Article

An Efficient CNN-Based Intrusion Detection System for IoT: Use Case Towards Cybersecurity

by Amogh Deshmukh *,† and Kiran Ravulakollu
School of Technology, Woxsen University, Sangareddy District, Hyderabad 502345, Telangana, India
* Author to whom correspondence should be addressed.
† These authors contributed equally to this work.
Technologies 2024, 12(10), 203; https://doi.org/10.3390/technologies12100203
Submission received: 19 September 2024 / Revised: 6 October 2024 / Accepted: 9 October 2024 / Published: 17 October 2024
(This article belongs to the Special Issue IoT-Enabling Technologies and Applications)

Abstract

Today’s environment demands that cybersecurity be given top priority because of the increase in cyberattacks and the development of quantum computing capabilities. Traditional security measures have relied on cryptographic techniques to safeguard information systems and networks. However, with the adaptation of artificial intelligence (AI), there is an opportunity to enhance cybersecurity through learning-based methods. IoT environments, in particular, work with lightweight systems that cannot handle the large data communications typically required by traditional intrusion detection systems (IDSs) to find anomalous patterns, making it a challenging problem. A deep learning-based framework is proposed in this study with various optimizations for automatically detecting and classifying cyberattacks. These optimizations involve dimensionality reduction, hyperparameter tuning, and feature engineering. Additionally, the framework utilizes an enhanced Convolutional Neural Network (CNN) variant called Intelligent Intrusion Detection Network (IIDNet) to detect and classify attacks efficiently. Layer optimization at the architectural level is used to improve detection performance in IIDNet using a Learning-Based Intelligent Intrusion Detection (LBIID) algorithm. The experimental study conducted in this paper uses a benchmark dataset known as UNSW-NB15 and demonstrated that IIDNet achieves an outstanding accuracy of 95.47% while significantly reducing training time and excellent scalability, outperforming many existing intrusion detection models.

1. Introduction

Security is essential for modern information systems, networks, storage infrastructures, and various cyberspace-linked facilities. Considering the rise in system assaults and enterprises each year, it is crucial to enhance security levels continuously. It is not a one-time task but rather a continuous process to keep up with adversaries who are constantly developing new methods to compromise systems. Quantum computing is expected to pose a potential threat to system security in the near future if misused by hackers. The appearance of AI (artificial intelligence), deep learning, and machine learning technologies has paved the way for an additional layer of security for information systems and networks. With a learning-based approach, it becomes dynamic and effective in understanding real-time situations and detecting various cyberattacks. Although existing cryptographic methods effectively protect information systems and data, learning-based approaches can aid in analyzing network traffic in real time to detect attacks. Therefore, it is essential to harness artificial intelligence to develop security mechanisms that enhance overall cybersecurity. A literature review has found that deep learning models are extensively utilized for developing an IDS, as explored in references [1,2,3], to name a few. There are several drawbacks to the deep learning-based IDS systems that are in use today. For example, feature engineering, layer enhancement, and hyperparameter tuning are not available. The improved CNN model and deep learning framework for effective intrusion detection are presented in this study.
Deep learning models, especially Convolutional Neural Networks (CNNs), are known for their computationally expensive operations, particularly in the convolutional and pooling layers. Given the relevance of time complexity for real-time applications such as intrusion detection, it is crucial to analyze the time complexity of our proposed Intelligent Intrusion Detection Network (IIDNet). The primary computational cost in CNN models arises from the convolutional layers, where the time complexity is approximately $O(n \times f \times m^2)$, where $n$ is the number of input feature maps, $f$ is the filter size, and $m$ is the spatial size of the output feature map. This complexity can become a bottleneck in real-time applications such as intrusion detection, where timely responses are critical.
Deep Learning Framework with Enhanced CNN Architecture (IIDNet): The deep learning framework is presented in this study with optimizations for automatically detecting and classifying cyberattacks. To effectively identify and categorize assaults, this system makes use of an improved version of Convolutional Neural Networks (CNNs) known as Intelligent Intrusion Detection Network (IIDNet). IIDNet uses optimized layers and hyperparameters to enhance attack detection performance. We have made the following contributions:
  • The LBIID algorithm is a learning-based and intelligent intrusion detection approach that combines feature engineering, hyperparameter adjustment, and lowering of dimensionality to enhance the precision and effectiveness of the IDS.
  • Good Accuracy and Efficiency: Based on empirical research with the UNSW-NB15 dataset, IIDNet outperforms existing models with an amazing 95.47% accuracy, proving its usefulness for practical applications.
  • IIDNet reduces training time compared with other models, efficiently handling large datasets with minimal resource consumption.
The rest of the document is organized as follows: Section 2 examines the literature on the various methods currently used for detecting cyberattacks. Section 3 introduces the proposed deep learning framework, its mechanisms for enhancing the CNN architecture, and the algorithm for automatic detection and categorization of cyberattacks. Section 4 presents the results of our empirical study using a benchmark dataset. Section 5 concludes our research on enhancing cybersecurity and the ability to detect intrusions and provides directions for a future research scope.

2. Related Work

Numerous researchers have contributed to the development of deep learning techniques for intrusion detection applications. For more accuracy, Costa et al. [4] proposed a collaborative feature selection method to achieve efficient intrusion detection in cloud networks with time series data. The proposed method improved forecast accuracy by reducing the number of input predictors, which in turn reduced training time and saved resources. To simplify calculations and achieve better results in intrusion detection systems, Liang et al. [5] standardised the NSL-KDD dataset attributes using dummy variables and z-scores. They compared different optimizers, initialization modes, and activation functions to find a good Deep Neural Network model using the NSL-KDD dataset. Ashraf et al. [6] present a detailed review of network threats from Internet of Things networks and of machine learning and deep learning based attack detection techniques for an effective IDS.
Farhan and Jasim [7] identified fresh threats; deep learning improves Internet of Things security, and they use real-world traffic datasets to assess intrusion detection systems. Thamilarasu and Chawla [8] proposed an anomaly-based intrusion detection model for IoT networks using deep learning. The authors implemented and evaluated the model using a Raspberry Pi and the Cooja network simulator with a testbed of Texas Instruments sensor tags CC2650. Khan et al. [9] presented a deep neural network for intrusion detection in IoT networks based on classifying intruded patterns. They used three datasets to train and test their network and were able to achieve 90% accuracy on each dataset. Ge et al. [10] proposed an intrusion detection approach for IoT networks using a feed forward neural network for both binary and multi-class classification. They used the BoT-IoT dataset, and achieved 98% accuracy, for the multi-class classification.
Dawoud et al. [11] explore a deep learning (DL) based framework for network anomaly detection (AD) and compare two unsupervised DL algorithms: Restricted Boltzmann Machines (RBMs) and Autoencoders (AEs). The framework achieved over 99% detection accuracy, outperforming related works. Pampathi et al. [12] explored distributed sensor networks, which are essential, particularly for the IoT. The primary emphasis is on the advancement of an anomaly detection system’s intrusion detection capabilities. According to Qaddoura et al. [13], IoT network security must be guaranteed for user privacy and service availability. Unlike other methods with a higher G-mean, intrusion detection is improved via a deep multi-layer classification strategy. Awotunde et al. [14] developed it in response to the cyber risks that IoT faces. High assault detection accuracy is attained with a deep learning-based model. Saheed et al. [15] tested the machine learning models for both binary and multi-class classification scenarios. They conclude that Random Forest, Decision Tree, and KNN are the best machine learning models for the KDD99 dataset.
Susilo and Sari [16] proposed an Intrusion Detection System (IDS) for IoT applications, tailored to IoT protocol requirements using the UNSW-NB15 dataset. It employs Min-Max normalization for feature scaling and Principal Component Analysis (PCA) for dimensionality reduction. According to Amouri et al. [17], particularly with MANETs and WSNs, intrusion detection systems are essential for identifying network threats. The proposed IDS attains high detection rates. Salman et al. [18] expanded telecommunications, necessitating safe data transfer. IoT networks need intrusion detection systems since they are vulnerable. Two deep learning models outperform Logistic Regression. Elsayed et al. [19] used LSTM-RNN and MRMR feature selection. SATIDS, a unique IDS, can identify anomalies in IoT networks and increase efficiency and security. Rani and Kaushal [20] suggested utilizing Random Forest for supervised machine learning. Proactive intrusion prediction and actual traffic implementation are part of the upcoming development. The NSL-KDD and KDDCUP99 datasets were used for testing and achieved high accuracy.
Alkahtani et al. [21] used cutting-edge AI algorithms like CNN, LSTM, and CNN-LSTM; a robust intrusion detection framework for IoT was able to achieve high accuracy. Murat and Ozcanhan [22] became vulnerable to attacks with Internet-connected IoT devices. High intrusion detection accuracy is attained with a hybrid BLSTM-GRU model. Gumusbas et al. [23] examined cybersecurity intrusion detection techniques, machine learning, intense learning, benchmark datasets, procedures, constraints, and analysis. Liu and Lang [24] used the KDD99 dataset and a sparse autoencoder in its simulation studies to improve the detection accuracy of classical machine learning algorithms using deep learning. According to Abdulhammed et al. [25], with high precision, different approaches address class imbalance in the CIDDS-001 dataset. Robust intrusion detection is necessary due to the increase in cyber threats. Dini et al. [26] highlighted the challenges posed by unbalanced databases. Intrusion Detection Systems (IDS) play a crucial role in maintaining cybersecurity. The study investigates machine learning techniques using KDD 99, UNSWNB15, and CSE-CIC-IDS 2018. Compared with standard ML techniques. According to Vigneswaran et al. [27], DNNs for N-IDS outperformed KDDCup-99. IDS is essential to ensure cyber safety in ICT systems. According to Liu et al. [28], unbalanced network traffic makes intrusion detection difficult. The DSSTE method uses deep learning and machine learning to obtain better classification accuracy by addressing class imbalance. Dini et al. [26] explore and test numerous machine learning models for both binary and multi-class classification scenarios to address data traffic security issues. Jaimes et al. [29] review intrusion detection systems (IDSs) in Internet of Medical Things (IoMT) environments that utilise artificial intelligence (AI) based methods. They classify cyberattacks based on the targeted IoMT layer and the threatened Confidentiality, Integrity, and Availability (CIA) security aspects.
Keshk et al. [30] enhanced DL-based IDS for IoT provided by the proposed SPIP architecture, ensuring precise and comprehensible threat detection. A cybersecurity research on XAI is needed. Al-Ghuwairi et al. [31] used the CSE-CIC-IDS2018 dataset to evaluate a collaborative Features Selection method for intrusion detection. The results showed an improvement in forecast accuracy, a reduction in the number of input predictors, and reduced resource usage due to a reduction in training time. Anthi et al. [32] designed a supervised intrusion detection system for smart home IoT devices. The system successfully distinguishes between IoT devices on the network, malicious or benign activity, and the type of attack on each device, achieving an F-measure of 96.2% for device classification, 90.0% for activity classification, and 98.0% for attack classification. Pawlicki et al. [33] prevented assaults on machine learning-based cyberattack detectors. Adversarial assaults are assessed, and suggestions for detection are made. Ferrag et al. [34] examined seven deep learning approaches for intrusion detection, including recurrent neural networks, deep neural networks, restricted Boltzmann machines, deep belief networks, convolutional neural networks, deep Boltzmann machines, and deep autoencoders. The results indicate that these approaches, evaluated on the CSE-CIC-IDS2018 and Bot-IoT datasets, demonstrate effectiveness in detecting intrusions, with performance measured using accuracy, false alarm rate, and detection rate. Firoz [35] proposed an intrusion detection and prevention system prototype using Snort rules and indexing methods to reduce false positives. Testing showed that their prototype had a 2.28 times higher detection rate with a lower false-positive rate, indicating improved performance compared to a standard Snort sensor.
Kocher and Kumar [36] used the NSL-KDD dataset and a deep learning approach, sparse autoencoder, for intrusion detection as it achieved an F-measure of 98.84% and 96.79% for the sparse restricted Boltzmann machine. Tama [37] used a systematic mapping study to provide an overview of how ensemble learners are used in intrusion detection systems. The study also performed an empirical investigation of a new classifier ensemble approach, called a stack of ensembles, that combined three individual ensemble learners and achieved significant performance improvements in intrusion detection. Alkadi et al. [38] examined blockchain, cloud computing, and intrusion detection in cybersecurity. Future directions and challenges are emphasized. Santos et al. [39] used a taxonomy based on the characteristics of placement strategy, detection method, and security threat. The results showed that research on IDS solutions in IoT is still in its early stages and lacks consensus on the best options for placement strategies and detection methods. Macas et al. [40] review deep learning methods for intrusion detection, including restricted Boltzmann machines, deep belief networks, and convolutional neural networks. The findings suggest that deep learning, especially with autoencoders, enhances intrusion detection accuracy by reducing data dimensionality and extracting key features. Ashiku and Dagli [41] suggested using deep learning to identify network intrusions to successfully fend off changing security threats. Azam et al. [42] proposed a novel Machine-to-Machine (M2M) service architecture and gateway selection process to improve the Quality of Service (QoS) in M2M networks. Real-life experiments using Bluetooth Low Energy (BLE) signals transmitted by M2M devices and received by smartphones acting as M2M gateways demonstrated that the proposed selection method achieved 97.8% service availability, surpassing alternative methods like selecting based on the strongest signal or maintaining the current connection. Sarhan et al. [43] demonstrated the requirement for universal benchmark features by examining different ML algorithms and feature reduction strategies for NIDS across various datasets. The literature review indicates that DL models are extensively utilized in the creation of IDS, as explored in references [1,3,6], to name a few. However, existing IDSs based on DL have limitations, such as the lack of optimizations like hyperparameter tuning, effective preprocessing techniques, and a lightweight architectural approach.

3. Methods and Techniques

This section details the proposed deep learning framework, including the optimizations incorporated, the enhanced CNN model, dataset details, the proposed algorithm, and the performance evaluation methodology.

3.1. Problem Definition

The proliferation of IoT environments necessitates lightweight systems to manage large-scale, distributed devices. Traditional IDSs often rely on substantial data communications to identify anomalous patterns, presenting a challenge in IoT settings where resource constraints and minimal data communication are essential. In IoT environments, since there are so many networks and devices, high dimensionality, hyper-tuning, and feature engineering pose a significant challenge in automated intrusion detection. In this research work, the stated problem can be addressed with the help of a DL solution that uses a lightweight approach at multiple stages at the architectural level. These types of solutions not only provide an outcome but also improve performance and efficiency, especially in an IoT environment.

3.2. Methodology for the Proposed Framework

Our deep learning framework has been created to automatically detect and classify cyberattacks. The framework, illustrated in Figure 1, is designed to detect cyberattacks efficiently. In other words, Figure 1 shows a workflow illustrating the intrusion detection system with an improved CNN model. The process begins with the dataset, followed by Exploratory Data Analysis (EDA), preprocessing, and dimensionality reduction using t-SNE (t-distributed stochastic neighbor embedding) and PCA (principal component analysis). Next, there are separate test and train sets in the dataset, and then feature selection and hyperparameter tuning are implemented. The model is then configured, compiled, trained, and finally used for intrusion detection and classification. First, we perform exploratory data analysis on the given dataset to understand its distribution and dynamics. Based on the findings from the data analysis, we carry out preprocessing, which may include data improvement mechanisms and measures to prevent overfitting. After the preprocessing is finished, we use methods like PCA and t-SNE to reduce dimensionality. Following dimensionality reduction, we carry out hyperparameter tuning to enhance the deep learning framework that was employed in the framework by setting appropriate values to different hyperparameters. The goal is to optimize the model’s performance for cyberattack detection.
In addition to hyperparameter tuning, we apply feature engineering in the framework. Features extracted from the dataset undergo a feature selection methodology to identify contributing features after computing the importance of each feature. Subsequently, 80% of the dataset is labeled, while the remaining 20% is unlabeled, making up the training set. As shown in Figure 1, the improved CNN model is configured, compiled, and trained using the training set. Following the completion of the training, the model and its weights are saved for future retrieval and reuse. The trained model is then used for intrusion detection to enhance cybersecurity. The framework uses the enhanced CNN model for multi-class classification, detecting cyberattacks and classifying them to aid network administrators in making well-informed decisions. Overall, this approach may be used to protect networks and information systems from cyberattacks.

3.3. Dimensionality Reduction

Dimensionality reduction methods like PCA and t-SNE are widely employed in intrusion detection to improve the precision and efficacy of systems that detect irregularities. PCA is a linear dimensionality reduction technique that aims to reduce a dataset’s feature count while maintaining critical information. During PCA, the initial features are transformed into a new set of uncorrelated variables known as principal components. These may be used to more effectively spot patterns and abnormalities in high-dimensional data. The second method, t-SNE, is a non-linear way of lowering the dimensionality of the data. It works very well for displaying high-dimensional data in fewer dimensions because of its emphasis on maintaining the local structure of the data points, which makes it a useful tool for examining and comprehending intricate datasets. Combining PCA with t-SNE in intrusion detection can aid in data preprocessing, noise reduction, and visualization, making it simpler to spot anomalies or suspicious patterns. Intrusion detection systems can become more effective and precise in identifying possible security risks by employing these strategies to decrease the data’s dimensionality.

3.4. Hyperparameter Tuning

Tuning the hyperparameters is essential to maximize the performance of CNNs. The network’s learning process and performance are greatly impacted by hyperparameters, which are model-external values that cannot be learned during training. When fine-tuning CNNs, the following important hyperparameters should be taken into account. Since the learning rate dictates the number of steps performed during optimization, it has an impact on both the pace of learning and the convergence to a solution. Changing the learning rate can improve convergence and prevent the model from becoming stuck in local minima. The batch size determines the number of samples handled prior to updating the model’s parameters. The model’s rate of generalization and convergence can be affected by changing the batch size. The number of layers in the model is an important hyperparameter that affects a CNN’s capacity to learn intricate patterns. The efficiency of the network in extracting features can be affected by the addition or deletion of layers. The filter size in a CNN affects the receptive field and the amount of information in the extracted features. Filter sizes are adapted to enhance the model’s ability to capture significant input data characteristics. The dropout rate helps prevent overfitting by randomly deactivating certain input units during training. The capacity of the model to generalize may be improved by varying the dropout rate.
It is important to consider the learning potential of the model while selecting activation functions (such as ReLU, Sigmoid, and Tanh) for the various CNN layers. The capabilities of the model can be improved by experimenting with various activation functions. The model’s parameter adjustments during training may be influenced by the optimizer selected, such as Adam, SGD, or RMSprop. Changing the optimizer’s settings or experimenting with other optimizers can affect the model’s ultimate performance and rate of convergence. When modifying CNN hyperparameters, it is imperative to employ methods like grid search, random search, or Bayesian optimization. They are essential for delving deep into the hyperparameter space and finding the best set of parameters to improve model performance. Utilizing programs like GridSearchCV from scikit-learn or Keras Tuner from TensorFlow can also assist in speeding up the hyperparameter tuning process. We tuned the hyperparameters in this study using the GridSearchCV approach.

3.5. Feature Selection

When developing efficient intrusion detection algorithms, feature selection is crucial when working with the UNSW-NB15 dataset. Researchers often use this dataset to study intrusion detection since it includes network traffic data that display both normal activity and different sorts of attacks. It is crucial to prioritize features that can discriminate between malicious and valid network traffic when selecting features for intrusion detection in the UNSW-NB15 dataset. Several feature selection strategies may be used to identify the most important features for creating a potent intrusion detection model. Filter, wrapper, and embedded methods are some of these tactics. Wrapper approaches assess feature subsets that maximize model performance using a particular machine learning algorithm. To choose the most important features for training, embedded methods such as decision trees and random forests integrate feature selection during model construction. These methods evaluate features based on their importance during the learning process, which improves the model’s accuracy and efficiency. Filter approaches use statistical measurements like correlation or information gain to assess the significance of features. It is recommended that different feature selection techniques be experimented with and that the intrusion detection model performance be assessed using selected features through metrics like F1-score, precision, recall, and accuracy. This step-by-step method is useful for identifying the most important characteristics to accurately identify breaches within the UNSW-NB15 dataset. In this study, feature selection is performed by feature significance computation using the XGBoost model.

3.6. Enhanced CNN Model

We have developed a new architecture for intrusion detection based on a CNN model. We chose a CNN variant because it has proven efficient in extracting features and learning from training data, which is crucial for intelligent cyberattack detection. We used a multi-class classification approach with the softmax function. The model we developed is IIDNet and includes customized layers and hyperparameter optimization to improve its performance in intrusion detection. Optimizing the hyperparameters of IIDNet can help determine the best values for its performance. Figure 2 illustrates the proposed architecture for effective detection. The architecture has a number of layers.
Convolutional layers play a crucial role in developing an effective CNN model. They are widely utilized DL models for handling data and tasks related to computer vision. In these layers, convolution operations are applied to the input data, typically images (textual data in this paper), to extract features through filters or kernels. These filters move across the input information, carrying out multiplication and aggregation on each element to create feature maps highlighting patterns and structures within the data. The layers of convolution are essential for capturing spatial hierarchies and allowing the network to develop hierarchical representations of the input data, resulting in enhanced performance in activities like object detection, image classification, segmentation, and intrusion detection (the focus of this paper).
CNNs frequently employ max pooling layers to decrease the spatial dimensions of the input volume. After splitting the input data into non-overlapping rectangles, this layer outputs the maximum value from each rectangle. The most crucial characteristics within the designated area are preserved by the max pooling layer through the selection of the maximum value. This process reduces the network’s computational complexity and increases the network’s resistance to changes in the input data.
CNNs use the flatten layer to transform the output of the preceding convolutional or pooling layer into a one-dimensional array. This reshaping is needed to link the pooling/convolutional layers to the fully connected layers. Flattening the output reduces the spatial dimensions of the data to a single dimension, enabling data processing by conventional fully connected layers. In essence, the flatten layer converts the 2D or 3D output into a 1D vector to allow for further processing for tasks such as regression or classification. A fully connected layer in a CNN model is also known as a dense layer. In such a layer, every neuron is connected to every neuron in the preceding layer. Thanks to this connectedness, the layer may learn intricate patterns by taking into account the interactions between each feature. Fully connected layers are usually employed at the end of a CNN design to complete classification tasks using the features derived from the pooling and convolution layers earlier in the architecture. For tasks like intrusion detection, these layers are required to map high-level characteristics to the output classes.
The improved architecture of the CNN is utilized to classify different types of network attacks. It starts with an input sample of a 9 × 9 matrix with 77 features and 4 zero pads. The first layer creates 16 feature maps using a 9 × 9 convolution kernel, after which max pooling is used to minimize spatial dimensions. The next layer applies a 5 × 5 kernel to produce 32 feature maps, followed by an additional max pooling layer. A total of 32 feature maps are produced by the 3 × 3 kernel used in the third layer. Following flattening, the result is turned into a single vector, which is provided to a fully connected layer to facilitate pattern recognition and classification. The neurons in the final output layer reflect the likelihood that the input sample falls into one of the categories Benign, DDoS, DoS, Portscan, and Webattack. An improved deep learning-based CNN model for intrusion detection is described in Table 1, along with the kind and functions of each layer.
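The layer sizes in the paragraph above can be traced mechanically. The following is an added example, not code from the paper: it pads a 77-feature record into the 9 × 9 input and reports the output shape, parameter count and multiply-accumulate count of each layer. The single input channel, "same" padding, 2 × 2 pooling with stride 2, and a softmax layer fed directly by the flattened vector are assumptions, since the text does not state them.

```python
"""Added example: shape, parameter and cost trace for the CNN layout in Section 3.6."""

N_FEATURES = 77   # features per record (from the text)
SIDE = 9          # 9 x 9 input matrix (from the text)
CLASSES = ["Benign", "DDoS", "DoS", "Portscan", "Webattack"]

# (name, kernel size, feature maps, followed by max pooling?) as described in the text.
CONV_LAYERS = [("conv1", 9, 16, True), ("conv2", 5, 32, True), ("conv3", 3, 32, False)]


def to_matrix(features):
    """Zero-pad a 77-value record to 81 values and reshape it row by row to 9 x 9."""
    if len(features) != N_FEATURES:
        raise ValueError(f"expected {N_FEATURES} features, got {len(features)}")
    padded = [float(v) for v in features] + [0.0] * (SIDE * SIDE - N_FEATURES)
    return [padded[r * SIDE:(r + 1) * SIDE] for r in range(SIDE)]


def conv_same(shape, kernel, filters):
    """Convolution with 'same' padding (assumption). Returns (shape, params, macs)."""
    h, w, c_in = shape
    weights = kernel * kernel * c_in * filters
    params = weights + filters            # one bias per feature map
    macs = weights * h * w                # upper bound: includes taps on the padding
    return (h, w, filters), params, macs


def max_pool(shape, size=2):
    """Non-overlapping max pooling (window size is an assumption)."""
    h, w, c = shape
    if h < size or w < size:
        raise ValueError("feature map is smaller than the pooling window")
    return (h // size, w // size, c)


def trace_network():
    """Walk the layers in order and record what each one produces and costs."""
    shape = (SIDE, SIDE, 1)               # single input channel (assumption)
    rows = []
    for name, kernel, filters, pooled in CONV_LAYERS:
        shape, params, macs = conv_same(shape, kernel, filters)
        rows.append({"layer": name, "out": shape, "params": params, "macs": macs})
        if pooled:
            shape = max_pool(shape)
            rows.append({"layer": name + "_pool", "out": shape, "params": 0, "macs": 0})
    flat = shape[0] * shape[1] * shape[2]
    rows.append({"layer": "flatten", "out": (flat,), "params": 0, "macs": 0})
    # Softmax layer fed directly by the flattened vector (assumption).
    rows.append({"layer": "softmax", "out": (len(CLASSES),),
                 "params": flat * len(CLASSES) + len(CLASSES),
                 "macs": flat * len(CLASSES)})
    return rows


def totals(rows):
    """Total trainable parameters and multiply-accumulates per classified record."""
    return sum(r["params"] for r in rows), sum(r["macs"] for r in rows)


if __name__ == "__main__":
    trace = trace_network()
    for row in trace:
        print(f'{row["layer"]:<11} out={row["out"]!s:<12} '
              f'params={row["params"]:>6} macs={row["macs"]:>7}')
    print("total params, macs:", totals(trace))
```

Under these assumptions the first layer's 9 × 9 kernel covers the whole input, so it contributes few parameters but close to a third of the per-record compute.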

3.7. Proposed Algorithm

Utilizing the suggested deep learning architecture and improvements, we present the Learning-Based Intelligent Intrusion Detection (LBIID) method.
The intrusion detection procedure in Algorithm 1, referred to as Learning-Based Intelligent Intrusion Detection (LBIID), uses the UNSW-NB15 dataset. The procedure has multiple steps and includes preprocessing data, dimensionality reduction, feature selection, neural network model (IIDNet) configuration and training, hyperparameter tweaking, and performance evaluation. The LBIID algorithm first preprocesses the UNSW-NB15 dataset (D) and then applies dimensionality reduction techniques like t-SNE and PCA to the preprocessed dataset (D′). XGBoost is used for feature selection, and its threshold (th) is specified. The IIDNet model is configured and compiled according to Figure 2. Using Grid Search with Cross-Validation (GridSearchCV), the method continues with hyperparameter tweaking of the IIDNet model. The dataset is split into a training set (T1) and a testing set (T2), as in Algorithm 1. After the model has been trained using T1, it is stored for further use. When the trained model is loaded, it can identify intrusions in the test set (T2). The detection results (R) and the ground truth are compared in the performance evaluation. The intrusion detection findings (R) and performance statistics (P) are printed out when the process comes to an end. In conclusion, the LBIID algorithm provides a systematic approach to intrusion detection that includes training, feature selection, model construction, data preprocessing, and performance assessment. To optimize the model’s performance, hyperparameters are optimized. Neural networks (IIDNet) are used for intrusion detection, while machine learning methods like XGBoost are used for feature selection.
Algorithm 1 Learning-Based Intelligent Intrusion Detection (LBIID)
Require: UNSW-NB15 dataset D, threshold th
Ensure: Intrusion detection results R, performance statistics P
  1: Begin
  2: D ← PreProcess(D)
  3: D ← DimReduction(PCA, tSNE)
  4: F ← FeatureSelection(XGBoost model, th, D)
  5: Configure IIDNet model m as in Figure
  6: Compile m
  7: m ← HyperparameterTuning(GridSearchCV)
  8: (T1, T2) ← SplitData(D, F)
  9: m ← TrainModel(T1)
 10: Persist m
 11: Load m
 12: R ← DetectIntrusions(T2)
 13: P ← EvaluatePerformance(R, ground truth)
 14: Print R
 15: Print P
 16: End
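The steps of Algorithm 1 can be sketched with scikit-learn as below; this is an added example, not the authors' implementation. The synthetic data, GradientBoostingClassifier in place of XGBoost, MLPClassifier in place of IIDNet, the "median" threshold, and the SHA-256 check before loading are all assumptions, and the split is done first so that scaling, PCA and feature selection are fitted on training rows only.

```python
# Added example: LBIID step order as a scikit-learn pipeline (stand-ins throughout).
import hashlib
import os
import tempfile

import joblib
from sklearn.datasets import make_classification
from sklearn.decomposition import PCA
from sklearn.ensemble import GradientBoostingClassifier
from sklearn.feature_selection import SelectFromModel
from sklearn.metrics import accuracy_score, precision_recall_fscore_support
from sklearn.model_selection import GridSearchCV, train_test_split
from sklearn.neural_network import MLPClassifier
from sklearn.pipeline import Pipeline
from sklearn.preprocessing import StandardScaler


def build_search(th="median"):
    """Preprocess, reduce, select, classify and tune in one object, so every
    cross-validation fold refits the transforms on that fold's training rows."""
    pipe = Pipeline([
        ("scale", StandardScaler()),
        # t-SNE is left out: scikit-learn's TSNE has no transform() for unseen
        # rows, so it can serve plots but not an inference pipeline.
        ("pca", PCA(random_state=0)),
        ("select", SelectFromModel(
            GradientBoostingClassifier(n_estimators=30, random_state=0),
            threshold=th)),
        ("clf", MLPClassifier(hidden_layer_sizes=(32,), max_iter=500,
                              random_state=0)),
    ])
    grid = {"pca__n_components": [8, 12], "clf__alpha": [1e-4, 1e-2]}
    return GridSearchCV(pipe, grid, cv=3, scoring="f1")


def sha256_file(path):
    """Hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_verified(path, expected_digest):
    """Load a persisted model only if the file still matches its recorded digest."""
    if sha256_file(path) != expected_digest:
        raise ValueError("model file digest mismatch; refusing to load")
    return joblib.load(path)


def run_lbiid(seed=0):
    # Constructed sample data: 20 numeric features, roughly 68% "attack" rows.
    X, y = make_classification(n_samples=1200, n_features=20, n_informative=6,
                               n_redundant=4, weights=[0.32, 0.68],
                               class_sep=1.5, random_state=seed)
    X_tr, X_te, y_tr, y_te = train_test_split(
        X, y, test_size=0.3, stratify=y, random_state=seed)
    search = build_search().fit(X_tr, y_tr)            # tune and train
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "model_standin.joblib")
        joblib.dump(search.best_estimator_, path)      # persist
        digest = sha256_file(path)
        model = load_verified(path, digest)            # load
        with open(path, "ab") as fh:                   # simulate a modified file
            fh.write(b"\x00")
        try:
            load_verified(path, digest)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    R = model.predict(X_te)                            # detect
    p, r, f1, _ = precision_recall_fscore_support(y_te, R, average="binary")
    same = bool((R == search.best_estimator_.predict(X_te)).all())
    return {"precision": p, "recall": r, "f1": f1,
            "accuracy": accuracy_score(y_te, R),
            "reloaded_matches": same, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    for key, value in run_lbiid().items():
        print(key, value)
```

joblib files are pickles, and unpickling runs code taken from the file, so the digest comparison belongs before `joblib.load`, with the expected digest kept where the writer of the model file cannot change it.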

3.8. Dataset

The UNSW-NB15 [44] dataset was used in this investigation. The dataset consists of 49 features and is used to evaluate the performance of intrusion detection systems [45]. It contains realistic network traffic, simulating both normal and malicious activities. This dataset is significant because it reflects modern-day cyberattack scenarios, making it suitable for testing the efficacy of detection models. To replicate both typical actions and other kinds of assaults, these data are created in a controlled setting. Among other things, included in the dataset are protocol types, port numbers, and source and destination IP addresses. In order to improve cybersecurity safeguards, researchers utilize this information to create and assess intrusion detection systems.

3.9. Performance Evaluation

Since we utilized a learning-based strategy, as shown in Figure 3, metrics obtained from the confusion matrix are utilized to evaluate our methodology.
$$\text{Precision}\;(p) = \frac{TP}{TP + FP}$$
$$\text{Recall}\;(r) = \frac{TP}{TP + FN}$$
$$\text{F1-score}\;(f) = \frac{2\,p\,r}{p + r}$$
$$\text{Accuracy}\;(a) = \frac{TP + TN}{TP + TN + FP + FN}$$
A number between 0 and 1 is produced by the performance evaluation metrics. In machine learning research, these measures are often employed.

4. Experiment Results

4.1. Feature Importance

Analyzing the scores of key features is essential for increasing the efficacy, comprehensibility, and overall functionality of the intrusion detection model. ‘Sbytes’, with an F Score of 69, has the highest importance score, indicating that it is the most significant feature for the model. ‘Sbytes’ captures critical information related to the size of network packets, which is a strong indicator of different types of network traffic, including potential attacks. Figure 4 shows the importance scores of various features in building an effective intrusion detection model. The second most important feature is ‘ct_srv_src’, with an F Score of 50, indicating that the number of connections from the same source to the same service has a significant impact on detecting anomalies. ‘ct_srv_dst’, with an F Score of 44, is the third most important feature.
The importance of the number of connections to the same service endpoint is evident, suggesting that patterns in destination connections are important for identifying malicious activities. ‘dbytes’, with an F Score of 43, is the fourth most important feature, capturing the volume of data being transferred, which is a key indicator of certain types of attacks. ‘proto’ with an F Score of 39, ‘ct_dst_src_itm’ with an F Score of 32, ‘sinpkt’ with an F Score of 28, and others also contribute significantly to the model. For example, ‘proto’ relates to the protocol type, which differentiates between normal and suspicious traffic types. ‘ct_src_dport_itm’ with an F Score of 27, ‘dmean’ with an F Score of 19, ‘ct_src_itm’ with an F Score of 17, etc., have mid-range importance scores. They capture important aspects of network behavior and help refine the model’s detection capabilities. Features with lower F scores (e.g., ‘ackdat’, ‘dtcpp’, ‘trans_depth’, ‘spkts’) still contribute to the model but have a lesser impact individually. By focusing on the key elements, we built a robust and effective model that accurately detects and classifies cyberattacks, while also being resource efficient.

4.2. Data Distribution

The distributions (Figure 5) in the processed training set illustrate various feature distributions after preprocessing. This phase is essential because it guarantees that the data given to the model are normalized and ready for efficient training, which is needed to achieve high performance. Several features exhibit skewed distributions, such as ‘duration’, ‘spkts’, and ‘dpkts’. These features have a large number of instances clustered around low values with a long tail towards higher values, which requires normalization for better model performance. Features like ‘sload’ and ‘sttl’ display more uniform distributions, indicating a more even spread of data points across different values.
Some features, such as ‘rate’ and ‘swin’, show bimodal or multimodal distributions, indicating the presence of multiple clusters within the data. Features like ‘sbytes’ and ‘dbytes’ show high variability, with values ranging widely across instances. Features such as ‘ackdat’ and ‘dwin’ have relatively low counts compared with others. This paper addresses skewness, handles class imbalances and high variability, and reduces noise in the dataset. These preprocessing steps ensure that the data fed into the CNN are optimal for learning, which increases accuracy. The result is a robust and efficient intrusion detection system that identifies a broad spectrum of cyberattacks in IoT environments.

4.3. Dimensionality Reduction

A visual depiction of the dataset’s normal/malicious distinction is provided by the t-SNE dimensionality reduction plot (see Figure 6). The t-SNE plot clearly separates and groups the data, suggesting that the selected features are quite unique and contribute significantly to the model’s capacity to distinguish between malicious and legitimate traffic. This division suggests that the model’s attributes are successful in differentiating between the two groups. These kinds of visualizations aid in verifying the robustness and significance of the model’s feature set.
Within each cluster, the data points are densely packed, suggesting that the instances within the same class (normal or malicious) are very similar to each other in the feature space. The uniformity within groupings improves the model’s capability to make reliable predictions across different scenarios. The visual representation assists in comprehending the fundamental organization of the information, recognizing trends, and identifying irregularities or exceptional data points.

4.4. Model Accuracy and Loss

The evaluation of a DL model relies heavily on the metrics of model accuracy and loss. The accuracy of the enhanced CNN model for both training and validation is displayed across 50 epochs in Figure 7. The training accuracy is rather poor at the start (epoch 0), but it rises quickly in the first few epochs, reaching around 93%. This rapid growth indicates that, early in the training phase, the model is successfully assimilating the fundamental patterns and characteristics from the training data. Following the initial sharp rise, the training accuracy steadily increases, hitting around 95.47% by the 50th epoch. The model is continuously learning from and improving its comprehension of the training data over time, as seen by this continual progress. The strong correlation between the accuracy of the training and validation sets indicates that the model can be applied successfully to fresh data and does not suffer from substantial overfitting. The model seems to be converging steadily without significant signs of overfitting, as indicated by the parallel trends in training and validation accuracy.
The loss of the enhanced CNN model for training and validation across 50 epochs is displayed in Figure 8. The model is only beginning to learn the patterns in the data at the start (epoch 0), as shown by the relatively large training loss (around 0.19). In the first few epochs, the training loss drops off quickly; by the tenth epoch, it is only around 0.14. The sharp fall indicates that the model picks up the most important patterns and characteristics from the training set rather fast. The training loss steadily declines after the initial sharp fall, reaching 0.11 by the 50th epoch. This gradual decrease shows that the model’s comprehension of the data is continuously being refined and improved. Increasing the number of epochs could improve performance even more, but it is important to watch out for overfitting and modify training approaches as needed. The way the model is now performing suggests that it is a strong learner, appropriate for jobs like intrusion detection in Internet of Things configurations.

4.5. Confusion Matrix and Attack Category Distribution

The confusion matrix (Figure 9) for the CNN model shows robust performance, with 51,494 instances correctly classified as non-attacks (true negatives) and 114,834 instances correctly identified as attacks (true positives). The numbers of false positives and false negatives were 4506 and 4507, respectively, suggesting that the system was very accurate in differentiating between benign and malicious activity. The model appears to maintain a decent balance between sensitivity (identifying assaults) and specificity (preventing false alarms), as shown by the comparatively low numbers of false positives and false negatives.
The attack category distribution graph (Figure 10) reveals a significant imbalance in the dataset, with a much greater proportion of attack cases than non-attack ones. This disparity is indicative of real-world situations in which networks are frequently the target of several assaults. Despite the imbalance, the CNN model demonstrates strong performance because effective preprocessing techniques were applied. The confusion matrix and attack category distribution together illustrate the CNN model’s robustness and dependability in identifying different IoT network attacks. While the current model performs well, further improvements can be made to reduce false positives and false negatives. A continued focus on techniques to handle data imbalance will further strengthen the model’s performance.
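The formulas of Section 3.9 can be applied directly to the Figure 9 counts quoted above. The following added example (not the authors' code) does so, and goes beyond the binary case by computing one-vs-rest metrics for any square confusion matrix, together with the false-positive rate and the majority-class baseline that the imbalance discussion calls for; the three-class matrix is constructed for illustration.

```python
# Added example: Section 3.9 metrics from a confusion matrix, one-vs-rest.
# Convention (assumption): cm[i][j] = number of samples of true class i
# that were predicted as class j.

# Counts quoted on the page for Figure 9; row/column order is Benign, Attack.
FIG9_LABELS = ["Benign", "Attack"]
FIG9 = [[51494, 4506],
        [4507, 114834]]

# Constructed three-class sample in which "Portscan" is never predicted.
SAMPLE_LABELS = ["Benign", "DoS", "Portscan"]
SAMPLE = [[90, 10, 0],
          [5, 45, 0],
          [3, 2, 0]]


def safe_div(num, den):
    """Return num/den, or 0.0 when the denominator is zero."""
    return num / den if den else 0.0


def validate(cm):
    """Reject matrices that are not square or contain negative counts."""
    n = len(cm)
    if n < 2 or any(len(row) != n for row in cm):
        raise ValueError("confusion matrix must be square with at least 2 classes")
    if any(v < 0 for row in cm for v in row):
        raise ValueError("counts must be non-negative")


def one_vs_rest(cm, k):
    """Return (TP, FP, FN, TN) treating class index k as the positive class."""
    validate(cm)
    tp = cm[k][k]
    fp = sum(row[k] for row in cm) - tp   # predicted k, truly another class
    fn = sum(cm[k]) - tp                  # truly k, predicted another class
    tn = sum(map(sum, cm)) - tp - fp - fn
    return tp, fp, fn, tn


def metrics(cm, k):
    """Precision, recall, F1 and accuracy as defined in Section 3.9, plus FPR."""
    tp, fp, fn, tn = one_vs_rest(cm, k)
    p = safe_div(tp, tp + fp)
    r = safe_div(tp, tp + fn)
    return {
        "precision": p,
        "recall": r,
        "f1": safe_div(2 * p * r, p + r),
        "accuracy": safe_div(tp + tn, tp + tn + fp + fn),
        "fpr": safe_div(fp, fp + tn),     # share of negatives raised as alerts
    }


def majority_baseline(cm):
    """Accuracy of a detector that always predicts the most frequent true class."""
    validate(cm)
    return safe_div(max(sum(row) for row in cm), sum(map(sum, cm)))


if __name__ == "__main__":
    for name, value in metrics(FIG9, FIG9_LABELS.index("Attack")).items():
        print(f"{name:9s} {value:.4f}")
    print(f"baseline  {majority_baseline(FIG9):.4f}")
    for k, label in enumerate(SAMPLE_LABELS):
        print(label, {n: round(v, 3) for n, v in metrics(SAMPLE, k).items()})
```

For the Figure 9 counts this gives precision and recall of about 96.2%, accuracy of about 94.9%, and a false-positive rate of about 8.0% on benign traffic. Always predicting "attack" on the same data would score about 68.1% accuracy, which is the baseline against which the accuracy figure should be read.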

4.6. Performance Metrics

The F1-score, accuracy, recall, and precision metrics were compared among Multi-Layer Perceptron (MLP), Baseline CNN, and the proposed IIDNet models. The performance data are displayed in Table 2 alongside various models. The IIDNet model consistently outperformed the other models across all metrics.
The precision (Figure 11) for IIDNet was 97.98%, significantly higher than the 83.74% for MLP and 92.74% for Baseline CNN. Similarly, IIDNet achieved a recall (Figure 12) of 93.86%, matching MLP and surpassing Baseline CNN’s 91.29%. The F1-score for IIDNet was 95.87%, compared with 88.51% for MLP and 92.01% for Baseline CNN. Finally, IIDNet demonstrated superior accuracy at 95.47%, higher than MLP’s 89.75% and Baseline CNN’s 91.67%.

4.6.1. Time Complexity of IIDNet Model

In the proposed model, the optimized CNN architecture incorporates dimensionality reduction techniques such as PCA and t-SNE to mitigate computational costs. These methods, while having their own complexity, help reduce the input size and, consequently, the computation load for the CNN layers. The hyperparameter tuning, especially of batch size and filter size, further contributes to a reduction in computational overhead.
The time taken for training and inference was measured using the UNSW-NB15 dataset in a GPU-powered environment. Table 1 presents a comparison of the training times for our IIDNet model with other models [46,47,48].
The empirical analysis of IIDNet’s performance revealed that this approach strikes a good balance between computational complexity and accuracy. The training time complexity of IIDNet was calculated, and empirical runtime results were measured in terms of both the training and inference phases.

4.6.2. Training Time Analysis with Different Data Scales

We conducted experiments to analyze the training time of IIDNet under different data scales using the UNSW-NB15 dataset. By varying the number of input samples and feature sizes, we measured the training time and resource utilization in terms of GPU memory consumption and CPU usage. Table 3 summarizes the results for different dataset sizes. The results indicate that, as the dataset size increases, both the training time and the resource usage increase approximately linearly. The model scales well across different data sizes, maintaining a practical balance between computational cost and performance. For instance, training IIDNet on 100,000 samples took approximately 360 s and used 6.2 GB of GPU memory. This makes IIDNet efficient and scalable, even for larger datasets.
The scalability of IIDNet is particularly important for its application in large-scale networks where datasets can grow significantly over time. As shown in Table 3, the GPU memory usage remains manageable even as the dataset size increases. Furthermore, the CPU usage during training indicates that the model effectively leverages the parallel processing capabilities of the GPU, reducing the strain on the CPU.
We also observed that the use of dimensionality reduction (PCA and t-SNE) helps to limit the input feature size, reducing the model’s resource demands while preserving accuracy. This makes IIDNet suitable for environments with constrained computational resources, such as edge devices or cloud-based intrusion detection systems.

4.7. Performance Comparison

This section compares the performance of the proposed intrusion detection model with the state-of-the-art models explored in [3,6,12,14]; the results are presented in Table 4.
The efficacy of several intrusion detection methods in identifying intrusions is assessed, as shown in Figure 13. The accuracies of the methods in [3,6,12] are 97.15%, 98.92%, and 97.98%, respectively. The accuracy of the suggested intrusion detection model is also 97.15%. Comparing the suggested intrusion detection model with the state of the art, it obtains the best accuracy.

5. Discussion

A new intelligent intrusion detection framework, grounded in deep learning, is proposed by this study. The framework is equipped with several optimizations to leverage performance in the intrusion detection process. The quality of training data is critical for the model’s performance as it is a supervised learning-based approach. High-quality data help the model learn meaningful patterns, while noisy or imbalanced data lead to inaccurate predictions. The training process needs to be optimized to be feasible. In this research, data preprocessing steps such as normalization and feature scaling were implemented to improve the dataset quality. The framework utilizes dimensionality reduction, feature engineering, and hyperparameter tuning. Additionally, a CNN model named IIDNet is optimized with layers and parameters to improve performance. In this research, feature engineering is based on the XGBoost model, which selects features contributing to the class label prediction for intrusion detection. The proposed deep learning model uses a softmax function for multi-class classification. It has several layers to process input data and generate different class labels.
The proposed IIDNet model outperformed existing intrusion detection models, as demonstrated by our empirical results. Compared with traditional CNNs and other deep learning models, IIDNet achieved higher accuracy, precision, recall, and F1-scores. The ability of IIDNet to maintain a balance between detecting attacks and minimizing false positives and false negatives is particularly notable. This demonstrates the model’s robustness in real-world scenarios, where the imbalance between benign and malicious network traffic poses significant challenges for detection systems.
By optimizing the CNN layers and hyperparameters, IIDNet can handle large-scale datasets efficiently. Empirical analysis showed that IIDNet scales well with increasing dataset sizes, with reasonable resource consumption (GPU memory and CPU usage). This scalability makes IIDNet suitable for deployment in environments with limited computational resources, such as edge computing devices in IoT networks. The use of dimensionality reduction techniques also aids in managing the computational complexity, ensuring that the model remains efficient even when the dataset grows significantly.
The findings from this research have practical implications for the cybersecurity domain, particularly in the context of IoT environments. The proposed IIDNet model not only excels in detecting intrusions but also offers a framework that can be adapted to various network configurations. The high accuracy and scalability make it a viable option for real-time intrusion detection in critical infrastructures, where latency and accuracy are of utmost importance. The system is adequate for intrusion detection and classification, although its restrictions are outlined in Section 5.1.

5.1. Limitations

There are several restrictions on the system that this study suggests. The dataset used for this research is commonly employed for intrusion detection tasks. Nonetheless, depending just on a single, diversified dataset might support the establishment of broadly applicable conclusions for the suggested methodology. The lack of hybrid techniques in the feature selection procedure is another area in need of development. Furthermore, real-time network traffic data have not been used to assess the suggested CNN model upgrade. Only a synthetic dataset has been used to test the model, as opposed to a real-time dataset for validation.

6. Conclusions and Future Work

To identify and categorize cyberattacks automatically, this study presents a deep learning system with several improvements, namely hyperparameter tuning, feature engineering, and dimensionality reduction. The framework employs the Intelligent Intrusion Detection Network (IIDNet), an improved version of CNN, to efficiently identify and classify attacks. By optimizing layers and hyperparameters, IIDNet is intended to improve attack detection efficiency. These deep learning optimizations and architecture are used by the proposed Learning-Based Intelligent Intrusion Detection (LBIID) method. An accuracy of 95.47% is really impressive; IIDNet exceeded several other intrusion detection models, according to an empirical study conducted with the UNSW-NB15 benchmark dataset. The cybersecurity of current networks or information systems can be strengthened by integrating this deep learning architecture. Hybrid deep learning models and ensemble techniques might be added to the system to increase intrusion detection performance.

Author Contributions

Conceptualization, A.D.; methodology, A.D.; software, A.D.; validation, A.D.; formal analysis, A.D.; investigation, A.D.; resources, A.D.; data curation, A.D.; writing—original draft preparation, A.D.; writing—review and editing, K.R.; visualization, A.D.; supervision, K.R.; project administration, A.D. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The dataset UNSW-NB15 used for this research is available at https://research.unsw.edu.au/projects/unsw-nb15-dataset (accessed on 10 May 2024).

Acknowledgments

This research is carried out under Center of Excellence AI/Robotics at Woxsen University.

Conflicts of Interest

The authors declare no conflicts of interest.

Correction Statement

This article has been republished with a minor correction to the image quality of Figures 3, 5, and 6–10. This change does not affect the scientific content of the article.

Abbreviations

The following abbreviations are used in this manuscript:
CNN: Convolutional Neural Network
IDS: intrusion detection system
IIDNet: Intelligent Intrusion Detection Network
LBIID: Learning-Based Intelligent Intrusion Detection

References

  1. Ge, M.; Syed, N.F.; Fu, X.; Baig, Z.; Robles-Kelly, A. Towards a deep learning-driven intrusion detection approach for Internet of Things. Comput. Netw. 2021, 186, 107784.
  2. Roy, B.; Cheung, H. A Deep Learning Approach for Intrusion Detection in Internet of Things using Bi-Directional Long Short-Term Memory Recurrent Neural Network. In Proceedings of the 2018 28th International Telecommunication Networks and Applications Conference (ITNAC), Sydney, NSW, Australia, 21–23 November 2018; pp. 1–6.
  3. Fu, X.; Zhou, N.; Jiao, L.; Li, H.; Zhang, J. The robust deep learning-based schemes for intrusion detection in Internet of Things environments. Ann. Telecommun. 2021, 76, 273–285.
  4. Da Costa, K.A.P.; Papa, J.P.; Lisboa, C.O.; Munoz, R.; de Albuquerque, V.H.C. Internet of Things: A Survey on Machine Learning-based Intrusion Detection Approaches. Comput. Netw. 2019, 151, 147–157.
  5. Liang, C.; Shanmugam, B.; Azam, S.; Jonkman, M.; Boer, F.D.; Narayansamy, G. Intrusion Detection System for Internet of Things based on a Machine Learning approach. In Proceedings of the 2019 International Conference on Vision Towards Emerging Trends in Communication and Networking (ViTECoN), Vellore, India, 30–31 March 2019; pp. 1–6.
  6. Asharf, J.; Moustafa, N.; Khurshid, H.; Debie, E.; Haider, W.; Wahab, A. A Review of Intrusion Detection Systems Using Machine and Deep Learning in Internet of Things: Challenges, Solutions and Future Directions. Electronics 2020, 9, 1177.
  7. Farhan, B.I.; Jasim, A.D. Survey of Intrusion Detection Using Deep Learning in the Internet of Things. Iraqi J. Comput. Sci. Math. 2022, 3, 83–93.
  8. Thamilarasu, G.; Chawla, S. Towards Deep-Learning-Driven Intrusion Detection for the Internet of Things. Sensors 2019, 19, 1977.
  9. Choudhary, S.; Kesswani, N. Analysis of KDD-Cup’99, NSL-KDD and UNSW-NB15 Datasets using Deep Learning in IoT. Procedia Comput. Sci. 2020, 167, 1561–1573.
  10. Ge, M.; Fu, X.; Syed, N.; Baig, Z.; Teo, G.; Robles-Kelly, A. Deep Learning-Based Intrusion Detection for IoT Networks. In Proceedings of the 2019 IEEE 24th Pacific Rim International Symposium on Dependable Computing (PRDC), Kyoto, Japan, 1–3 December 2019; pp. 256–25609.
  11. Dawoud, A.; Sianaki, O.A.; Shahristani, S.; Raun, C. Internet of Things Intrusion Detection: A Deep Learning Approach. In Proceedings of the 2020 IEEE Symposium Series on Computational Intelligence (SSCI), Canberra, ACT, Australia, 1–4 December 2020; pp. 1–7.
  12. Ma, P.B.; Guptha, N.; Hema, M.S. Towards an effective deep learning-based intrusion detection system in the Internet of Things. Telemat. Inform. Rep. 2022, 7, 1–11.
  13. Qaddoura, R.; Al-Zoubi, A.M.; Faris, H.; Almomani, I. A Multi-Layer Classification Approach for Intrusion Detection in IoT Networks Based on Deep Learning. Sensors 2021, 21, 2987.
  14. Awotunde, J.B.; Chakraborty, C.; Adeniy, A.E. Intrusion Detection in Industrial Internet of Things Network-Based on Deep Learning Model with Rule-Based Feature Selection. Hindawi Wirel. Commun. Mob. Comput. 2021, 2021, 7154587.
  15. Saheed, Y.K.; Abiodun, A.I.; Misra, S.; Kristi, M. A machine learning-based intrusion detection for detecting Internet of Things network attacks. Alex. Eng. J. 2021, 61, 9395–9409.
  16. Susilo, B.; Sari, R.F. Intrusion Detection in IoT Networks Using Deep Learning Algorithm. Information 2020, 11, 279.
  17. Amouri, A.; Alaparthy, V.T.; Morgera, S.D. A Machine Learning Based Intrusion Detection System for Mobile Internet of Things. Sensors 2020, 20, 461.
  18. Salman, E.H.; Taher, M.A.; Hammadi, Y.I.; Abdul, O. An Anomaly Intrusion Detection for High-Density Internet of Things Wireless Communication Network Based Deep Learning Algorithm. Sensors 2023, 23, 206.
  19. Elsayed, R.; Hamada, R.; Hammoudeh, M.; Abdalla, M. A Hierarchical Deep Learning-Based Intrusion Detection Architecture for Clustered Internet of Things. J. Sens. Actuator Netw. 2023, 12, 3.
  20. Rani, D.; Kaushal, N.C. Supervised Machine Learning Based Network Intrusion Detection System for Internet of Things. In Proceedings of the 2020 11th International Conference on Computing, Communication and Networking Technologies (ICCCNT), Kharagpur, India, 1–3 July 2020; pp. 1–7.
  21. Alkahtani, H.; Aldhyani, T.H.H. Intrusion Detection System to Advance Internet of Things Infrastructure-Based Deep Learning Algorithms. Complexity 2021, 2021, 5579851.
  22. Emeç, M.; Özcanhan, M.H. A Hybrid Deep Learning Approach for Intrusion Detection in IoT Networks. Adv. Electr. Comput. Eng. 2022, 22, 1–10.
  23. Gumusbas, D.; Yldrm, T.; Genovese, A.; Scotti, F. A Comprehensive Survey of Databases and Deep Learning Methods for Cybersecurity and Intrusion Detection Systems. IEEE Syst. J. 2020, 15, 1717–1731.
  24. Liu, H.; Lang, B. Machine Learning and Deep Learning Methods for Intrusion Detection Systems: A Survey. Appl. Sci. 2019, 9, 1–28.
  25. Abdulhammed, R.; Faezipour, M.; Abuzneid, A.; AbuMallouh, A. Deep and Machine Learning Approaches for Anomaly-Based Intrusion Detection of Imbalanced Network Traffic. IEEE Sens. Lett. 2018, 3, 1–4.
  26. Dini, P.; Elhanashi, A.; Begni, A.; Saponara, S. Overview on Intrusion Detection Systems Design Exploiting Machine Learning for Networking Cybersecurity. Appl. Sci. 2023, 13, 7507.
  27. Vigneswaran, R.; Vinayakumar, V.; Soman, K.P.; Poornachandran, P. Evaluating Shallow and Deep Neural Networks for Network Intrusion Detection Systems in Cyber Security. In Proceedings of the 2018 9th International Conference on Computing, Communication and Networking Technologies (ICCCNT), Bengaluru, India, 10–12 July 2018; pp. 1–6.
  28. Liu, L.; Wang, P.; Lin, J.; Liu, L. Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning. IEEE Access 2021, 9, 7550–7563.
  29. Hernandez-Jaimes, M.L.; Martinez-Cruz, A.; Alejandra, K. Artificial Intelligence for IoMT Security: A Review of Intrusion Detection Systems, Attacks, Datasets and Cloud–Fog; Elsevier: Amsterdam, The Netherlands, 2023; pp. 1–33.
  30. Keshk, M.; Koroniotis, N.; Pham, N.; Moustafa, N.; Benjamin, T. An Explainable Deep Learning-Enabled Intrusion Detection Framework in IoT Networks; Elsevier: Amsterdam, The Netherlands, 2023; pp. 1–20.
  31. Al-Ghuwairi, A.R.; Sharrab, Y.; Al-Fraihat, D.; AlElaimat, M.; Alsarhan, A.; Algarni, A. Intrusion detection in cloud computing based on time series anomalies utilizing machine learning. J. Cloud Comp. 2023, 12, 127.
  32. Anthi, E.; Williams, L.; Słowinska, M.; Theodorakopoulos, G.P. A Supervised Intrusion Detection System for Smart Home IoT Devices. IEEE Internet Things J. 2019, 6, 9042–9053.
  33. Pawlicki, M.; Chora, M.; Kozik, R. Defending network intrusion detection systems against adversarial evasion attacks. Future Gener. Comput. Syst. 2020, 110, 148–154.
  34. Ferrag, M.A.; Maglaras, L.; Moschoyiannis, S.; Helge, H. Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study. J. Inf. Secur. Appl. 2019, 50, 102419.
  35. Firoz, K.M.; Hartmann, S. Cyber security challenges: An efficient intrusion detection system design. In Proceedings of the 2018 International Young Engineers Forum (YEF-ECE), Costa da Caparica, Portugal, 4 May 2018; pp. 19–24.
  36. Kocher, G.; Kumar, G. Machine learning and deep learning methods for intrusion detection systems: Recent developments and challenges. Soft Comput. 2021, 25, 9731–9763.
  37. Tama, B.A.; Lim, S. Ensemble learning for intrusion detection systems: A systematic mapping study and cross-benchmark evaluation. Comput. Sci. Rev. 2021, 39, 100357.
  38. Alkadi, O.; Moustafa, N.; Turnbull, B. A Review of Intrusion Detection and Blockchain Applications in the Cloud: Approaches, Challenges and Solutions. IEEE Access 2020, 8, 104893–104917.
  39. Santos, L.; Rabadao, C.; Goncalves, R. Intrusion detection systems in Internet of Things: A literature review. In Proceedings of the 2018 13th Iberian Conference on Information Systems and Technologies (CISTI), Caceres, Spain, 13–16 June 2018; pp. 1–7.
  40. Macas, M.; Wu, C. Review: Deep Learning Methods for Cybersecurity and Intrusion Detection Systems. In Proceedings of the 2020 IEEE Latin-American Conference on Communications (LATINCOM), Santo Domingo, Dominican Republic, 18–20 November 2020; pp. 1–6.
  41. Ashiku, L.; Dagli, C. Network Intrusion Detection System using Deep Learning. Procedia Comput. Sci. 2021, 185, 239–247.
  42. Azam, R.; Siddique, M.J.; Munir, A.S. Machine and Deep Learning Based Comparative Analysis Using Hybrid Approaches for Intrusion Detection System. In Proceedings of the 3rd International Conference on Advancements in Computational Sciences (ICACS), Lahore, Pakistan, 17–19 February 2020; pp. 1–9.
  43. Sarhan, M.; Layeghy, S.; Moustafa, N.; Gallagher, M. Feature extraction for machine learning-based intrusion detection in IoT networks. Digit. Commun. Netw. 2022, 10, 205–216.
  44. Moustafa, N.; Slay, J. The UNSW-NB15 Dataset; University of New South Wales: Canberra, ACT, Australia, 2015; Available online: https://research.unsw.edu.au/projects/unsw-nb15-dataset (accessed on 10 May 2024).
  45. Moustafa, N.; Slay, J. UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In Proceedings of the 2015 Military Communications and Information Systems Conference (MilCIS), Canberra, ACT, Australia, 10–12 November 2015; pp. 1–6.
  46. Dong, S.; Xia, Y.; Peng, T. Network Abnormal Traffic Detection Model Based on Semi-Supervised Deep Reinforcement Learning. In Proceedings of the IEEE Transactions on Network and Service Management; IEEE: Piscataway, NJ, USA, 2021; Volume 18, pp. 4197–4212.
  47. Mauro, M.D.; Galatro, G.; Liotta, A. Experimental Review of Neural-Based Approaches for Network Intrusion Management. IEEE Trans. Netw. Serv. Manag. 2020, 17, 2480–2495.
  48. Jahangir, M.T.; Wakeel, M.; Asif, H.; Ateeq, A. Systematic Approach to Analyze The Avast IOT-23 Challenge Dataset For Malware Detection Using Machine Learning. In Proceedings of the 2023 18th International Conference on Emerging Technologies (ICET), Peshawar, Pakistan, 6–7 November 2023; pp. 234–239.
Figure 1. Overview of the proposed deep learning framework for intelligent intrusion detection.
Figure 1. Overview of the proposed deep learning framework for intelligent intrusion detection.
Technologies 12 00203 g001
Figure 2. Architecture of proposed enhanced CNN known as IIDNet.
Figure 3. Confusion matrix.
Figure 4. Feature importance for intrusion detection model.
Figure 5. Distributions of features in the processed training set.
Figure 6. t-SNE dimensionality reduction for normal and malicious instances.
Figure 7. Model accuracy over epochs for training and validation sets.
Figure 8. Model loss over epochs for training and validation sets.
Figure 9. IDS confusion matrix.
Figure 10. Attack category distribution in the dataset, where 0 is Benign and 1 is Attack.
Figure 11. Recall, F1-score, precision, and accuracy comparison for different models.
Figure 12. Deep learning model comparison.
Figure 13. Performance comparison of different intrusion detection methods across four metrics: Accuracy, F1-Score, Precision, and Recall. Each colored bar represents a method from a different research paper: Xingbing Fu et al. (2021) [3] (blue), Javed Asharf et al. (2020) [6] (red), B.M. Pampapathi et al. (2022) [12] (green), Hongyu Liu et al. (2019) [24] (purple), and IIDNet (Proposed) (light blue). The methods are evaluated based on data extracted from their respective publications, showcasing the relative performance of each method on various metrics.
Table 1. Architecture of the enhanced deep learning-based CNN model for intrusion detection.

| Layer | Type | Details |
|---|---|---|
| Input Layer | - | 9 × 9 matrix with 77 features and 4 zero pads |
| Convolutional Layer 1 | Conv2D | 9 × 9 kernel, 16 feature maps |
| Max Pooling Layer 1 | MaxPooling2D | Reduces spatial dimensions |
| Convolutional Layer 2 | Conv2D | 5 × 5 kernel, 32 feature maps |
| Max Pooling Layer 2 | MaxPooling2D | Reduces spatial dimensions |
| Convolutional Layer 3 | Conv2D | 3 × 3 kernel, 32 feature maps |
| Flatten Layer | Flatten | Transforms 2D feature maps into a single vector |
| Fully Connected Layer 1 | Dense | Pattern learning and classification |
| Output Layer | Dense (Softmax) | Neurons for each class: Benign, DDoS, DoS, Portscan, and Webattack, representing probabilities |
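The following Python example is added here and is not code from the paper: it folds one 77-feature record into the 9 × 9 input of Table 1 and traces tensor shapes and trainable-parameter counts through the listed layers. Stride-1 convolutions, 2 × 2 pooling, a 64-unit dense layer and zero pads appended at the end of the feature vector are assumptions, since Table 1 does not specify them.

```python
N_FEATURES, SIDE = 77, 9   # Table 1: 77 features + 4 zero pads = 9 x 9
CLASSES = ["Benign", "DDoS", "DoS", "Portscan", "Webattack"]
DENSE_UNITS = 64           # assumption: Table 1 gives no dense-layer width
POOL = 2                   # assumption: 2 x 2 max pooling

def to_grid(features):
    """Zero-pad one 77-value record to 81 values and fold it into 9 x 9."""
    if len(features) != N_FEATURES:
        raise ValueError(f"expected {N_FEATURES} features, got {len(features)}")
    flat = list(features) + [0.0] * (SIDE * SIDE - N_FEATURES)  # pads at the end (assumed)
    return [flat[r * SIDE:(r + 1) * SIDE] for r in range(SIDE)]

def conv(shape, kernel, maps, padding):
    """Return (output shape, trainable parameters) of a stride-1 Conv2D."""
    h, w, c = shape
    if padding == "valid":                     # "same" keeps h and w unchanged
        h, w = h - kernel + 1, w - kernel + 1
    if h < 1 or w < 1:
        raise ValueError(f"{kernel}x{kernel} kernel does not fit in {shape}")
    return (h, w, maps), kernel * kernel * c * maps + maps

def pool(shape):
    """Return the output shape of a POOL x POOL max-pooling layer."""
    h, w, c = shape
    if h < POOL or w < POOL:
        raise ValueError(f"{POOL}x{POOL} pooling does not fit in {shape}")
    return (h // POOL, w // POOL, c)

def trace(padding="same"):
    """Walk Table 1 top to bottom; return (layer, shape, params) rows."""
    rows, shape = [], (SIDE, SIDE, 1)
    for i, (kernel, maps) in enumerate([(9, 16), (5, 32), (3, 32)], start=1):
        shape, params = conv(shape, kernel, maps, padding)
        rows.append((f"conv{i}", shape, params))
        if i < 3:                              # Table 1 pools after conv 1 and 2 only
            shape = pool(shape)
            rows.append((f"pool{i}", shape, 0))
    flat = shape[0] * shape[1] * shape[2]
    rows.append(("flatten", (flat,), 0))
    rows.append(("dense", (DENSE_UNITS,), flat * DENSE_UNITS + DENSE_UNITS))
    rows.append(("softmax", (len(CLASSES),), DENSE_UNITS * len(CLASSES) + len(CLASSES)))
    return rows

if __name__ == "__main__":
    for name, shape, params in trace():
        print(f"{name:8s} {str(shape):14s} {params:6d}")
    print("total parameters:", sum(p for _, _, p in trace()))
```

Calling `trace("valid")` raises `ValueError`: without padding, the 9 × 9 kernel collapses the 9 × 9 input to 1 × 1 and the first pooling layer no longer fits, so under these assumptions the stack in Table 1 only works with "same" padding.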
Table 2. Performance metrics comparison for different models.

| Model | Precision | Recall | F1-Score | Accuracy |
|---|---|---|---|---|
| MLP | 83.74 | 93.86 | 88.51 | 89.75 |
| Baseline CNN | 92.74 | 91.29 | 92.01 | 91.67 |
| IIDNet (Proposed) | 97.98 | 93.86 | 95.87 | 95.47 |
Table 3. Training time and resource usage of IIDNet for different data scales.

| Dataset Size (Number of Samples) | Training Time (Seconds) | GPU Memory Usage (GB) | CPU Usage (%) |
|---|---|---|---|
| 10,000 | 90 | 2.3 | 35 |
| 50,000 | 180 | 4.7 | 50 |
| 100,000 | 360 | 6.2 | 65 |
| 200,000 | 720 | 9.8 | 80 |
Table 4. Performance comparison.

| Intrusion Detection Model | Accuracy | F1-Score | Precision | Recall |
|---|---|---|---|---|
| Method in [3] | 97.15 | 98.00 | 99.00 | 97.00 |
| Method in [6] | 81.92 | 75.63 | 85.21 | 81.92 |
| Method in [12] | 79.12 | 78.91 | 78.34 | 79.50 |
| Method in [24] | 97.61 | 97.60 | 97.83 | 97.37 |
| IIDNet (Proposed) | 97.98 | 93.86 | 95.87 | 95.47 |