2022.
VOLUME 11, 2023
RACHID BEN SAID received the M.S. degree
in computer engineering from the National High
School for Electricity and Mechanics, Hassan II
University of Casablanca, Casablanca, Morocco,
in 2014. He is currently pursuing the Ph.D. degree
in computer engineering with Ankara University,
Ankara, Turkey. His research interests include the
application of deep learning, and machine learning
in the fields of software-defined networking, net-
working security, and NLP.
ZAKARIA SABIR received the Ph.D. degree in
computer engineering and the master’s degree in
information systems security from the National
School of Applied Sciences (ENSA), Ibn Tofail
University, Kenitra, Morocco. His research inter-
ests include connected vehicles, named data
networking, security, blockchain, and intelligent
transportation systems.
IMAN ASKERZADE received the B.S. and
M.S. degrees from the Department of Physics,
Moscow State University, Russia, and the Ph.D.
degree from the Azerbaijan Academy of Sciences,
Moscow State University, Azerbaijan, in 1995.
Since 2012, he has been a Professor with the Com-
puter Engineering Department, Ankara University,
Ankara, Turkey. His research interests include
fuzzy logic, quantum computing, modeling, and
simulation.
138747