
Received December 14, 2021, accepted January 31, 2022, date of publication February 11, 2022, date of current version February 24, 2022.

Digital Object Identifier 10.1109/ACCESS.2022.3151248

Machine Learning and Deep Learning Approaches for CyberSecurity: A Review

ASMAA HALBOUNI 1, (Graduate Student Member, IEEE), TEDDY SURYA GUNAWAN 1, (Senior Member, IEEE), MOHAMED HADI HABAEBI 1, (Senior Member, IEEE), MURAD HALBOUNI 2, MIRA KARTIWI 3, (Member, IEEE), AND ROBIAH AHMAD 4, (Senior Member, IEEE)
1 Department of Electrical and Computer Engineering, International Islamic University Malaysia, Kuala Lumpur 53100, Malaysia
2 Department of Natural, Engineering and Technology Sciences, Arab American University, Jenin 240, Palestine
3 Information Systems Department, International Islamic University Malaysia, Kuala Lumpur 53100, Malaysia
4 Razak Faculty of Technology and Informatics, Universiti Teknologi Malaysia, Kuala Lumpur 54100, Malaysia

Corresponding author: Teddy Surya Gunawan ([email protected])


This work was supported by Universiti Teknologi Malaysia through Collaborative Research Grant CRG18.2.R.K130000.7356.4B416.

ABSTRACT The rapid evolution and growth of the internet through the last decades led to more concern about cyber-attacks that are continuously increasing and changing. As a result, an effective intrusion detection system was required to protect data, and the discovery of artificial intelligence's sub-fields, machine learning, and deep learning, was one of the most successful ways to address this problem. This paper reviewed intrusion detection systems and discussed what types of learning algorithms machine learning and deep learning are using to protect data from malicious behavior. It discusses recent machine learning and deep learning work with various network implementations, applications, algorithms, learning approaches, and datasets to develop an operational intrusion detection system.

INDEX TERMS Cybersecurity, machine learning, deep learning, intrusion detection system.

I. INTRODUCTION

The internet is transforming people's jobs, learning, and lifestyles, and today, owing to the integration of social life and the internet, security threats increase in various ways. What counts now is learning how to identify network threats and cyberattacks, particularly those previously seen. Cybersecurity is defined as the process of implementing cyber protective measures and policies to protect data, programs, servers, and network infrastructures from unauthorized access or modification. The internet connects the majority of our computer systems and network infrastructure. As a result, cybersecurity emerged as the backbone for practically all types of corporations, governments, and even people to secure data, grow their businesses, and maintain privacy. People send and receive data across network infrastructure, such as a router, that can be hacked and manipulated by outsiders. The increased use of the internet has increased the amount and complexity of data, resulting in the emergence of big data. The constant rise of the internet and extensive data necessitated the creation of a reliable intrusion detection system. Network security is a subset of cybersecurity that safeguards systems connected to a network against malicious activity. The goal is to ensure the security, integrity, and accessibility of data on networked computers. Current cybersecurity research focuses on creating an effective intrusion detection system that can identify both known and new attacks and threats with high accuracy and a low false alarm rate [1].

The associate editor coordinating the review of this manuscript and approving it for publication was Shunfeng Cheng.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
19572 VOLUME 10, 2022
A. Halbouni et al.: Machine Learning and Deep Learning Approaches for CyberSecurity: A Review

FIGURE 1. Relation between Artificial Intelligence, Machine Learning, and Deep Learning.

As shown in Figure 1, the terms Artificial Intelligence (AI), Machine Learning (ML), and Deep Learning (DL) are frequently used interchangeably to describe the same principles in software development. These names all indicate the same thing: a machine programmed to learn and find the best solution to a problem. DL is a subfield of machine learning, whereas machine learning is a subfield of AI. As a result, ML and DL are employed to create an efficient and effective intrusion detection system. This paper provides an overview of machine learning and deep learning applications and approaches in intrusion detection systems by concentrating on network security technologies, methodologies, and implementation.

Alan Turing stated that general-purpose computers could learn and qualify originality, which paved the way to the question of whether computers should look at data to develop rules rather than leaving that to humans. Machine learning algorithms are algorithms that can learn and adapt based on data. They are designed to generate output based on what is learned from data and examples. For example, such algorithms allow a computer to choose and perform a particular task on novel traffic detection without explicit information [2].

Automatic analyses of attacks and security events, such as spam mail, user identification, social media analytics, and attack detection, may be performed efficiently using machine learning [1]. As indicated in Figure 2, there are three main techniques to machine learning: supervised, unsupervised, semi-supervised, and reinforcement learning. Supervised learning is based on labeled data, unsupervised learning is based on unlabelled data, and semi-supervised learning is based on both.

FIGURE 2. Machine learning approaches and algorithms.

Deep learning (DL) is a new subfield of machine learning, which is itself a subfield of Artificial Intelligence (AI). Traditional machine learning techniques are limited in processing natural raw data and rely on adequate feature extraction: in order to classify or find patterns with a classifier, the raw data must be transformed into the appropriate format, which is where deep learning comes in. Deep learning is a machine learning approach that can learn from unstructured or unlabeled data and representations based on human brain knowledge [3].

Deep learning is motivated by neural networks (NN), which can mimic the human brain and perform analytical learning by analyzing data like text, images, and audio [4]. In contrast to deep learning models, which feature multiple connected layers, shallow learning models are built of only a few hidden layers. By stacking layers on top of layers, DL is able to express increasingly complex functions more effectively. DL is used to learn representations with many abstraction levels [5]. Deep neural networks are capable of finding and learning representations from raw data and performing feature learning and classification [6]. Machine learning methodologies are also utilized in deep learning. However, other approaches are employed in deep learning as well, such as Transfer Learning, as shown in Figure 3.

FIGURE 3. Deep learning approaches.

The remainder of the paper is organized as follows: Section 2 discusses the intrusion detection system concept. Section 3 summarises the most frequently utilized datasets for the intrusion detection system. Section 4 discusses recent advances in machine learning and deep learning-based intrusion detection systems, while Section 5 concludes this paper.

II. INTRUSION DETECTION SYSTEMS

Intrusion Detection is the process of monitoring network traffic and events in computers in order to detect unexpected events, and it is called an Intrusion Detection System (IDS) when a software application is used to do so [7]. An IDS is a type of network security that can identify and sense risks before services are lost, illegal access is granted, or data is lost [6]. An IDS can also provide a graphical user interface through which users can interact by having access to various features when doing the IDS testing and training process [4]. Figure 4 depicts the deployment of two IDS methods depending on activities: a Network-Based Intrusion Detection System (NIDS) and a Host-Based Intrusion Detection System (HIDS). NIDS, for example, examines packets gathered by network devices such as routers, while HIDS examines events on a host computer. Hybrid detection is a system that combines the best of both worlds [1], [8].

A. INTRUSION DETECTION SYSTEM APPROACH
Intrusion detection techniques are classified into Anomaly Detection Methods and Misuse Detection Methods [8], as shown in Table 1.
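The two approaches just named behave differently on traffic they have not seen before, which is the point Table 1 and the next subsection make. The following is an added illustration, not code from the paper: a misuse detector matches explicit signatures of known attacks, while an anomaly detector compares each record against a statistical baseline of benign traffic (a z-score test). The connection records, the single signature, and the 3-sigma threshold are all constructed for this example.

```python
"""Misuse (signature-based) versus anomaly (statistical baseline) detection.

Added illustration; the records, the single signature and the threshold are
constructed for this example and do not come from the paper or any dataset.
"""
from statistics import mean, pstdev

# Constructed benign connection records used to learn the baseline:
# (dst_port, bytes_sent, failed_logins)
BASELINE = [
    (443, 1200, 0), (443, 980, 0), (80, 1500, 0), (22, 400, 1),
    (443, 1100, 0), (80, 1700, 0), (22, 350, 0), (443, 1300, 0),
]

# Constructed evaluation records with a ground-truth label as the last field.
TEST = [
    (443, 1250, 0, "normal"),
    (22, 300, 6, "brute_force"),    # known attack: a signature exists for it
    (4444, 900000, 0, "exfil"),     # novel attack: no signature exists
    (443, 250000, 0, "normal"),     # unusual but benign bulk download
]

# Misuse detection: explicit rules describing known attack patterns.
SIGNATURES = {
    "ssh_password_guessing": lambda port, nbytes, fails: port == 22 and fails >= 5,
}


def misuse_detect(record):
    """Return the names of all signatures that match this record."""
    port, nbytes, fails = record[:3]
    return [name for name, rule in SIGNATURES.items() if rule(port, nbytes, fails)]


class AnomalyDetector:
    """Flags a record when any numeric field deviates from the benign baseline
    by more than `threshold` standard deviations."""

    FIELDS = {"bytes_sent": 1, "failed_logins": 2}

    def __init__(self, baseline, threshold=3.0):
        self.threshold = threshold
        self.stats = {}
        for name, idx in self.FIELDS.items():
            column = [row[idx] for row in baseline]
            # pstdev() of an all-equal column is 0; use 1 so we never divide by 0
            self.stats[name] = (mean(column), pstdev(column) or 1.0)

    def zscores(self, record):
        return {name: (record[idx] - self.stats[name][0]) / self.stats[name][1]
                for name, idx in self.FIELDS.items()}

    def is_anomalous(self, record):
        return any(abs(z) > self.threshold for z in self.zscores(record).values())


def outcome_summary(flags, records):
    """Count detected known attacks, detected novel attacks and benign records flagged."""
    summary = {"known": 0, "novel": 0, "false_positives": 0}
    for flagged, rec in zip(flags, records):
        if not flagged:
            continue
        label = rec[3]
        if label == "normal":
            summary["false_positives"] += 1
        elif label == "brute_force":
            summary["known"] += 1
        else:
            summary["novel"] += 1
    return summary


def run_comparison():
    """Run both detectors over TEST and summarise what each one caught."""
    misuse_flags = [bool(misuse_detect(r)) for r in TEST]
    detector = AnomalyDetector(BASELINE)
    anomaly_flags = [detector.is_anomalous(r) for r in TEST]
    return {
        "misuse": outcome_summary(misuse_flags, TEST),
        "anomaly": outcome_summary(anomaly_flags, TEST),
    }


if __name__ == "__main__":
    for name, summary in run_comparison().items():
        print(f"{name:8s} {summary}")
```

On this input the signature matcher catches only the attack it has a rule for and raises no false alarm, while the baseline detector catches both the known and the novel attack but also flags the benign bulk download: the trade-off between the two rows of Table 1 in miniature.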


FIGURE 4. NIDS versus HIDS.

1) ANOMALY DETECTION
This model assumes that specific abnormal traffic has a low probability and can be distinguished from regular traffic with a high probability [9]. Unsupervised learning and statistical learning-based anomaly detection algorithms can detect unique and undiscovered assaults.

2) MISUSE DETECTION
This approach is a signature-based technique. While monitoring threats in an IDS, detection can occur based on known attack signatures [1]. This strategy is based on supervised learning and can detect illegal or suspicious behaviors that can be used to defend against similar assault behaviors.

TABLE 1. Differences between intrusion detection system approaches.

B. ATTACK CLASSIFICATION
As the network's diversity increased, attacks and threats evolved, becoming more sophisticated and non-repetitive. As a result, numerous attack types have been identified, including DoS, Probe, U2R, Worm, Backdoor, R2L, and Trojan [9]. Denial of service (DoS) attacks are among the most common network resource attacks, as they render network services unavailable to all users. They employ a variety of different behaviors and methods to consume network resources. For Probe, the intruder marks open ports after scanning all devices connected to the network to exploit them and gain network access. Then there is Remote to User (R2U), in which an attacker sends packets to various devices across a network to gain access as a local user [10]. For this definition, a worm is defined as a malicious application capable of self-replication from one device to another [9]. Finally, User to Root (U2R) is used, in which the intruder attempts to access network resources to use them as a local user after numerous trials [11].

C. EVALUATION METRICS
Some indicators are used to assess an intrusion detection system's performance, whether machine learning or deep learning-based. These indicators are based on the confusion matrix components, which contain four metrics: True Positive (TP), True Negative (TN), False Positive (FP), and False Negative (FN), and the assessment indicators are as follows [1]:
• Accuracy - The ratio of correct predictions to records; a higher accuracy indicates a more accurate prediction by the learning model.
• Recall - The model's capacity to locate all positive records is the detection rate, as it quantifies the correctly predicted records.
• Precision - The capacity to avoid mislabeling negative records as positive; a high precision rate equates to a low rate of false positives.
• F1-Score (F1) - The sum of Precision and Recall; a higher F1 indicates a more effective learning model.
• False Positive Rate (FPR) - To compute the False Alarm Rate, divide the total number of normal records identified as attacks by the total number of normal records.

TABLE 2. Confusion matrix.

For decades, scientists and researchers have been attempting to develop and build an intrusion detection system that is both effective and efficient. With the advent of artificial intelligence, all IDS models utilized machine learning methodologies and approaches. However, after years of research, deep learning began to perform better for IDS, as seen by assessment indicator outcomes. Section IV will explore machine learning and deep learning in IDS.

III. DATASETS
When it comes to intrusion detection systems, one should consider the dataset employed to ensure the system's accuracy. Nowadays, applications and networks are growing exponentially, necessitating resilient network security. It can be accomplished by selecting the proper datasets for training and testing. Following that, a summary of the most often used datasets in intrusion detection systems will be discussed.
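The indicators of Section II.C are what the test split of a dataset such as NSL-KDD is ultimately used for, so the following added example (not code from the paper) computes them from the Table 2 counts for a hypothetical binary attack/normal classifier, and also breaks the detection rate down by the four attack categories of Section II.B (DoS, Probe, R2L, U2R). The classifier's verdicts, the small and deliberately imbalanced test set, and the partial mapping of KDD99/NSL-KDD attack names to categories are all constructed here. F1 is computed as the harmonic mean of precision and recall, which is its standard definition.

```python
"""Confusion-matrix metrics for a binary IDS, with recall per attack category.

Added example; the classifier verdicts below are constructed, and the
attack-name mapping covers only a subset of the KDD99 / NSL-KDD labels.
"""

# Partial mapping of KDD99 / NSL-KDD attack names to the four categories.
ATTACK_CATEGORY = {
    "neptune": "DoS", "smurf": "DoS", "back": "DoS",
    "portsweep": "Probe", "satan": "Probe", "ipsweep": "Probe",
    "guess_passwd": "R2L", "warezclient": "R2L",
    "buffer_overflow": "U2R", "rootkit": "U2R",
}

# Constructed evaluation output: (true label of the test record, whether the
# hypothetical classifier flagged it as an attack). Normal traffic dominates,
# as it does in the real datasets.
RESULTS = (
    [("normal", False)] * 29 + [("normal", True)]
    + [("neptune", True)] * 3 + [("smurf", True)] * 2 + [("back", True)]
    + [("portsweep", True), ("satan", True), ("ipsweep", True), ("satan", False)]
    + [("guess_passwd", True), ("guess_passwd", False), ("warezclient", False)]
    + [("buffer_overflow", False), ("rootkit", False)]
)


def category(label):
    return "normal" if label == "normal" else ATTACK_CATEGORY[label]


def confusion_matrix(results):
    """Table 2 counts, with 'attack' as the positive class."""
    cm = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for label, flagged in results:
        is_attack = label != "normal"
        if is_attack and flagged:
            cm["TP"] += 1
        elif is_attack:
            cm["FN"] += 1
        elif flagged:
            cm["FP"] += 1
        else:
            cm["TN"] += 1
    return cm


def _ratio(num, den):
    return num / den if den else 0.0


def metrics(cm):
    """The five indicators of Section II.C computed from the four counts."""
    tp, tn, fp, fn = cm["TP"], cm["TN"], cm["FP"], cm["FN"]
    recall = _ratio(tp, tp + fn)          # detection rate
    precision = _ratio(tp, tp + fp)
    return {
        "accuracy": _ratio(tp + tn, tp + tn + fp + fn),
        "recall": recall,
        "precision": precision,
        # harmonic mean of precision and recall
        "f1": _ratio(2 * precision * recall, precision + recall),
        "fpr": _ratio(fp, fp + tn),       # false alarm rate
    }


def recall_by_category(results):
    """Detection rate per attack category; shows what the overall figures hide."""
    seen, caught = {}, {}
    for label, flagged in results:
        if label == "normal":
            continue
        cat = category(label)
        seen[cat] = seen.get(cat, 0) + 1
        caught[cat] = caught.get(cat, 0) + int(flagged)
    return {cat: caught[cat] / seen[cat] for cat in seen}


if __name__ == "__main__":
    cm = confusion_matrix(RESULTS)
    print(cm)
    for name, value in metrics(cm).items():
        print(f"{name:10s} {value:.3f}")
    print(recall_by_category(RESULTS))
```

The per-category breakdown is the check a practitioner wants alongside the headline numbers: here the overall accuracy is about 0.87 and the false alarm rate about 0.03, yet the rare U2R category is never detected and R2L only a third of the time, which is exactly the kind of imbalance the papers reviewed in Section IV report when they evaluate on KDD-derived datasets.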


A. KDD CUP 1999
This dataset is the most widely used dataset for intrusion detection, based on the DARPA dataset. This dataset includes basic and high-level TCP connection information such as the connection window but no IP addresses. In addition, this dataset contains over 20 different types of attacks and a record for the test subset [10].

B. UNSW-IDS15
It was created in 2015 by the Australian Centre for Cyber Security (ACCS). Samples in this dataset contain normal and malicious traffic [12], and it has been collected from three real-world websites: BID (Symantec Corporation), CVE (Common Vulnerabilities and Exposures), and MSD (Microsoft Security Bulletin); to generate the dataset, this traffic was then emulated in a laboratory environment. This dataset has nine attack families, such as worms, DoS, and fuzzers [9].

TABLE 3. Attack types in UNSW-IDS15.

C. CIC-IDS2017
The dataset was generated in 2017 by the Canadian Institute for Cybersecurity. This dataset contains normal and attack scenarios and includes an abstract behavior for 25 users based on SSH, HTTPS, HTTP, FTP, and email protocols [8], [13].

TABLE 4. Attack types in CIC-IDS2017.

D. NSL-KDD
It is the improved KDD dataset, where a large amount of redundancy has been removed, and an advanced sub-dataset has been created [10]. This dataset utilizes the same KDD99 attributes and belongs to four attack categories: DoS, U2R, R2L, and Probe [8].

TABLE 5. Attack types in NSL-KDD.

E. PU-IDS
A derivative dataset from NSL-KDD is generated to extract statistics from the input data, which are then utilized to create new synthetic instances. The traffic generator of this dataset obtained the same format and attributes as the NSL-KDD dataset [8].

Table 6 shows a comparison of several deep learning methods, the year the dataset was created, whether it was publicly available, the number of characteristics that were utilized for analysis, and lastly, how much traffic the data handled.


TABLE 6. Comparison between datasets.

FIGURE 5. Machine learning Vs. deep learning.

IV. INTRUSION DETECTION SYSTEMS IN RECENT WORKS USING MACHINE LEARNING AND DEEP LEARNING
Methodologies and algorithms have undergone significant change and evolution to produce the most acceptable intrusion detection system in many applications that attempt to identify constantly changing threats and attacks. Initially, classification was based on machine learning, but as performance needed to be further improved, deep learning was utilized to produce higher accuracy and a lower false alarm rate.

The primary distinction between machine learning and deep learning is illustrated in Figure 5, and it is based on the method by which the system gets input. It depends on how the data is trained by machine learning, but it depends on the connections between artificial neural networks in deep learning to train data without requiring many human interactions. Additional differences between machine learning and deep learning are summarised here and in Table 7.
• Data dependencies – This metric indicates the volume of data. In traditional machine learning, based on rules, performance is improved when the data set is limited. In comparison, deep learning performs better with a vast amount of data since a significant amount is required for accurate interpretation and understanding.
• Feature processing – This is a method of extracting features to generate patterns that contribute to the implementation of learning algorithms and reduce the complexity of the data. In other words, the feature process is used to do categorization and feature detection on raw data. While in machine learning the expert must determine the necessary representations, in deep learning the representations are identified automatically through the use of deep learning algorithms.
• Interpretability – This is described as a model's capacity to comprehend human language. An interpretable model can be understood without extra tools or procedures. On the other hand, it is difficult to specify how neurons should be modeled and how the layers should interact in deep learning, making it difficult to explain how the result was obtained.
• Problem-solving – In conventional machine learning, the problem is divided into sub-problems, each of which is solved independently, and then the final answer is obtained. On the other hand, deep learning will resolve the issue completely [4].

The following subsections describe how researchers employed machine learning and deep learning to create an intrusion detection system.

A. MACHINE LEARNING IDS ALGORITHM
This subsection discusses recent research into IDS implementations that utilize a variety of machine learning algorithms. Machine learning algorithms, such as support vector machine (SVM) and random forest (RF), have been used to investigate the binary categorization of IDS using a supervised learning approach [14]. SVM outperformed RF throughout the training process, whereas RF outperformed SVM during the test procedure. Additionally, they concluded that a classifier's performance would vary based on the dataset and attributes.

An IDS model based on a decision tree, naïve Bayes, and random forest was proposed by [15] to classify Probe, R2L, and U2R on the NSL-KDD dataset. It is discovered that the highest accuracy was achieved in detecting DOS attacks using the RF algorithm. Additionally, when they compared their hybrid model with its 14 features to other hybrid models with varying features, the hybrid model had a greater accuracy for DOS, Probe, and U2R and a nearly identical accuracy for R2L.

In order to increase the performance of the attack detection model, an intrusion detection strategy utilizing an SVM ensemble with the feature was presented in [16]. They examined validated training data and discovered that it might be used to improve the detection process, resulting in fast training time, high accuracy, and a low false alarm rate. However, because this strategy trains classifiers independently of feature spaces and then combines judgments via an ensemble, some correlations across feature spaces will be missed during classifier learning, lowering the model's accuracy.

Three datasets comprising high-level network features were explicitly created for non-payload-based network intrusion detection systems in [17] by enabling machine learning classifiers to use Advanced Security Network Metrics (ASNM) features. It was the first dataset to include adversarial obfuscation techniques and benign traffic samples that were applied to the malicious traffic execution of TCP network connections. While such classifiers can detect a sizable percentage of unknown threats, some unknown attacks may be undetectable, as illustrated in Figure 6.

TABLE 7. Comparison between machine learning and deep learning.

FIGURE 6. An overview of constructing ASNM datasets.

The requirement for a horizontal platform for IoT applications/M2M resulted in creating the worldwide standard OneM2M [18], which aims to address the requirement for an M2M service layer that enables communication across heterogeneous apps and devices, as seen in Figure 7. Additionally, the authors investigated the second line of defense for oneM2M IoT networks that can identify and prevent threats and intrusions, dubbed Machine Learning-based Intrusion Detection and Prevention System, which can detect and prevent not only known but also unexpected attacks. They developed their dataset from real-world IoT networks and implemented a detection model with three machine learning levels to identify and detect assaults and threats. They obtained 99.93 % accuracy for the second detection level when using a decision tree-based machine learning algorithm and 99.34 % accuracy when using an encoder-based machine learning strategy. However, this model obtained a high degree of accuracy and can detect and respond to risks associated with the oneM2M service layer.

FIGURE 7. OneM2M architecture.

The use of Artificial Neural Networks (ANNs) was proposed by [18] to detect malicious traffic by training them on a large variety of benign and malicious traffic data. ANNs create weights that are adaptively tuned during the training phase by a learning rule. Their methodology outperformed signature-based detection, with an accuracy of 98 %. Table 8 analyses the learning method, performance metric, dataset, attack type, strengths, and limits of machine learning techniques based on intrusion detection systems.

B. DEEP LEARNING IDS ALGORITHM
This subsection discusses recent implementations of DL-IDS using a variety of deep learning methods. A model was introduced by [24] to collect and label real network traffic using their dataset in order to investigate mobile application identification and connect it to a cloud server.


TABLE 8. Machine learning algorithms for IDS.

The classification was learned using deep learning methods such as AE, CNN, and RNN, with the greatest performance obtained when utilizing CNN and LSTM, with an accuracy of 91.8 % for 1D CNN classifiers and 90.1 % for F-measure. However, their analysis was limited to a particular application, and because all features are equally essential, CNN and RNN lack a crucial evaluation function while still extracting features adequately.

An intelligent intrusion detection system was developed by [25] that combines deep learning algorithms with network virtualization to detect malicious behavior on IoT networks. Their technique enables efficient anomaly detection in IoT networks regarding scalability and interoperability by simulating and tracing five different attacks. Their model achieved a precision rate of 95% and a recall rate of 97% for various threat scenarios. However, as with many other IDS models, they emphasize detection rather than prevention techniques. Figure 8 illustrates the implementation of the deep learning model for IDS.

FIGURE 8. Sample of IDS deep learning model.

A deep learning classification model using NSL-KDD and KDD CUP99 was proposed in [26] to address increased human engagement and decreasing accuracy. The model was constructed using an unsupervised learning technique known as Non-symmetric Deep Autoencoder (NDAE). Their model required less training time than DBN and improved accuracy by 5% compared to a pure Autoencoder, and is depicted in Figure 9. It consists of two NDAEs with three hidden layers each, and the two NDAEs are joined using an RF method. Their methodology, however, is ineffective in detecting complex attacks due to its high false alarm rate.

Convolutional neural networks with the NSL-KDD dataset were investigated in [28] and are depicted in Figure 10. In addition, the authors investigated a method for detecting threats in a vast real-time network by converting the raw data to an image data format, which aids in resolving the unbalanced dataset issue by computing the cost function for each class from the training sample. As a result, they were able to reduce the number of computing parameters in their model, but their model's accuracy was low compared to other machine learning and neural network models. Table 9 summarizes various deep learning algorithms for IDS.

FIGURE 9. Stacked NDAE classification model.

FIGURE 10. IDS based on CNN.

In [27], a combination of CIC-IDS 2017, NSL-KDD, Kyoto, UNSW-NB15, and WSN-DS datasets was proposed to categorize and detect unplanned and unexpected cyberattacks using a deep neural network. The performance of this model was evaluated by comparing it to other machine learning classifiers, and their model outperformed the others. Similarly, in [2], the author suggested a deep neural network approach for classifying network data as harmful or benign. He supplemented his analysis with two more datasets: UNB-ISCX 2012 and CIC-IDS 2017. First, a feedforward Deep Neural Network was utilized for training the model, and then an Autoencoder was employed to categorize assaults and threats in the absence of tagged harmful data. Their model was 99.96% accurate for UNB-ISCX 2012 and 99.96% accurate for CIC-IDS 2017. Additionally, their research established the critical nature of the datasets needed to construct an IDS and the efficacy of Autoencoder for anomaly detection.

To enhance detection accuracy in IDS, the author incorporated big data, deep learning approaches, and natural language processing in [28]. They worked with KDD CUP99 and achieved an accuracy of 94.32 % with their model. In addition, another deep neural network method was introduced in [29] to detect risks and attacks in the cloud environment. Their approach used Simulated Annealing and Improved Genetic Algorithms to create the hybrid optimization framework IGASAA using the datasets NSL-KDD2015, CIC-IDS2017, and CIDDS-001. Compared to the Simulated Annealing Algorithm (SAA), their model demonstrated a higher detection rate, increased accuracy, and a lower false alarm rate.

Web application security is highly reliant on detecting malicious HTTP traffic, which needs a significant investment in training data gathering and a large dataset. To detect malicious HTTP traffic, the authors in [29] introduced the DeepPTSD method based on a deep transfer semi-supervised learning methodology. The construction of their model is given in Figure 11. They used two raw public datasets from FSecurify and another from their lab via a honeypot server. When only a small training dataset is available, their model exceeds other existing baselines, with a precision of 93.33% compared to 86.67 % and 86.61 % for CNN and RNN, respectively.

FIGURE 11. DeepPTSD architecture.

An intrusion detection model based on a convolutional neural network was presented in [30] to extract structural information. The authors performed multiclassification on NIDS using the NSL-KDD and KDD-CUP99 datasets. Their model's accuracy increased compared to other classifiers, resulting in enhanced detection of unknown threats and a decrease in false alert rates. A feedforward deep neural network was proposed by [1] for an intrusion detection system to perform binary classification on the NSL-KDD dataset. Due to the dense structure of this model, it beat the usual machine-learning technique in terms of scalability with big datasets and time for training data. As a result, there was a high proportion of true positives and accurate categorization records, with this model achieving an accuracy of 89%.

TABLE 9. Deep learning algorithms for IDS.

In [31], an RNN-based IDS binary and multiclass classification technique was investigated. This model outperformed conventional machine learning algorithms and demonstrated that it is suited for classification with high accuracy. The authors trained and tested their model on the NSL-KDD dataset. Figure 12 illustrates the RNN structure and the proposed RNN-IDS model.

Deep neural networks were used in [32] to investigate the applicability of anomaly-based intrusion detection systems. Based on the NSL-KDD dataset, the authors studied a variety of machine learning and deep learning frameworks. According to the comparison, deep learning outperformed machine learning in the accuracy test. The best performance was first achieved by the RNN, then by the CNN, and finally by the Autoencoder. A comparison of deep learning methods based on intrusion detection systems is presented in Table 9, which compares the learning algorithm, performance metric, dataset, attack targeted, strengths, and limits of the algorithms.

FIGURE 12. RNN and RNN-IDS architecture.

C. HYBRID LEARNING IDS ALGORITHM
This section discusses works that combine machine learning and deep learning or use many algorithms of the same learning type. First, a deep learning-based intrusion detection system for an IoT network was developed in [39]. By providing a model based on Gated Recurrent Neural Networks (GRU and LSTM), their detection dataset was the KDD99 cup. They proposed adding deep learning classifiers to each TCP/IP architecture layer to increase its complexity. The model's accuracy was 98.91 %, and the false alarm rate was 0.76 %. However, one may argue that the model's robustness was low.

Hierarchical Intrusion Detection System (HAST-IDS) was developed in [40] to improve anomaly detection. As illustrated in Figure 13, they began by extracting spatial features using CNN and then temporal characteristics using LSTM. Finally, they evaluated the performance of their proposed model using the ISCX2012 and DARPA datasets. Although the hierarchical CNN-LSTM model beats pure CNN or LSTM models and gives higher accuracy for IDS, it is computationally expensive because of its complicated architecture.


D2H-IDS [41] is an intrusion detection system that was developed to ensure the security of connections between connected smart vehicles. This model is built on a framework for continuous automated secure service availability and utilises a decision tree and a deep belief network to classify attacks and reduce their dimensionality.

FIGURE 13. Hierarchy of HAST-IDS.

For security attacks in smart connected vehicles, an intrusion detection system based on a continuous automated secure service availability framework was proposed in [41]. The model classifies attacks and reduces their dimensionality using a decision tree and deep belief machine learning. A model for enhancing IDS performance was provided by [42] by integrating three classifiers with big data. The methods utilized were a combination of machine learning and deep learning techniques, including Random Forest (RF), Deep Neural Network (DNN), and Gradient Boosting Tree (GBT). The authors evaluated their strategy using the CIC-IDS2017 and UNSW-NB15 datasets. DNN has the highest accuracy, at 99.19 % on UNSW-NB15 and 99.99 % on CIC-IDS2017. Although all three classifiers achieved good accuracy, training the model was difficult due to the wide variety of numerical data across the features.

In wireless sensor networks, IDS was performed using a combination of machine learning and deep learning [43]. The authors proposed the Restricted Boltzmann machine-based clustered IDS (RBC-IDS) approach as a deep learning technique. They used the KDD Cup99 dataset and Network Simulator-3 (NS-3) to compare their model against an adaptive machine learning-based IDS. While RBC-IDS has high accuracy, its detection time was comparable to that of the adaptive machine learning model, resulting in overhead expenses. A hybrid network IDS was utilized in [6] using the UNSW-NB15 dataset and the CNN-LSTM algorithm. For application to real-world devices, they employed a transfer learning approach to optimise the IDS model's efficiency. Their model was 98.43 % accurate.

CBR-CNN (Channel Boosted and Residual Learning) was created in [44], employing deep Convolutional Neural Networks for intrusion detection using the NSL-KDD dataset. Training is carried out using an unsupervised learning approach, and normal traffic is modeled using stacked autoencoders (SAE). Their model had an accuracy of 89.41 % for KDD-Test+ and 80.36 % for KDD-Test-21, respectively. Table 10 analyses the learning method, performance metric, dataset, attack type, strengths, and limits of hybrid learning algorithms based on intrusion detection systems.

TABLE 10. Hybrid learning algorithms for IDS.

D. DISCUSSION AND OPEN CHALLENGES
Intrusion detection systems are now considered a necessary component of our daily lives. However, developing an intrusion detection system capable of detecting and responding to a wide range of attacks and threats is a difficult task. As a result, hundreds of studies in the field of intrusion detection systems have been carried out for various applications by academic researchers. Some academics believe that deep learning, through a neural network, will enable greater flexibility in IDS, allowing it to detect and classify harmful threats more effectively. This flexibility is because its algorithms have hidden layers with a high-dimensional feature representation of the data.

A comprehensive assessment of network-based intrusion detection systems was offered in [10], in which the authors stressed the need for labeled data when evaluating and training anomaly-based intrusion detection systems. Moreover, in [45], the author investigated the possibility of improving model optimization and concluded that the supervised learning approach is more successful than the unsupervised one: it can achieve higher performance with the algorithms used because it trains the models on labeled data. In [13], the priority was NADS implementation across various applications: data centers, fog and cloud computing, and the Internet of Things (IoT). The authors asserted that datasets not based on real traffic might lead studies to mistaken conclusions. In [45], the author also provided ESR-NID (Evolving Statistical Rulesets for Network Intrusion Detection), a model that uses evolutionary computation techniques to automatically generate rulesets for network intrusion detection. The model outperforms other existing models and is capable of dealing with a variety of attack types.

To summarize, some researchers concentrated on whichever algorithm would provide the best performance, such as [14], [15], [21]–[23], [33], [39]. A comparison between the different types of algorithms used for IDS is presented in Table 11, in terms of the learning approach, advantages, and disadvantages.

TABLE 11. Comparison of machine learning and deep learning algorithms.

As a means of increasing accuracy and improving model implementation, some researchers investigated combining algorithms to achieve higher accuracy or a lower false alarm rate, as in [40], [41], while others combined methods from machine learning and deep learning, as in [43], [44], [46]. Each dataset contains a different range of threats and attacks, so some researchers experimented to see which dataset could provide a more stable model, as in [15], [21], [25], [35], [38], [43], while others created their own dataset to use in IDS development, as in [17], [24], [47].

The intrusion detection system field has many challenges, represented by:

1) UNAVAILABILITY OF UP-TO-DATE DATASET
A highly effective IDS must be trained and tested against a dataset of new and old threats and attacks. The more attack patterns and types a dataset contains, the more resistant the model becomes to various attack types. Thus, one of the challenges for IDS is to maintain an up-to-date dataset with sufficient records to cover the majority of attack types.

2) HYPERPARAMETER TUNING
The deep structure of an IDS model requires that its hyperparameters be specified. The activation function and optimization method, the number of nodes per layer, and the total number of layers in a network are all hyperparameters. Hyperparameters affect training and model building, and can increase or decrease the IDS model's accuracy and detection rate. Hyperparameters can be tuned manually, which takes a significant amount of time, or automatically, to improve the performance of the IDS model.

3) IMBALANCED DATASET
Existing datasets contain varying numbers of records for the various types of attacks. These differences affect the accuracy and detection rate for the various attack types: an attack class with few records will have a lower detection rate than one with many records. This issue can be resolved either by balancing the dataset or by increasing the number of minority attack records.

4) PERFORMANCE IN THE REAL WORLD
When researchers attempt to develop an intrusion detection system, they train and test the model in laboratories, with the majority of the data coming from public sources. Thus, an IDS model faces a challenge when it is implemented in a real-world environment; the model developed in the lab should be validated in a real-world environment to ensure its efficiency.

V. CONCLUSION
Intrusion detection systems are one of the essential subjects in the cybersecurity area. Many researchers are developing systems that will secure data against malicious conduct. However, research into other applications of learning algorithms, such as establishing a new dataset or merging algorithms, is currently ongoing. As a result, in this work we explain the concept of an intrusion detection system, the types of attacks, and how to determine whether or not we have an effective system. Selecting a good dataset to train and test an intrusion detection system is crucial, and it was clear that datasets have an impact on research in this sector, as some are deemed out of date or contain redundant information. As a result, the most frequently used datasets for detecting threats over the last decade are compared in this review.

The final step in this project was to look into what others did to protect their data. Recent research has revealed that there are numerous data protection implementations. Researchers employed machine learning for several purposes at first, and many studies were conducted to determine which algorithm would provide higher accuracy or which datasets would produce a lower false alarm rate. Finally, they arrived at deep learning after extensive investigation and testing. Many studies and experiments have shown that deep learning is superior to machine learning because it can handle more complicated problems with greater accuracy and lower false alarm rates. Previous work has been applied in a variety of applications, employing various datasets, architectures, learning methodologies, and learning algorithms to secure data from attacks and dangers each time.

REFERENCES
[1] D. I. Edeh, ‘‘Network intrusion detection system using deep learning technique,’’ M.S. thesis, Dept. Comput., Univ. Turku, Turku, Finland, 2021.
[2] G. C. Fernandez, ‘‘Deep learning approaches for network intrusion detection,’’ M.S. thesis, Dept. Comput. Sci., Univ. Texas at San Antonio, San Antonio, TX, USA, 2019.
[3] H. Benmeziane, ‘‘Comparison of deep learning frameworks and compilers,’’ M.S. thesis, Comput. Sci., Inst. Nat. Formation Informatique, École nationale Supérieure d’Informatique, Oued Smar, Algeria, 2020.
[4] Y. Xin, L. Kong, Z. Liu, Y. Chen, Y. Li, H. Zhu, and M. Gao, ‘‘Machine learning and deep learning methods for cybersecurity,’’ IEEE Access, vol. 6, pp. 35365–35381, 2018, doi: 10.1109/ACCESS.2018.2836950.
[5] I. Goodfellow, Y. Bengio, and A. Courville, Deep Learning. Cambridge, MA, USA: MIT Press, 2016.
[6] H. Dhillon, ‘‘Building effective network security frameworks using deep transfer learning techniques,’’ M.S. thesis, Dept. Comput. Sci., Western Univ., London, ON, Canada, 2021.
[7] M. Labonne, ‘‘Anomaly-based network intrusion detection using machine learning,’’ Ph.D. dissertation, Inst. Polytechnique de Paris, Palaiseau, France, 2020.
[8] A. Kim, M. Park, and D. H. Lee, ‘‘AI-IDS: Application of deep learning to real-time web intrusion detection,’’ IEEE Access, vol. 8, pp. 70245–70261, 2020.
[9] P. Wu, ‘‘Deep learning for network intrusion detection: Attack recognition with computational intelligence,’’ M.S. thesis, School Comput. Sci. Eng., Univ. New South Wales, Sydney NSW, Australia, 2020.
[10] M. Ring, S. Wunderlich, D. Scheuring, D. Landes, and A. Hotho, ‘‘A survey of network-based intrusion detection data sets,’’ Comput. Secur., vol. 86, pp. 147–167, Sep. 2019.
[11] M. Alkasassbeh and M. Almseidin, ‘‘Machine learning methods for network intrusion detection,’’ 2018, arXiv:1809.02610.
[12] T. Hamed, R. Dara, and S. C. Kremer, ‘‘Network intrusion detection system based on recursive feature addition and bigram technique,’’ Comput. Secur., vol. 73, pp. 137–155, Mar. 2018.
[13] N. Moustafa, J. Hu, and J. Slay, ‘‘A holistic review of network anomaly detection systems: A comprehensive survey,’’ J. Netw. Comput. Appl., vol. 128, pp. 33–55, Feb. 2019.
[14] L. Arnroth and J. Fiddler Dennis, ‘‘Supervised learning techniques: A comparison of the random forest and the support vector machine,’’ Uppsala Univ., Uppsala, Sweden, 2016.
[15] D. H. Lakshminarayana, ‘‘Intrusion detection using machine learning algorithms,’’ M.S. thesis, Dept. Comput. Sci., East Carolina Univ., Greenville, NC, USA, 2019.
[16] J. Gu, L. Wang, H. Wang, and S. Wang, ‘‘A novel approach to intrusion detection using SVM ensemble with feature augmentation,’’ Comput. Secur., vol. 86, pp. 53–62, Sep. 2019.
[17] I. Homoliak, K. Malinka, and P. Hanacek, ‘‘ASNM datasets: A collection of network attacks for testing of adversarial classifiers and intrusion detectors,’’ IEEE Access, vol. 8, pp. 112427–112453, 2020, doi: 10.1109/ACCESS.2020.3001768.
[18] A. Shenfield, D. Day, and A. Ayesh, ‘‘Intelligent intrusion detection systems using artificial neural networks,’’ ICT Exp., vol. 4, no. 2, pp. 95–99, Jun. 2018.
[19] N. Farnaaz and M. A. Jabbar, ‘‘Random forest modeling for network intrusion detection system,’’ Proc. Comput. Sci., vol. 89, pp. 213–217, May 2016.
[20] B. B. Rao and K. Swathi, ‘‘Fast kNN classifiers for network intrusion detection system,’’ Indian J. Sci. Technol., vol. 10, no. 14, pp. 1–10, Apr. 2017.
[21] C. Khammassi and S. Krichen, ‘‘A GA-LR wrapper approach for feature selection in network intrusion detection,’’ Comput. Secur., vol. 70, pp. 255–277, Sep. 2017.
[22] A. Verma and V. Ranga, ‘‘Statistical analysis of CIDDS-001 dataset for network intrusion detection systems using distance-based machine learning,’’ Proc. Comput. Sci., vol. 125, pp. 709–716, Jan. 2018.
[23] M. Belouch, S. El Hadaj, and M. Idhammad, ‘‘Performance evaluation of intrusion detection based on machine learning using apache spark,’’ Proc. Comput. Sci., vol. 127, pp. 1–6, Jan. 2018.
[24] X. Wang, S. Chen, and J. Su, ‘‘Real network traffic collection and deep learning for mobile app identification,’’ Wireless Commun. Mobile Comput., vol. 2020, pp. 1–14, Feb. 2020, doi: 10.1155/2020/4707909.
[25] G. Thamilarasu and S. Chawla, ‘‘Towards deep-learning-driven intrusion detection for the Internet of Things,’’ Sensors, vol. 19, no. 9, p. 1977, Apr. 2019, doi: 10.3390/s19091977.
[26] N. Shone, T. N. Ngoc, V. D. Phai, and Q. Shi, ‘‘A deep learning approach to network intrusion detection,’’ IEEE Trans. Emerg. Topics Comput. Intell., vol. 2, no. 1, pp. 41–50, Feb. 2018.
[27] R. Vinayakumar, M. Alazab, K. Soman, P. Poornachandran, A. Al-Nemrat, and S. Venkatraman, ‘‘Deep learning approach for intelligent intrusion detection system,’’ IEEE Access, vol. 7, pp. 41525–41550, 2019, doi: 10.1109/ACCESS.2019.2895334.
[28] Y. Dong, R. Wang, and J. He, ‘‘Real-time network intrusion detection system based on deep learning,’’ in Proc. IEEE 10th Int. Conf. Softw. Eng. Service Sci. (ICSESS), Oct. 2019, pp. 1–4.
[29] T. Chen, Y. Chen, M. Lv, G. He, T. Zhu, T. Wang, and Z. Weng, ‘‘A payload based malicious HTTP traffic detection method using transfer semi-supervised learning,’’ Appl. Sci., vol. 11, no. 16, p. 7188, 2021, doi: 10.3390/app11167188.
[30] G. Liu and J. Zhang, ‘‘CNID: Research of network intrusion detection based on convolutional neural network,’’ Discrete Dyn. Nature Soc., vol. 2020, pp. 1–11, May 2020.
[31] C. Yin, Y. Zhu, J. Fei, and X. He, ‘‘A deep learning approach for intrusion detection using recurrent neural networks,’’ IEEE Access, vol. 5, pp. 21954–21961, 2017.
[32] S. Naseer, Y. Saleem, S. Khalid, M. K. Bashir, and J. Han, ‘‘Enhanced network anomaly detection based on deep neural networks,’’ IEEE Access, vol. 6, pp. 48231–48246, 2018, doi: 10.1109/ACCESS.2018.2863036.
[33] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, ‘‘An intrusion detection model based on feature reduction and convolutional neural networks,’’ IEEE Access, vol. 7, pp. 42210–42219, 2019.
[34] D. Papamartzivanos, F. G. Mármol, and G. Kambourakis, ‘‘Introducing deep learning self-adaptive misuse network intrusion detection systems,’’ IEEE Access, vol. 7, pp. 13546–13560, 2019.
[35] M. Mayuranathan, M. Murugan, and V. Dhanakoti, ‘‘Best features based intrusion detection system by RBM model for detecting DDoS in cloud environment,’’ J. Ambient Intell. Hum. Comput., vol. 12, no. 3, pp. 3609–3619, 2019.
[36] F. Jiang, Y. Fu, B. B. Gupta, Y. Liang, S. Rho, F. Lou, F. Meng, and Z. Tian, ‘‘Deep learning based multi-channel intelligent attack detection for data security,’’ IEEE Trans. Sustain. Comput., vol. 5, no. 2, pp. 204–212, Apr. 2020.
[37] Q. Tian, D. Han, K.-C. Li, X. Liu, L. Duan, and A. Castiglione, ‘‘An intrusion detection approach based on improved deep belief network,’’ Appl. Intell., vol. 50, pp. 3162–3178, May 2020.
[38] C. Zhang, X. Costa-Pérez, and P. Patras, ‘‘Tiki-taka: Attacking and defending deep learning-based intrusion detection systems,’’ in Proc. ACM SIGSAC Conf. Cloud Comput. Secur. Workshop, 2020, pp. 27–39.
[39] M. K. Putchala, ‘‘Deep learning approach for intrusion detection system (IDS) in the Internet of Things (IoT) network using gated recurrent neural networks (GRU),’’ M.S. thesis, Dept. Comput. Sci. Eng., Wright State Univ., Dayton, OH, USA, 2017.
[40] W. Wang, Y. Sheng, J. Wang, X. Zeng, and X. Ye, ‘‘HAST-IDS: Learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection,’’ IEEE Access, vol. 6, pp. 1792–1806, 2018.
[41] M. Aloqaily, S. Otoum, I. A. Ridhawi, and Y. Jararweh, ‘‘An intrusion detection system for connected vehicles in smart cities,’’ Ad Hoc Netw., vol. 90, Jul. 2019, Art. no. 101842, doi: 10.1016/j.adhoc.2019.02.001.
[42] O. Faker and E. Dogdu, ‘‘Intrusion detection using big data and deep learning techniques,’’ presented at the ACM Southeast Conf., 2019.
[43] S. Otoum, B. Kantarci, and H. T. Mouftah, ‘‘On the feasibility of deep learning in sensor network intrusion detection,’’ IEEE Netw. Lett., vol. 1, no. 2, pp. 68–71, Jun. 2019, doi: 10.1109/LNET.2019.2901792.
[44] N. Chouhan, A. Khan, and H.-U.-R. Khan, ‘‘Network anomaly detection using channel boosted and residual learning based deep convolutional neural network,’’ Appl. Soft Comput., vol. 83, Oct. 2019, Art. no. 105612, doi: 10.1016/j.asoc.2019.105612.
[45] S. Rastegari, ‘‘Intelligent network intrusion detection using an evolutionary computation approach,’’ Ph.D. dissertation, School Comput. Secur. Sci., Edith Cowan Univ., Joondalup WA, Australia, 2015.
[46] J. Yang, J. Deng, S. Li, and Y. Hao, ‘‘Improved traffic detection with support vector machine based on restricted Boltzmann machine,’’ Soft Comput., vol. 21, no. 11, pp. 3101–3112, 2017.
[47] N. Chaabouni, ‘‘Intrusion detection and prevention for IoT systems using machine learning,’’ Ph.D. dissertation, School Math. Comput. Sci., Université de Bordeaux, Bordeaux, France, 2020.

ASMAA HALBOUNI (Graduate Student Member, IEEE) received the bachelor’s degree in telecommunication engineering from An-Najah National University, Palestine. She is currently pursuing the M.S. degree in computer and information engineering with International Islamic University Malaysia, Malaysia. Her research interests include intrusion detection, network security, and deep learning.

TEDDY SURYA GUNAWAN (Senior Member, IEEE) received the B.Eng. degree (cum laude) in electrical engineering from the Institut Teknologi Bandung (ITB), Indonesia, in 1998, the M.Eng. degree from the School of Computer Engineering, Nanyang Technological University, Singapore, in 2001, and the Ph.D. degree from the School of Electrical Engineering and Telecommunications, The University of New South Wales, Australia, in 2007.
He was the Head of the Department of Electrical and Computer Engineering, from 2015 to 2016, and the Head of Programme Accreditation and Quality Assurance with the Faculty of Engineering, International Islamic University Malaysia, from 2017 to 2018. He has been a Chartered Engineer at IET, U.K., since 2016, an Insinyur Profesional Utama at PII, Indonesia, since 2021, and a Registered ASEAN Engineer, since 2018. He has been a Professor, since 2019, and has been an ASEAN Chartered Professional Engineer, since 2020. His research interests include speech and audio processing, biomedical signal processing and instrumentation, image and video processing, and parallel computing. He was awarded the Best Researcher Award at IIUM, in 2018. He was the Chairperson of IEEE Instrumentation and Measurement Society—Malaysia Section, in 2013, 2014, 2021, and 2022.
MOHAMED HADI HABAEBI (Senior Member, IEEE) is currently a Professor with the Department of Electrical and Computer Engineering, International Islamic University Malaysia (IIUM). His research interests include the IoT, mobile app development, networking, blockchain, AI applications in image processing, cyber-physical security, wireless communications, small antennas, and channel propagation modeling.

MURAD HALBOUNI received the bachelor’s degree in telecommunication engineering from Palestine Technical University, Kadoorie, Palestine. He is currently pursuing the M.S. degree in cyber crime with Arab American University, Palestine. His research interests include cybercrime and digital evidence analysis, metro networks, network security, and machine learning. He also works at Paltel, a Palestinian communication business, as a Network Engineer.

MIRA KARTIWI (Member, IEEE) is currently a Professor with the Department of Information Systems, Kulliyyah of Information and Communication Technology, and currently the Deputy Director of E-learning with the Centre for Professional Development, International Islamic University Malaysia (IIUM). She was one of the recipients of the Australia Postgraduate Award (APA), in 2004. For her achievement in research, she was awarded the Higher Degree Research Award for Excellence, in 2007. She has also been appointed as an Editorial Board Member in local and international journals to acknowledge her expertise. She is also an experienced consultant specializing in the health, financial, and manufacturing sectors. Her research interests include health informatics, e-commerce, data mining, information systems strategy, business process improvement, product development, marketing, delivery strategy, workshop facilitation, training, and communications.

ROBIAH AHMAD (Senior Member, IEEE) received the B.Sc. degree in electrical engineering from the University of Evansville, Evansville, IN, USA, the M.Sc. degree in information technology for manufacturer from the Warwick Manufacturing Group, University of Warwick, U.K., and the Ph.D. degree in mechanical engineering from University Teknologi Malaysia, Malaysia. She is currently an Associate Professor with the Razak Faculty of Technology and Informatics, UTM, Kuala Lumpur, Malaysia. She has more than 20 years of experience as a Research Scientist. She has published more than 100 peer-reviewed international journal articles/proceedings in the areas of instrumentation and control, system modeling and identification, and evolutionary computation. She currently holds a position on the executive committee for Humanitarian Activities for the IEEE Malaysia Section and is the Past Chair of the IEEE Instrumentation and Measurement Society Malaysia Chapter.