Shebl et al.

EURASIP Journal on
EURASIP Journal on Information Security (2024) 2024:36
https://doi.org/10.1186/s13635-024-00184-1 Information Security

RESEARCH Open Access

DCNN: a novel binary and multi‑class

network intrusion detection model via deep
convolutional neural network
Ahmed Shebl1*, E. I. Elsedimy2, A. Ismail1, A. A. Salama1 and Mostafa Herajy1

Abstract
Network security become imperative in the context of our interconnected networks and everyday communications.
Recently, many deep learning models have been proposed to tackle the problem of predicting intrusions and mali-
cious activities in interconnected systems. However, they solely focus on binary classification and lack reporting
on individual class performance in case of multi-class classification. Moreover, many of them are trained and tested
using outdated datasets which eventually impact the overall performance. Therefore, there is a need for an effi-
cient and accurate network intrusion detection system. In this paper, we propose a novel intelligent detection
system based on convolutional neural network, namely DCNN. The proposed model can be utilized to efficiently
analyze and detect attacks and intrusions in intelligent network systems (e.g., suspicious network traffic activities
and policy violations). The DCNN model is applied against three benchmark datasets and compared with state-of-
the-art models. Experimental results show that the proposed model improved resilience to intrusions and malicious
activities for binary as well as multi-class classification, expanding its applicability across different intrusion detec-
tion scenarios. Furthermore, our DCNN model outperforms similar intrusion detection systems in terms of positive
predicted value, true positive rate, F1 measure, and accuracy. The scores obtained for binary and multi-class classifica-
tions on the CICIoT2023 dataset are 99.50% and 99.25%, respectively. Additionally, for the CICIDS-2017 dataset, DCNN
attains a score of 99.96% for both binary and multi-class classifications, while the CICIoMT2024 dataset attains a score
of 99.98% and 99.86% for binary and multi-class classifications, respectively.
Keywords Convolutional neural network, Cybersecurity, Deep learning, Deep neural network, Network intrusion
detection

1 Introduction services and technologies in their daily activities [1].

The tremendous expansion in networks as well as the
exponential development of technologies and services
related to the Internet of Things (IoTs), cloud computing
and big data has led to users’ excessive reliance on these
*Correspondence:
Ahmed Shebl
As a result, the confidentiality and integrity of sensitive
data has become vulnerable to serious forms of intru-
sions, leaks and potential threat of unauthorized access
by malicious individuals [2]. Moreover, the advance-
ment in today’s technologies and the hackers’ determi-
nation to continuously enhance these penetrations and
cyber-attacks have given rise to novel and unexpected

[email protected] intrusions which are increasingly sophisticated [3, 4].
1
Mathematics and Computer Science Department, Faculty of Science, Therefore, enhancing network security and defending
Port Said University, Port Fouad City, Egypt
2
Department of System and Information Technology, Faculty it from such complex intrusions and hacking attempts
of Management Technology and Information System, Port Said University, has been a growing trend among network researchers
Port Fouad City, Egypt in recent years [5–7]. This makes intrusion detection an

© The Author(s) 2024. Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which
permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the
original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or
other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line
to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory
regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this
licence, visit http://creativecommons.org/licenses/by/4.0/.
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36
important research field that requires in-depth investi-
gation and has led to the conception of network intru-
sion detection systems (NIDSs) [8]. Through their ability
to detect and predict intrusions, NIDS technology has
proven its outstanding reliability in blocking hacking
attempts by unauthorized users and sustaining network
security [9, 10].
Correspondingly, artificial intelligence (AI) [11] that
simply refers to machines imitating the intelligent human
behavior [12], is increasingly becoming a key feature
in the field of network security and intrusion detec-
tion [13–16]. Machine learning (ML) and deep learning
(DL) algorithms being utilized for learning and develop-
ment, enabling the examination of massive datasets and
the detection of subtle insights and patterns that sur-
pass human ability, thereby enhancing NIDSs [17, 18].
DL models are types of ML that takes inspiration from
human’s brain with its ability to filter information by uti-
lizing stacked mathematical functions arranged in lay-
ers to mimic neurons’ functions of the biological neural
networks achieving depth and hence deep learning [19].
These models have the ability to efficiently learn the con-
cealed network behavior and features, extract patterns
and non-redundant information from data. Thus, this
approach enables efficient detection of potential attacks
in large datasets, unlike ML, which works better with
smaller datasets [20, 21].
Nevertheless, despite the noticeable advancements in
attack detection techniques for IoT environments, there
are still many limitations in current proposed models. On
the one hand, some existing research primarily empha-
sizes binary classification (e.g., see [7, 22, 23]). However,
this approach is limited, as different attack types require
individual analysis and investigation. On the other hand,
other researchers may direct their attention towards
multi-class classification (e.g., see [5, 24–31]), disre-
garding the notion of binary classification. Furthermore,
monitoring the performance of each class is impera-
tive in order to guarantee that the model is functioning
effectively across all class. However, many models lack
reporting on the performance of individual classes in
multi-class classification (e.g., see [6, 26, 27, 29, 32–37]).
Hence, resulting in an incomplete comprehension of the
model’s performance. Moreover, another issue of the cur-
rently proposed NIDS models is the utilization of out-
dated datasets during model training and testing which
do not accurately reflect modern IoT network traffic (e.g.,
see [6, 22, 28, 29]). Thus, leading to poor model generali-
zation and inaccurate model performance metrics when
deployed in real-world scenarios. Besides, the improper
selection and adjustment of techniques and key param-
eters related to reducing dimensionality and sampling
leads to defects in the entire process, such as potential
Page 2 of 23
bias, overfitting and the exclusion of important informa-
tion. As a result, classification algorithms suffer degraded
performance, particularly for minority samples.
In this paper, convolutional neural network (CNN) and
deep neural network (DNN) models are utilized to pro-
pose an NIDS based on deep learning. This method com-
bines the strengths of both deep learning architectures:
CNNs excel at identifying important patterns by treating
rows or columns as spatial features, while DNNs capture
complex relationships between features, especially in
high-dimensional data or when feature interactions are
key. This results in a more accurate model with improved
performance in both multi-class and binary classification
tasks.
Furthermore, as our proposed model targets the
detection of ongoing malicious intrusions, it is best
trained using three distinct yet closely related data-
sets: CICIoT2023 [33], CICIoMT2024 [34], and CIC-
IDS-2017 [38]. These datasets are chosen due to the
imbalance in class distribution, popularity, and the inclu-
sion of a variety of network traffic examples, includ-
ing both normal and malicious actions. In addition, the
performance of our model is compared to that of the
DNN as well as related state-of-art models. Experimental
findings demonstrate that the proposed model exhibits
increased F-score, accuracy and detection rate, indicating
its robustness performance against cyber attacks.
The rest of this paper is organized as follow: We start
with summarizing related work outlining recent DL
models used for NIDS. Afterwards, the proposed model
is presented thoroughly in Sect. 3. The experimental
environment configuration and result assessment as well
as the analysis of our experimental findings are presented
in Sect. 4. Section 5 discusses the implications and the
limitation of presented model. Finally, the paper is closed
with conclusions and an outline for the future work.
2 Related work
Motivated by the need of detecting intrusions and
defending networks against attacks, researchers have
put a lot of efforts into developing a variety of network
intrusion detection systems (NIDS) [5, 6, 24–29, 32, 35,
36]. Table 1 provides a summary of the limitations and
strengths of recently published models. In the following,
we further elaborate on the strengths and limitations of
these models.
Various NIDS approaches offer promising results, but
they are only tested and validated via multi-class classi-
fication. For instance, recently, authors in [5] proposed
a hybrid IDS based on DL by merging CNN and LSTM
(long short-term memory network) while optimizing
category weights to reduce data imbalance. Similarly,
in [24], an IDS based on CNN is proposed to attain the
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36
Table 1 Summary of the limitations and strengths (in table footnotes) of existing IDS models
# Limitations
1 Limited to binary classification
2 Limited to multi-class classification
3 Lack detailed reporting on the performance of individual classes in multi-class classification
4 Possible risk of overfitting and time consumption due to the replication of minority class
events
5 Important information may be excluded during features’ reduction
6 Trained and tested using outdated datasets
a
Offer a comparative analysis
b
Provide novel feature selection
c
Utilize novel datasets and benchmarks
d
Offer real-time detection
e
Exhibit explainability and transparency of the model outcomes
f
Make use of hybrid models
security of network against intrusions, while in [25],
an IDS based on Robust Transformer named RTIDS,
is introduced. In addition, a two-stage hybrid model
based on DL named LSTM-AE is proposed in [26], while
in [30], an innovative approach was introduced. That
approach focus on enhancing attack detection through
leverageing a blending model, offering high accuracy and
a deeper understanding of attack classifications. In addi-
tion, authors in [27] proposed a one-dimensional Pyra-
mid Depth-wise Separable CNN IDS (PyDSC-IDS) based
on OneHot Encoding and VGM, while another intrusion
detection method is introduced in [29]. In a similar man-
ner, authors in [31] introduced IoT-PRIDS, novel packet
representation-based approach for intrusion detection.
This approach is a lightweight non-ML model that can
operate in near real-time scenarios, as it only requires
parsing packets.
Furthermore, many of the presented models do not
provide in-depth information regarding the perfor-
mance of individual classes in the context of multi-
class classification. Examples of models that belong to
this category include those introduced in [26, 27, 29].
Likewise, authors in [6] proposed a hierarchical CNN-
Attention network named CANET with Equalization
Loss v2 in order to balance learning attention of minor-
ity classes by increasing their weights. This proposal
was found to enhance the rate of detecting minority
classes. In addition, a hybrid IDS combining the feature
extraction ability of the LSTM and the spatial feature
extraction ability of the CNN is proposed in [32], while
in [35], a bi-phase NIDS that utilizes a combination of
PSO and GA for feature selection is outlined. However,
Page 3 of 23
Model
[7]a,b, [22]a,b and [23]f
[5]f, [24]a,d,f, [25]a,d,f, [26]a,f,
[27]a,b,f, [28]a,f, [29]a,f, [30]a,e,f,
and [31]a,d
[6]a,b, [26]a,f, [27]a,b,f,
[29]a,f,[32]a,f, [33]a,c,[34]a,c,
[35]a,d, [36]a,f, and [37]a,d,f
[6]a,b, [7]a,b, [25]a,d,f, and [29]a,f
[22]a,f and [35]a,f
[6]a,b, [22]a,f, [28]a,f, and [29]a,f
there is a possibility to exclude important information
when reducing features. Another novel technique for
intrusion detection in IoT named DIS-IoT is proposed
in [36]. The proposed model utilizes a stacking ensem-
ble of four DL models integrated into a deep fully con-
nected layer. In the same way, in [37] an innovative
model, namely, CKAN (Convolutional Kolmogorov-
Arnold Network) is proposed. The CKAN model is
developed through replacing the MLPs (Multi-Layer
Perceptrons) layers with KANs layers inside the CNN
architecture.
Moreover, some approaches are limited to binary
classification. For example, in [22], an approach to
select optimal features is proposed by combining sta-
tistical importance through the difference in stand-
ard deviation of median and mean. Moreover, in [23],
a two-phase IDS is introduced to classify multi-class
data using Naive Bayes classifier, followed by major-
ity voting. In the second phase, binary data are passed
through an unsupervised elliptic envelope for classifi-
cation. Another approach to intrusion detection based
on AutoML and a soft voting is proposed in [7]. This
approach utilizes an AutoML framework to select
supervised classifiers and sampling methods to address
data imbalance and minority classes.
Additionally, some developed models adopts sam-
pling techniques to solve the problem of data imbal-
ance, However, although sampling techniques serves as
a solution to the problem of data imbalance, the rep-
lication of minority class events may increase the risk
of overfitting and time consumption. As examples of
models that fit into this category are those proposed in
Shebl et al. EURASIP Journal on Information Security
[6, 7, 25, 29]. Notably, important information may be
excluded during features’ reduction as in [22, 35].
Furthermore, the majority of recent research mod-
els in the domain of NIDS including [6, 22, 28, 29] have
employed outdated testing datasets, which may not accu-
rately reflect the real-world data. Therefore these models
may not be trained or tested on the most relevant and up-
to-date data. This could affect the model’s ability to learn
new patterns or features, potentially impacting its accu-
racy and reliability when deployed. Therefore, in order
to support the development of security analytical appli-
cations in actual IoT operations, a new and broad IoT
attack dataset that comprises several attacks which are
not present in existing IoT datasets is provided in [33].
Similarly, a novel and realistic dataset comprising wide
range of attacks for Internet of Medical Things (IoMT)
security is introduced in [34]. Several ML and DL models
were used to examine and test the datasets in both stud-
ies. However, no information is provided regarding the
performance of individual classes in the context of multi-
class classification.
Nevertheless, despite advancements in attack detec-
tion techniques for IoT environments, Table 1 highlights
that there are still exist persistent limitations in current
network intrusions detection models. To address these
issues, we propose in this paper a hybrid deep convo-
lutional neural network (DCNN) model for classifying
network attacks, which is thoroughly analyzed and evalu-
ated for both binary-class and multi-class classification,
with detailed reporting and analysis of individual class
performance.
3 Methodology
This section outlines the fundamental design principles
that form the basis of the proposed model. For the pur-
pose of training our model, the CICIoMT2024, CIC-
IDS-2017, and CICIoT2023 benchmark datasets are
presented and analyzed. Afterwards, the structure of the
datasets is provided, along with the preprocessing tech-
niques employed. Finally, the details of the proposed
deep neural network model is given.
3.1 Datasets
For the purpose of evaluating the performance of our
model, three benchmark datasets were employed: CICI-
oMT20241 [34], CICIoT20232 [33], and CICIDS-20173 [38]
1
https://​www.​unb.​ca/​cic/​datas​ets/​iomt-​datas​et-​2024.​html
2
https://​www.​unb.​ca/​cic/​datas​ets/​iotda​taset-​2023.​html
3
https://​www.​unb.​ca/​cic/​datas​ets/​ids-​2017.​html
(2024) 2024:36 Page 4 of 23
3.1.1 CICIoT2023
The CICIoT2023 dataset represents a novel and extensive
IoT attacks dataset which is publicly available. It consists
of 33 attacks in total executed in an IoT topology com-
posed of 105 devices. These attacks are classified into
seven categories and contains about 47 features as out-
lined in Table 2.
3.1.2 CICIDS‑2017
The CICIDS-2017 dataset composed of benign as well
as a range of common intrusions, featuring at total of 14
class of attacks as outlined in Table 2. This representation
of real-world scenarios is based on five days of Canadian
Cybersecurity Institute (CIC) traffic data captured in
eight files. The labeled network traffic, which is publicly
available, contains over 80 features.
3.1.3 CICIoMT2024
The CICIoMT2024 dataset serves as a realistic bench-
mark for evaluating the security within the healthcare
sector. This dataset is publicly available, containing about
46 features, while encompassing a diverse set of 18 dis-
tinct cyberattacks as illustrated in Table 2.
3.2 Data preprocessing
Figure 1 depicts the steps we employed in our data pre-
processing phase. As the CSV files of the two datasets are
publicly accessible, we can load and merge all files into
a single data frame, facilitating efficient analysis and pre-
processing in preparation for training.
To enhance the dependability and accuracy of the
dataset, it is imperative to include a data cleaning phase
within the data preprocessing pipeline, wherein errors,
inconsistencies, and inaccuracies are identified and
removed. Handling irrelevant, inconsistent and redun-
dant data, dropping null and infinite values, locating and
eliminating duplicates and checking for data integrity
problems are all included in this stage. Additionally, the
One-Hot Encoder was employed to convert non-numer-
ical label values into numerical values for compatibility
with deep neural networks, while unnecessary features
like timestamp, flow id, destination ip, and source ip were
excluded.
Features that substantially vary in scale do not have
equal impact on analysis, potentially causing bias. Given
that the features within the input dataset exhibit wide
variations within their ranges, and due to the fact that
the dataset is characterized by a high level of imbalance,
the data standardization approach is adopted to normal-
ize the input dataset by centering values around the mean
(µ) with a unit standard deviation (σ ) using (1).
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36 Page 5 of 23

Table 2 Summary of the CICIoT2023, CICIDS-2017 and CICIoMT2024 datasets [33, 34, 38]
Class CICIoT2023 Class CICIDS-2017 Class CICIoMT2024
Samples % Samples % Samples %

DDoS 8,587,268 72.79 BENIGN 2,273,097 80.3004 TCP_IP-DDoS-UDP 1,635,956 22.85

DoS 2,043,697 17.32 DoS Hulk 231,073 8.1630 TCP_IP-DDoS-ICMP 1,537,476 21.47
Mirai 666,553 5.65 PortScan 158,930 5.6144 TCP_IP-DDoS-TCP 804,465 11.23
BenignTraffic 277,682 2.35 DDoS 128,027 4.5227 TCP_IP-DDoS-SYN 801,962 11.20
Spoofing 122,866 1.04 DoS GoldenEye 10,293 0.3636 TCP_IP-DoS-UDP 566,950 7.92
Recon 89,344 0.76 FTP-Patator 7938 0.2804 TCP_IP-DoS-SYN 441,903 6.17
Web - based 6278 0.05 SSH-Patator 5897 0.2083 TCP_IP-DoS-ICMP 416,292 5.81
Brute - Force 3318 0.03 DoS slowloris 5796 0.2048 TCP_IP-DoS-TCP 380,384 5.31
DoS Slowhttptest 5499 0.1943 Benign 192,732 2.69
Bot 1966 0.0695 MQTT-DDoS-Connect_Flood 173,036 2.42
Web Attack - Brute Force 1507 0.0532 Recon-Port_Scan 83,981 1.17
Web Attack - XSS 652 0.0230 MQTT-DoS-Publish_Flood 44,376 0.62
Infiltration 36 0.0013 MQTT-DDoS-Publish_Flood 27,623 0.39
Web Attack - Sql Injection 21 0.0007 Recon-OS_Scan 16,832 0.24
Heartbleed 11 0.0004 ARP_Spoofing 16,047 0.22
MQTT-DoS-Connect_Flood 12,773 0.18
MQTT-Malformed_Data 5130 0.07
Recon-VulScan 2173 0.03
Recon-Ping_Sweep 740 0.01
Attacks 11,519,324 97.65 Attacks 557,646 19.6996 Attacks 6,968,099 97.31
Total 11,797,006 100 Total 2,830,743 100 Total 7,160,831 100

Fig. 1 A schematic diagram depicting the process of data preprocessing. First, we load and merge raw data. Then, errors, inconsistencies
and duplicates are eliminated from the data in the cleaning phase. Unnecessary features are excluded during the feature selection phase. After that,
non-numerical values are transformed into numerical values with the use of one-hot-encoder during the data encoding phase. Moreover, data
is normalized in the feature scaling stage using standardization scaling technique. Finally, data was split into training 75% and testing 25%
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36
X −µ
X′ = (1)
σ
3.3 Proposed model
The proposed hybrid model integrates the advan-
tages inherent in CNNs and DNNs to enhance the per-
formance of our network intrusion detection system
(NIDS). The structure of this hybrid model is provided
in Fig. 2, which encompasses 11 layers: an input layer,
convolutional layers, activation layers, pooling layers, up-
sampling layers, followed by fully connected deep layers
and an output layer.
The first convolutional layer extracts features from
the input data. First, the input sequence data undergoes
convolutional layer processing, which serves as the fun-
damental element of the CNN. During the forward pass,
the convolutional layer applies filters, known as kernels,
in a sliding manner along the sequence. Meaning each of
the N kernels will slide across the input sequence with
a stride of S calculating the dot product between the
sequence and the set of learnable parameters, or kernels
at each position, resulting in the generation of a feature
Fig. 2 The architecture of DCNN model merges the strengths of CNN and DNN models. CNN is exceptional in spatial and sequential feature
extraction. The fully connected DNN layer acts as a powerful classifier. This integration enables a smooth and efficient workflow by using spatial
features for precise categorization and labeling of input data
Page 6 of 23
map sequence representing the extracted features from
the input sequence data.
This architectural design of CNNs [39] renders it pos-
sible to effectively handle and analyze data that exhibits
a spatial or grid-like structure, such as image processing,
natural language processing and even models involving
sequential inputs. The CNN within the hybrid model
focuses on extracting both sequential patterns and tem-
poral features from the input traffic data. The architec-
ture of the CNN component is composed of three 1D
convolutional layers interspersed with max pooling and
up-sampling layers. The convolutional layers employ a
kernel size of three with a default stride of one, utiliz-
ing 256, 128, and 256 filters in each respective layer. The
max-pooling layer operates with a pool size of three and
a default stride of one, whereas the up-sampling layer uti-
lizes an up-sampling factor of three.
Afterwards, an activation function is employed to pro-
cess the feature map sequence by utilizing a non-linear
activation function: the rectified linear unit (ReLU) [40],
as given by (2).
Relu(x) = max(0, x) (2)
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36
Pooling layers are utilized to compress the size of the
generated map, thereby reducing parameters and com-
putations while preserving significant features. Thus,
exerting regulation over the challenge of overfitting. The
max pooling process is applied to each window of size
three along the sequence returning the maximum value.
Conversely, up-sampling layers, which are essentially the
antithesis of pooling layers, augment the dimensions of
the map in preparation for the subsequent convolutional
layer. The second and third convolutional layers extract
higher-level features from the input sequence data,
encompassing patterns and textures.
The DNN of the hybrid model is designed to classify
the output of the CNN component into different classes
of network traffic. The structural design of the DNN com-
prises of three fully connected layers (FCLs) each with
256, 128, and 128 neurons, respectively. Upon the com-
pletion of feature extraction for the training samples, the
data undergoes flattening process and is subsequently
fed into a sequence of deep FCLs. Each FCL employs the
ReLU activation function, which is followed by a dropout
layer that removes certain nodes from the network during
training, thus eliminating their influence on prediction
and back-propagation to mitigate the impact of overfit-
ting, ultimately facilitating the classification process.
Subsequently, the output layer estimates the prob-
abilities associated with each possible class as the final
output. The output layer is equipped with the softmax
function [12] defined by (3) in the context of multi-class
classification, whereas in the scenario of binary-class
classification, the sigmoid function [41] given by (4) is
employed.
e xi
Softmax(xi ) = K xj
for i = 1, 2, . . . , K
j=1 e
1 instances. Moreover, Eq. (8) shows F1-score that is the
Sigmoid(x) =
1 + e−x
The CNN and DNN are integrated to create our hybrid
model by flattening the output of the CNN part, then
feeding it into the DNN part, which generates the final
output of the model as shown in Fig. 2.
The model undergoes training through the Adam opti-
mization algorithm with a learning rate set to 0.0001 (see
Sect. 5 for more details). The binary crossentropy loss
function is employed for binary-class classification tasks,
whereas the categorical crossentropy loss function is uti-
lized in the context of multi-class classification scenarios.
Loss functions assess the extent to which the model’s
predictions diverge from the actual outcomes. A closer
alignment of the model’s predictions to the true values
results in a minimal loss, while a significant deviation
Page 7 of 23
from the original values yields a maximal loss. The train-
ing process comprises batch size of 128, with a total of 30
epochs being executed.
3.4 Evaluation metric
The performance assessment of the suggested NIDS
model is accomplished by utilizing confusion matrix indi-
cators. The following metrics are calculated as follows:
TP
DR = TPR = Sensitivity = Recall = (5)
TP + FN
TP
PPV = Precision = (6)
TP + FP
TN
TNR = Specificity = (7)
TN + FP
Precision × Recall
F 1 − score = 2 × (8)
Precision + Recall
TP + TN
Accuracy = (9)
TP + FP + FN + TN
The acronyms TP, FP, FN, and TN represent true posi-
tive, false positive, false negative, and true negative.
Moreover, DR and TPR in Eq. (5) represent detection
rate and true positive rate, respectively, are metrics used
to assess the performance of a classification model in the
positive class. They quantify how well the model identi-
fies positive instances correctly. PPV in Eq. (6) represents
positive predictive value; it is a metric that focuses on the
positive class and quantifies the number of actual posi-
(3) tive samples out of all the samples predicted as positive.
TNR in Eq. (7) is an abbreviation for true negative rate, it
measures the model’s ability to correctly identify negative
(4)
harmonic mean of the PPV and TPR. Accuracy metric in
Eq. (9), represents the total of correctly identified samples
in our test data. In summary, these acronyms and metrics
are crucial in evaluating the effectiveness and reliability
of classification models and frequently employed when
evaluating machine learning models.
4 Results
This section presents an assessment of the proposed
model, encompassing a range of performance metrics
such as accuracy, precision, recall, and F1-score (see
Sect. 3.4). Furthermore, it showcases the visualization of
the model’s accuracy, model’s loss, and confusion matrix,
effectively illustrating its performance. In addition to
this, it furnishes the outcomes of our testing, providing
valuable insights into the identification and explication
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36 Page 8 of 23

of diverse attack types and normal behavior in two dis- becomes apparent that certain classes within the dataset
tinct scenarios: multi-class classification and binary-class are exceptionally well-classified, particularly for those
classification. The primary objective is to comprehen- that possess a substantial number of instances within
sively investigate the implications and outcomes associ- the dataset. The benign class demonstrates particularly
ated with each approach and their overall impact on the impressive metrics, including a TPR of 95.02% and a
analysis. TNR of 99.58%, indicating robust capabilities in identify-
ing benign instances.
4.1 Experiment configuration Furthermore, the model excels in detecting certain
Table 3 outlines the details of the experimental design attacks with minuscule misclassification rate, notably
and setup that were employed in order to evaluate the DDoS, DoS, and Mirai, which achieves a remarkable
various parameters of the model with utmost accuracy overall metrics of over 99%, alongside a low FPR and
and F-score, facilitating the attainment of reliable and FNR. Therefore, the proposed model exhibits the high-
dependable results that can be used for further analysis est values in terms of DR and F-score for these classes.
and interpretation. This highlights the effectiveness of the proposed model in
accurately detecting and classifying instances pertaining
4.2 Experimental analysis to these specific attack types.
Table 4 provides a comprehensive overview of the per- Furthermore, to gain further insights into the perfor-
formance exhibited by the proposed model using multi- mance of the proposed model, it is crucial to examine the
class classification based on the CICIoT2023 dataset. It results depicted in the confusion matrix, as illustrated in
is worth noting that the proposed model demonstrates Fig. 3c and d. The confusion matrix provides a visual rep-
a good overall performance, achieving high accuracy resentation of the performance of the model, showcas-
rates consistently across various categories, with accu- ing the classification results for each class. Analyzing the
racy ranging from 99.47 to 100%. Moreover, upon confusion matrix enables a more nuanced understanding
closer examination of the results presented in Table 4, it of the model’s performance and the specific areas where
improvements can be made. In order to provide a com-
prehensive overview of the findings, the performance
Table 3 Experiment configuration results have been visually depicted in Fig. 3a and b. This
visual representation serves as a succinct summary of the
OS Windows 11 Home
performance.
CPU Intel Core i7 12700H
14core cash 24MB In contrast, for the case of binary-class classification
GPU NVIDIA RTX 3060 (6GB) using the CICIoT2023 dataset, one can observe a dis-
RAM DDR5 16GB 4800 Mhz cernible improvement in the overall performance of the
Anaconda 23.7.4 proposed model with respect to overall evaluation met-
Python 3.8.20 rics, see Table 5. Both classes achieve good performance
Tensorflow 2.7 in terms of high TPR, accuracy, PPV, F-score, and TNR
Tensorflow-gpu 2.10 alongside a low FPR and FNR .The enhancements can
be witnessed in a steady manner. The comprehensive

Table 4 Multi-class classification performance analysis with CICIoT2023

Class Model TPR TNR FPR FNR PPV F1 measure Accuracy

BenignTraffic DNN DCNN 97.46% 95.02% 99.71% 99.58% 0.29% 0.42% 2.54% 4.98% 88.86% 84.37% 92.96% 89.38% 99.65% 99.47%
Brute - Force DNN DCNN 19.83% 24.94% 100.00% 0.00% 0.00% 80.17% 75.06% 96.36% 76.34% 32.89% 37.59% 99.98% 99.98%
100.00%
DDoS DNN DCNN 99.99% 99.98% 99.84% 99.86% 0.16% 0.14% 0.01% 0.02% 99.94% 99.95% 99.96% 99.97% 99.95% 99.95%
DoS DNN DCNN 99.78% 99.82% 99.99% 99.99% 0.01% 0.01% 0.22% 0.18% 99.97% 99.95% 99.88% 99.88% 99.96% 99.96%
Mirai DNN DCNN 99.98% 99.97% 100.00% 0.00% 0.00% 0.02% 0.03% 99.98% 99.97% 99.98% 99.97% 100.00% 100.00%
100.00%
Recon DNN DCNN 78.70% 65.34% 99.89% 99.90% 0.11% 0.10% 21.30% 34.66% 84.50% 83.38% 81.50% 73.26% 99.73% 99.64%
Spoofing DNN DCNN 78.70% 74.67% 99.90% 99.81% 0.10% 0.19% 21.30% 25.33% 89.08% 80.64% 83.57% 77.54% 99.68% 99.55%
Web - based DNN DCNN 33.75% 12.82% 100.00% 0.00% 0.00% 66.25% 87.18% 97.91% 65.77% 50.19% 21.46% 99.97% 99.95%
100.00%
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36 Page 9 of 23

Fig. 3 CICIoT2023 performance analysis in terms of multi-class classification (8 classes). The analysis includes visualizing accuracy and loss curves,
alongside the confusion matrix of the proposed model, to assess the model’s learning and improvement over time

Table 5 Binary-class classification performance analysis with CICIoT2023

Class Model TPR TNR FPR FNR PPV F1 measure Accuracy

BenignTraffic DNN DCNN 99.71% 99.68% 91.62% 92.16% 8.38% 7.84% 0.29% 0.32% 99.80% 99.81% 99.75% 99.75% 99.52% 99.50%
Attack DNN DCNN 91.62% 92.16% 99.71% 99.68% 0.29% 0.32% 8.38% 7.84% 88.42% 87.41% 89.99% 89.72% 99.52% 99.50%

outcomes of the proposed model are visually represented
in Fig. 4a depicting the model accuracy, and Fig. 4b
showcasing the model loss providing a graphical repre-
sentation of the model’s performance. Additionally, the
confusion matrix of the proposed model can be found in
Fig. 4c and d.
Furthermore the classification process applied to
the CICIDS-2017 dataset, which is detailed in Table 6,
yielded highly favorable outcomes across multiple
classes from the model proposed. The obtained results
demonstrate that the suggested methods exhibit good
performance in the scenario of multi-class classifica-
tion with TPR, TNR and accuracy consistently exceed-
ing threshold of 99% alongside very low FPR and FNR
for the majority of classes. Notably, Heartbleed and
Infiltration achieves the highest value of 100% in all
metrics alongside a FPR and FNR of 0%, reflecting
the model’s robustness in detecting these specific
minor classes. However, while these metrics showcase
the model’s strengths, a comprehensive examination
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36
Fig. 4 CICIoT2023 performance analysis in terms of binary-class classification (2 classes). The analysis includes visualizing accuracy and loss curves,
alongside the confusion matrix of the proposed model, to assess the model’s learning and improvement over time
reveals some notable limitations. For instance, the
model’s performance on Web Attack-Brute Force and
Web Attack-XSS, where the TPR drops to 97.58%
and 97.25%, respectively, in addition to PPV with
85.23% and 83.10%, and the FNR increases to 2.42%
and 2.75%, respectively. Moreover, Web Attack-Sql
Injection achieves a noticeable low TPR and F-score
of 42.86% and 50% alongside a high FNR of 57.14%.
This discrepancy can be attributed to the fact that the
testing data comprises a relatively small number of
instances pertaining to this specific attack type (also
see Sect. 5).
Nevertheless, it is important to highlight the robustness
of the overall performance of the model. In order to pro-
vide a more comprehensive understanding of the model’s
performance, the resulting confusion matrix is presented
in Fig. 5c and d. Additionally, Fig. 5a and b visually depict
the model’s performance in terms of both model accu-
racy and model loss. These visual representations serve to
Page 10 of 23
enhance the clarity and comprehensibility of the obtained
results, allowing for a more thorough evaluation of the
proposed model’s efficacy.
Furthermore, a similar trend emerges when binary-
class classification is applied to the CICIDS2017 data-
set, as showcased in Table 7. Once again, the proposed
model exhibits a high level of performance in this con-
text, further validating their effectiveness. The corre-
sponding confusion matrix can be found in Fig. 6c and
d, while Fig. 6a and b provide insights into the model’s
performance in terms of both model accuracy and
model loss.
Moreover, the classification methodology of our model
is also applied on the CICIoMT2024 dataset, as detailed
in Table 8, yielded exceptionally favorable results across
various categories derived from the proposed model. The
acquired findings indicate that the recommended method-
ologies demonstrate good performance within the context
of multi-class classification, with accuracy levels surpassing
Table 6 Multi-class classification performance analysis with CICIDS-2017
Class Model TPR TNR FPR FNR PPV F1 measure Accuracy

BENIGN DNN DCNN 99.95% 99.97% 99.93% 99.97% 0.07% 0.03% 0.05% 0.03% 99.98% 99.99% 99.96% 99.98% 99.94% 99.97%
Bot DNN DCNN 96.00% 99.11% 100.00% 100.00% 0.00% 0.00% 4.00% 0.89% 98.86% 94.69% 97.41% 96.85% 100.00%
100.00%
DDoS DNN DCNN 99.98% 99.99% 100.00% 100.00% 0.00% 0.00% 0.02% 0.01% 99.93% 99.99% 99.95% 99.99% 100.00%
Shebl et al. EURASIP Journal on Information Security

100.00%
DoS GoldenEye DNN DCNN 99.23% 99.45% 100.00% 100.00% 0.00% 0.00% 0.77% 0.55% 99.04% 99.82% 99.14% 99.63% 99.99% 100.00%
DoS Hulk DNN DCNN 99.99% 99.98% 99.98% 99.99% 0.02% 0.01% 0.01% 0.02% 99.74% 99.90% 99.87% 99.94% 99.98% 99.99%
DoS Slowhttptest DNN DCNN 99.00% 99.64% 100.00% 100.00% 0.00% 0.00% 1.00% 0.36% 98.72% 99.71% 98.86% 99.68% 100.00%
100.00%
DoS slowloris DNN DCNN 98.99% 99.59% 100.00% 100.00% 0.00% 0.00% 1.01% 0.41% 99.19% 99.73% 99.09% 99.66% 100.00%
(2024) 2024:36

100.00%
FTP-Patator DNN DCNN 99.65% 99.85% 100.00% 100.00% 0.00% 0.00% 0.35% 0.15% 99.75% 100.00% 99.70% 99.93% 100.00%
100.00%
Heartbleed DNN DCNN 100.00% 100.00% 100.00% 100.00% 0.00% 0.00% 0.00% 0.00% 100.00% 100.00% 100.00% 100.00% 100.00%
100.00%
Infiltration DNN DCNN 100.00% 100.00% 100.00% 100.00% 0.00% 0.00% 0.00% 0.00% 100.00% 100.00% 100.00% 100.00% 100.00%
100.00%
PortScan DNN DCNN 99.93% 99.98% 100.00% 100.00% 0.00% 0.00% 0.07% 0.02% 99.99% 99.98% 99.96% 99.98% 100.00%
100.00%
SSH-Patator DNN DCNN 98.87% 99.22% 100.00% 100.00% 0.00% 0.00% 1.13% 0.78% 99.22% 99.50% 99.04% 99.36% 100.00%
100.00%
Web Attack - Brute DNN DCNN 99.28% 97.58% 99.99% 99.99% 0.01% 0.01% 0.72% 2.42% 85.63% 85.23% 91.95% 90.99% 99.99% 99.99%
Force
Web Attack - Sql DNN DCNN 28.57% 42.86% 100.00% 100.00% 0.00% 0.00% 71.43% 57.14% 100.00% 60.00% 44.44% 50.00% 100.00%
Injection 100.00%
Web Attack - XSS DNN DCNN 95.05% 97.25% 100.00% 99.99% 0.00% 0.01% 4.95% 2.75% 85.64% 83.10% 90.10% 89.62% 99.99% 99.99%
Page 11 of 23
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36 Page 12 of 23

Fig. 5 CICIDS-2017 performance analysis in terms of multi-class classification (8 classes). The analysis includes visualizing accuracy and loss curves,
alongside the confusion matrix of the proposed model, to assess the model’s learning and improvement over time

Table 7 Binary-class classification performance analysis with CICIDS-2017

Class Model TPR TNR FPR FNR PPV F1 measure Accuracy

BENIGN DNN DCNN 99.93% 99.94% 99.95% 99.96% 0.05% 0.04% 0.07% 0.06% 99.79% 99.83% 99.86% 99.89% 99.95% 99.96%
Attack DNN DCNN 99.95% 99.96% 99.93% 99.94% 0.07% 0.06% 0.05% 0.04% 99.98% 99.99% 99.97% 99.97% 99.95% 99.96%

the threshold of 99.9%, and TPR and TNR predominantly
exceeding the threshold of 99%, alongside remarkably FPR
and FNR for the majority of classifications. This is particu-
larly evident in the classes MQTT-DDoS-Connect_Flood,
MQTT-DDoS-Publish_Flood, MQTT-DoS-Connect_Flood,
DoS-Publish_Flood, TCP_IP-DDoS-ICMP, TCP_IP-DDoS-
SYN, TCP_IP-DDoS-TCP, TCP_IP-DDoS-UDP, TCP_IP-
DoS-ICMP, TCP_IP-DoS-SYN, TCP_IP-DoS-TCP, and
TCP_IP-DoS-UDP.
Nevertheless, while these metrics showcase the mod-
el’s advantageous attributes, a thorough analysis unveils
several significant constraints. For instance, there exists
a slight diminishment in performance with the MQTT-
DDoS-Publish_Flood class, which attained a TPR of
99.76%, an FNR of 0.24%, and an F-score of 99.88%. Simi-
larly, the MQTT-DoS-Connect_Flood class achieved a
PPV of 99.70% and an F-score of 99.85%. Furthermore,
ARP_Spoofing attained a TPR of 97.60%, FNR of 2.40%,
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36
Fig. 6 CICIDS-2017 performance analysis in terms of binary-class classification (2 classes). The analysis includes visualizing accuracy and loss curves,
alongside the confusion matrix of the proposed model, to assess the model’s learning and improvement over time
PPV of 93.08%, and F-score of 95.25%, while the Benign
class recorded a TPR of 99.44%, FNR of 0.56%, PPV
of 99.81%, and an F-score of 99.63%. Additionally, the
MQTT-Malformed_Data class obtained a TPR of 91.34%,
FNR of 8.66%, PPV of 96.47%, and an F-score of 93.83%.
Conversely, one can discern a significant decline in per-
formance with the Recon-OS-Scan class achieving a PPV
of 74.08% and an F-score of 84.44%, while the Recon-
Ping_Sweep class recorded a TPR of 80.89%, an FNR of
19.11%, PPV of 88.35%, and an F-score of 84.45%. In a
similar vein, the Recon-Port_Scan class attained a TPR of
93.94%, an FNR of 6.06%, PPV of 97.81%, and an F-score
of 95.84%, whereas the Recon-VulScan class exhibited
the poorest performance with a TPR of 37.20%, an FNR
of 62.80%, and an F-score of 54.04%. This variation can
be attributed to the relatively limited number of instances
within the testing dataset that pertain to this specific
attack type.
Page 13 of 23
Nonetheless, it is essential to emphasize the resilience
of the model’s overall performance. To facilitate a more
exhaustive comprehension of the model’s efficacy, the cor-
responding confusion matrix is illustrated in Fig. 7c and
d. Furthermore, Fig. 7a and b represent the model’s per-
formance with respect to both accuracy and loss metrics.
However, in the context of binary-class classification,
one can observe a significant enhancement in the over-
all performance metrics associated with the model’s
predictive capabilities as outlined in Table 9. It is par-
ticularly noteworthy that both of the distinct classes
within the binary classification attained remarkably
high values for TPR, TNR, PPV, F-score, and accu-
racy, all exceeding the remarkable threshold of 99%,
while simultaneously maintaining very low rates for
both FPR and FNR. Also, when binary-class classi-
fication is applied to the CICIoMT2024 dataset, the
proposed model exhibits a high level of performance
Table 8 Multi-class classification performance analysis with CICIoMT2024
Class Model TPR TNR FPR FNR PPV F1 measure Accuracy

ARP_Spoofing DNN DCNN 86.59% 97.60% 99.98% 99.99% 0.02% 0.01% 13.41% 2.40% 90.68% 93.08% 88.59% 95.29% 99.95% 99.98%
Benign DNN DCNN 99.29% 99.44% 99.97% 99.99% 0.03% 0.01% 0.71% 0.56% 98.93% 99.81% 99.11% 99.63% 99.95% 99.98%
MQTT-DDoS-Con- DNN DCNN 99.97% 100.00% 100.00% 100.00% 0.00% 0.00% 0.03% 0.00% 99.82% 99.98% 99.89% 99.99% 99.99% 100.00%
nect_Flood
MQTT-DDoS-Publish_ DNN DCNN 98.95% 99.76% 100.00% 100.00% 0.00% 0.00% 1.05% 0.24% 99.79% 99.99% 99.36% 99.88% 99.99% 100.00%
Flood
MQTT-DoS-Connect_ DNN DCNN 97.64% 100.00% 100.00% 100.00% 0.00% 0.00% 2.36% 0.00% 99.49% 99.70% 98.56% 99.85% 99.99% 100.00%
Flood
Shebl et al. EURASIP Journal on Information Security

MQTT-DoS-Publish_ DNN DCNN 99.86% 99.97% 100.00% 100.00% 0.00% 0.00% 0.14% 0.03% 99.37% 99.99% 99.61% 99.98% 100.00%
Flood 100.00%
MQTT-Malformed_ DNN DCNN 96.24% 91.34% 99.99% 100.00% 0.01% 0.00% 3.76% 8.66% 87.84% 96.47% 91.85% 93.83% 99.99% 99.99%
Data
Recon-OS_Scan DNN DCNN 83.46% 98.16% 99.97% 99.92% 0.03% 0.08% 16.54% 1.84% 87.12% 74.08% 85.25% 84.44% 99.93% 99.91%
(2024) 2024:36

Recon-Ping_Sweep DNN DCNN 84.00% 80.89% 100.00% 100.00% 0.00% 0.00% 16.00% 19.11% 78.75% 88.35% 81.29% 84.45% 100.00%
100.00%
Recon-Port_Scan DNN DCNN 96.95% 93.94% 99.95% 99.97% 0.05% 0.03% 3.05% 6.06% 96.08% 97.81% 96.51% 95.84% 99.92% 99.90%
Recon-VulScan DNN DCNN 50.60% 37.20% 99.99% 100.00% 0.01% 0.00% 49.40% 62.80% 67.26% 98.72% 57.75% 54.04% 99.97% 99.98%
TCP_IP-DDoS-ICMP DNN DCNN 100.00% 99.98% 100.00% 100.00% 0.00% 0.00% 0.00% 0.02% 100.00% 100.00% 100.00% 99.99% 100.00%
100.00%
TCP_IP-DDoS-SYN DNN DCNN 99.99% 100.00% 100.00% 100.00% 0.00% 0.00% 0.01% 0.00% 100.00% 99.97% 99.99% 99.98% 100.00%
100.00%
TCP_IP-DDoS-TCP DNN DCNN 99.99% 100.00% 100.00% 100.00% 0.00% 0.00% 0.01% 0.00% 100.00% 99.99% 99.99% 100.00% 100.00%
100.00%
TCP_IP-DDoS-UDP DNN DCNN 100.00% 100.00% 100.00% 100.00% 0.00% 0.00% 0.00% 0.00% 99.99% 100.00% 100.00% 100.00% 100.00%
100.00%
TCP_IP-DoS-ICMP DNN DCNN 99.99% 99.98% 100.00% 100.00% 0.00% 0.00% 0.01% 0.02% 100.00% 99.99% 100.00% 99.98% 100.00%
100.00%
TCP_IP-DoS-SYN DNN DCNN 99.96% 99.98% 100.00% 100.00% 0.00% 0.00% 0.04% 0.02% 100.00% 99.99% 99.98% 99.98% 100.00%
100.00%
TCP_IP-DoS-TCP DNN DCNN 99.99% 99.98% 100.00% 100.00% 0.00% 0.00% 0.01% 0.02% 99.95% 99.97% 99.97% 99.98% 100.00%
100.00%
TCP_IP-DoS-UDP DNN DCNN 99.99% 99.99% 100.00% 100.00% 0.00% 0.00% 0.01% 0.01% 99.98% 99.99% 99.99% 99.99% 100.00%
100.00%
Page 14 of 23
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36 Page 15 of 23

Fig. 7 CICIoMT2024 performance analysis in terms of multi-class classification (19 classes). The analysis includes visualizing accuracy and loss
curves, alongside the confusion matrix of the proposed model, to assess the model’s learning and improvement over time

Table 9 Binary-class classification performance analysis with CICIoMT2024

Class Model TPR TNR FPR FNR PPV F1 measure Accuracy

Attack DNN DCNN 99.93% 100.00% 99.69% 99.32% 0.31% 0.68% 0.07% 0.00% 99.99% 99.98% 99.96% 99.99% 99.93% 99.98%
Benign DNN DCNN 99.69% 99.32% 99.93% 100.00% 0.07% 0.00% 0.31% 0.68% 97.60% 99.82% 98.63% 99.57% 99.93% 99.98%

in this context, further validating their effectiveness.
The corresponding confusion matrix can be found in
Fig. 8c and d, while Fig. 8a and b provide insights into
the model’s performance in terms of both model accu-
racy and model loss (Table 10).
As a final assessment of the outcomes derived from
the process of evaluation, Table 11 provides a compre-
hensive analysis of the overall performance of the model
proposed by our work as compared to the state-of-the-art
models on the CICIoT2023 dataset. Notwithstanding, the
obtained results indicate that our model, when compared
to the related-work on the CICIoT2023 dataset, achieves
a level of accuracy and F-score and PPV that surpasses
that of [33], although, it falls slightly short in terms of
accuracy and TPR. Also, it outperforms that of [31] in
terms of accuracy, PPV, and F-score, while it exhibits a
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36 Page 16 of 23

Fig. 8 CICIoMT2024 performance analysis in terms of binary-class classification (2 classes). The analysis includes visualizing accuracy and loss
curves, alongside the confusion matrix of the proposed model, to assess the model’s learning and improvement over time

Table 10 Performance benchmarking of the proposed model versus other related work with CICIoMT2024 dataset
Ref Model Dataset PPV TPR F1 measure Accuracy

[34] Logistic regression CICIoMT2024 B: 95.20% 95.90% B: 94.00% 96.10% B: 94.60% 95.90% B: 99.50% 99.60%
Adaboost DNN 95.60% 97.10% 94.80% 95.10% 95.20% 96.10% 99.60% 99.60%
Random Forest M: 54.70% 14.40% M: 47.10% 23.80% M: 43.20% 14.10% M: 72.70% 42.20%
64.90% 69.10% 55.30% 57.70% 52.20% 55.10% 72.90% 73.30%
Proposed DNN DCNN CICIoMT2024 B: 99.93% 99.98% B: 99.93% 99.98% B: 99.93% 99.98% B: 99.93% 99.98%
M: 99.84% 99.86% M: 99.84% 99.86% M: 99.84% 99.86% M: 99.84% 99.86%

minor deficiency with respect to TPR. However, it sur-
passes that of [37] in terms of all metrics. Nevertheless,
our model still exhibit exceptional performance, particu-
larly in terms of PPV and F-score metrics, surpassing
those of the State-of-the-Art.
Table 12 illustrates the comparison between our work
and the state-of-the-art models on the CICIDS-2017
dataset. It is important to note that our proposed model
surpasses the related work in all aspects, particularly
in terms of F-score in both binary and multi-class clas-
sification. While [26] manages to achieve a high level
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36 Page 17 of 23

Table 11 Performance benchmarking of the proposed model versus other related work with CICIoT2023 dataset
Ref Model Dataset PPV TPR F1 measure Accuracy

[30] Blending CICIoT2023 IoTID20 M: 98.51% 100.00% M: 99.63% 100.00% M: 99.07% 100.00% M: 99.51% 100.00%
[31] IoT-PRIDS CICIoT2023 M: 93.84% M: 99.71% M: 95.29% M: 98.74%
[33] Logistic regression CICIoT2023 B: 86.31% 82.54% B: 89.04% 79.70% B: 87.62% 81.05% B: 98.90% 98.17%
Perception Adaboost 96.56% 96.53% 94.73% 96.51% 95.62% 96.52% 99.58% 99.68%
Random Forest DNN 94.75% 93.32% 94.03% 99.44%
M: 51.24% 52.39% M: 69.60% 65.91% M: 53.94% 55.51% M: 83.16% 86.63%
46.49% 70.54% 48.77% 91.00% 36.86% 71.92% 35.13% 99.43%
67.94% 90.66% 69.72% 99.11%
[37] CKAN CICIoT2023 NSL_KDD B: 99.81% 98.36% B: 99.40% 98.90% B: 99.60% 98.63% B: 99.22% 98.71%
TONIoT 99.95% 99.91% 99.93% 99.93%
M: 98.84% 99.20% M: 98.84% 99.20% M: 98.84% 99.20% M: 98.84% 99.20%
93.30% 93.30% 93.30% 93.30%
Proposed DNN DCNN CICIoT2023 B: 99.52% 99.50% B: 99.52% 99.50% B: 99.52% 99.50% B: 99.52% 99.50%
M: 99.45% 99.25% M: 99.45% 99.25% M: 99.45% 99.25% M: 99.45% 99.25%

of performance in terms of accuracy, wherein we have
achieved scores above 99.94%.
A comparison between our work and the state-of-the-
art models on the CICIoMT2024 dataset is outlined in
Table 10. It is important to note that our proposed model
surpasses the related work in all aspects in both binary
and multi-class classification.
In summary, the analysis conducted on both the CIC-
IDS-2017 and CICIoT2023 datasets clearly demonstrates
the effectiveness of the proposed model in both multi-
class and binary-class classification approaches. The
obtained results, supported by the visual representations
and statistical evaluations, highlight the remarkable accu-
racy and robustness of the model. Thus signifying their
potential for real-world implementation and contribution
to enhanced detection and prevention of diverse attack
types in the cybersecurity field.
Table 13 presents time analysis of fitting and infer-
ence times for both binary and multi-class classi-
fication across the three datasets: CICIoMT2024,
CICIoT2023, and CICIDS-2017. The results indicate
that fitting times vary between multi-class and binary
classifications, with the CICIoMT2024 dataset show-
ing fitting times of 356 s for multi-class and 390 s for
binary-class. Significantly, the CICIDS-2017 dataset
displays the minimal fitting times, recorded at 147 s
for multi-class and 138 s for binary-class, whereas the
CICIoT2023 dataset shows the highest fitting times
of 562 s and 469 s, respectively. Regarding inference
times, the CICIoMT2024 dataset reflects a multi-
class inference time of 127.18 s compared to 119.75s
for binary-class. The CICIoT2023 dataset reports an
inference times of 238.67 s and 180.88 s, respectively.
Notably, the CICIDS-2017 dataset demonstrates the
lowest inference times of 44.60 s and 41.72 s for multi-
class and binary-class, respectively.
5 Discussion
Many different machine learning models have been pre-
viously developed to address the issue of network intru-
sion detection from different perspectives. In this paper,
our objective is to take advantage of the power of comb-
ing CNNs and DNNs in one model in order to improve
the overall NIDS system performance and accuracy.
When this new hybrid model is trained using three dif-
ferent datasets, it shows a better performance for both
binary and multi-class classification.
However, despite these strengths, some limitations
emerge, particularly in the detection of certain classes
such as Brute-Force and Web-based, that are frequently
misclassified as benign, recon, or spoofing, leads to a
minor degradation in performance for these classes. For
instance, Brute-Force presents a concerning TPR of only
24.94%, which indicates that the model struggles to iden-
tify this attack effectively, despite a high TNR of 100%.
Such misclassifications highlight potential issues in the
training data or suggesting that the model may not be
adequately capturing the unique characteristics of these
attacks, that may lead to underperformance in identify-
ing Brute-Force attacks. Further considering this aspect
in future model development by comparing the model
response across different datasets will indeed enhance its
accuracy.
Similarly, Web-based exhibits a low TPR of just
12.82% and a high FNR of 87.18%, indicating a gap in
the detection capabilities. Such misclassifications also
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36 Page 18 of 23

Table 12 Performance benchmarking of the proposed model versus other related work with CICIDS-2017 dataset
Ref Model Dataset PPV TPR F1 measure Accuracy

[5] CNN-LSTM CICIDS-2017 - M: 97.21% M: 93.32% M: 98.67%

[6] Canet NSL-KDD UNSW-NB15 B: 99.90%97.89% - B: 99.79% 97.71%
CICIDS-2017 CICDDoS-2019 99.37% 99.96% 99.67% 99.95%
M: 99.73% 98.93% M: 99.77% 89.39%
99.82% 99.97% 99.88% 99.58%
[7] OE-IDS UNSW-NB15 B: 98.00% 99.70% B: 97.10% 100.00% B: 70.50% 99.90% B: 98.60% 99.90%
OE-IDS+SMOTE CICIDS2017 97.30% 97.50% 96.00% 99.40% 96.70% 98.40% 98.00% 98.40%
[22] DNN NSL-KDD UNSW-NB15 B: 99.94% 95.00% B: 98.81% 98.95% B: 99.37% 96.93% B: 99.84% 89.03%
CICIDS 2017 99.85% 99.94% 99.89% 99.80%
[23] Two-phase IDS NSL-KDD UNSW-NB15 B: 96.00% 88.10% B: 99.10% 88.10% B: 97.50% 88.10% B: 97.10% 86.90%
CICIDS-2017 95.40% 97.51% 96.44% 98.59%
[24] CNN CICIDS-2017 - M: 99.29% - M: 99.64%
[25] RTIDS CICIDS-2017 CIC-DDoS2019 M: 98.98% 98.82% M: 98.83% 98.66% M: 99.17% 98.48% M: 99.35% 98.58%
[26] LSTM-AE CICIDS-2017 CICIDS-2018 M: 99.99% 99.07% M: 99.99% 99.10% M: 99.99% 99.02% M: 99.99% 99.10%
[27] PyDSC-IDS NSL-KDD CICIDS-2017 M: 83.55% 90.73% M: 81.63% 97.81% M: 80.63% 94.13% M: 81.63% 97.60%
[28] PDAE KDDCup99 CICIDS2017 - - - B: 99.93% 99.37%
UNSW-NB15 100.00%
M: 99.92% 99.43%
99.84%
[29] LightGBM + RNDAE NSL-KDD CICIDS-2017 - M: 95.90% 97.20% M: 95.10% 96.40% M: 96.50% 97.80%
CICIDS-2018 98.20% 97.40% 98.80%
[32] CNN-LSTM CICIDS 2017 UNSW-NB15 B: 99.56% 94.69% B: 99.70% 94.53% B: 99.60% 94.77% B: 99.64% 93.78%
WSN-DS 98.18% 98.14% 98.00% 99.67%
M: 99.84% 81.59% M: 99.95% 82.41% M: 99.98% 80.87% M: 99.60% 81.83%
98.72% 98.83% 98.44% 98.35%
[35] DT and CatBoost CICIDS-2017 B: 99.82% M: 99.36% B: 99.82% M: 99.42% B: 99.82% M: 99.32% B: 99.82% M: 99.42%
[36] DIS-IoT ToN-IoT CICIDS-2017 B: 99.40% 95.90% B: 99.40% 97.60% B: 99.40% 96.70% B: 99.60% 98.70%
SWaT 99.70% 99.90% 99.80% 99.60%
M: 99.70% 98.70% M: 99.70% 98.70% M: 99.70% 98.60% M: 99.70% 98.70%
Proposed DNN DCNN CICIDS-2017 B: 99.95% 99.96% B: 99.95% 99.96% B: 99.95% 99.96% B: 99.95% 99.96%
M: 99.94% 99.96% M: 99.94% 99.96% M: 99.94% 99.96% M: 99.94% 99.96%

Table 13 Runtime analysis of the proposed model for training as well as inference stages
Dataset Case study Fitting time (per epoch) Inference time (25%) Inference time (per record)

CICIoMT2024 Multi-class 356 s 127.18 s 0.071042024 ms

Binary-class 390 s 119.75 s 0.066891668 ms
CICIoT2023 Multi-class 562 s 238.67 s 0.080925604 ms
Binary-class 469 s 180.88 s 0.061330805 ms
CICIDS-2017 Multi-class 147 s 44.60 s 0.063086217 ms
Binary-class 138 s 41.72 s 0.059012489 ms
Experiments conducted using the configuration listed in Table 3

highlight potential issues in the training data or fea-
ture selection that may lead to inefficiency in identify-
ing these specific attacks. In addition, The results for
Recon and Spoofing attacks also reveal challenges, with
TPR of 65.34% and 74.67%, respectively, suggesting that
while the model performs well overall, certain attack
types are not being effectively recognized. Nonethe-
less, it is noteworthy that despite the model making
these errors due to the similarities in data patterns, the
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36
Fig. 9 Comparison of the model accuracy when two hyper-parameters are variated: (a) learning rate and (b) optimizers. The value of learning
rate of 0.0001 provides the best accuracy for both binary and multi-class classification, while Adam optimizer algorithm offers the best accuracy
compared to other considered algorithms
classification process is successful in the majority of
other cases.
Furthermore, when dealing with class imbalance,
there are many techniques that can be employed to
address the issue, including oversampling the minor-
ity class, under-sampling the majority class, and using
class weights. However, in this study, we deliberately
chose to focus on data standardization to reduce the
effect of class imbalance. By standardizing the data,
we ensured that all features have equal importance,
which helped to mitigate the impact of class imbalance.
Additionally, we employed alternative metrics, such as
F1-score, precision, and recall to evaluate the model’s
performance for each class. These metrics provide a
more comprehensive understanding of the model’s abil-
ity to detect minority class instances.
When training a neural network, key hyperparameters
play a crucial role in shaping how the network learns and
performs. In our model, we experimented with different
learning rates and optimizers to identify the optimal set-
tings that yield the best accuracy and parameter optimi-
zation. Figure 9 illustrates how model accuracy responds
to various learning rates and optimizer choices, while
Figs. 10 and 11 provide detailed views of these effects as
training progresses across epochs.
We experimented with three learning rates: 0.01,
0.001, and 0.0001. As shown in Fig. 9a, a learning rate
of 0.0001 achieved the highest accuracy among these
Page 19 of 23
values. Figure 10a through d further confirm that 0.0001
optimizes both accuracy and learning loss. This learn-
ing rate is also commonly used in similar models across
the literature. Lower values than 0.0001 were found to
negatively impact accuracy and loss. Thus, we selected
0.0001 as the optimal learning rate for training our
model in this study.
Similarly, various optimization algorithms are com-
monly used to train deep neural networks effectively.
In this study, we experimented with three optimizers-
Adam, SGD, and Adagrad-to identify the best fit for
our model. As shown in Fig. 9b, the Adam optimizer
achieved the highest accuracy among the options
tested. Figure 11a through d further confirm Adam’s
consistent performance improvement with each train-
ing epoch.
Finally, while we did not have the opportunity to test
the model in a real network environment (see Sect. 6),
the runtime measurements presented in Table 13 indi-
cate that the model could operate within a real network
without introducing significant latency. This potential
will be further validated in future studies.
6 Conclusion and future work
In this paper, we proposed an NIDS based on deep learn-
ing, utilizing a hybrid deep convolutional neural network
model. This model combines two deep learning para-
digms, namely convolutional neural network and deep
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36 Page 20 of 23

Fig. 10 Comparison of the model accuracy and loss (y-axis) with different learning rate values and different number of epochs (x-axis): (a)
epochs versus accuracy for multi-class classification, (b) epochs versus accuracy for binary-class classification, (c) epochs versus loss for multi-class
classification, and (d) epochs versus loss for binary-class classification

neural network. To evaluate the performance of the pro-
posed model, experiments were conducted using three
benchmark datasets. In order to thoroughly analyze and
evaluate the model performance, two distinct scenarios
were taken into consideration, namely multi-class classi-
fication as well as binary-class classification.
The findings indicate that the model attained remark-
ably high F-score, accuracy, positive predictive value,
and true positive rate. The scores obtained for binary and
multi-class classifications is ranging from 99.25 to 99.98%
depending on the dataset used, which further improved
existing models in the literature. By leveraging the power
of deep learning, our model is able to effectively analyze
complex patterns in network traffic data and accurately
identify potential intrusions. This will contribute to the
field of network security and has the potential to greatly
improve the overall security of interconnected networks
and systems. The model implementation can be found at
this link https://​github.​com/​Ahmed​Shebl​13/​NIDS.
The presented model offers several avenues for future
development. First, the detection of minor classes,
as elaborated in the Sect. 5, could be enhanced to
improve the classification accuracy. Second, evaluating
the model with additional benchmark datasets would
strengthen its robustness. Third, integrating innovative
solutions, such as blockchain, could further expand the
model’s applications. Fourth, to provide insight into the
model’s performance in a real network environment,
we have relied on its detection runtime. However, test-
ing the model by deploying it in an actual environment
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36 Page 21 of 23

Fig. 11 Comparison of the model accuracy and loss (y-axis) with different optimizers and different number of epochs (x-axis): (a) epochs
versus accuracy for multi-class classification, (b) epochs versus accuracy for binary-class classification, (c) epochs versus loss for multi-class
classification, and (d) epochs versus loss for binary-class classification

would give a more accurate assessment of its effec- GA Genetic algorithm

DCNN Deep convolutional neural network
tiveness and reveal additional areas for improvement. CIC Canadian Cybersecurity Institute
Lastly, like many deep learning models, the current ANN Artificial neural network
model operates as a “black box,” lacking transparency in ReLU Rectified linear unit
FCL Fully connected layers
how specific classifications are determined. Investigat- DR Detection rate
ing methods to explain the model’s outputs would be a TPR True positive rate
valuable direction for future research. PPV Positive predictive value
TNR True negative rate
Abbreviations
IoT Internet of Things Acknowledgements
NIDS Network intrusion detection system None.
AI Artificial intelligence
ML Machine learning Authors’ contributions
DL Deep learning Ahmed Shebl proposed the idea, Mostafa Herajy refined the idea. E. Elsedimy,
CNN Convolutional Neural Network A Ismail, and A Salama validate the model. Ahmed Shebl wrote the draft.
DNN Deep neural network Mostafa Herajy and E. Elsedimy revised and improved the manuscript. All the
LSTM Long short-term memory authors read and improved the manuscript.
PSO Particle swarm optimization
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36
Funding
Open access funding provided by The Science, Technology & Innovation
Funding Authority (STDF) in cooperation with The Egyptian Knowledge Bank
(EKB).
Data availability
No datasets were generated or analyzed during the current study.
Declarations
Ethical approval and consent to participate
Not applicable.
Consent for publication
Not applicable.
Competing interests
The authors declare that they have no competing interests.
Received: 26 March 2024 Accepted: 21 November 2024
References
1. Y. Harbi, Z. Aliouat, A. Refoufi, S. Harous, Recent security trends in internet
of things: A comprehensive survey. IEEE Access 9, 113292–113314 (2021).
https://​doi.​org/​10.​1109/​ACCESS.​2021.​31037​25
2. P. TS, P. Shrinivasacharya, Evaluating neural networks using bi-directional
lstm for network ids (intrusion detection systems) in cyber security. Glob.
Transit. Proc. 2(2), 448–454 (2021). https://​doi.​org/​10.​1016/j.​gltp.​2021.​08.​
017. International Conference on Computing System and its Applications
(ICCSA-2021)
3. M.A. Hossain, M.S. Islam, Ensuring network security with a robust intru-
sion detection system using ensemble-based machine learning. Array 19,
100306 (2023). https://​doi.​org/​10.​1016/j.​array.​2023.​100306
4. Z. Zhang, H.A. Hamadi, E. Damiani, C.Y. Yeun, F. Taher, Explainable artificial
intelligence applications in cyber security: State-of-the-art in research.
IEEE Access 10, 93104–93139 (2022). https://​doi.​org/​10.​1109/​ACCESS.​
2022.​32040​51
5. P. Sun, P. Liu, Q. Li, C. Liu, X. Lu, R. Hao, J. Chen, Dl-ids: Extracting features
using cnn-lstm hybrid network for intrusion detection system. Secur.
Commun. Netw. 2020, 1–11 (2020)
6. K. Ren, S. Yuan, C. Zhang, Y. Shi, Z. Huang, Canet: A hierarchical cnn-
attention model for network intrusion detection. Comput. Commun.
205, 170–181 (2023). https://​doi.​org/​10.​1016/j.​comcom.​2023.​04.​018
7. M.A. Khan, N. Iqbal, Imran, H. Jamil, D.H. Kim, An optimized ensemble
prediction model using automl based on soft voting classifier for network
intrusion detection. J. Netw. Comput. Appl. 212, 103560 (2023). https://​
doi.​org/​10.​1016/j.​jnca.​2022.​103560
8. S. Sindhu, S. Geetha, S. Selvakumar, Network Intrusion Detection System
Using Machine Learning Techniques: A Quick Reference (Lap Lambert Aca-
demic Publishing GmbH KG, 2013). https://​books.​google.​com.​eg/​books?​
id=​QuZGn​wEACA​AJ. Accessed 11 Oct 2024
9. W. Wang, S. Jian, Y. Tan, Q. Wu, C. Huang, Robust unsupervised network intru-
sion detection with self-supervised masked context reconstruction. Comput.
Secur. 128, 103131 (2023). https://​doi.​org/​10.​1016/j.​cose.​2023.​103131
10. P. Barnard, N. Marchetti, L.A. DaSilva, Robust network intrusion detection
through explainable artificial intelligence (xai). IEEE Netw. Lett. 4(3),
167–171 (2022). https://​doi.​org/​10.​1109/​LNET.​2022.​31865​89
11. M. Kubat, Fundamentals of Artificial Intelligence: Problem Solving and
Automated Reasoning (McGraw Hill LLC, 2023). https://​books.​google.​com.​
eg/​books?​id=​w9alE​AAAQB​AJ. Accessed 11 Oct 2024
12. C. Bishop, Neural Networks for Pattern Recognition. Advanced Texts in
Econometrics (Clarendon Press, 1995). https://​books.​google.​com.​eg/​
books?​id=​T0S0B​gAAQB​AJ. Accessed 11 Oct 2024
13. B. Sharma, L. Sharma, C. Lal, S. Roy, Explainable artificial intelligence for
intrusion detection in iot networks: A deep learning based approach.
Page 22 of 23
Expert Syst. Appl. 238, 121751 (2024). https://​doi.​org/​10.​1016/j.​eswa.​
2023.​121751
14. M. Saied, S. Guirguis, M. Madbouly, Review of artificial intelligence for
enhancing intrusion detection in the internet of things. Eng. Appl. Artif.
Intell. 127, 107231 (2024). https://​doi.​org/​10.​1016/j.​engap​pai.​2023.​
107231
15. C. Park, J. Lee, Y. Kim, J.G. Park, H. Kim, D. Hong, An enhanced ai-based
network intrusion detection system using generative adversarial net-
works. IEEE Internet Things J. 10(3), 2330–2345 (2023). https://​doi.​org/​10.​
1109/​JIOT.​2022.​32113​46
16. H. Zhao, M. Li, H. Zhao, Artificial intelligence based ensemble approach
for intrusion detection systems. J. Vis. Commun. Image Represent. 71,
102736 (2020). https://​doi.​org/​10.​1016/j.​jvcir.​2019.​102736
17. V. Kanimozhi, T.P. Jacob, Artificial intelligence based network intrusion
detection with hyper-parameter optimization tuning on the realistic
cyber dataset cse-cic-ids2018 using cloud computing. ICT Express 5(3),
211–214 (2019). https://​doi.​org/​10.​1016/j.​icte.​2019.​03.​003
18. C. Lu, in 2022 International Conference on Electronics and Devices, Computa-
tional Science (ICEDCS). Research on the technical application of artificial
intelligence in network intrusion detection system (2022), pp. 109–112.
https://​doi.​org/​10.​1109/​ICEDC​S57360.​2022.​00031
19. S. Naseer, Y. Saleem, S. Khalid, M.K. Bashir, J. Han, M.M. Iqbal, K. Han,
Enhanced network anomaly detection based on deep neural networks.
IEEE Access 6, 48231–48246 (2018). https://​doi.​org/​10.​1109/​ACCESS.​2018.​
28630​36
20. M. Ramkumar, P.B. Reddy, J. Thirukrishna, C. Vidyadhari, Intrusion detec-
tion in big data using hybrid feature fusion and optimization enabled
deep learning based on spark architecture. Comput. Secur. 116, 102668
(2022). https://​doi.​org/​10.​1016/j.​cose.​2022.​102668
21. N. Hussen, S.M. Elghamrawy, M. Salem, A.I. El-Desouky, A fully streaming
big data framework for cyber security based on optimized deep learning
algorithm. IEEE Access 11, 65675–65688 (2023). https://​doi.​org/​10.​1109/​
ACCESS.​2023.​32818​93
22. A. Thakkar, R. Lohiya, Fusion of statistical importance for feature selection
in deep neural network-based intrusion detection system. Inf. Fusion 90,
353–363 (2023). https://​doi.​org/​10.​1016/j.​inffus.​2022.​09.​026
23. M. Vishwakarma, N. Kesswani, A new two-phase intrusion detection sys-
tem with naïve bayes machine learning for data classification and elliptic
envelop method for anomaly detection. Decis. Analytics J. 7, 100233
(2023). https://​doi.​org/​10.​1016/j.​dajour.​2023.​100233
24. S. Ho, S.A. Jufout, K. Dajani, M. Mozumdar, A novel intrusion detection
model for detecting known and innovative cyberattacks using convolu-
tional neural network. IEEE Open J. Comput. Soc. 2, 14–25 (2021). https://​
doi.​org/​10.​1109/​OJCS.​2021.​30509​17
25. Z. Wu, H. Zhang, P. Wang, Z. Sun, Rtids: A robust transformer-based
approach for intrusion detection system. IEEE Access 10, 64375–64387
(2022). https://​doi.​org/​10.​1109/​ACCESS.​2022.​31823​33
26. V. Hnamte, H. Nhung-Nguyen, J. Hussain, Y. Hwa-Kim, A novel two-stage
deep learning model for network intrusion detection: Lstm-ae. IEEE Access
11, 37131–37148 (2023). https://​doi.​org/​10.​1109/​ACCESS.​2023.​32669​79
27. J. He, X. Wang, Y. Song, Q. Xiang, A multiscale intrusion detection system
based on pyramid depthwise separable convolution neural network.
Neurocomputing 530, 48–59 (2023). https://​doi.​org/​10.​1016/j.​neucom.​
2023.​01.​072
28. A. Basati, M.M. Faghih, Pdae: Efficient network intrusion detection in IOT
using parallel deep auto-encoders. Inf. Sci. 598, 57–74 (2022). https://​doi.​
org/​10.​1016/j.​ins.​2022.​03.​065
29. M. Srikanth Yadav, R. Kalpana, Recurrent nonsymmetric deep auto
encoder approach for network intrusion detection system. Meas. Sensors
24, 100527 (2022). https://​doi.​org/​10.​1016/j.​measen.​2022.​100527
30. T.T.H. Le, R.W. Wardhani, D.S.C. Putranto, U. Jo, H. Kim, Towards enhanced
attack detection and explanation in intrusion detection system-based
iot environment data. IEEE Access 1–1 (2023). https://​doi.​org/​10.​1109/​
ACCESS.​2023.​33366​78
31. A. Zohourian, S. Dadkhah, H. Molyneaux, E.C.P. Neto, A.A. Ghorbani, Iot-
prids: Leveraging packet representations for intrusion detection in iot
networks. Comput. Secur. 146, 104034 (2024). https://​doi.​org/​10.​1016/j.​
cose.​2024.​104034
32. A. Halbouni, T.S. Gunawan, M.H. Habaebi, M. Halbouni, M. Kartiwi, R.
Ahmad, Cnn-lstm: Hybrid deep neural network for network intrusion
Shebl et al. EURASIP Journal on Information Security (2024) 2024:36 Page 23 of 23

detection system. IEEE Access 10, 99837–99849 (2022). https://​doi.​org/​

10.​1109/​ACCESS.​2022.​32064​25
33. E.C.P. Neto, S. Dadkhah, R. Ferreira, A. Zohourian, R. Lu, A.A. Ghorbani,
Ciciot2023: A real-time dataset and benchmark for large-scale attacks in
iot environment. Sensors 23(13) (2023). https://​doi.​org/​10.​3390/​s2313​
5941
34. S. Dadkhah, E.C.P. Neto, R. Ferreira, R.C. Molokwu, S. Sadeghi, A.A. Ghor-
bani, Ciciomt 2024: A benchmark dataset for multi-protocol security
assessment in iomt. Internet Things 28, 101351 (2024). https://​doi.​org/​10.​
1016/j.​iot.​2024.​101351
35. R. Chowdhury, S. Sen, A. Goswami, S. Purkait, B. Saha, An implementation
of bi-phase network intrusion detection system by using real-time traffic
analysis. Expert Syst. Appl. 224, 119831 (2023). https://​doi.​org/​10.​1016/j.​
eswa.​2023.​119831
36. R. Lazzarini, H. Tianfield, V. Charissis, A stacking ensemble of deep learning
models for iot intrusion detection. Knowl. Based Syst. 279, 110941 (2023).
https://​doi.​org/​10.​1016/j.​knosys.​2023.​110941
37. M. Abd Elaziz, I. Ahmed Fares, A.O. Aseeri, Ckan: Convolutional kolmog-
orov-arnold networks model for intrusion detection in iot environment.
IEEE Access 12, 134837–134851 (2024). https://​doi.​org/​10.​1109/​ACCESS.​
2024.​34622​97
38. I. Sharafaldin, A.H. Lashkari, A.A. Ghorbani, Toward generating a new
intrusion detection dataset and intrusion traffic characterization. ICISSp 1,
108–116 (2018). Accessed 11 Oct 2024
39. M. Sewak, P. Pujari, R. Karim, Practical Convolutional Neural Networks:
Implement Advanced Deep Learning Models Using Python (Packt Publishing,
2018). https://​books.​google.​com.​eg/​books?​id=​wkM6w​AEACA​AJ
40. V. Nair, G.E. Hinton, in Proceedings of the 27th International Conference
on International Conference on Machine Learning. Rectified linear units
improve restricted boltzmann machines, ICML’10 (Omnipress, Madison,
2010), pp. 807–814
41. F. Rosenblatt, The perceptron: A probabilistic model for information
storage and organization in the brain. Psychol. Rev. 65(6), 386–408 (1958).
https://​doi.​org/​10.​1037/​h0042​519

Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in pub-
lished maps and institutional affiliations.