Ain Shams Engineering Journal 14 (2023) 102211

Contents lists available at ScienceDirect

Ain Shams Engineering Journal

journal homepage: www.sciencedirect.com

Securing IoT and SDN systems using deep-learning based automatic

intrusion detection
Rania A. Elsayed, Reem A. Hamada ⇑, Mahmoud I. Abdalla, Shaimaa Ahmed Elsaid
Electronics and Communications Department, Faculty of Engineering, Zagazig University, Zagazig, Egypt

a r t i c l e i n f o a b s t r a c t

Article history: Both Internet of Things (IoT) and Software Defined Networks (SDN) have a major role in increasing effi-
Received 11 September 2021 ciency and productivity for smart cities. Despite that, they face potential security threats that need to be
Revised 16 January 2023 reduced. A new Intrusion Detection System (IDS) has become necessary to secure them. Many researchers
Accepted 18 February 2023
have recently used recent techniques such as machine learning to analyze and identify the rapid growth
Available online 03 March 2023
of attacks and abnormal behavior. Most of these techniques have low accuracy and less scalability. To
address this issue, this paper proposes a Secured Automatic Two-level Intrusion Detection System
Keywords:
(SATIDS) based on an improved Long Short-Term Memory (LSTM) network. The proposed system differ-
Intrusion Detection System (IDS)
Internet of Things (IOT)
entiates between attack and benign traffic, identifies the attack category, and defines the type of sub-
Deep Learning (DL) attack with high performance. To prove the efficiency of the proposed system, it was trained and evalu-
Long Short-Term Memory (LSTM) ated using two of the most recent realistic datasets; ToN-IoT and InSDN datasets. Its performance was
ToN-IoT dataset analyzed and compared to other IDSs. The experimental results show that the proposed system outper-
InSDN dataset forms others in detecting many types of attacks. It achieves 96.35 % accuracy, 96 % detection rate, and
98.4 % precision for ToN-IoT dataset. For InSDN dataset, the results were 99.73 % accuracy, 98.6 % detec-
tion rate, and 98.9 % precision.
Ó 2023 THE AUTHORS. Published by Elsevier BV on behalf of Faculty of Engineering, Ain Shams Uni-
versity. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/
by-nc-nd/4.0/).

1. Introduction Physical and cyber-attacks are both possible in a smart city. Phys-
ical attacks are initiated when attackers are physically closer to the
To accommodate the rising population, metropolitan areas equipment and thus have the opportunity to adapt the network’s
require infrastructure that facilities addressing environmental devices or sensors. Malicious code injection, radio frequency jam-
and transportation concerns. The fast development of low-cost ming, fake node injection, permanent denial of service, side chan-
devices such as sensors, actuators and radio-frequency identifica- nel attack, and sleep denial assault are all examples of these
tion, combined with wireless communication technologies as attacks. On the other hand, in cyber-attacks, the attacker attempts
IoT-oriented infrastructure, has created an ideal environment for to inject malicious or malware software into network components
building numerous smart city applications [1–3], as in Fig. 1. IoT in order to obtain unauthorized access to them. Man-in-the-Middle
is a powerful platform for combining users worldwide without (MITM) attacks, Denial-of-Service (DoS) attacks, Distributed
human interference, as in Fig. 2. It connects everything to the Inter- Denial-of-Service (DDoS) attacks, and Ransomware assaults are
net via data sensing devices that enable intelligent identification, all examples of these types of attacks. Such attacks are becoming
tracking, localization, administration, and supervision. It has sev- more prevalent at an alarming rate and can threaten the confiden-
eral uses include intelligent health care, intelligent transport, and tiality, security, and availability of data [7,8].
smart grids. Like other networks, this technology seeks to enhance Software-Defined Networking (SDN) is a recent technology
our personal and professional lives [4,5]. which utilizes software-based controllers or application program-
Along with the fast growth of IoT systems and devices, the ming interfaces (APIs) to communicate with underlying hardware
interconnectedness of various IoT sensors in smart networks offers infrastructure and direct traffic on a network. It helps drive the
a multitude of potential dangers to IoT devices in smart cities. expansion of IoT-enabled devices, enhances the efficiency of net-
work resource sharing and improves IoT service-level agreements.
Although combining IoT and SDN improves IoT operations and
⇑ Corresponding author. security by allowing full and remote control of network setup
E-mail address: [email protected] (R.A. Hamada).

https://doi.org/10.1016/j.asej.2023.102211
2090-4479/Ó 2023 THE AUTHORS. Published by Elsevier BV on behalf of Faculty of Engineering, Ain Shams University.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

Fig. 3. Deep Learning model architecture.

1.1. Problem statement

Fig. 1. Smart cities construction [1].

Extensive study has been conducted on data security, privacy,

reliability, detection, and mitigation of cyberattacks. However,
there are a range of issues that must be solved in order to establish
sustainable smart cities. Following are the issues to be addressed.

i. As the Internet of Things and other new technologies gain in

popularity, the amount of data being generated will only
increase. To examine such a large amount of data, new
methods should be used.
ii. It is difficult to create a security mechanism that accurately
distinguishes between normal and abnormal behavior in a
dynamic and large-scale IoT environment.
iii. Many new methods and a wide diversity of data make it
harder to learn features that can distinguish between normal
and abnormal traffic.
iv. Using a real-world IoT-based dataset that reflects real-world
IoT-based cyberattacks to evaluate the proposed IDS’s per-
formance is a challenging undertaking due to low-
frequency attacks resulting from an unbalanced training set.
Fig. 2. IOT illustration [6].
1.2. Our contribution
without requiring direct contacts with IoT devices, an efficient IDS
is required to protect the system from various types of attacks. An To address the issues raised in the preceding subsection, this
IDS system is a security mechanism that used to monitor the net- paper presents a SATIDS system to protect IoT and SDN networks.
work traffic and protects authorized users against any malicious It utilizes LSTM network that considered a qualified IDS to accu-
activities that compromises an information system’s confidential- rately identify suspicious activities and types of attack. The pro-
ity, reliability, and availability. It alerts network administrator posed system was trained and tested using two of the most
about that behaviors who acts to protect the network by prevent- recent datasets based on realistic data; ToN-IoT and InSDN data-
ing it [2,9–11]. To assess this massive amount of data and to give sets. The key contributions of this paper are:
relevant knowledge for classification, decision-making, and
cyber-attack detection, various IDS systems make use of artificial
Building the proposed SATIDS system utilizing improved LSTM
intelligence technologies such as machine learning (ML) or Deep that classifies traffic into normal or attack. Then, it determines
Neural Network (DNN) approaches. The more extensive DNN net- the attack category. Finally, it defines the attack sub-type.
works are called Deep Learning (DL), which consider an ML border
Testing the proposed system using the ToN-IoT and InSDN data-
subfield. It is an artificial intelligence function that simulates the sets, and comparing its performance was compared to other
human brain’s data processing and decision-making mechanisms. IDSs.
DL contains many hidden layers to solve many of the complicated
problems in various applications. The input of each layer is the out- 2. Literature review
put of the previous layer, as in Fig. 3. Although DL gives high per-
formance, its main limitation is a longer training time for more Deep learning has several benefits in cyber defense, as it can
essential training data [9]. Convolution Neural Network (CNN) help researchers and cyber analysts gain insights into threats and
and Recurrent Neural Networks (RNN) are two popular types of stay ahead of opponents. Attack detection and prevention continue
DL models. CNN is used in computer image processing and lan- to be a hot area of research that receives considerable attention
guage processing while RNN is used in the processing of natural due to the variety of attackers and possible damage. Recently,
language and text processing. LSTM network is considered an numerous researches have been carried out to detect network
extension of the RNN network which is able to learn using line attacks using various DLs.
sequences pattern. So, it can be used to identify traffic type into In [1], the authors presented a dependable privacy-preserving
attack or normal. The primary benefit of this form of deep learning secure framework (TP2SF) for smart cities. This framework is com-
is that the raw data is used directly [5]. prised of three modules: a module for trustworthiness, a module
2
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

with two levels of privacy, and an intrusion detection module. They Table 1
used 19 features only from 43 features. The authors of [2] proposed Previous Ids Approaches.

a cyberattack detection system for IoMT networks based on Ref. Technique Dataset Perfomance Analysis
ensemble learning and fog-cloud architecture. The ensemble [1] Trustworthy Privacy- ToN-IoT Accuracy of 98.84%
design integrates the Decision Tree, Naive Bayes, and Random For- Preserving Secured BoT-IoT Accuracy of 99.99%
est models created by the individual learners. Framework for smart cities
A new method based on LSTM autoencoder and one-class sup- is presented using three
modules: a trustworthiness
port vector machine (OC-SVM) is shown in [9] to find anomaly- module, a two-level privacy
based attacks in an unbalanced dataset. The models are trained module, and an intrusion
with only examples of normal classes. In [10], a model was made detection module
that takes the given features and pulls out the important ones. It [2] Ensemble learning and fog- ToN-IoT Accuracy of 96.35%
cloud architecture-driven
then uses deep learning to classify incursions. Notably, the under-
cyberattack detection
lying data points can’t be thought of as samples from a single dis- framework for IoMT
tribution. Instead, they come from two different distributions, one networks
that applies to all network intrusions and the other that is specific [9] Hyper approach based on InSDN Accuracy of 90.5%
to one domain. Table 1 contains previous approaches in that field. LSTM autoencoder and
One-class Support Vector
Machine to detect
3. Subjects and methods anomalies based attacks in
an unbalanced dataset
[10] CNN technique with L2 InSDN Accuracy of 93.01%
3.1. Database description regularization and the
dropout methods to
The IDSs performance is based on the quality of the training address the overfitting
problem
dataset. The lack of up-to-date real-world dataset is one of the
[11] DL platform combination of CICIDS2017 Accuracy of 99.002%
key obstacles in deploying detection methods. The main reason binary bat algorithm,
why public data sets are not available for the intrusion detection binary genetic algorithm,
area is privacy and legal considerations. The proposed algorithm and binary gravitational
is trained and evaluated using two of the most recent realistic search algorithm.
[12] A clustering method based KDD Accuracy of 93.07%
datasets namely ToN-IoT and InSDN dataset.
on unsupervised CICIDS2017 Accuracy of 88%
component selection and Wormhole Accuracy of 94.06%
3.1.1. ToN-IoT dataset initialization of the cluster
centre
The ToN-IoT dataset is obtained from a practical and large-scale
[13] ML models (DNN and CICIDS2017 99.8% True Positive Rate
network developed by UNSW Canberra Cyber IoT Lab, School of LSTM) for binary prediction for DNN
Engineering and Information Technology (SEIT), UNSW Canberra of unknown DoS/DDoS 99.9% True Positive Rate
at The Australian Defense Force Academy (ADFA) [19,20]. The data- attacks for LSTM
[14] A novel technology for UNSW- Detection Rate of 99.74%
set is compiled in parallel processing to collect a range of routine
enhancing the high- NB15 for binary classification
and cyber-attack events from IoT networks. A new testbed was efficiency identification CICIDS2017 and 96.54% for multiclass
built at the IoT lab to connect a range of virtual computers, physical rate of minority groups classification Detection
tools, hacking systems, cloud and fog systems, and IoT sensors to rate of 99.85 %
simulate the functionality and scalability of the automotive IoT [15] A new method to reduce CICIDS2017 Accuracy = 99.6191%
the feature subset for the
and Enterprise 4.0 networks. This dataset contains different recent
web- attack classification.
smart city-based attacks such as DoS, DDoS, and ransomware. [16] Scale-hybrid-IDS-AlertNet KDDCup99 Accuracy = 93%
These attacks have been deployed against web applications, IoT NSL-KDD Accuracy = 80.1%
gateways, and computer systems across the IoT network. This UNSW- Accuracy = 84.5%
dataset contains 43 features with 4,61,043 total observations NB15 Accuracy = 99.2%
WSN-DS Accuracy = 96.3%
divided into 3,00000 normal and 1,61,043 attack observations. CICIDS2017 Accuracy = 88.5%
The dataset was divided into 70 % and 30 % of train and test set Kyoto
respectively. Table 2 shows the statistic of normal traffic and dif- [17] Secured Privacy-Preserving ToN-IoT Accuracy = 99.77%
ferent attack vectors which was presented in the dataset [1,2]. Framework (SP2F) for smart IoT Botnet Accuracy = 99.98%
agricultural UAV
[18] An enhanced-proof-of- Power Accuracy = 95.2%
3.1.2. InSDN dataset work-technique-based System Accuracy = 98.1%
The InSDN dataset covers many scenarios and attack classes, blockchain UNSW-
NB15
including Probe, DoS application, web attacks, Brute Force attack,
[19] Fuzzy Gaussian Mixture- NGIDS-DS Accuracy = 95.48%
password guessing, U2R, and DDos attacks. In addition, InSDN reg- based Correntropy, based KDD-98 Accuracy = 99.55%
ular traffic also encompasses several common features. The dataset on the fuzzy rough set ToN_IoT Accuracy = 97.54%
source of attacks originates from both an internal and an external attribute reduction method
network to imitate the actual attack scenarios. It covers about 80
statistical aspects in CSV format such as Protocol, Duration, Byte
number, Packet number, etc. The overall number of dataset
instances for normal and attack traffic is 343,939; a total of plane gives the attacker a new option compared to the traditional
68,424 for normal traffic and 275,515 for attack traffic as shown network of numerous attacks. These intrusions are not easy to be
in Table 3. detected since the intruder is permitted to access to the victims’
The attack traffic emulates the same normal behavior since nor- server.
mal and malicious traffics are transmitted to the SDN controller for As a result, such a data collection might be a good indicator for
decision-making. Furthermore, the centralized perspective of the the model assessment that reflects the real-world scenario.
SDN network and the separation of the data plane from the control Furthermore, the InSDN dataset contains no redundant records to

3
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

Table 2 between memory units. The input gate decides whether the input
Ton-Iot Database. signal will alter the memory cell’s status or not. On the other hand,
Attacks No. of Instances % the output gate determines which memory cell status can be chan-
Normal 300,000 65.07 ged. The forgotten gate can decide to forget its status (or remember
Backdoor 20,000 4.34 it). The activity of the LSTM hidden layer is calculated at each step,
Scanning 20,000 4.34 depending on the configuration of the LSTM, as shown in Fig. 4. The
Injection 20,000 4.34 internal four memory gates are responsible for regulating the
Password 20,000 4.34
XSS 20,000 4.34
interlinkage. he interlinkage between memory units. The input
Ransomware 20,000 4.34 gate decides whether the input signal will alter the memory cell’s
DDOS 20,000 4.34 status or not. On the other hand, the output gate determines which
DOS 20,000 4.34 memory status can be changed depending on the previous input.
MITM 1043 0.23
The forgotten gate can decide to forget its status (or remember
it), under the following equations, at time t:

Table 3 it ¼ rðW xi xt þ W hi ht1 þ W ci ct1 þ bi Þ ð1Þ

InSDN Database.


Attacks No. of Instances % f t ¼ r W xf xt þ W hf ht1 þ W cf ct1 þ bf ð2Þ
Normal 68,424 52.32
DoS-Application 31,628 24.19 ot ¼ rðW xo xt þ W ho ht1 þ W co ct þ bo Þ ð3Þ
Probe 15,225 11.64
DDOS 9943 7.6
DoS-Network 3772 2.88 ct ¼ f t ct1 þ it tanhðW xc xt þ W hc ht1 þ bc Þ ð4Þ
Brute force attack 1405 1.07
Web Application 192 0.147
Botnet 164 0.125 ht ¼ ot  tanhðct Þ ð5Þ
U2R 17 0.013
Where it, ft, ot, and ct are the input, forget, output and cell gate
activations at any time t respectively.
r: Logistic sigmoid function.
prevent the learner model from distracting itself from the most
W*: Weight matrices.
common records [9,10,21].
b*: Variable biases.
ht-1: Hidden state at time step t  1.
ct-1: Cell state step at time t  1.
3.2. LSTM network

DNN is a type of neural network with a hierarchical structure 4. The proposed system
and many hidden layers. The network becomes denser when the
hidden layers increase. It becomes trendy among cybersecurity In multi-attack IDS system, the main target is to improve detec-
researchers in the last few years. LSTM network is RNN that uses tion efficiency to be more accurate in defining attack type. That
the input information to predict the next sequence according to helps to face various forms of attack. To accurately detect the
the detected pattern. The recurrence of the network delay, which attack type, a SATIDS system based on LSTM network is proposed.
represents the complex system output, is the RNN’s most essential This system achieves better performance than others IDSs. Fig. 5
characteristic. Furthermore, RNNs maintain an activation vector presents the inner structure of the proposed SATIDS system. Recti-
that makes the RNN an intense neural network. However, due to fied Linear Unit (Relu layer) activation function performs a thresh-
explosion and gradient difficulties, it’s also difficult to teach RNNs old operation to an input element concerning zero as some input
to rely on data from time series for a long time [17]. data contain negative values. Relu layer passes the positive input
LSTM architecture makes it a good choice for solving the RNN and gives zero value to the negative values. Then number of LSTM
extinction gradient problem. It uses a memory cell, which in layers are used; each of them is followed by a 0.2 probability drop-
sequential data may represent long-term dependencies. Fig. 4 out layer. The dropout layer probability value was chosen 0.2
shows the internal structure of the LSTM memory cell. The according to the try and error method to give the highest overall
performance parameters as in Fig. 6. The dropout layer sets the
input to avoid overfitting that decreases the network performance
parameters. The initial learning rate was set to 0.0001, and LSTM
batch size is 2000 to provide the highest performance parameters.
A fully connected layer flattens the output of the previous layers
and converts it to a single vector. Finally, the Softmax layer will

Fig. 4. LSTM internal architecture structure [18]. Fig. 5. Modified DL-based LSTM network.

4
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

tested by comparing the network output category with the actual

testing record label.

5. Experimental results and discussion

Using MATLAB on an Intel Core-i7 processor with 8 GB RAM and

Windows 10 platform, the proposed SATIDS system was imple-
mented and its intrusion detection performance was tested. Using
the confusion matrix and Receiver Operating Characteristic (ROC)
curve, the system performance was measured. The performance
of the proposed system was analyzed and compared with others.
Confusion matrix is a table structure commonly used for multi-
Fig. 6. Proposed algorithm parameters (Accuracy vs. Dropout layer probability). class assessment. It includes information on current and forecast
classifications. It consists of four main values determined for each
class [17]:
eventually enter the classification layer classifying the data as
benign or a form of attack.

True Positive (TP): number of normal observations in dataset
traffic which were classified by the technique correctly.
Algorithm: SATIDS System
True Negative (TN): number of intrusion observations which is
Input: Dataset (ToN-IoT or InSDN) properly classified by the algorithm as normal.
Result: Traffic type
False Positive (FP): number of normal traffic observations
Procedures: wrongly identified by the algorithm as abnormal.
1 Remove IP address and time stack
False Negative (FN): number of irregular observations wrongly
2 Divide the dataset into 70 % for training & 30 % for testing identified by the algorithm as normal observations.
3 Insert training dataset to the proposed system
4 For each record The key parameters to measure the network efficiency are
train network with each traffic record and consider the Accuracy, Precision, Specificity, Detection rate, and F1 Score. The
traffic label END FOR following equations were used to compute these parameters:

6 Input testing records to the trained system
Accuracy: The ratio of correctly calculated observations by the
6 Identify traffic type (normal or malicious) network to the total number of samples in the dataset.
7 If the traffic classified as anomaly, detect the type of
attack TP þ TN
Accuracy ¼ ð6Þ
8 Calculate network performance TP þ TN þ FP þ FN

Precision: The number of corrected detected observations,

The block diagram of the proposed SATIDS system is shown in Fig. 7.
divided by the total number of observations that the model
The algorithm below demonstrates the process of SATIDS system.
identifies as an attack.
ToN-Iot & InSDN datasets are used to train and test the proposed
system. First, the IP address and time stake label were removed. TP
Then, the dataset is divided into 70 % for training and 30 % for test- Precision ¼ ð7Þ
TP þ FP
ing. Each line of data enters the network separately. After training
the system using the training dataset, the system became ready
to identify the category of data (normal or malicious traffic). For
each testing record, the system first categorizes it as normal or
Detection Rate (DR): The ratio of the corrected observations
attacks. observed by the model to the total number of tests.
If an attack occurs, it deduces the type of attack, whether it is
DDOS/DOS, Backdoor, Injection, Mitm, Password, Ransomware, TP
DR ¼ ð8Þ
Scanning, XSS, BFA, BotNet, Probe, U2R, or Web-Attack, according TP þ FN
to the learning pattern. Finally, the network performance was

Fig. 7. Block diagram of the proposed SATIDS system.

5
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

Specificity (TNR): The proportion of negatives that are detected

correctly.

TN
Selectivity ¼ ð9Þ
FP þ TP

F1-score: Evaluating the test accuracy by calculating the aver-

age weight of the detection rate.

Precision  Recall
F1  score ¼ 2  ð10Þ
Precision þ Recall

5.1. Performance Analysis

Fig. 8. Performance Analysis of the proposed system using TON-IOT Dataset.
To get the highest performance of the proposed SATIDS model,
the system performance was tested using different number of
LSTM layers and various number of hidden layers.

5.1.1. TON-IOT dataset

– Binary Classification (normal/anomaly)

Table 4 and Fig. 8 represent the performance of the proposed
SATIDS system at different numbers of hidden layers (H) and LSTM
layers (L). It is obvious that the system records the highest accu-
racy in case of 500 hidden layers for 2 LSTM layers (accuracy = 9
6.35 %) and 3 LSTM layers (accuracy = 95.56 %). Also, the area under
ROC curve has its highest value with 97.03 % for 2 LSTM layers and
96.51 % for 3 layers. FAR is the lowest in case of 2 LSTM layers and
500 hidden layers. Precision has its highest value in case of 2 LSTM
layers and 500 hidden layers (Pr = 98.4 %).
Fig. 9 presents the performance of the proposed SATIDS system
when facing Backdoor attack. As shown, the system has its highest
performance when using 4 LSTM layers and 300 hidden layers:
95.7 % precision and 99.9 % detection rate. When facing DDOS
Fig. 9. Detecting Backdoor Attack.
attack, the performance of proposed SATIDS system is shown in
Fig. 10. The network has its highest performance when using 3
LSTM layers and 500 hidden layers: 94.8 % precision and 92.7 %
detection rate. respectively. As shown, the network has its highest performance
Figs. 11–13 represent the performance of proposed SATIDS sys- when using 3 LSTM layers and 500 hidden layers. When facing
tem when facing DOS attack, DDOS attack, and MITM attack, Password attack, Ransomware attack and scanning attack, the

Table 4
Performance Analysis of the proposed SATIDS system (using ToN-IoT Dataset).

# LSTM # Hidden ACC. ROC FAR Precision F1-Score Detection Rate

1 100 93.75 91.46 8.5 95.4 95.2 95
1 200 95.11 95.06 4.9 97.3 96.19 95.1
1 300 95.15 96.07 3.9 97.8 96.225 94.7
1 400 95.77 95.97 4 97.8 96.739 95.7
1 500 96.12 95.95 4.3 97.6 97 96.4
2 100 95.06 95.54 4.5 97.5 96.13 94.8
2 200 95.09 96.28 3.7 97.9 96.17 94.5
2 300 96.17 95.81 4.2 97.7 97.05 96.4
2 400 96.34 96.51 3.8 97.9 97.144 96.4
2 500 96.35 97.03 3 98.4 97.19 96
3 100 93.91 95.75 4.3 97.6 95.19 92.9
3 200 96.51 95.13 4.9 97.4 97.3 97.2
3 300 96.13 93.99 6.2 96.7 97.05 97.4
3 400 96.52 96.86 3.1 98.3 97.3 96.3
3 500 96.56 96.51 5.1 97.3 97.35 97.4
4 100 95.44 95.36 4.6 97.5 96.49 95.5
4 200 95.47 95.49 4.5 97.5 96.49 95.5
4 300 95.82 96.97 3 98.3 96.73 95.2
4 400 95.59 95.79 4.2 97.7 96.59 95.5
4 500 95.68 95.9 4.1 97.7 96.63 95.6

6
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

Fig. 13. Detecting MITM Attack.

Fig. 10. Detecting DDOS Attack.

Fig. 14. Detecting Password Attack.

Fig. 11. Detecting DOS Attack.

Fig. 15. Detecting Ransomware Attack.

setting was selected as 3 LSTM layers and 500 hidden layers in case
of binary classification since it has the best performance.
Fig. 12. Detecting Injection Attack.
– Multi-attack classification

performance of the proposed SATIDS system is shown in Figs. 14– Table 5 and Figs. 9–13 show the performance of the proposed
16 respectively. As shown, the network also has its highest perfor- SATIDS system in case of multiclassification using ToN-IoT dataset.
mance when using 3 LSTM layers and 500 hidden layers. For each attack, the accuracy and detection rate were recorded at
Detection Rate in case of using 3 LSTM layers and 500 hidden different number of LSTM layers and hidden layers.
layers is the highest (DR = 97.4 %), unlike that of using 2 LSTM lay- Fig. 17 represents the performance of the proposed SATIDS sys-
ers and 500 hidden layers (DR = 96 %). For all that, the system tem when facing XSS attack. As shown, the network has its highest

7
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

Fig. 17. Detecting XSS Attack.

Fig. 16. Detecting Scanning Attack.

detection rate of 98.9 % and 98.6 % respectively. So, 4 layers LSTM

performance when using 3 LSTM layers and 400 hidden layers:
and 500 hidden layers was selected in the proposed system as it
91.2 % precision and 93.1 % detection rate. From Table 5 and Figs. 9–
has the best performance in case of binary classification.
17, it is clear that using 3 LSTM layers and 500 hidden layers
achieves the highest accuracy, precision and detection rate.
– Multi-attack classification

5.1.2. INSDN dataset Table 7 presents the output of our proposed SATIDS system
when using InSDN database in case of identifying the type of
– Binary Classification (normal/anomaly) attack. In this table, the number of LSTM layer and the number
Table 6 presents the system intrusion detection performance at of hidden layers in LSTM layer are changed and the precision and
different numbers of hidden layers (H) and LSTM layers. As shown detection rate for each attack at each time are recorded. Fig. 19
in Fig. 18, in case of 500 hidden layers and 4 LSTM layers the net- shows the performance of proposed SATIDS system when facing
work has its highest accuracy of 99.51 %, the highest RoC of BFA attack. The network has its highest performance when using
99.73 %, the lowest FAR of 0.3, and the highest precision and

Table 5
Performance Analysis of the proposed system using ToN-IoT Database.

8
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

Table 6
Performance analysis of the proposed system using InSDN Dataset.

# LSTM # Hidden layer ACC. ROC FAR Precision F1-Score Detection Rate
1 100 97.97 99 1 95.9 94.84 93.8
1 200 98.32 99.2 0.8 96.7 95.74 94.8
1 300 98.59 99.24 0.8 96.9 96.45 96
1 400 98.41 99.05 1 96.2 96 95.8
1 500 98.46 99.12 0.9 96.4 96.1 95.8
2 100 98.8 99.40 0.6 97.5 96.89 96.3
2 200 99.06 99.33 0.7 97.3 97.65 98
2 300 99.25 99.55 0.4 98.2 98.15 98.1
2 400 99.26 99.49 0.5 97.9 98.15 98.4
2 500 99.20 99.42 0.6 97.7 98 98.3
3 100 98.65 99.14 0.9 96.5 96.6 96.7
3 200 99.23 99.62 0.4 98.4 98.05 97.7
3 300 99.26 99.48 0.5 97.9 98.15 98.4
3 400 99.34 99.69 0.3 98.7 98.35 98
3 500 99.39 99.64 0.4 98.5 98.45 98.4
4 100 98.81 99.45 0.6 97.7 96.94 96.2
4 200 99.31 99.00 0.5 98.2 98.3 98.4
4 300 99.31 99.42 0.6 97.7 98.3 98.9
4 400 99.39 99.56 0.4 98.2 98.45 98.7
4 500 99.51 99.73 0.3 98.9 98.75 98.6

formance when using 1 LSTM layers and 300 hidden layers with
77.8 % precision and 24.6 % detection rate.
From Table 7 and Figs. 19–24, it is obvious that using 4 LSTM
layers (L) with 400 hidden layers (H) achieved the highest accu-
racy, precision and detection rate in multi classification
experiment.

5.2. Performance comparison

– TON-IOT DATASET
Table 8 and Fig. 25 show a performance comparison among the
proposed SATIDS system and other approaches when using ToN-
IoT dataset. The proposed system outperforms others with preci-
sion of 97.3 %, and F1-score of 97.35 %. As for the Detection rate,
techniques presented in [2] as E-ADS, SAE-IDS and Ensemble learn-
ing recorded higher DR than the proposed SATIDS.
Table 9 and Fig. 26 illustrate the comparison of performance
Fig. 18. Performance ANALYSIS OF the proposed system using InSDN DataSET. while utilizing the feature selection technique. Minimum Redun-
dancy Maximum Relevance (MRMR) approach was utilized with
the proposed SATIDS to select 20 features out of the 43 features
in ToN-IoT dataset. SP2F [17] extracted the 20 most essential fea-
4 LSTM layers and 300 hidden layers with 85.6 % precision and tures using a mutual information-based methodology. The TP2SF
59.1 % detection rate. Figs. 20 and 21 show the performance of pro- architecture proposed in [1] adopts the most fundamental statisti-
posed SATIDS system when facing BOTNET attack and DDOS attack cal method based on the Pearson correlation coefficient (PCC). In
respectively. As shown, the network has its highest performance terms of Accuracy, F1-score, precision, and detection rate, the pro-
when using 1 LSTM layer and 500 hidden layers for BOTNET attack posed MRMR-SATIDS outperforms TP2SF [1]. In terms of f1-score
and 3 LSTM layers and 500 hidden layers for DDOS attack. and detection rate, the proposed system outperformed SP2F [17]
For DOS attack, the performance of proposed SATIDS system is as well. However, SP2F [17] is 0.76 % more accurate than MRMR-
shown in Fig. 22, the network has its highest performance when SATIDS.
using 4 LSTM layers and 400 hidden layers with 98.5 % precision
and 99.1 % detection rate. Fig. 23 presents the performance of pro- – INSDN DATASET
posed SATIDS system when detecting Probe attack. As shown, the
system has its highest performance when using 4 LSTM layers Table 10 and Fig. 27 compare the performance of the proposed
and 300 hidden layers with 98.8 % precision and 98.8 % detection SATIDS system to other IDSs in case of using InSDN database. It is
rate. As for detecting Web-attack, the performance of proposed clear that the proposed system outperforms others with 98.4 %
SATIDS system is shown in Fig. 24, the system has its highest per- detection rate, 99.39 % accuracy, 99.64 % area under curve of

9
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

Table 7
Performance Analysis of the proposed system using InSDN Database.

Fig. 21. Detecting DDOS Attack.

Fig. 19. Detecting BFA Attack.

Fig. 20. Detecting BOTNET Attack. Fig. 22. Detecting DOS Attack.

10
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

Fig. 23. Detecting Probe Attack.

Fig. 25. Performance comparison using ToN-IoT Dataset.

Table 9
Performance comparison USING 20 features of ToN-IoT Database.

Technique Performance Metrics

Accuracy Precision F1- Detection
Score Rate
SP2F [17] 99.64 99.94 98.87 98.88
Tp2sf (with original) [1] 97.45 96.95 94.43 92.43
TP2SF (with transform) 98.84 97.23 95.28 94.03
[1]
Proposed MRMR-SATIDS 98.8 99.3 99.05 98.8

Fig. 24. Detecting Web-Attack.

Table 8
Performance comparison using ToN-IoT Database.

Technique Performance Metrics

Accuracy Precision F1-Score Detection Rate
Ensemble Learning [2] 96.352 90.545 95.03 99.983
SVM-IDS [2] 82.212 65.121 78.812 74.744
Health Guard [2] 88.677 60.983 83.542 82.299
SAE-IDS [2] 83.15 67.571 80.485 99.5
E-ADS [2] 96.353 90.545 95.03 99.983
Random Forest(RF) [2] 93.944 86.866 91.811 97.327
Decision Tree(DT)[1] 95.34 74.42 76.33 80
Naïve Bayes(NB) [1] 90.62 77.68 72.43 77.7
Proposed SATIDS 96.56 97.3 97.35 97.4

Fig. 26. Performance comparison using 20features of ToN-IoT Dataset.

ROC, and 0.9845 F1-score. It has almost equal precision to CNN
Model [10] with a little bit difference.
threats that needed to be reduced. This paper proposes a Secured
Automatic Two-level Intrusion Detection System (SATIDS) based
6. Conclusion and future work
on improved Long Short-Term Memory (LSTM) network to differen-
tiate between attack and benign traffic, identifies the attack cate-
Internet of Things is a powerful platform for combining users
gory, and defines the type of sub-attack with high-performance.
worldwide without human interference. It connects everything to
The proposed technique is trained and assessed using two of the lat-
the Internet via data sensing devices. Although SDN technology
est realistic IoT datasets; ToN-IoT and InSDN. To demonstrate the
enhances IoT security, IoT applications still face potential security

11
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

Table 10
Performance comparison USING InSDN Database.

Technique Performance Metrics

Accuracy Detection Rate Precision F1-Score ROC
OC-SVM [9] 87.5 93 89 91 –
LSTM Autoencoder-OC-SVM [9] 90.5 93 93 93 90.6
CNN Model [10] 93.01 86.71 98.67 93.59 92.8
Proposed SATIDS 99.39 98.4 98.5 98.45 99.64

[8] Singh S, Sharma PK, Moon SY, Moon D, Park JH. A comprehensive study on APT
attacks and countermeasures for future networks and communications:
challenges and solutions. J Supercomput 2019;75(8):4543–74.
[9] Said Elsayed M, Le-Khac NA, Dev S, Jurcut AD. Network anomaly detection
using LSTM based autoencoder. In: Proceedings of the 16th ACM symposium
on QoS and security for wireless and mobile networks. p. 37–45.
[10] Elsayed M, Jahromi H, Nazir M, Jurcut A. The role of CNN for intrusion
detection systems: an improved CNN learning approach for SDNs. In: 2020
16th IEEE international colloquium on signal processing & its applications
(CSPA). IEEE; 2020. p. 29–34.
[11] Atefi K, Hashim H, Khodadadi T. A hybrid anomaly classification with deep
learning (DL) and binary algorithms (BA) as optimizer in the intrusion detection
system (IDS). In: Proceedings of the 16th IEEE international colloquium on
signal processing & its applications (CSPA). IEEE; 2020. p. 29–34.
[12] Prasad M, Tripathi S, Dahal K. Unsupervised feature selection and cluster
center initialization based arbitrary shaped clusters for intrusion detection.
Comput Secur 2020;99:102062.
[13] Sabeel U, Heydari SS, Mohanka H, Bendhaou Y, Elgazzar K, El-Khatib K.
Evaluation of deep learning in detecting unknown network attacks. In:
Proceedings of international conference on smart applications,
communications and networking (SmartNets). IEEE; 2019. p. 1–6.
[14] Zhang H, Huang L, Wu CQ, Li Z. An effective convolutional neural network
based on SMOTE and Gaussian mixture model for intrusion detection in
imbalanced dataset. Comput Netw 2020;177:107315.
[15] Kshirsagar D, Kumar S. An ensemble feature reduction method for web-attack
detection. J Discret Math Sci Cryptogr 2020;23(1):283–91.
[16] Vinayakumar R, Alazab M, Soman K, Poornachandran P, Al-Nemrat A,
Fig. 27. Performance comparison using InSDN Dataset. Venkatraman S. Deep learning approach for intelligent intrusion detection
system. IEEE Access 2019;7:41525–50.
[17] Kumar R, Kumar P, Tripathi R, Gupta GP, Gadekallu TR, Srivastava G. SP2F: a
efficiency of the suggested system, its performance has been studied privacy-preserving framework for smart agricultural Unmanned Aerial
Vehicles. Comput Netw 2021:107819.
and compared with other IDSs. Results reveal that the suggested IDS [18] Keshk M, Turnbull B, Moustafa N, Vatsalan D, Choo K-K-R. A privacy-
system outperforms other IDSs with 96.35 % accuracy, 96 % detec- preserving-framework-based blockchain and deep learning for protecting
tion rate, and 98.4 % precision for ToN-IoT dataset and 99.73 % accu- smart power networks. IEEE Trans Ind Inf 2019;16(8):5110–8.
[19] Haider W, Moustafa N, Keshk M, Fernandez A, Choo K-K-R, Wahab A.
racy, 98.6 % detection rate, and 98.9 % precision for InSDN dataset. FGMCHADS: Fuzzy Gaussian mixture-based correntropy models for
Our future research will focus on refining the model of the proposed detecting zero-day attacks from linux systems. Comput Secur 2020:101906.
system by exploiting feature selection, detect zero-day attacks on [20] Moustafa N. ToN_IoT datasets. IEEE Dataport; 2019. Online; Accessed 10-Feb-
2020. doi: 10.21227/fesz-dm97.
IoT systems, and apply the proposed system to real-world Internet [21] Elsayed MS, Le-Khac NA, Jurcut AD. InSDN: a novel SDN intrusion dataset. IEEE
of Things networks composed of mobile devices. Access 2020;8:165263–84.

Declaration of Competing Interest

Rania A. Elsayed received the M.Sc. degree in elec-
tronics and communications engineering from the
The authors declare that they have no known competing finan- University of Zagazig, Egypt in 2009. She received her
cial interests or personal relationships that could have appeared PhD in Electrical and Computer Engineering from the
to influence the work reported in this paper. University of Zagazig in 2018. She is currently a doctor
with the Department of Electronics and Communica-
tions Engineering, Faculty of Engineering, Zagazig
References University, Egypt.

[1] Kumar P, Govind PG, Rakesh T. TP2SF: A Trustworthy Privacy-Preserving

Secured Framework for sustainable smart cities by leveraging blockchain and
machine learning. J Syst Archit 2021;115:101954.
[2] Kumar P, Prabhat GP, Gupta R. Tripathi, An ensemble learning and fog-cloud
architecture-driven cyber-attack detection framework for IoMT networks.
Comput Commun 2021;166:110–24.
[3] Ashfaq Z, Rafay A, Mumtaz R, Zaidi SMH, Saleem H, Zaidi SAR, et al. A review of
enabling technologies for internet of medical things (IOMT) ecosystem. Ain
Shams Eng J 2022;13(4):101660.
[4] Slama SB. Prosumer in smart grids based on intelligent edge computing: a
review on Artificial Intelligence Scheduling Techniques. Ain Shams Eng J 2021. Reem Alaa Hamada is an Teachnig Assistant at Electronics and Communications
[5] Roopak M, Tian GY, Chambers J. Deep learning models for cyber security in IoT Dep., Faculty of Engineering, Zagazig University, Egypt She has received the BSc
networks. In: 2019 IEEE 9th annual computing and communication workshop (2010) and MSc (2011) in Network Communication from the Faculty of Engineering,
and conference (CCWC). p. 0452–7. Zagazig University (Egypt). Her current research interests include Cyber security,
[6] Doukas C. Building Internet of Things with the ARDUINO. CreateSpace Internet of things (IoT), Network Communication, Medical Imaging, and Soft
Independent Publishing Platform; 2012. Computing. She is author many research papers published at international journals,
[7] da Costa KA, Papa JP, Lisboa CO, Munoz R, de Albuquerque VHC. Internet of
and conference proceedings.
Things: a survey on machine learning-based intrusion detection approaches.
Comput Netw 2019;151:147–57.

12
R.A. Elsayed, R.A. Hamada, M.I. Abdalla et al. Ain Shams Engineering Journal 14 (2023) 102211

M. I. Abdalla is a full professor in the Electronics and Dr. Shaimaa Elsaid is an Associate Professor at Elec-
Communication Department, Faculty of Engineering, tronics and Communications Dep., Faculty of Engineer-
Zagazig University. He received his BSc degree from ing, Zagazig University, Egypt. She has received the MSc
University of Mansoura, Egypt in 1979, and also the (2006) in Networks Security and PhD (2011) in Multi-
Master of Science degree from the same university in media Security from the Faculty of Engineering, Zagazig
1984. He received his PhD degree from Zagazig University (Egypt). Her current research interests
University, Egypt in 1989. He worked as a lecturer in include Cyber security, Internet of things (IoT), Digital
Saudi Arabia from 1990 to 1993. He worked in a Post- Image Processing, Medical Imaging, and Soft Comput-
doctoral research in University of Connecticut, USA in ing. She is author of 2 books and many research papers
1996. His research interests are Wireless communica- published at international journals, and conference
tion, Signal processing, Image processing and Pattern proceedings. Also, she has supervised many graduation
Recognition. He has supervised different master and projects, Master, and PhD theses.
PhD theses. He has published many research papers in international conferences
and journals.

13