Applied Intelligence (2024) 54:6738–6759

https://doi.org/10.1007/s10489-024-05505-y

Deep learning method for efficient cloud IDS utilizing combined

behavior and flow-based features
Geetha T V1 · Deepa A J2 · Mary Linda M3

Accepted: 4 May 2024 / Published online: 24 May 2024

© The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2024

Abstract
The Intrusion Detection System (IDS) distinguishes the harmful entries from the normal ones in network traffic data and
aids in network security. Due to the emergence of new and unknown network-connected devices, a lot of modern systems
were penetrated. As a result, it is critical to improve information security and to detect new cyber-attacks exploiting vari-
ous application protocols such as Hyper Text Transfer Protocol (HTTP) and Domain Name System (DNS). Therefore, this
paper introduced an Optimized Bidirectional Convolutional Neural Network and Long-Short term Memory (OBCLSTM)
method to detect whether the protocol HTTP and DNS is attacked or not. Initially, the records are fed to data normalization
and data encoding. After pre-processing, the vectors are fed to the OBCLSTM model. The Bidirectional Channel Pooling
(BiCP) layer is used to learn behavior-based features (which show interactions among hosts based on ports, destinations and
behavior) and flow-based features (which identify basic flows, such as IP addresses of source-destination and ports), which
improves the accuracy of detecting malicious attacks. In the OBCLSTM model, the best hyper parameter configuration for
Convolutional Neural Network (CNN) to learn features is tuned using Enhanced Red Fox Optimization (ERFO). Then, bidi-
rectional long short-term memory (BiLSTM) is used to extract features in the time domain and has the ability to preserve
the long-term of the information from historical context, allowing attackers to be detected early before causing widespread
damage to networks. Finally, the fully connected layer utilizes these features to classify the network data as attacks (types
of attacks) or normal. Tests are conducted on the NSL-KDD99, TUIDS, UNSW-NB15 and BoT-IoT datasets. The proposed
OBCLSTM method attains better performance in terms of precision, accuracy, recall, and F-measure.

Keywords Intrusion detection system · Flow-based features · Behaviour-based features

1 Introduction host-based attacks (including malware, unauthorized, as well

Cloud computing is the most significant technology for data
storage. In cloud computing, both private and commercial-pur-
pose data are stored in the form of “pay as you use” [1]. Nowa-
days, many cloud computing services are available to users;
at the same time, they are concerned about security issues [2].
Many cyber-attacks, that are DoS (Denial of Service), U2R,
* Geetha T V
as privilege scaling) and R2L, etc [3]. , are affecting services
of cloud computing. An IDS is used to protect against these
intrusion attacks [4]. For this intrusion detection system, many
methods like fuzzy based clustering and the spider-monkey
optimization algorithm (FBC-SMO), deep neural network
(DNN), pre-training approach with a deep auto encoder
(PTDAE), fuzzy c-means clustering (FCM), deep logarithmic
neural network (LOGNN), Support vector machine (SVM),
Hidden Markov Model, etc., are used [5–7]. The exploration

[email protected] of neural networks with random weights (NNRWs) [8], ran-
dom neural networks [9] and Random Vector Functional Link
1
Department of Artificial Intelligence and Data Science, St. (RVFL) networks [10] is gaining attention. These unconven-
Xavier’s Catholic College of Engineering, Chunkankadai, tional neural network architectures introduce randomization
Nagercoil, India
in their weights and connections, potentially offering unique
2
Department of CSE, Ponjesly College of Engineering, advantages in the context of intrusion detection.
Nagercoil, India
Anyhow, the existing methods have some issues in their pro-
3
Department of EEE, KIT-Kalaignarkarunanidhi Institute cessing, like difficult to extract the feature, exploding gradient,
of Technology, Coimbatore, India

Vol:.(1234567890)
Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based…
less convergence speed and vanishing issues, inaccuracy and
less data processing efficiency. From the above-mentioned
techniques, the CNN and the RNN are widely used in intru-
sion detection systems [11]. CNN is used to extract the feature
subset as well as for better classification [12]. The RNN is used
to process the data because it has short-time memory as inter-
nal memory [13]. It produces the output, copies that output,
and loops it back into the network [14, 15]. Due to the hidden
layer derivatives multiplication, RNN is having the gradient
exploding and vanishing problems [16, 17] and also neural net-
works with bandlimited random weights include challenges in
structured learning, potentially limited interpretability and the
risk of suboptimal network configurations. The randomization
may hinder capturing intricate patterns and might necessitate
careful tuning to achieve desired performance [18].
To overcome the gradient exploding and vanishing prob-
lems, long-short term memory (LSTM) [19, 20] and its vari-
ant [21, 22] are used in RNN and it is called bidirectional
RNN [23]. On account of its benefits, the CNN and bidirec-
tional RNN are combined for an effective intrusion detection
system [24]. However, it is having problems of computa-
tion complexity, high complexity of the network structure,
and over fitting. To overcome these problems, OBCLSTM
method is proposed to detect whether the protocol HTTP and
DNS is attacked or not.
1.1 Contributions
The proposed OBCLSTM method contributions are pro-
vided below,
• An effective IDS model (OBCLSTM) is introduced for
detecting attacks on numerous application protocols such
as DNS, and HTTP.
• An attention pooling and max-pooling is introduced as
BiCP layer to learn the flow based and behavior-based
features from HTTP and DNS protocol, which enhances
the accuracy to detect attacks. Besides, BiLSTM is used
to extract features in the time domain, where attackers
can be detected early before harming the entire networks.
• The best hyper parameter configuration for CNN to
learn features is tuned using ERFO by introducing the
opposition-based learning strategy (OBLS) and chaotic
sequences, which enhance the exploration of the algo-
rithm and for faster convergence.
• The proposed OBCLSTM model performs better in terms
of recall, precision, F1-score and accuracy, compared to
existing methods.
This paper is structured as follows. The existing research
based on intrusion detection is examined in Section 2. The
architecture of the proposed network is described in Sec-
tion 3. The results of the experiment are then presented and
6739
discussed in Section 4. Section 5 offers a conclusion in the
end.
2 Related work
Some of the recent works designed in improving the IDS are
discussed in here as shown below.
The IDS was very useful in detecting several attacks that
affected the network. Here, for the network intrusion detec-
tion, Zhendong et al. [25] introduced an integrated Deep
Learning (DL) model for the IDS. The data pre-processing
and the classification were done by an integrated deep learn-
ing method with SDAE-ELM. The stacked denoising auto
encoder (SDAE) was used to reduce the noise in the data,
as well as the extreme learning machine (ELM) was used to
make it as fast as the training speed of the data. The features
are extracted by using the denoising auto encoder method.
This method enhances the detection accuracy and it has the
poor detection in the small data sets.
IDS were used to secure and detect attacks in cloud
computing. Jitendra and Narander [26] present an intru-
sion detection system in cloud computing using hybrid
clustering-optimization. For a hybrid method of IDS, here
fuzzy based clustering is utilized for anomalies clustering.
Then the fitness value for fuzzy is obtained by using spider-
monkey optimization algorithm (FBC-SMO). This method
provides better accuracy and higher security in the cloud
computing environment. But it consumes more time for
processing.
The implementation of Deep Learning and Enhanced
Transient Search Optimization for IoT IDS was demon-
strated by Abdulaziz et al. [27]. Here, the features from
the data were extracted using the convolution neural net-
works and the Enhanced Transient Search Optimization
(CNNTSO) was used to select the new features with the
help of the differential evolution (DE) algorithm. TSO and
DE (TSODE) were combined and used to improve the train-
ing process. It consumes less time for processing. But it has
low accuracy in the small data sets.
The detection of impersonation attack using the centric
user profiling approach for a cloud environment is demon-
strated in Hisham [28]. Three stages were used to evaluate
the detection of masquerade and impersonation attacks. The
first stage analyses the systems call sequence and the Net-
Flow data subsystems to identify the attack. The next stage
analyses the audit data and the user behavior with both the
network environment and the host. The third stage combine
two stages by utilizing a neural network. The cloud intrusion
detection datasets (CIDD) were used to simplify the three
testing approaches and the data audit. The CIDD is one of
the few datasets to evaluate and support the IDS in the cloud.
The scoring systems and the sliding window size of DSSGA
6740
were used for their high flexibility and better accuracy. But
it needs more user profiles to detect impersonation attacks.
Yesi et al. [29] present an IDSby using deep learning and
grid search optimization. Here, a deep learning network IDS
was used with a combination of pre-training approach with
a deep auto encoder (PTDAE) and a deep neural network
(DNN) for attack detection. A grid search combined with
random search is used to obtain hyperparameter of deep
learning network. This method improves the performance of
detection. However, this method was not used for the imbal-
anced detection datasets.
Zhendong et al. [30] explained internet intrusion detec-
tion with a logarithmic neural network (LOGNN). The
LOGNN is operated by logarithmic operation and it is used
for processing features of data. Every LOGNN’s logarithmic
operation base number is obtained by neural network. This
method increases the accuracy. But its training process was
more complicated.
Several attacks impacted cloud computing during the data
processing process. To solve that, Naser and Shafiq [31] rep-
resent the IDS using fuzzy c-means clustering algorithm and
support vector machine (FCM-SVM) for cloud computing
environments. In this, the IDS was united with the FCM
algorithm and SVM for attack detection. Initially, the cluster
group is formed in terms of membership function. Based
on the cluster values, SVM are trained and finally the fuzzy
aggregation integrates the results. This method gives better
accuracy as well as a low false alarm rate. But it has high
computational time.
Kasongo [32] introduced a novel deep learning approach
for Intrusion Detection Systems (IDSs), leveraging a frame-
work based on Recurrent Neural Networks (RNNs). The
framework incorporates various RNN types, including Sim-
ple RNNs, Long-Short Term Memory (LSTM), and Gated
Recurrent Unit (GRU), evaluated using standard datasets.
Results indicate superior performance compared to exist-
ing IDSs in terms of test accuracy. Nevertheless, challenges
include the requirement for extensive labelled training data,
potential overfitting, and the intricate process of hyperpa-
rameter optimization for deep neural networks.
Samunnisa et al. [33] introduced anomaly-based IDS
in distributed cloud environments, employing benchmark
datasets NSL-KDD and KDD Cup 99. The proposed model
exhibits enhanced accuracy and detection rates across vari-
ous intrusion types through a combination of clustering,
classification, log analysis, pattern matching and threshold
evaluation. Despite its merits, challenges encompass intri-
cacies in model tuning, potential data quality impact, and
heightened computational resource demands.
Hnamte and Hussain [34] present a hybrid deep learn-
ing architecture, merging CNN and BiLSTM networks with
attention mechanisms for intrusion detection. By combin-
ing the strengths of CNN and BiLSTM, the model excels
G. T V et al.
in extracting distinct features and capturing long and short-
term relationships in network traffic data. This hybrid
approach demonstrates efficacy in real-time intrusion detec-
tion, enhancing the landscape of deep learning models for
network security. However, its complexity extends training
periods, differing from conventional deep learning methods.
Further research is warranted to explore attack behavioural
patterns and refine forecasting and prevention models.
Upon reviewing the survey, it becomes evident that poten-
tial attackers may exploit application protocols such as DNS
and HTTP, posing significant security and data leakage con-
cerns. Current challenges in intrusion detection methods
involve ineffective learning mechanisms for flow-based and
behavior-based features, limitations in extracting features
from the time domain and the inability to promptly iden-
tify emerging cyber threats from newly connected devices.
In response to these issues, we introduce the OBCLSTM
method, positioning it as an innovative intrusion detection
system that surpasses the constraints of existing approaches.
This solution aims to provide efficient learning for flow-
based and behavior-based features, enhance feature extrac-
tion in the time domain and swiftly recognize new cyber
threats from emerging network-connected devices. Table 1
depicts the existing IDS summary.
3 Proposed intrusion detection method
In the proposed model, an OBCLSTM method is introduced
for efficient intrusion detection. Figure 1 illustrates the archi-
tecture of the OBCLSTM model. Initially, the records are
fed to Z-score normalization and one hot encoder for data
normalization and data encoding. Then, the vectors extracted
by the encoder is given to the OBCLSTM model. Here, the
BiCP layer is used to learn behaviour-based features (which
show interactions among hosts based on ports, destinations,
and behaviour) and flow-based features (which identify
the basic flows, such as IP addresses of source-destination,
and ports), which enhance the detection accuracy. The best
hyper parameter configuration for CNN to learn features is
tuned using ERFO. The BiLSTM is then used to extract time
domain features and has the capability of storing informa-
tion in the long term from historical context, which aids
in detecting attacks early before they harm the entire net-
work. Finally, the fully connected layer uses these features
to determine whether or not the HTTP and DNS protocols
are being attacked.
3.1 Pre‑processing
In this stage, the records in the dataset consist of text and
numerical values. Large numbers in a numerical value will
slow down training and make processing more difficult.
Table 1  Existing IDS summary
Author Methods used
Zhendong et al. [25] SDAE-ELM
Jitendra and Narander [26] FBC-SMO
Abdulaziz et al. [27] CNNTSO
Hisham [28] centric user profiling approach
Yesi et al. [29] PTDAE
Zhendong et al. [30] LOGNN
Naser and Shafiq [31] FCM-SVM
Kasongo [32] RNN Framework with Simple RNNs,
LSTM and GRU​
Samunnisa et al. [33] Hybrid approach involving clustering,
classification, log analysis, pattern
matching, and threshold evaluation
Hnamte and Hussain [34] Hybrid architecture combining CNN,
BiLSTM and attention mechanisms
Dataset used
ADFA-LD, UNSW-NB15,KDD
Cup99, and NSL-KDD datasets
NSL-KDD, KDD99 datasets
NSL-KDD, BoT-IoT, KDDCup-99,
and CICIDS-2017 dataset.
CIDD dataset
CIDD dataset
NSL-KDD and UNSWNB-15 dataset Increases the accuracy.
NSL-KDD dataset
NSL-KDD, UNSW-NB15
NSL-KDD, KDD Cup 99
CICIDS2018, EdgeIIoT
Merits De-merits
Enhances the detection accuracy. It has the poor detection in the small data
sets.
Better accuracy and higher security in It takes more time to train the dataset.
the cloud computing environment.
It consumes less time for processing. It has low accuracy in the small data sets.
High flexibility and better accuracy.
It needs more user profiles to detect
impersonation attacks.
Improves the performance of detection. This method was not used for the imbal-
anced detection datasets.
Its training process was more compli-
cated.
Better accuracy as well as a low false It has high computational time
alarm rate.
Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based…
Superior test accuracy compared to Requires extensive labeled training data,
existing IDSs. optimization for deep potential overfitting and intricate hyper-
neural networks. parameter optimization for deep neural
networks.
Enhanced accuracy and detection rates Model tuning intricacies, potential data
for various intrusion types. quality impact and heightened compu-
tational resource demands.
Extracts distinct features and captures Complexity extends training periods,
long and short-term relationships. requiring further research on attack
patterns
6741
6742 G. T V et al.

Fig. 1  Architecture of
OBCLSTM method Datasets

Pre-processing
Text
Data encoding
data

Numeri
Data normalization
cal data

Pre-processed records

OBCLSTM Classifier

Conv Pooling Fully

Pooling Conv
layers conne
layers
cted
layer

Max- ERFO
pooling Attention-
pooling

Extracted features
Input layer

Forward layer
Intrusion

Backward layer

Normal
Output layer

Additionally, the deep neural network algorithm’s opera- 3.2 OBCLSTM classifier

tions cannot process text values. Thus, pre-processing
of the dataset is required. Data normalisation and data
encoding is applied to the dataset’s records [35]. Z-score
normalisation ­(Zsr) is utilized to normalize the numerical
features in order to lower their values and to reduce the
process of training, which is given in Eq. (1).
y−𝜇
Zsr =
𝜎
where, y denotes the values, 𝜎 signifies the sample’s stand-
ard deviation and 𝜇denotes the sample’s mean. One Hot
encoder is used to convert the text features into numerical
values.
The existing methods fail to learn the behaviour based and
flow-based features. So, it is difficult to show the interac-
tion among hosts based on ports and destinations and to
update the attack types on a regular basis. Moreover, it
fails to preserve the long-term of the information in its
historical context. As a result of this detection, irrelevant
(1) attacks are launched and the attackers become more dan-
gerous. Therefore, we introduce the BiCP layer and BiL-
STM in the OBCLSTM model to detect malicious behav-
iour in the cloud.
Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based…
After pre-processing, the records are given to the convo-
lution layer of the OBCLSTM classifier. Here, we use the
BiCP layer to learn behavior-based features (which show
interactions among hosts based on ports, destinations and
behaviour) and flow-based features (which identify the basic
flows, such as IP addresses of source-destination, protocols
and ports) in CNN. This gives high detection accuracy. In
the OBCLSTM model, the best hyper parameter configura-
tion for CNN to learn features is tuned using ERFO. ERFO
introduces OBLS and chaotic sequences to improve the algo-
rithm’s exploration and for faster convergence. The BiLSTM
network is then used to extract time-domain features and
to preserve the long-term of the information from histori-
cal context. Finally, the fully connected layer determines
whether it is an attack or a normal layer.
3.2.1 Extraction of behaviour‑based and flow‑based
features
Behavior-Based and Flow-Based Features Extraction is
essential for robust network behavior detection. Behavior-
based features capture patterns related to network activity,
aiding in the identification of specific behaviors. Flow-based
features, facilitated by attention mechanisms, address limi-
tations in capturing flow-related characteristics. Together,
these features provide a comprehensive understanding of
network traffic dynamics. Behavior-based features highlight
abnormal patterns, while flow-based features enhance the
model’s ability to discern nuances in data flow. This com-
bined extraction process significantly improves the model’s
accuracy in detecting anomalies, ensuring a more thorough
and nuanced analysis of network behavior for effective intru-
sion detection and security.
The process begins with the CNN block, which receives
pre-processed records through a 1D convolution operation.
The convolution operation employs a ReLU activation func-
tion to capture intricate information. The resulting activation
maps undergo max-pooling, focusing on behavior-based fea-
tures. Filters with varying area sizes are employed to acquire
diverse max-pooling values, capturing crucial characteristics
of each feature-mapping vector. A detailed explanation of
the feature extraction method is provided below.
The CNN block receives pre-processed records using a
1D convolution operation that results in activation maps
when a fixed kernel of 1 × 3is used. To learn more com-
plicated information, the convolution activation function
employs a Rectified Linear Unit (ReLU), which is given in
Eq. (2).
( )
rjk = Re l u Rkj (2)
QY = KY = V = U
6743
where Rkjsignifies k layer and j channel’s output activation
map. Rkj can determined in Eq. (3).
∑
Rkj = rk−1 Pkij + vkj (3)
i∈Lj j
where rjk−1denoted as the preceding layer’s previous output
activation map, vkj signifies the bias value and Pkij denotes the
convolution kernel weights. Dropout is used in the CNN
block after the ReLU activation function to address the over
fitting issue. After convolution, each feature is fed to the
BiCP layer for filtering and learning of features. BiCP layer
consist of max-pooling and attention pooling layers.
The max-pooling layer is regarded as one of the BiCP layer
and learns the behavior-based features. Here, filters with vary-
ing area sizes are made to acquire various max pooling values.
Every feature-mapping vector’s most important characteristic
is obtained, which is given below,
{ }
y = Max ui (4)
0≤i≤e−h
where h signifies the convolutional kernel’s width, e denotes
the input vectors matrix and ui signifies the convolutional
kernel matrix sub-matrix. The max-pooling layer, a facet
of BiCP, focuses on behavior-based features, utilizing fil-
ters with varying area sizes to obtain diverse max pooling
values. Each feature-mapping vector’s crucial characteristic
is identified. The Max-pooling Layer collaborates with an
Attention-pooling Layer (APL), amalgamating flow-based
and behavior-based features. Figure 2 illustrates the BiCP
layer’s architecture, emphasizing its vital role in feature
extraction and learning. The CNN’s inability to capture
flow-based features and the importance of the features var-
ies based on their location, which can be solved by an atten-
tion mechanism. It extracts the flow-based features and the
significant features.
Additionally, an Attention-pooling Layer (APL) is intro-
duced to amalgamate flow-based and behavior-based features.
This layer utilizes a Multi-Head Attention Mechanism, consist-
ing of Query (QY), Value (V) and Key (KY) matrices. The
attention mechanism, based on the Scaled Dot-product Atten-
tion (SDPA) approach, determines the similarity between dif-
ferent feature matrices, facilitating the extraction of flow-based
features. The multi-head attention mechanism transforms
matrices QY, KY and V, and their outputs are combined to
form the output of SDA. The resulting vector is then trans-
formed into a fixed-dimension vector through a linear trans-
formation, enabling the simultaneous learning of significant
behavior and flow-based features. The QY, KY, and V matrix
are similar to the convolutional layer output’s flow-based fea-
ture matrix ‘U’, which is given below,
(5)
6744
Fig. 2  Architecture of Bichan-
Convolution
nel pooling layer
The self-attention method is based on the SDPA
approach. it determines the similarity by √
first resolving the
dot product of QY and KY, and splits by dKY , so that the
output of the dot product calculation won’t be excessively
large ( dKY signifies the KY matrix dimension). To obtain
the expression of attention, we first normalise the result
using the Softmax function before multiplying it by the V
matrix. The SDPA is determined in Eq. (6).
� �
QYKY U
SDPA(QY, KY, V) = softmax √ V (6)
dKY
The purpose of the multi-head attention mechanism is
to make linear transformations on the matrices QY, KY,
and V. The output of each self-attention module’s is then
combined into a single output, which results in output of
SDA. Finally, the result is transformed into the vector with
fixed dimension by the W matrix transformation, which is
given below,
hi = SDPA(QYWiQY , KYWiKY , VWiV )
MH(QY, KY, V) = concat(h1 , … … … … ht )W
where t denotes the various self-attention modules, WiQY ,
WiKY , and WiV are various weight matrices. The two feature
matrices of the Attention-pooling layer and the Max-pooling
layer are merged into one. So, the method can learn signifi-
cant behavior and flow-based features in the vectors at the
same time.
G. T V et al.
Bi channel pooling layer (maxpooling,
Feature maps
and attention pooling layer)
1-max
Concat
Linear
Linear SDA Concat
Linear
3.2.2 Extraction of temporal features
The BiLSTM network plays a crucial role in extracting features
within the time domain and retaining long-term information
from the historical context. Comprising two reverse LSTM
networks, the BiLSTM provides a comprehensive understand-
ing of sequential data. Each LSTM network consists of several
neuron nodes, each equipped with three decision-making com-
ponents: the input gate, the forget gate and the output gate [36].
The BiLSTM conducts both forward and backward feature
extractions through two LSTM networks. The forward LSTM
(LSTM forw) processes information from the past to the present
(t-1 to t), while the backward LSTM ( LSTM backw ) analyses
information from the future to the present (t + 1 to t). This
bidirectional approach enables a more detailed exploration of
feature information and an understanding of each characteris-
tic’s impact before and after it in the sequence data.
For a given time point t, the outputs of the forward and
backward LSTMs are represented as where hit and hiback
forw
t
respectively. These outputs are then concatenated to form a
(7) comprehensive representation of the features at that specific
time point:
(8)
(9)
forw
hit = LSTM forw (hit−1 , yt , Ct−1 )
hiback = LSTM backw (hit−1 , yt , Ct−1 ) (10)
t
[ ]
forw
Hit = hit , hiback
t (11)
Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based…
Here, hit and hiback
forw
t
denote the forward and backward
hidden layers, Ct−1 signifies the previous node state, and
Yt−1 represents the input. This concatenated representation
( Hi ) encapsulates the bidirectional influence of features at
the given time point.
The output from the BiLSTM is further processed through
a fully connected layer and the resulting features are sent to
a Softmax classifier. This final stage determines whether the
protocols HTTP or DNS are under attack or remain unaf-
fected, completing the network behavior detection process.
3.2.3 Enhanced Red Fox Optimization
During the intricate optimization journey, ERFO strategi-
cally deploys evaluation mechanisms to meticulously assess
the performance of diverse hyperparameter configurations.
Drawing inspiration from the adaptive hunting techniques
of the red fox, this approach guides the algorithm with a
nuanced and deliberate strategy. The algorithm’s adaptabil-
ity and equilibrium between exploration and exploitation are
paramount in navigating the vast hyperparameter space, akin
to the red fox’s adept navigation of its environment.
Inspired by the red fox’s ability to adapt to various hunt-
ing scenarios, ERFO dynamically manoeuvres through the
hyperparameter landscape, aiming for regions that hold the
promise of enhanced accuracy, efficiency and adaptability
for the OBCLSTM model. This strategic deployment mir-
rors the fox’s ability to adapt its hunting techniques to dif-
ferent prey and environments, ensuring that ERFO tailors
its approach based on the unique challenges posed by the
intrusion detection domain.
The adaptability inherent in ERFO’s optimization mecha-
nism becomes a key asset in achieving a delicate balance
between exploration and exploitation. Much like the red fox
adjusts its hunting strategies based on the characteristics of
the prey and the environment, ERFO fine-tunes its explora-
tion and exploitation tactics to efficiently navigate the com-
plexity of intrusion detection scenarios. This adaptability
serves as a cornerstone, allowing ERFO to respond dynami-
cally to the evolving demands of the optimization landscape.
In the intricate landscape of intrusion detection within
complex network environments, ERFO’s optimization
mechanism solidifies its role as a pivotal component. The
algorithm’s adeptness in mimicking the red fox’s adap-
tive hunting behaviors ensures that it not only explores the
hyperparameter space thoroughly but also exploits valuable
insights gained during the process. This intricate interplay
between exploration and exploitation establishes ERFO as
a resilient and efficient instrument for refining hyperparam-
eters, thereby significantly enhancing the performance and
adaptability of the OBCLSTM model within the demanding
domain of intrusion detection.
6745
Initialization The initialization phase is a critical starting
point for the ERFO algorithm. At the onset, a fixed number
of candidate solutions, symbolizing foxes in the algorithm
inspired by the red fox behavior, are randomly selected.
Each candidate, representing a fox, is characterized by a set
of coordinates in the solution space. These coordinates are
essential parameters in the optimization process, analogous
to the spatial attributes that determine the position of a fox
in its environment.
In more technical terms, let’s denote the solution space
dimensions by ‘t’. For every fox, its position in the solution
space is represented by coordinates of t he
form y = (y0 , y1 , … … .yt ). We introduce the representation
k n
(yj ) , where j is the coordinate as indicated by the solution space
dimensions, in order to distinguish each fox Y in n iteration, and
k
k denotes the fox numbers. The t variable’s criterion function is
considered as w ∈[Rtin terms of search space’s dimension. ] The
notation (Y)(k) = (Y 0 )(k) , (Y 1 )(k) … … … … (Y t−1 )(k) desig-
[ ]t
nates the points in the space p, q where p, q ∈ R. If the func-
tion value f ((Y)(k)is a global optimum on [p, q], then (Y)(k) will
be the best solution at that time.
Then the subsequent stages of the algorithm will then
iteratively explore, evaluate and refine these initial solutions
to converge towards optimal hyperparameter values for the
given problem, such as learning rate, epochs and batch size
in the context of CNN optimization for intrusion detection.
Objective function evaluation The initial phase encom-
passes the segregation of the dataset into separate training
and testing sets, establishing the fundamental basis for sub-
sequent procedures. Here, the hyperparameters of the CNN,
including learning rate, epochs and batch size, emerge as
pivotal elements in the optimization endeavour. The core
objective centers around the minimization of an assigned
objective function, typically representing the model’s loss.
This function becomes the focal point, steering the algo-
rithm’s efforts toward fine-tuning specified hyperparam-
eters for optimal configuration. The overarching aspiration
is to elevate the CNN model’s performance, emphasizing
improvements in learning efficiency and accuracy as it navi-
gates the intricacies of training and testing datasets.
ERFO’s optimization prowess extends seamlessly across
learning rate, batch size and epochs through an adaptive and
iterative search process. In the realm of learning rate optimi-
zation, ERFO dynamically adjusts the learning rate, guided
by the foraging behavior of red foxes, traversing a spectrum
of values to pinpoint the optimal rate within the OBCLSTM
architecture. This dynamic tuning enhances adaptability,
ensuring alignment with the network’s training dynamics.
The introduction of chaotic sequences acts as a safeguard
6746
against stagnation in local optima, fostering effective explo-
ration of the hyperparameter space and preventing premature
convergence.
Transitioning to batch size optimization, ERFO show-
cases versatility in exploring diverse batch size configura-
tions. The algorithm’s inherent adaptability dynamically
adjusts its search strategy based on varying batch sizes,
facilitating effective training of the OBCLSTM model. The
exploration-exploitation balance, inspired by the red fox’s
hunting strategies, guides ERFO in efficiently navigating the
complex landscape of batch size selection.
In epochs optimization, ERFO exhibits finesse in fine-
tuning the number of training epochs. Striking a delicate
balance between underfitting and overfitting, the algorithm
adjusts epoch values under the guidance of OBLS and
chaotic sequences. This meticulous process ensures CNN
convergence to an optimal solution without compromising
generalization performance. The incorporation of chaotic
sequences injects controlled randomness, preventing entrap-
ment in suboptimal solutions and promoting more effective
exploration of the solution space. This holistic approach,
inspired by the red fox’s adaptive hunting techniques, posi-
tions ERFO as a robust and effective tool for fine-tuning
hyperparameters, ultimately contributing to the enhanced
performance and adaptability of the OBCLSTM model in
the challenging( realm
) of intrusion detection.
The dataset Dtset is splitted as training Dt(Tr)set as well as
testing Dt(Te)set . The CNN model considers the learning
( rate,
number of epochs and batch size as hyper parameters Hrpr .
)
The objective function is determined in Eq. (12).
( ) ( )
OHrpr Dt(Tr)set = arg s min X OP, Dt(Tr)set + 𝜌(OP) (12)
OP∈M
where OP signifies the optimized hyper parameters,
OHrpr denotes the required hyper parameter configuration
optimization. The objective function minimizes the loss at a
rate of ‘X’.
We first arrange the population by objective condition and
calculate the Euclidean(distance ) square for each individual
best
within a population for Y as given below,
√ By[ taking] into⌢ account Yi as a solution among
i best i
d((Y )k , (Y )k = ∥ (Y )k − (Y )k ∥,
best
(13)
and we lead population individual towards the optimal one
i k i k best k i k
(Y ) = (Y ) + 𝛼sign(Y ) − (Y ) (14)
Where 𝛼 def ines the random integer,
best best
𝛼 ∈ (0, d((Y )k , (Y )k ).
The movement and observation to cheat the prey while
hunting into a local search stage are part of the RFO algo-
rithm. In order to imitate a fox potentially getting closer
G. T V et al.
to the prey. For each candidate in the iteration, a random
value is set as 𝛿 ∈ [0,1].
{
move closer if 𝛿 > 3∕4
remain hidden if 𝛿 ≤ 3∕4 (15)
The radius is defined in below Eq. (16).
{
p × sin(𝜑0 )∕𝜑0 if 𝜑0 ≠ o
R=
𝜇 if 𝜑0 = 0 (16)
where 𝜇 denotes the random value [0,1].
Opposition based learning strategy This strategy defines
that there is an opposing location for each possible posi-
tion in the solution space, which enhances the algorithm
exploration. A comparison with each solution’s opposite
is made after producing its opposite location to choose
the best one as a new solution. Consider, when a candi-
date solution is generated, OBLS immediately produces
its opposite location in the solution space. This opposi-
tion is not a mere inversion but is crafted to represent
a contrasting viewpoint. Following this, a crucial step
involves comparing the original solution with its opposite
counterpart. The comparison considers various aspects,
such as fitness or objective function values, to evaluate
their relative performance. The best-performing solution
between the original and its opposite is then selected as
the new solution.
This strategy plays a pivotal role in infusing diversity
into the optimization process. By constantly introducing
opposing viewpoints, OBLS ensures that the search algo-
rithm explores different regions of the solution space. This
is particularly valuable in preventing premature conver-
gence to local optima, as the algorithm is less likely to get
stuck in a specific solution region. The contrasting per-
spectives provided by the original solution and its oppo-
site contribute to a more robust and thorough exploration,
allowing the optimization algorithm to discover a wider
range of potential solutions.
Yi ∈ Yi , Y i and its Y ij opposite value, the equation is given
below,
i i i i
(Y )kop = (Y )kl + (Y )ku − (Y )kop (17)
i i
where (Y )kop , (Y )k ∈ Ri. By taking into account the declared
i i
explanation, the best position between (Y )kop and (Y )khas
been chosen, and the stored solution and the remainder have
been discarded.
Chaotic learning is the foundation of the second modi-
fication. This mechanism was developed to improve the
Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based… 6747

quality of the ideal solution through iterations, which 𝛿k+1 = 4𝛿k (1 − 𝛿k ) (18)
enhances the convergences. We make use of the logistic
map here based on chaos mechanism. The updating equa-
tion for 𝛿 and 𝜇 are given below,
𝜇k+1 = 4𝜇k (1 − 𝜇k ) (19)
where k denotes the iteration number, 𝛿k and 𝜇k are the ini-
tial amounts chosen at random [0,1].

Algorithm: ERFO
Start
Define the following algorithmic parameters: maximum population size, search space
solution size, iteration number (k).
Create a population of foxes within the search area at random.

t:=0
while t ≤ Kdo
Set up the iteration's parameters as follows: scaling parameter and fox approaching
change
For every fox in present populationdo
Arrange individuals based on the fitness
calculate individual reallocation
If the outcome is superior to the previous position, then
relocate the fox,
else
Set the fox back in its original place.
End if
If the hunting fox is not observed, then
calculate the observation radius of the fox
Determine reallocation
else
Fox stays in place to hide himself
End if
End for
Organize the population based on fitness,
The worst foxes abandon the herd or hunted,
New foxes are introduced into the population
Determine the opposite location using Eqn. (17)
t++
End while
Return the best fox
Stop
6748 G. T V et al.

Table 2  ERFO Parameter Parameters Values 100GB. Nine different attack types are found during
settings analysis, of which DoS attacks make up 5% of the total.
Population 100 The dataset has 49 data columns and a total of 2,540,044
Iteration 200 instances. In this case, training was done with 80% of the
𝛿 [0,1] data, and testing with 20%.
𝜇m [0,1] Dataset-3: Among the 72,000,000 entries in the BoT-IoT
dataset are DoS and DDoS attacks, service scans and OS,
data exfiltration and keylogging. The protocol being used
Table 3  Configuration Settings of proposed OBCLSTM affects both DoS and DDoS attacks.
Block Values
Dataset-4: Indian university Tezhpur created the TUIDS
dataset. DoS, DDoS, and scanning and probing attacks
CNN block 1 Kernel size 3 are present in this dataset.
Stride 1
Drop out 0.4
filters 64 4.2 Performance measure
Max-pooling Pooling size 2
CNN block 1 Kernel size 3 The performance of proposed OBCC-BiLSTM method is
Stride 1 determined based on metrics such as precision, accuracy,
Drop out 0.4 F-measure, and Recall.
filters 64
Attention pooling Pooling size 2 (a) Accuracy
Hidden units 256   This metric is defined as the rate of successfully
Fully connected 128 identifying the intrusion, which is given below,
Tneg + Tpos
Aacc = (20)
4 Experimental results Tneg + Tpos + Fneg + Fpos

(b) Precision
The simulation was run on the Python platform, with
  This metric is defined as the proportion of actually
an Intel(R) Core (TM) i7-1165G7 CPU running at
positive samples among all samples with positive pre-
2.80 GHz and 8.00 GB of memory from a Dell Inspiron
dictions, which is given below,
15 3511. We set the initial learning rate at 0.028, batch
size at 171, dropout at 0.4, activation at RELU, and Tpos
epoch at 50. Table 2 shows the ERFO parameter set- Ppcn = (21)
Fpos + Tpos
tings and Table 3 shows the configuration settings of
proposed OBCLSTM. (c) Recall
  It is defined as the percentage of predicted positive
4.1 Dataset description intrusion, which is given below,

In our work, we utilized four datasets, they are NSL-KDD99, Tpos

Rrecll = (22)
TUIDS, UNSW-NB15 and BoT-IoT dataset. Tpos + Fneg

Dataset-1: The NSL-KDD99 dataset includes 3,925,650 (d) F-measure

attacks and 972, 781 instances of regular traffic. Every   This metric is used for accurately classifying net-
record in the datasets has attributes of 41 that character- work data based on recall and precision, which is given
ise whether it’s a malicious attack or a regular flow. The below,
datasets as a whole have 41 features. The datasets have (
Ppcn
)
41 features total. Fmeasr = 2 × (23)
Ppcn + Rrecll
Dataset-2: Slay and Moustafa’s latest intrusion detection  
dataset is UNSW-NB15. It is made up of a dataset that where Tnegdenotes the true negative, Tpos signifies the
was gathered between January and February of 2015 and true positive, Fpos denotes the false positive values
contains real-world traffic networks totalling more than and Fneg denotes the false negative values.
Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based… 6749

4.3 Comparative analysis Table 5  Performance analysis of proposed and recent techniques for
dataset-2
Based on accuracy, F-measure, recall and precision the com- Models Precision Accuracy F-measure Recall
parison of the OBCLSTM method is done with recent meth-
SDAE-ELM 84.9028 90.6035 97.0134 96.8865
ods like SDAE-ELM [25], CNN-TSO [26], PTDAE [27],
CNN-TSO 83.9876 91.5534 96.2509 96.8903
LOGNN [29] and FCM-SVM [30].
PTDAE 85.8015 92.7809 92.6429 96.2805
LOGNN 84.4590 91.7654 96.8903 95.2412
4.3.1 Evaluation on NSL‑KDD99 dataset
FCM-SVM 81.5421 94.5420 96.8865 94.4261
Proposed 86.1956 96.5679 98.3093 97.3796
Table 4 illustrates the examination results of pro-
posed OBCLSTM method and recent techniques. The
OBCLSTM method has obtained better performance
in terms of precision, recall, F-measure, and accuracy 4.3.2 Evaluation on UNSW‑NB15 dataset
when compared with recent techniques such as SDAE-
ELM, CNN-TSO, PTDAE, LOGNN and FCM-SVM. The outcomes derived from the OBCLSTM method in
The recent techniques fail to learn the behaviour-based comparison to established techniques for attack detection
features and flow-based features. So, it is difficult to are shown in Table 5. The results shows that the proposed
capture the interaction among hosts based on ports and method has precision (86.1956), recall (97.3796), F-meas-
destinations and to update the attack types on a regu- ure (98.3093), and accuracy (96.5679) when compared with
lar basis. Therefore, our proposed OBCLSTM method recent techniques such as SDAE-ELM, CNN-TSO, PTDAE,
introduces the BiCP, one channel is max-pooling layer LOGNN and FCM-SVM. The former methods fail to pre-
to learn behavior-based features and other channel is serve the long-term of the information from historical con-
attention pooling layer to learn flow-based features. This text. This detection results causes irrelevant, and the attack-
enhances the detection accuracy of precision. The pro- ers become more harmful. To overcome these issues, our
posed OBCLSTM method has high precision (84.6508), proposed OBCLSTM method introduces BiLSTM to extract
recall (99.9086), accuracy (91.2992), and F-meas- features in the time domain and has the ability to preserve
ure (99.619) when compared with recent techniques. the long-term of the information from historical context.
The recent techniques such as SDAE-ELM, CNN- This enhances the efficiency of intrusion detection. The
TSO, PTDAE, LOGNN and FCM-SVM has precision recent techniques such as SDAE-ELM, CNN-TSO, PTDAE,
of76.0785, 77.8034, 74.9807, 84.2014, and 83.9990. LOGNN, and FCM-SVM has precision of84.9028, 83.9876,
The recent techniques such as SDAE-ELM, CNN- 85.8015, 84.4590, and 81.5421. The recent techniques such
TSO, PTDAE, LOGNN and FCM-SVM has accuracy as SDAE-ELM, CNN-TSO, PTDAE, LOGNN, and FCM-
of83.8604, 84.4579, 89.6790, 90.1472, and 90.2950. SVM has accuracy of90.6035, 91.5534, 92.7809, 91.7654,
The recent techniques such as SDAE-ELM, CNN-TSO, and 94.5420. The recent techniques such as SDAE-ELM,
PTDAE, LOGNN and FCM-SVM has recall of 99.2479, CNN-TSO, PTDAE, LOGNN, and FCM-SVM has recall
99.5799, 99.3689, 96.2509, 95.2453 and 99.9086. The of 96.8865, 96.8903, 96.2805, 95.2412, and 94.4261. The
recent techniques such as SDAE-ELM, CNN-TSO, recent techniques such as SDAE-ELM, CNN-TSO, PTDAE,
PTDAE, LOGNN and FCM-SVM has F-measure of LOGNN, and FCM-SVM has F-measure of97.0134,
97.2456, 95.2484, 94.9349, 99.5609 and 99.57. 96.2509, 92.6429, 96.8903, and 96.8865.

Table 4  Performance analysis of proposed and recent techniques for Table 6  Performance analysis of proposed and recent techniques for
dataset-1 dataset-3
Models Precision Accuracy F-measure Recall Models Precision Accuracy F-measure Recall

SDAE-ELM 76.0785 83.8604 97.2456 99.2479 SDAE-ELM 83.3673 83.8823 95.2394 96.2355
CNN-TSO 77.8034 84.4579 95.2484 99.5799 CNN-TSO 82.9076 81.0957 91.7862 96.4376
PTDAE 74.9807 89.6790 94.9349 99.3689 PTDAE 83.9934 82.6094 92.3258 96.8903
LOGNN 84.2014 90.1472 99.5609 96.2509 LOGNN 84.2014 84.2014 90.1097 96.2805
FCM-SVM 83.9990 90.2950 99.57 95.2453 FCM-SVM 83.2160 84.4590 91.9180 96.9098
Proposed 84.6508 91.2992 99.619 99.9086 Proposed 85.3217 84.9386 97.9747 98.3093
6750 G. T V et al.

4.3.3 Evaluation on BoT‑IoT dataset
Table 6 shows the results obtained for proposed OBCLSTM
method and recent techniques. The former methods can
able to detect only known attacks, whereas unable to detect
new types of cyber threats. So, the proposed OBCLSTM
method introduces BiCP and BiLSTM to learn the behav-
iour based and flow-based features, and can extract time
domain features. This helps to detect the unknown attacks
from the unknown network-connected devices. The pro-
posed OBCLSTM method has high precision (85.3217),
recall (98.3093), accuracy (84.9386), and F-measure
(97.9747) when compared with recent techniques. The
recent techniques such as SDAE-ELM, CNN-TSO, PTDAE,
LOGNN, and FCM-SVM has precision of83.3673, 82.9076,
83.9934, 84.2014, and 83.2160. The recent techniques such
as SDAE-ELM, CNN-TSO, PTDAE, LOGNN, and FCM-
SVM has accuracy of83.8823, 81.0957, 82.6094, 84.2014,
and 84.4590. The recent techniques such as SDAE-ELM,
CNN-TSO, PTDAE, LOGNN, and FCM-SVM has recall
of 96.2355, 96.4376, 96.8903, 96.2805, and 96.9098. The
recent techniques such as SDAE-ELM, CNN-TSO, PTDAE,
LOGNN, and FCM-SVM has F-measure of95.2394,
91.7862, 92.3258, 90.1097, and 91.9180.
4.3.4 Evaluation on TUIDS dataset
Table 7 shows the performance analysis of proposed and
recent methods. The proposed OBCLSTM method has high
precision, accuracy, F-measure, and recall due to the intro-
duction of ERFO, the best hyper parameter configuration
for CNN to learn flow based and behaviour-based features.
This leads to an accurate detection of intrusion. The pro-
posed OBCLSTM method has high precision (85.6312),
recall (98.5123), accuracy (90.9352), and F-measure
(98.8015) when compared with recent techniques. The
recent techniques such as SDAE-ELM, CNN-TSO, PTDAE,
LOGNN, and FCM-SVM has precision of82.0245, 80.9912,
81.5918, 83.3937, and 81.8673. The recent techniques such
as SDAE-ELM, CNN-TSO, PTDAE, LOGNN, and FCM-
SVM has accuracy of86.1154, 85.7023, 88.3564, 88.7247,
and 88.1192. The recent techniques such as SDAE-ELM,
CNN-TSO, PTDAE, LOGNN, and FCM-SVM has recall
of 96.4376, 96.2355, 97.7349, 92.0965, and 90.1097. The
recent techniques such as SDAE-ELM, CNN-TSO, PTDAE,
LOGNN, and FCM-SVM has F-measure of97.4509,
94.4285, 96.4994, 96.1683, and 96.4037.
4.4 Statistical analysis
A nonparametric test called the Friedman test is used to
evaluate how well classifiers perform across various data-
sets. After the null hypothesis is rejected, a post-hoc test
is carried out to establish the pairwise comparisons. The
null hypothesis (H0) states that there are no variations in
the performance of each classifier, whereas the alternative
hypothesis (H1) suggests that there are differences in how
well at least one classifier works. The Friedman test statistic
can be determined in Eq. (24).

Table 7  Performance analysis of proposed and recent techniques for (n − 1)X

FS = (24)
dataset-4 n(l − 1)X
Models Precision Accuracy F-measure Recall X can be determined in Eq. (25).
SDAE-ELM 82.0245 86.1154 97.4509 96.4376 ( )2
CNN-TSO 80.9912 85.7023 94.4285 96.2355 12 ∑l n(l + 1)
X= Fj − (25)
PTDAE 81.5918 88.3564 96.4994 97.7349 nl(l + 1) j=1 2
LOGNN 83.3937 88.7247 96.1683 92.0965
X is distributed with respect to degrees of freedom.
FCM-SVM 81.8673 88.1192 96.4037 90.1097
The classifiers from j = 1, 2, 3…. l is ranked as Fj . Fjcan
Proposed 85.6312 90.9352 98.8015 98.5123
be determined in Eq. (26)

Table 8  Friedman average rank Techniques Dataset-1 Dataset-2 Dataset-3 (BoT-IoT) Dataset-4 (TUIDS) Friedman P-value
based on F-measure (NSL- (UNSW- avg.Rank
KDD99) NB15)

SDAE-ELM 97.2456 97.0134 95.2394 97.4509 2.25

CNN-TSO 95.2484 96.2509 91.7862 94.4285 3.5 0.1354
PTDAE 94.9349 92.6429 92.3258 96.4994 2.75
LOGNN 99.5609 96.8903 90.1097 96.1683 2.35
FCM-SVM 99.57 96.8865 91.9180 96.4037 2.65
Proposed 99.619 98.3093 97.9747 98.8015 1.5
Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based… 6751

other techniques across all datasets. This suggests that the

∑n
(26)
( )
Fj = F Yij
i=1
where n and l signify the dataset’s number and classifier’s
number.
Table 8 presents the results of the Friedman average
rank test based on F-measure for various intrusion detec-
tion techniques across four different datasets: Dataset-1
(NSL-KDD99), Dataset-2 (UNSW-NB15), Dataset-3
(BoT-IoT) and Dataset-4 (TUIDS). The F-measure is a cru-
cial metric that balances precision and recall in evaluating
the performance of intrusion detection systems. The tech-
niques evaluated include SDAE-ELM, CNN-TSO, PTDAE,
LOGNN, FCM-SVM and the Proposed OBCLSTM method.
The numerical values in each cell of the table represent the
F-measure scores achieved by each technique on the respec-
tive datasets. The Friedman average rank is calculated to
assess the overall performance of each technique across all
datasets.
The Friedman average rank is indicative of the ranking
of each technique based on its F-measure across the data-
sets. A lower Friedman average rank signifies better perfor-
mance. The P-value, which determines the significance of
the observed differences in ranks, is also provided. A P-value
greater than 0.05 implies that the observed differences are
not statistically significant, leading to the acceptance of the
null hypothesis. In this context, the Proposed OBCLSTM
method consistently attains the lowest Friedman average
rank (1.5), indicating superior performance compared to
Proposed OBCLSTM method is highly effective in achieving
a balance between precision and recall, making it a promis-
ing solution for intrusion detection across diverse scenarios.
Table 9 presents the results of the Friedman average
rank test based on Recall for various intrusion detection
techniques across four datasets: Dataset-1 (NSL-KDD99),
Dataset-2 (UNSW-NB15), Dataset-3 (BoT-IoT) and Data-
set-4 (TUIDS). Recall is a critical metric in intrusion
detection systems as it measures the ability of the system
to correctly identify all relevant instances of attacks. The
techniques evaluated in Table 9 include SDAE-ELM, CNN-
TSO, PTDAE, LOGNN, FCM-SVM, and the Proposed
OBCLSTM method. Each cell in the table represents the
recall scores achieved by the respective technique on the
corresponding dataset.
The Friedman average rank is calculated, the Pro-
posed OBCLSTM method consistently achieves the
lowest Friedman average rank (1.5), indicating superior
recall performance compared to other techniques across
all datasets. This implies that the Proposed OBCLSTM
method excels in correctly identifying instances of attacks
while minimizing false negatives. The high recall scores
obtained by the Proposed OBCLSTM method underscore
its effectiveness in detecting a wide range of attacks
across diverse datasets, making it a promising solution
for intrusion detection tasks.
Table 10 presents the results of the Friedman average
rank test based on precision for various intrusion detection

Table 9  Friedman average rank Techniques Dataset-1 Dataset-2 Dataset-3 (BoT-IoT) Dataset-4 (TUIDS) Friedman P-value
based on Recall (NSL- (UNSW- avg.Rank
KDD99) NB15)

SDAE-ELM 99.2479 96.8865 96.2355 96.4376 2.65

CNN-TSO 99.5799 96.8903 96.4376 96.2355 2.5
PTDAE 99.3689 96.2805 96.8903 97.7349 2.65 0.9256
LOGNN 96.2509 95.2412 96.2805 92.0965 2.35
FCM-SVM 95.2453 94.4261 96.9098 90.1097 3.5
Proposed 99.9086 97.3796 98.3093 98.5123 1.5

Table 10  Friedman average Techniques Dataset-1 Dataset-2 Dataset-3 (BoT-IoT) Dataset-4 (TUIDS) Friedman P-value
rank based on precision (NSL- (UNSW- avg.Rank
KDD99) NB15)

SDAE-ELM 76.0785 84.9028 83.3673 82.0245 1.975

CNN-TSO 77.8034 83.9876 82.9076 80.9912 3.75
PTDAE 74.9807 85.8015 83.9934 81.5918 2.650 0.3806
LOGNN 84.2014 84.4590 84.2014 83.3937 2.5
FCM-SVM 83.9990 81.5421 83.2160 81.8673 1.8
Proposed 84.6508 86.1956 85.3217 85.6312 1.625
6752
techniques across four datasets: Dataset-1 (NSL-KDD99),
Dataset-2 (UNSW-NB15), Dataset-3 (BoT-IoT) and Data-
set-4 (TUIDS). Precision is a crucial metric in intrusion
detection systems as it measures the accuracy of the sys-
tem in correctly identifying instances flagged as attacks.
The techniques evaluated in Table 10 include SDAE-ELM,
CNN-TSO, PTDAE, LOGNN, FCM-SVM and the Proposed
OBCLSTM method. Each cell in the table represents the
precision scores achieved by the respective technique on the
corresponding dataset.
The Friedman average rank is calculated, the Proposed
OBCLSTM method consistently achieves the lowest Fried-
man average rank (1.625), indicating superior precision
performance compared to other techniques across all data-
sets. This implies that the Proposed OBCLSTM method
excels in accurately identifying instances of attacks while
minimizing false positives. The high precision scores
obtained by the Proposed OBCLSTM method underscore
its effectiveness in distinguishing attacks from normal
behavior, making it a robust solution for intrusion detec-
tion tasks.
Table 11 presents the outcomes of the Friedman average
rank test based on accuracy for multiple intrusion detection
techniques, evaluated across four distinct datasets: Dataset-1
(NSL-KDD99), Dataset-2 (UNSW-NB15), Dataset-3 (BoT-
IoT) and Dataset-4 (TUIDS). Accuracy is a critical metric
in evaluating the overall performance of intrusion detec-
tion systems, as it reflects the system’s ability to correctly
classify both normal and attack instances. The techniques
considered in Table 11 include SDAE-ELM, CNN-TSO,
PTDAE, LOGNN, FCM-SVM and the Proposed OBCLSTM
method. Each cell in the table represents the accuracy scores
achieved by the respective technique on the corresponding
dataset.
The Friedman average rank is computed, the Proposed
OBCLSTM method consistently achieves the lowest Fried-
man average rank (1.75), indicating superior accuracy per-
formance compared to other techniques across all datasets.
This implies that the Proposed OBCLSTM method excels
in achieving a balance between correctly identifying both
Table 11  Friedman average Techniques Dataset-1 Dataset-2
rank based on accuracy (NSL- (UNSW-
KDD99) NB15)
SDAE-ELM 83.8604 90.6035
CNN-TSO 84.4579 91.5534
PTDAE 89.6790 92.7809
LOGNN 90.1472 91.7654
FCM-SVM 90.2950 94.5420
Proposed 91.2992 96.5679
G. T V et al.
normal and attack instances, contributing to an overall
robust intrusion detection capability. The high accuracy
scores obtained by the Proposed OBCLSTM method under-
score its effectiveness and reliability in real-world intrusion
detection scenarios.
Tables 8, 9, 10 and 11 shows the Friedman average rank
test. If p < 0.05, then the null hypothesis is accepted. Here
the p-value for all datasets is greater than 0.05, so the null
hypothesis is accepted.
4.5 ROC curve
Figure 3 illustrates the ROC curve, which shows that our
proposed OBCLSTM method attain a better detection rate
than the other methods. It is evident from figure that the pro-
posed OBCLSTM method has detection rate of 99.1% while
the FPR produces 1.37%, which performs better than other
recent techniques such as SDAE-ELM, CNN-TSO, PTDAE,
LOGNN, and FCM-SVM. The existing SDAE-ELM method
produces 98% detection rate while 1.5% FPR, CNN-TSO has
detection rate of 78% while 3% FPR, PTDAE has detection
rate of 82% while 2.8% FPR, LOGNN has detection rate of
75% while 5% FPR, and FCM-SVM has detection rate of
65% while 8% FPR. Therefore, our proposed OBCLSTM
method has ability to identify the protocol HTTP and DNS
are attacked or not.
4.6 Analysis of convergence
Figure 4 shows the analysis of convergence with ERFO
and other algorithms. It shows that the ERFO converges
faster than another optimization such as. By comparing the
convergence curves of Salp Swarm Algorithm (SSA) [37],
RFO [38] and Moth-Flame Optimization (MFO) [39], the
proposed method has a small chance of reaching a local
optimum. The convergence graph shows that ERFO has
effectively balanced local and global search capabilities.
This enhances the tuning the best configuration of hyper
parameters, which improves the performance of intrusion
detection among various protocols.
Dataset-3 (BoT-IoT) Dataset-4 (TUIDS) Friedman P-value
avg.Rank
83.8823 86.1154 2.75
81.0957 85.7023 3.25
82.6094 88.3564 2.25 0.2506
84.2014 88.7247 2.5
84.4590 88.1192 2.4
84.9386 90.9352 1.75
Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based…
Fig. 3  ROC curve (a) Dataset-1 (b) Dataset-2 (c) Dataset-3 (d) Dataset-4
Fig. 4  Convergence curve
4.7 Time complexity
The ERFO algorithm time complexity is analysed utiliz-
ing the procedure. Assume n for population size, D for
the dimension, and T for iterations. All individuals are
arranged in each ERFO iteration, which yields, in the worst
case, O((D × n))2operations. In the worst scenario, each fox
will be changed, increasing the time complexity of calcula-
tions to O(D × n). In the worst situation, deleting the worst
6753
individuals and creating new ones be O((D × n))2 . Then the
time complexity is O(T × D2 × n2 × 3).
Figure 5 displays the validation accuracy, training
loss, validation loss, and training accuracy in the training
process. In each training cycle, the proposed OBCLSTM
method has minimum training loss and high accuracy
on training set when compared with recent techniques
such as SDAE-ELM, CNN-TSO, PTDAE, LOGNN and
6754 G. T V et al.

Fig. 5  Training loss, validation loss, training accuracy and validation accuracy for dataset-1, dataset-2, dataset-3 and dataset-4

FCM-SVM. This shows that the proposed OBCLSTM
method has a better training result, showing its effective-
ness in training models. Also, the loss value and accuracy
on the validation set shows that the proposed OBCLSTM
method is capable of obtaining lower loss values and
higher accuracy in each training cycle. As a result, the
proposed algorithm’s model’s prediction effect is verified.
Figure 6 shows the confusion matrix of four datasets.
It shows that the majority of the record types classifica-
tion was accurate. The true label is represented by the
vertical axis, and the predicted label is represented by
the horizontal axis. From figure, it is evident that the
proposed OBCLSTM method gives better performance
in classification of all record types.
Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based… 6755

Fig. 5  (continued)

4.8 Discussion of the Bidirectional Convolutional LSTM (BiCP layer and

The proposed OBCLSTM method represents a significant
leap forward in enhancing intrusion detection systems tai-
lored for cloud computing environments. This model stands
out by excelling in capturing both behavior-based and flow-
based features, achieved through the innovative integration
BiLSTM). Notably, leveraging ERFO for hyperparameter
tuning contributes to enhanced CNN learning, showcasing
superior accuracy, efficiency and adaptability.
SDAE-ELM [25], CNN-TSO [26], PTDAE [27], LOGNN
[29] and FCM-SVM [30], the comparative models in, exhibit
varying degrees of performance across the NSL-KDD99,
6756
Fig. 6  Confusion matrix for (a) NSL-KDD99 dataset (b) BoT-IoT dataset (c) UNSW-NB15 dataset (d) TUIDS dataset
UNSW-NB15, BoT-IoT and TUIDS datasets in contrast to
our proposed OBCLSTM. SDAE-ELM, though achieving
competitive results, faces challenges in effectively learning
both behavior-based and flow-based features, limiting its
ability to adapt to diverse cyber threats. CNN-TSO, while
demonstrating notable accuracy, grapples with a higher
false-positive rate, potentially compromising intrusion
detection efficacy. PTDAE struggles to preserve long-term
information, impacting its efficiency in detecting attacks
accurately. LOGNN, despite showcasing robust perfor-
mance, encounters challenges in capturing comprehensive
features critical for intrusion detection. FCM-SVM, while
effective, demonstrates limitations in detecting unknown
attacks. In contrast, OBCLSTM surpasses these models by
integrating Bidirectional Convolutional LSTM layers, effec-
tively capturing behavior-based, flow-based, and temporal
features. The use of ERFO further refines hyperparameter
configurations, enhancing CNN learning and positioning
OBCLSTM as a versatile and advanced intrusion detection
methodology across diverse datasets.
In direct comparison to existing intrusion detection meth-
odologies, including the Hybrid Clustering and Classifica-
tion Model [33], the Recurrent Neural Networks (RNNs)
Framework [32] and the Efficient Deep CNN-BiLSTM
Model [34], the OBCLSTM methodology introduces a
G. T V et al.
nuanced and technically superior approach to network
security.
The Hybrid Clustering and Classification Model primar-
ily relies on K-means and Gaussian Mixture Model (GMM)
clustering, combined with the Random Forest (RF) clas-
sifier. While effective, its focus on log and event analysis,
pattern matching and threshold evaluation is predominant. In
contrast, OBCLSTM integrates Bidirectional Convolutional
LSTM layers (BiCP and BiLSTM) for comprehensive fea-
ture extraction. The BiCP layer adeptly captures behavior-
based and flow-based features, providing a more nuanced
understanding of network patterns.
The RNN Framework concentrates on different RNN
variations, such as LSTM, GRU and Simple RNN. Despite
achievements in improved test accuracy, it grapples with
challenges related to computational cost, overfitting, inter-
pretability and susceptibility to adversarial attacks. In con-
trast, OBCLSTM introduces a hybrid architecture that avoids
the singular focus on recurrent architectures. By incorporat-
ing Bidirectional Convolutional LSTM layers, it provides a
more balanced and robust solution to these challenges.
The Efficient Deep CNN-BiLSTM Model successfully
combines CNN and BiLSTM networks for intrusion detec-
tion. While showcasing superior performance, it acknowl-
edges longer training periods and the need for further
Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based…
research into attack behavioral patterns. OBCLSTM diverges
by incorporating Bidirectional Convolutional LSTM layers
for feature extraction, offering a unique synergy of capabili-
ties in capturing behavior-based, flow-based and temporal
features. Bidirectional Convolutional LSTM layers empower
OBCLSTM to capture a richer set of features, making it
a robust and advanced solution for intrusion detection in
network security.
The implications of the OBCLSTM model are significant
for advancing intrusion detection in cloud environments. Its
ability to comprehensively capture behavior-based, flow-
based and temporal features suggests practical applications
in enhancing cybersecurity. The model’s potential impact
lies in improving the accuracy and efficiency of detecting
malicious activities, addressing existing limitations in cur-
rent IDS systems. Furthermore, the OBCLSTM framework
paves the way for future research directions, such as refining
feature extraction techniques, exploring diverse protocols
and optimizing hyperparameter configurations.
Revisiting the objectives outlined in the introduction, the
OBCLSTM model has successfully achieved its goals. The
integration of Bidirectional Convolutional LSTM layers has
proven effective in capturing behavior-based, flow-based and
temporal features, aligning with the initial expectations. The
results affirm the model’s capability to address the limita-
tions of existing methods, contributing significantly to the
field of intrusion detection in cloud environments. In con-
clusion, the OBCLSTM model stands as an innovative and
successful approach, offering valuable insights for advancing
cybersecurity measures in cloud environments and contrib-
uting to the broader scientific community’s understanding
of intrusion detection methodologies.
5 Conclusion
The previous IDS systems cannot determine or recognize
new types of cyber threats due to the emergence of new
and unknown network-connected devices. Also, the existing
methods suffer from a lack of learning flow-based features
and behaviour-based features, which leads to inaccuracies
in the detection of attacks. Moreover, there is an inability
to extract the features in the time domain. To overcome this
issue, an OBCLSTM method is introduced to detect whether
the protocol HTTP or DNS is attacked or not. In the pre-
processing, normal features are converted into numerical
features by one hot encoder and numerical features are nor-
malized using Z-score normalization. Then the vectors are
given to the OBCLSTM model, and here the BiCP layer is
used to learn the behavior based and flow-based features in
the HTTP and DNS protocols. The BiLSTM method is used
to extract the time domain features. The ERFO is employed
6757
to optimize the hyperparameter configuration for effective
feature learning in CNN. Finally, the fully connected layer
makes use of these features to determine whether or not the
HTTP and DNS protocols are being attacked. The perfor-
mance result shows that the proposed OBCLSTM model
attains better results in terms of precision, recall, ROC
curve, accuracy and F-measure. While OBCLSTM excels
in its objective of enhancing intrusion detection, potential
challenges include the need for computational resources
due to its advanced features and the complexity associated
with fine-tuning the ERFO parameters. The future scope of
the proposed OBCLSTM lies in refining its adaptability to
evolving cyber threats through continuous optimization and
integration of advanced deep learning techniques.
Authors’ contributions All the authors have participated in writing the
manuscript and have revised the final version. All authors read and
approved the final manuscript.
All authors contributed to the study conception and design. Material
preparation, data collection and analysis were performed by Geetha T
V, Deepa A J, and Mary Linda M. The first draft of the manuscript was
written by Geetha T V and all authors commented on previous versions
of the manuscript. All authors read and approved the final manuscript.
Conceptualization: Geetha T V; Methodology: Geetha T V; Formal
analysis and investigation: Geetha T V, Deepa A J, and Mary Linda
M., Writing - original draft preparation: Geetha T V, Deepa A J, and
Mary Linda M., Writing - review and editing: Deepa A J, Mary Linda
M; Supervision: Mary Linda M.
Funding There is no funding for this study.
Data Availability Data will not be available as authors are not interested
to disclose the data.
Declarations
Ethical approval This article does not contain any studies with human
participants and/or animals performed by any of the authors.
Informed consent There is no informed consent for this study.
Conflict of interest Authors declares that they have no conflict of
interest.
References
1. Singh P, Ranga V (2021) Attack and intrusion detection in cloud
computing using an ensemble learning approach. Int J Inform
Technol 13(2):565–571
2. Rabbani M, Wang YL, Khoshkangini R, Jelodar H, Zhao R,
Hu P (2020) A hybrid machine learning approach for malicious
behaviour detection and recognition in cloud computing. J Netw
Comput Appl 151
3. Lu KD, Zeng GQ, Luo X, Weng J, Luo W, Wu Y (2021) Evolu-
tionary deep belief network for cyber-attack detection in indus-
trial automation and control system. IEEE Trans Industr Inf
17(11):7618–7627
6758
4. Al S, Dener M (2021) STL-HDL: a new hybrid network intru-
sion detection system for imbalanced dataset on big data envi-
ronment. Comput Secur 110
5. Meryem A, Ouahidi BE (2020) Hybrid intrusion detection sys-
tem using machine learning. Netw Secur 5:8–19
6. Almiani M, AbuGhazleh A, Al-Rahayfeh A, Atiewi S, Razaque
A (2020) Deep recurrent neural network for IoT intrusion detec-
tion system. Simul Model Pract Theory 101
7. Popoola SI, Adebisi B, Hammoudeh M, Gui G, Gacanin
H (2020) Hybrid deep learning for botnet attack detection
in the internet-of-things networks. IEEE Internet Things J
8(6):4944–4956
8. Li M, Wang D (2017) Insights into randomized algorithms for
neural networks: practical issues and common pitfalls. Inf Sci
382:170–178
9. Wang D, Li M (2017) Stochastic configuration networks:
fundamentals and algorithms. IEEE Trans Cybernetics
47(10):3466–3479
10. Li M, Wang D (2021) 2-D stochastic configuration networks for
image data analytics. IEEE Trans Cybernetics 51(1):359–372
11. Wang W, Du X, Shan D, Qin R, Wang N (2020) Cloud intru-
sion detection method based on stacked contractive auto-
encoder and support vector machine. IEEE Trans Cloud
Comput 10(3):1634–1646
12. Nguyen MT, Kim K (2020) Genetic convolutional neural network
for intrusion detection systems. Future Generation Comput Syst
113:418–427
13. Pooja TS, Shrinivasacharya P (2021) Evaluating neural networks
using bi-directional LSTM for network IDS (intrusion detection
systems) in cyber security. Global Transitions Proc 2(2):448–454
14. Sai Sindhu Theja R, Shyam GK (2021) An efficient metaheuristic
algorithm based feature selection and recurrent neural network for
DoS attack detection in cloud computing environment. Appl Soft
Comput 100
15. Imrana Y, Xiang Y, Ali L, Abdul-Rauf Z (2021) A bidirectional LSTM
deep learning approach for intrusion detection. Expert Syst Appl 185
16. Rehmer A, Kroll A (2020) On the vanishing and exploding gra-
dient problem in gated recurrent units. IFAC-Papers OnLine
53(2):1243–1248
17. Landi F, Baraldi L, Cornia M, Cucchiara R (2021) Working mem-
ory connections for LSTM. Neural Netw 144:334–341
18. Li M, Sonoda S, Cao F, Wang YG, Liang J (2023) How powerful are
shallow neural networks with bandlimited random weights? In Inter-
national Conference on Machine Learning. PMLR. pp 19960–19981
19. Hossain MD, Inoue H, Ochiai H, Fall D, Kadobayashi Y (2020)
LSTM-based intrusion detection system for in-vehicle can bus
communications. IEEE Access 8:185489–185502
20. Ren Z, Shen Q, Diao X, Xu H (2021) A sentiment-aware deep
learning approach for personality detection from text. Inf Process
Manag 58(3)
21. Kasongo SM, Sun Y (2021) A deep gated recurrent unit based
model for wireless intrusion detection system. ICT Express
7(1):81–87
22. Sumaiya Thaseen I, Saira Banu J, Lavanya K, Rukunuddin Ghalib
M, Abhishek K (2021) An integrated intrusion detection system
using correlation-based attribute selection and artificial neural
network. Trans Emerg Telecommun Technol 32(2):e4014
23. Liu J, Gao Y, Hu F (2021) A fast network intrusion detection
system using adaptive synthetic oversampling and light GBM.
Computers Secur 106
G. T V et al.
24. Basiri ME, Nemati S, Abdar M, Cambria E, Acharya UR
(2021) ABCDM: an attention-based bidirectional CNN-RNN
deep model for sentiment analysis. Future Gener Comput Syst
115:279–294
25. Wang Z, Liu Y, He D, Chan S (2021) Intrusion detection methods
based on integrated deep learning model. Comput Secur 103
26. Samriya JK, Kumar N (2020) A novel intrusion detection system
using hybrid clustering-optimization approach in cloud comput-
ing. Mater Today Proc 2(1):23–54
27. Fatani A, Abd Elaziz M, Dahou A, Al-Qaness MA, Lu S
(2021) IoT intrusion detection system using deep learning
and enhanced transient search optimization. IEEE Access
9:123448–123464
28. Kholidy HA (2021) Detecting impersonation attacks in cloud
computing environments using a centric user profiling approach.
Future Gener Comput Syst 117:299–320
29. Kunang YN, Nurmaini S, Stiawan D, Suprapto BY (2021) Attack
classification of an intrusion detection system using deep learning
and hyperparameter optimization. J Inform Secur Appl 58:102804
30. Wang Z, Xu Z, He D, Chan S (2021) Deep logarithmic neu-
ral network for internet intrusion detection. Soft Comput
25(15):10129–10152
31. Jaber AN, Rehman SU (2020) FCM–SVM based intrusion detec-
tion system for cloud computing environment. Cluster Comput
23(4):3221–3231
32. Kasongo SM (2023) A deep learning technique for intrusion
detection system using a recurrent neural networks based frame-
work. Comput Commun 199:113–125
33. Samunnisa K, Kumar GS, Madhavi K (2023) Intrusion detection
system in distributed cloud computing: hybrid clustering and clas-
sification methods. Meas: Sens 25:100612
34. Hnamte V, Hussain J (2023) DCNNBiLSTM: an efficient hybrid
deep learning-based intrusion detection system. Telematics Inf
Rep 10
35. Larriva-Novo X, Villagrá VA, Vega-Barbas M, Rivera D, Sanz
Rodrigo M (2021) An IoT-focused intrusion detection system
approach based on preprocessing characterization for cybersecu-
rity datasets. Sensors 21(2)
36. Peng T, Zhang C, Zhou J, Nazir MS (2021) An integrated frame-
work of bi-directional long-short term memory (BiLSTM) based
on sine cosine algorithm for hourly solar radiation forecasting.
Energy 221
37. Faris H, Mirjalili S, Aljarah I, Mafarja M, Heidari AA (2020)
Salp swarm algorithm: theory, literature review, and application in
extreme learning machines. Nature-inspired optimizers: theories,
literature reviews and applications, pp 185–199
38. Połap D, Woźniak M (2021) Red fox optimization algorithm.
Expert Syst Appl 166
39. Shehab M, Abualigah L, Al Hamad H, Alabool H, Alshinwan
M, Khasawneh AM (2020) Moth–flame optimization algorithm:
variants and applications. Neural Comput Appl 32(14):9859–9884
Publisher’s Note Springer Nature remains neutral with regard to
jurisdictional claims in published maps and institutional affiliations.
Springer Nature or its licensor (e.g. a society or other partner) holds
exclusive rights to this article under a publishing agreement with the
author(s) or other rightsholder(s); author self-archiving of the accepted
manuscript version of this article is solely governed by the terms of
such publishing agreement and applicable law.
Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based… 6759

Geetha T V obtained her B.E Dr. Mary Linda M received the

degree in Computer Science
and Engineering in 2008 from
Anna University, Chennai, M.E
degree in Computer Science and
Engineering in 2013 from Anna
University, Chennai and Ph. D
degree in Information and Com-
munication Engineering from
Anna University Chennai in
2024. In 2009 she joined as Lec-
turer and now working as Assis-
tant Professor in the Department
of Artificial Intelligence and Data
Science at St. Xavier’s Catholic
College of Engineering, Nager-
coil. Her research interests include Cloud Computing and Security,
Machine Learning and Data Analytics. She has published many papers
in national and international journal in areas such as network security
and Cloud computing. She is a life time member of Indian Society for
Technical Education (ISTE).
B.E Degree in Electrical and
Electronics Engineering from MS
University in 2002, M.E degree
in power systems from Kalasal-
ingam College of Engineering in
2005 and Ph. D degree in power
system stability from Anna Uni-
versity Chennai in 2012. She
is working as Professor in the
department of Electrical and
Electronics Engineering in KIT-
Kalaignarkarunanidhi Institute
of Technology, Coimbatore. She
is a life time member of ISTE.
She published 37 International
Journals and three books. Her areas of interest are power systems,
control systems, optimization techniques.

Deepa A J obtained her B.E

degree in Computer Science
and Engineering in 2001 from
MS University and M.E degree
in Computer Science and Engi-
neering in 2008 from Anna Uni-
versity, Chennai. She is the Uni-
versity Rank Holder in PG. She
received Ph.D degree in Com-
puter Science and Engineering
from Anna University Chennai
in 2015. Right from 2001 she
is in the Department of Computer
Science and Engineering under
various designations. Currently
under her guidance 2 Research
Scholars are pursuing Ph.D. Under her guidance three research stu-
dent had completed their research. Her research interests include ad
hoc network security, computational intelligence, Data mining and
Cloud Computing. She has published many papers in national and
international journal in areas such as network security, Data mining
and Cloud computing. She is a member of Computer Society of India
and a life time member of ISTE.