Optimizing_IoT_Network_Intrusion_Detection_A_Deep_Learning_Approach
Abstract—Network Intrusion Detection System (NIDS) serves as an essential component in data protection by monitoring computer networks for threats that can bypass conventional defenses such as malware and hackers. Deep learning (DL) techniques provide a promising approach for analyzing raw IoT network data to identify subtle patterns indicative of intrusion attempts. This study addresses a crucial research gap by developing a Deep Convolutional Neural Network (DCNN) model specifically designed for the efficient detection of stealthy and polymorphic variants while reducing false positives. Utilizing the NF-ToN-IoT dataset, the proposed model achieves outstanding performance metrics on test data, with an accuracy of 0.9923, precision of 0.9925, recall of 0.9979, and F1 score of 0.9952. To comprehensively evaluate the robustness of the model, a multi-dataset validation strategy is employed. The model is retrained and assessed on established benchmark datasets on IoT networks, including NF-UNSW-NB15, NF-UNSW-NB15-v2 and NF-BoT-IoT, demonstrating exceptional performance. Furthermore, the significance of the contribution is validated by comparing the proposed model against previously established architectures such as CNN+BiLSTM, DNN, GRU+RNN, and CNN+LSTM using the NF-ToN-IoT dataset. The proposed model consistently outperforms these prior models, highlighting its efficacy and advancements in the field. Additionally, an ablation study is conducted to analyze the individual components of the Deep CNN model, providing insights into their contributions towards detecting malware traffic and offering guidance for optimizing future NIDS models in the cybersecurity domain. Making our work available open-source on https://github.com/codewithkhurshed/IDS-IUB can enhance its accessibility and promote future research opportunities in Network Intrusion Detection.

Index Terms—Network Protection, Intrusion Detection Mechanism, Deep Convolutional Neural Networks, Cyber Defense, Malware Identification, IoT

I. INTRODUCTION

A Network Intrusion Detection System (NIDS) oversees the data flow in computer networks, ensuring the integrity of transmitted information. It detects and mitigates threats such as malware and unauthorized access attempts [1]. Utilizing Deep Learning (DL), especially in IoT-based NIDS, enhances network security by efficiently processing vast data streams with minimal manual intervention. Convolutional Neural Networks (CNNs) are crucial, recognizing complex patterns in raw network traffic. Extensive training on labeled datasets enables DL models to distinguish between normal and anomalous behaviors, allowing for the swift detection and categorization of intrusions such as malware and DoS attacks. The rapid growth of IoT devices has significantly enlarged the attack surface, as each device introduces a potential vulnerability that cyber attackers can exploit. Traditional security measures often struggle to protect this diverse ecosystem. A specialized NIDS can observe network traffic continuously, identify anomalies, and respond to threats in real-time. Since many IoT devices have limited processing power, memory, and storage, an IoT-focused NIDS can offload heavy computational tasks to centralized or edge-based systems, enabling effective monitoring and protection without burdening the individual devices.

Contemporary NIDS research faces challenges such as reliance on outdated datasets and the mismatch between high accuracy metrics and real-world effectiveness. Securing emerging technologies like smart grids also requires specialized solutions. To address these issues, we propose a novel deep CNN-based model for intrusion detection, as detailed in Section II(A). This model offers a more robust and adaptable approach to enhance network security in dynamic environments. The contributions of this study include:
• This study presents a new Deep CNN model designed to effectively detect stealthy and polymorphic intrusions in IoT networks, with a focus on minimizing false negatives.
• A multi-dataset validation, as shown in Table IV, is used to rigorously assess the model. It is retrained and evaluated on benchmark datasets such as NF-UNSW-NB15, NF-UNSW-NB15-v2, and NF-BoT-IoT, showcasing its strong performance across various datasets.
• A comparative analysis using the NF-ToN-IoT dataset, detailed in Table III, shows that the proposed model outperforms established architectures like CNN+BiLSTM, DNN, GRU+RNN, and CNN+LSTM.
• Table II presents an ablation study that examines the Deep CNN model's components, revealing their individual impact on malware detection and offering insights for optimizing future NIDS models.

II. PREVIOUS WORK

R. Tahri et al. [2] applied ML algorithms like Naïve Bayes, SVM, and k-nearest neighbors for intrusion detection on NSL-KDD and UNSW-NB15 datasets but did not compare their results with previous studies. Conversely, T. Kim and W. Pak [3] tackle this issue by comparing previous studies and suggesting the creation of a new training dataset for a
Authorized licensed use limited to: VNR Vignana Jyothi Inst of Eng & Tech. Downloaded on March 07,2025 at 17:28:18 UTC from IEEE Xplore. Restrictions apply.
Generative Adversarial Network (GAN) using misclassified data from a custom LSTM-DNN model. However, this method has hardware dependencies and requires enhanced accuracy. [4] introduces a Convolutional Deep Belief Network (CDBN) for real-time intrusion detection in wireless networks, but it requires substantial computational resources for training and inference. The hybrid CNN and BiLSTM network in [5] enhances intrusion detection with binary and multiclass classification, achieving an average accuracy of 84.42% on NF-UNSW-NB15 using L2 regularizer and dropout techniques. However, it may lack robustness across different datasets. [6] uses SMOTE oversampling, One-Hot encoding, and Random Forest for binary classification, combined with a CNN and Softmax activation for final classification. However, it lacks comparison with prior research and may have issues with robustness and scalability. L. Zou et al. [7] proposed a hierarchical clustering decision tree with twin SVMs but did not thoroughly compare it to other intrusion detection methods, potentially limiting insights into its performance. [8] introduced a Semi-Supervised Deep Reinforcement Learning (SSDDQN) model for abnormal traffic detection, featuring a Double Deep Q-Network (DDQN) for better learning efficiency and a DNN classifier for improved detection. The model also uses K-Means clustering to enhance prediction performance through unsupervised learning. X. Ma and W. Shi [9] developed an anomaly detection framework for IDS that integrates Reinforcement Learning (RL) with class-imbalance techniques, using an adapted SMOTE to enhance RL performance. The AESMOTE model achieved over 0.82 accuracy and an F1 score above 0.824 on the NSL-KDD dataset, but its effectiveness may vary with other datasets, highlighting the need for broader validation. M. Al-Fawa'reh et al. [10] developed MalBoT-DRL, a botnet detector that adapts to evolving malware patterns, achieving detection rates of 99.80% and 99.40% on MedBIoT and N-BaIoT datasets. While it faces challenges with stealthy malware and adversarial attacks, it remains efficient in training. Similarly, [11] introduced RLAuth, a risk-based authentication system using DRL, which achieved a G-Mean of 92.62%. Despite its effectiveness, RLAuth has high memory consumption and vulnerabilities in familiar contexts.

A. Dealing with limitations

Our work addresses several limitations identified in previous studies in network intrusion detection. Unlike [2] and [6], which lack comprehensive comparisons with prior research, our study systematically evaluates the proposed Deep CNN model against established architectures like CNN+BiLSTM, DNN, GRU+RNN, and CNN+LSTM. This comparison, shown in Table III, underscores our model's superior performance and contextualizes our findings within the broader landscape of existing methods. Our approach overcomes the dataset dependency issue highlighted in [9], which relied solely on the NSL-KDD dataset. By using a multi-dataset validation strategy, including benchmark datasets shown in Table IV, we display the robustness and versatility of the proposed DCNN model across different data environments, validating its generalizability in real-world scenarios. Our Deep CNN model addresses false negatives and optimizes for both accuracy and efficiency, overcoming computational challenges noted in [4]. An ablation study in Table II highlights each component's contribution, offering valuable insights for future improvements. Our model outperforms previous methods in detecting stealthy and polymorphic intrusions and covers a broader range of malware compared to [10], achieving higher detection rates. Additionally, similar to [8], which uses a mix of unsupervised and supervised learning, our approach integrates various techniques to boost detection accuracy and efficiency.

III. PROPOSED METHODOLOGY

Our approach, illustrated in Fig. 1, involves three key steps. First, we collect four open-source datasets for building our deep CNN model. Next, we preprocess the data to ensure it is suitable for model training. Finally, we develop the CNN model, explaining the choice of algorithm, parameter selection, and architectural decisions.

Fig. 1: Framework of proposed IoT Network Intrusion detector

A. Data Collection

We used open-source IoT-based NIDS datasets from the University of Queensland, including NF-ToN-IoT (1,379,274 flows), NF-UNSW-NB15 (1,623,118 flows), NF-UNSW-NB15-v2 (2,390,275 flows), and NF-BoT-IoT (600,100 flows). These datasets, which include various attack types such as DoS, DDoS, Reconnaissance, and Exploits, are used to evaluate network security in both traditional and IoT contexts. We extract features from CSV files to label data flows by attack type. The NF-ToN-IoT dataset serves as our primary data source, with the others used for validation.

B. Data Preprocessing

To prepare the dataset for a deep CNN model, we start by loading it into a pandas DataFrame and dropping the 'IPV4_SRC_ADDR' and 'IPV4_DST_ADDR' columns,
which are irrelevant for classification. The 'Label' column is one-hot encoded for neural network compatibility. We then standardize features with StandardScaler to improve model performance and convergence. The dataset is reshaped to fit the CNN model's requirements and split into 80% training and 20% testing sets for evaluation. These steps ensure the data is well-prepared for effective training and testing.

C. Model Development

Our network intrusion detection framework introduces a Deep CNN-based architecture, delivering impressive performance across multiple benchmark datasets. Referencing Table I, we showcase the architecture's composition. Now, let's delve into the layers and their rationale within this model.

TABLE I: Proposed DCNN Architecture for NIDS
Layer (type)                       Output Shape     Param
conv1d_16 (Conv1D)                 (None, 8, 64)    256
max_pooling1d_16 (MaxPooling1D)    (None, 4, 64)    0
conv1d_17 (Conv1D)                 (None, 3, 64)    8256
max_pooling1d_17 (MaxPooling1D)    (None, 4, 64)    0
flatten_11 (Flatten)               (None, 192)      0
dense_72 (Dense)                   (None, 100)      19300
dropout_61 (Dropout)               (None, 100)      0
dense_73 (Dense)                   (None, 200)      20200
dropout_62 (Dropout)               (None, 200)      0
dense_74 (Dense)                   (None, 300)      60300
dropout_63 (Dropout)               (None, 300)      0
dense_75 (Dense)                   (None, 400)      120400
dropout_64 (Dropout)               (None, 400)      0
dense_76 (Dense)                   (None, 2)        802
Total Params            229514 (896.54 KB)
Trainable Params        229514 (896.54 KB)
Non-trainable Params    0 (0.00 Byte)
Optimizer               Adam
Learning Rate           0.0001
Validation Split        0.2
Batch size              128
Verbose                 1

The Conv1D layer extracts local patterns from network traffic using filters, helping the model detect important features for intrusion detection. It identifies key spatial patterns in sequential data, capturing features that distinguish between different network behaviors and potential threats. In mathematical terms, given an input sequence X with a length of L and N features, along with a filter W of length F, the convolution operation can be expressed as equation (1):

Conv1D(X, W)[i] = \sum_{j=0}^{F-1} X[i + j] \cdot W[j]    (1)

The MaxPooling1D layer reduces the feature map's dimensions by selecting key features, cutting down on computational load while retaining essential information. This improves the model's resilience to variations and simplifies processing in subsequent layers. Given an input feature map X, the max pooling operation is defined in eqn. (2):

MaxPooling(X)[i] = \max(X[i : i + K])    (2)

Here, K is the size of the pooling window.

Fully connected (dense) layers process the flattened output from earlier layers, enabling high-level feature extraction and classification. They integrate features to differentiate between malware and benign network traffic, with multiple layers enhancing the model's ability to understand complex relationships. In equation (3), representing input data as x, weights as w, biases as b, and activation function as σ, dense layers operate element-wise on the summation of weighted inputs and biases.

y = \sigma(Wx + b)    (3)

Dropout layers help prevent overfitting in DCNN models by randomly deactivating units during training, allowing the model to generalize better. The output layer uses softmax activation to classify network traffic as Malware or benign based on learned patterns.

D. Understanding the Feature Contributions for Accurate Classification

LIME improves intrusion detection by showing how individual features impact model predictions. This transparency builds trust, aids in debugging, and helps analysts focus on crucial network traffic aspects, enhancing system reliability and performance. Fig. 2 shows the LIME output for a single instance prediction by the Deep CNN model in intrusion detection, detailing how various features influence the model's decision. The model predicts with complete certainty (probability of 1.00) that the instance is an intrusion (class 1). The intercept value is 0.0176, and the local prediction probability is 0.5081, with the final prediction probability being very close at 0.9999. The chart shows significant feature contributions, with L4_DST_PORT ≤ -0.42, PROTOCOL ≤ -0.30, and FLOW_DURATION_MILLISECONDS > -0.05 being the top factors pushing the prediction towards class 1. Conversely, negative contributions from features such as FLOW_DURATION_MILLISECONDS and 0.58 < TCP_FLAGS ≤ 0.71 slightly support class 0 but are outweighed by the positive influences. By identifying the most influential features, such as L4_DST_PORT, PROTOCOL, and FLOW_DURATION_MILLISECONDS, researchers can focus on these critical factors to enhance feature engineering and optimize data collection. This understanding encourages model transparency and validation, building trust among stakeholders by aligning model behavior with domain knowledge. This output shows how specific network traffic features significantly influence the model's prediction, improving the interpretability of its decisions.

IV. PERFORMANCE ANALYSIS

After training, the model achieved 99.23% accuracy on both the training and testing datasets. However, to fully assess its performance, it's crucial to consider additional metrics such as precision, recall, F1-score, and the confusion matrix. These metrics, detailed in Table II, offer a more comprehensive evaluation of the model's effectiveness.
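The Section III-B preprocessing steps (drop the two address columns, one-hot encode Label, standardize, reshape for Conv1D, 80/20 split) reimplemented in plain Python on ten constructed NetFlow-style flows; this is an added example, not code from the paper or its repository. Column names follow the NetFlow feature set of [12], every value is invented, and fitting the scaler on the training split only is this example's choice.

```python
import math
import random

# Constructed sample flows in the NetFlow v1 column layout of the NF-* datasets
# (feature names per [12]; every value is invented for this example). Label 1 = attack.
COLUMNS = ["IPV4_SRC_ADDR", "L4_SRC_PORT", "IPV4_DST_ADDR", "L4_DST_PORT", "PROTOCOL",
           "L7_PROTO", "IN_BYTES", "OUT_BYTES", "IN_PKTS", "OUT_PKTS", "TCP_FLAGS",
           "FLOW_DURATION_MILLISECONDS", "Label"]
SAMPLE_ROWS = [
    ("192.0.2.10", 51234, "192.0.2.1", 80, 6, 7.0, 520, 1340, 6, 5, 27, 120, 0),
    ("192.0.2.11", 40211, "192.0.2.1", 443, 6, 91.0, 980, 4120, 9, 8, 27, 310, 0),
    ("192.0.2.12", 5353, "224.0.0.251", 5353, 17, 5.0, 140, 0, 2, 0, 0, 0, 0),
    ("198.51.100.7", 33120, "192.0.2.1", 22, 6, 92.0, 64, 0, 1, 0, 2, 0, 1),
    ("198.51.100.7", 33121, "192.0.2.1", 23, 6, 0.0, 64, 0, 1, 0, 2, 0, 1),
    ("198.51.100.7", 33122, "192.0.2.1", 8080, 6, 0.0, 64, 0, 1, 0, 2, 0, 1),
    ("192.0.2.13", 60001, "192.0.2.1", 53, 17, 5.0, 70, 130, 1, 1, 0, 2, 0),
    ("198.51.100.9", 1024, "192.0.2.2", 80, 6, 7.0, 1500000, 800, 4000, 10, 24, 5000, 1),
    ("192.0.2.14", 45000, "192.0.2.2", 1883, 6, 0.0, 210, 60, 3, 2, 24, 45, 0),
    ("198.51.100.9", 1025, "192.0.2.3", 445, 6, 0.0, 64, 0, 1, 0, 2, 0, 1),
]
DROP_COLUMNS = {"IPV4_SRC_ADDR", "IPV4_DST_ADDR"}  # dropped in Section III-B
LABEL = "Label"
FEATURES = [c for c in COLUMNS if c not in DROP_COLUMNS and c != LABEL]  # the 10 inputs


def split_features_labels(rows):
    """Drop the address columns; keep the 10 numeric NetFlow features and the label."""
    idx = [COLUMNS.index(c) for c in FEATURES]
    label_idx = COLUMNS.index(LABEL)
    return [[float(r[i]) for i in idx] for r in rows], [int(r[label_idx]) for r in rows]


def one_hot(y, n_classes=2):
    """Label column -> one-hot vectors, matching the 2-unit softmax output layer."""
    return [[1.0 if k == v else 0.0 for k in range(n_classes)] for v in y]


def train_test_split(X, Y, test_frac=0.2, seed=0):
    """Shuffled 80/20 split; seeded so the example is reproducible."""
    order = list(range(len(X)))
    random.Random(seed).shuffle(order)
    n_test = int(round(len(X) * test_frac))
    test, train = order[:n_test], order[n_test:]
    return ([X[i] for i in train], [Y[i] for i in train],
            [X[i] for i in test], [Y[i] for i in test])


def fit_scaler(X):
    """Per-feature mean and std, i.e. what StandardScaler.fit computes. A feature
    with zero variance gets scale 1.0 (as scikit-learn does) to avoid dividing by 0."""
    n, d = len(X), len(X[0])
    means = [sum(row[j] for row in X) / n for j in range(d)]
    stds = [math.sqrt(sum((row[j] - means[j]) ** 2 for row in X) / n) or 1.0
            for j in range(d)]
    return means, stds


def transform(X, means, stds):
    return [[(v - m) / s for v, m, s in zip(row, means, stds)] for row in X]


def reshape_for_conv1d(X):
    """(n, 10) -> (n, 10, 1): one channel per flow, the input shape the Conv1D expects."""
    return [[[v] for v in row] for row in X]


def preprocess(rows, seed=0):
    X, y = split_features_labels(rows)
    X_tr, Y_tr, X_te, Y_te = train_test_split(X, one_hot(y), seed=seed)
    # Scaling statistics come from the training split only, so no test-flow
    # statistics leak into training (this example's choice; the paper's text
    # lists the standardization step before the split).
    means, stds = fit_scaler(X_tr)
    return {"features": FEATURES,
            "X_train": reshape_for_conv1d(transform(X_tr, means, stds)), "Y_train": Y_tr,
            "X_test": reshape_for_conv1d(transform(X_te, means, stds)), "Y_test": Y_te}
```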
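Equations (1)-(3) and the Table I parameter counts worked through in plain Python, as an added example that is not the paper's code: each layer operation as the text defines it, then a shape and parameter walk down the Table I stack. The kernel sizes (3, then 2), the 10-feature input and the size of the second pooling step are assumptions chosen because they reproduce the printed counts.

```python
import math

# Added example, not the paper's code: equations (1)-(3) in plain Python and a
# parameter count checked against Table I. The paper does not state kernel or
# pool sizes; 3 and 2 are assumed for the first Conv1D/MaxPooling1D pair and 2
# for the second Conv1D because they reproduce the printed parameter counts
# (256 and 8256) for a 10-feature input. Table I's Flatten width 192 = 3 x 64
# implies the second pooling step leaves the length at 3, so it is modelled as K = 1.


def conv1d(x, w, bias=0.0):
    """Equation (1): valid 1-D cross-correlation of a single-channel sequence x
    with a filter w of length F; the output has L - F + 1 positions."""
    f = len(w)
    return [sum(x[i + j] * w[j] for j in range(f)) + bias for i in range(len(x) - f + 1)]


def max_pooling1d(x, k):
    """Equation (2): max over non-overlapping windows of K (stride K, the Keras default)."""
    return [max(x[i:i + k]) for i in range(0, len(x) - k + 1, k)]


def relu(v):
    return [max(0.0, t) for t in v]


def softmax(v):
    """Output-layer activation: exponentials shifted by max(v) for numerical stability."""
    e = [math.exp(t - max(v)) for t in v]
    return [t / sum(e) for t in e]


def dense(x, W, b, activation=relu):
    """Equation (3): y = sigma(Wx + b); W is one row of weights per output unit."""
    return activation([sum(wi * xi for wi, xi in zip(row, x)) + bi for row, bi in zip(W, b)])


# (layer kind, kernel or pool size, filters or units), mirroring Table I top to bottom.
TABLE_I_LAYERS = [
    ("conv1d", 3, 64), ("maxpool", 2, None), ("conv1d", 2, 64), ("maxpool", 1, None),
    ("flatten", None, None), ("dense", None, 100), ("dropout", None, None),
    ("dense", None, 200), ("dropout", None, None), ("dense", None, 300),
    ("dropout", None, None), ("dense", None, 400), ("dropout", None, None),
    ("dense", None, 2),
]


def summarize(layers, input_shape=(10, 1)):
    """Propagate output shapes and count trainable parameters layer by layer,
    returning ([(kind, shape, params), ...], total)."""
    length, ch = input_shape
    rows, flat = [], None
    for kind, size, units in layers:
        if kind == "conv1d":      # F * C_in * C_out weights + C_out biases; valid padding
            params, length, ch = size * ch * units + units, length - size + 1, units
            shape = (length, ch)
        elif kind == "maxpool":   # no parameters; length shrinks by the pool size
            params, length = 0, length // size
            shape = (length, ch)
        elif kind == "flatten":
            params, flat = 0, length * ch
            shape = (flat,)
        elif kind == "dense":     # units * inputs weights + units biases
            params, flat = flat * units + units, units
            shape = (flat,)
        else:                     # dropout: shape unchanged, no parameters
            params, shape = 0, (flat,)
        rows.append((kind, shape, params))
    return rows, sum(p for _, _, p in rows)
```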
TABLE II: Ablation Study of Proposed DCNN Architecture for IoT NIDS
Optimizer Learning Rate Accuracy Precision Recall F1 Score
Adam 0.001 0.9867 0.9842 0.9996 0.9918
Adam 0.0001 0.9923 0.9925 0.9979 0.9952
Adam 0.00001 0.9873 0.9850 0.9994 0.9921
SGD 0.001 0.9776 0.9854 0.9938 0.9957
SGD 0.0001 0.9611 0.9883 0.9930 0.9844
SGD 0.00001 0.9356 0.9338 0.9232 0.9414
RMSprop 0.001 0.9856 0.9828 0.9995 0.9911
RMSprop 0.0001 0.9872 0.9845 0.9977 0.9939
RMSprop 0.00001 0.9869 0.9844 0.9995 0.9919
Adagrad 0.001 0.9669 0.9645 0.9695 0.9619
Adagrad 0.0001 0.9557 0.9458 0.9768 0.9834
Adagrad 0.00001 0.8697 0.8697 0.9045 0.8957
TABLE III: Prior Study/Approach Comparison with our proposed Approach (Params: optimizer=adam and Learning Rate=0.0001)
Model                            Accuracy  Precision  Recall  F1 Score
Deep Neural Network [13], [14]   0.8638    0.8638     0.9612  0.8912
CNN-LSTM [18], [19]              0.9875    0.9858     0.9988  0.9923
GRU-RNN [16], [17]               0.9772    0.9749     0.9894  0.9821
CNN-BiLSTM [5], [15]             0.9501    0.9460     0.9698  0.9577
OUR MODEL                        0.9923    0.9925     0.9979  0.9952

TABLE IV: Model performance on benchmark datasets (Learning Rate=0.0001, optimizer=adam)
Dataset            Accuracy  Precision  Recall  F1 Score
NF-ToN-IoT         0.9923    0.9925     0.9979  0.9952
NF-BoT-IoT         0.9954    0.9950     0.9994  0.9953
NF-UNSW-NB15       0.9853    0.9767     0.9716  0.9836
NF-UNSW-NB15-v2    0.9957    0.9275     0.9777  0.9519

with a learning rate of 0.0001, using Adam and RMSprop optimizers. Adam shows steady improvements in accuracy and decreasing loss over 9 epochs, with minor validation fluctuations. RMSprop achieves rapid accuracy gains early, then plateaus, indicating quick convergence and minimal overfitting, with loss decreasing sharply and stabilizing, reflecting better stability and faster learning. Fig. 4 presents confusion matrices for a Deep CNN model on IoT network intrusion detection using different optimizers (Adam and RMSprop) and learning rates (0.0001 and 0.001). Adam with a learning rate of 0.0001 (subplot (a)) delivers the best performance, achieving the highest true positives (221,272) and true negatives (52,459) with the fewest misclassifications. Increasing the learning rate to 0.001 (subplots (b) and (d)) slightly worsens misclassification rates. RMSprop also performs better with lower learning rates (subplots (c) and (d)), but Adam at 0.0001 remains the most effective.

V. CONCLUSION

This study introduces a novel Deep CNN architecture for efficiently detecting stealthy and polymorphic intrusions in IoT networks. A multi-dataset validation approach shows the model's outstanding performance across diverse datasets. Comparative analysis reveals that it significantly outperforms established models like CNN+BiLSTM, DNN, GRU+RNN, and CNN+LSTM. An ablation study, detailed in Table II, highlights the contributions of individual components to malware traffic detection, providing insights for optimizing future NIDS. To promote further research, the model is open-sourced on GitHub, offering valuable resources for the cybersecurity community. In the future, we'll explore hybrid models that combine DCNNs with techniques like RNNs or Transformers to enhance detection of advanced attack patterns.

REFERENCES

[1] E. Benkhelifa, T. Welsh and W. Hamouda, "A Critical Review of Practices and Challenges in Intrusion Detection Systems for IoT: Toward Universal and Resilient Systems," in IEEE Communications Surveys & Tutorials, vol. 20, no. 4, pp. 3496-3509, Fourthquarter 2018, doi: 10.1109/COMST.2018.2844742.
[2] R. Tahri, Y. Balouki, A. Jarrar, and A. Lasbahani, "Intrusion Detection System Using machine learning Algorithms," ITM Web of Conferences, vol. 46. EDP Sciences, p. 02003, 2022. doi: 10.1051/itmconf/20224602003.
[3] T. Kim and W. Pak, "Early Detection of Network Intrusions Using a GAN-Based One-Class Classifier," in IEEE Access, vol. 10, pp. 119357-119367, 2022, doi: 10.1109/ACCESS.2022.3221400.
[4] L. Yang, J. Li, L. Yin, Z. Sun, Y. Zhao and Z. Li, "Real-Time Intrusion Detection in Wireless Network: A Deep Learning-Based Intelligent Mechanism," in IEEE Access, vol. 8, pp. 170128-170139, 2020, doi: 10.1109/ACCESS.2020.3019973.
[5] R. Ben Said, Z. Sabir and I. Askerzade, "CNN-BiLSTM: A Hybrid Deep Learning Approach for Network Intrusion Detection System in Software-Defined Networking With Hybrid Feature Selection," in IEEE Access, vol. 11, pp. 138732-138747, 2023, doi: 10.1109/ACCESS.2023.3340142.
[6] X. Gao, Q. Wu, J. Cai and Q. Li, "A Fusional Intrusion Detection Method Based on the Hierarchical Filtering and Progressive Detection Model," in IEEE Access, vol. 11, pp. 131409-131417, 2023, doi: 10.1109/ACCESS.2023.3335669.
[7] L. Zou, X. Luo, Y. Zhang, X. Yang and X. Wang, "HC-DTTSVM: A Network Intrusion Detection Method Based on Decision Tree Twin Support Vector Machine and Hierarchical Clustering," in IEEE Access, vol. 11, pp. 21404-21416, 2023, doi: 10.1109/ACCESS.2023.3251354.
[8] S. Dong, Y. Xia and T. Peng, "Network Abnormal Traffic Detection Model Based on Semi-Supervised Deep Reinforcement Learning," in IEEE Transactions on Network and Service Management, vol. 18, no. 4, pp. 4197-4212, Dec. 2021, doi: 10.1109/TNSM.2021.3120804.
[9] X. Ma and W. Shi, "AESMOTE: Adversarial Reinforcement Learning With SMOTE for Anomaly Detection," in IEEE Transactions on Network Science and Engineering, vol. 8, no. 2, pp. 943-956, 1 April-June 2021, doi: 10.1109/TNSE.2020.3004312.
[10] M. Al-Fawa'reh, J. Abu-Khalaf, P. Szewczyk and J. J. Kang, "MalBoT-DRL: Malware Botnet Detection Using Deep Reinforcement Learning in IoT Networks," in IEEE Internet of Things Journal, vol. 11, no. 6, pp. 9610-9629, 15 March 2024, doi: 10.1109/JIOT.2023.3324053.
[11] C. Picard and S. Pierre, "RLAuth: A Risk-Based Authentication System Using Reinforcement Learning," in IEEE Access, vol. 11, pp. 61129-61143, 2023, doi: 10.1109/ACCESS.2023.3286376.
[12] M. Sarhan, S. Layeghy, and M. Portmann, "Towards a Standard Feature Set for Network Intrusion Detection System Datasets," Mobile Networks and Applications, vol. 27, no. 1. Springer Science and Business Media LLC, pp. 357-370, Nov. 10, 2021. doi: 10.1007/s11036-021-01843-0.
[13] K. Jiang, W. Wang, A. Wang and H. Wu, "Network Intrusion Detection Combined Hybrid Sampling With Deep Hierarchical Network," in IEEE Access, vol. 8, pp. 32464-32476, 2020, doi: 10.1109/ACCESS.2020.2973730.
[14] V. K. Navya, J. Adithi, D. Rudrawal, H. Tailor and N. James, "Intrusion Detection System using Deep Neural Networks (DNN)," 2021 International Conference on Advancements in Electrical, Electronics, Communication, Computing and Automation (ICAECA), Coimbatore, India, 2021, pp. 1-6, doi: 10.1109/ICAECA52838.2021.9675513.
[15] W. Dai, X. Li, W. Ji and S. He, "Network Intrusion Detection Method Based on CNN-BiLSTM-Attention Model," in IEEE Access, vol. 12, pp. 53099-53111, 2024, doi: 10.1109/ACCESS.2024.3384528.
[16] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi and M. Ghogho, "Deep Recurrent Neural Network for Intrusion Detection in SDN-based Networks," 2018 4th IEEE Conference on Network Softwarization and Workshops (NetSoft), Montreal, QC, Canada, 2018, pp. 202-206, doi: 10.1109/NETSOFT.2018.8460090.
[17] I. I. Kurochkin and S. S. Volkov, "Using GRU based deep neural network for intrusion detection in software-defined networks," IOP Conference Series: Materials Science and Engineering, vol. 927, no. 1. IOP Publishing, p. 012035, Sep. 01, 2020. doi: 10.1088/1757-899x/927/1/012035.
[18] M. Abdallah, N. An Le Khac, H. Jahromi, and A. Delia Jurcut, "A Hybrid CNN-LSTM Based Approach for Anomaly Detection Systems in SDNs," Proceedings of the 16th International Conference on Availability, Reliability and Security. ACM, Aug. 17, 2021. doi: 10.1145/3465481.3469190.
[19] L. Karanam, K. K. Pattanaik and R. Aldmour, "Intrusion Detection Mechanism for Large Scale Networks using CNN-LSTM," 2020 13th International Conference on Developments in eSystems Engineering (DeSE), Liverpool, United Kingdom, 2020, pp. 323-328, doi: 10.1109/DeSE51703.2020.9450732.