Deep learning method for efficient cloud IDS utilizing combined behavior and flow-based features
| Field | Value |
|---|---|
| Published in | Applied Intelligence (Dordrecht, Netherlands), Vol. 54, no. 8, pp. 6738-6759 |
| Main Authors | , , |
| Format | Journal Article |
| Language | English |
| Published | New York: Springer US, 01.04.2024 (Springer Nature B.V.) |
| Summary | The Intrusion Detection System (IDS) distinguishes harmful entries from normal ones in network traffic data and aids in network security. Due to the emergence of new and unknown network-connected devices, many modern systems have been penetrated. As a result, it is critical to improve information security and to detect new cyber-attacks exploiting various application protocols such as Hyper Text Transfer Protocol (HTTP) and Domain Name System (DNS). Therefore, this paper introduces an Optimized Bidirectional Convolutional Neural Network and Long Short-Term Memory (OBCLSTM) method to detect whether the HTTP and DNS protocols are under attack. Initially, the records are passed through data normalization and data encoding. After pre-processing, the vectors are fed to the OBCLSTM model. The Bidirectional Channel Pooling (BiCP) layer is used to learn behavior-based features (which show interactions among hosts based on ports, destinations and behavior) and flow-based features (which identify basic flows, such as source and destination IP addresses and ports), which improves the accuracy of detecting malicious attacks. In the OBCLSTM model, the best hyperparameter configuration for the Convolutional Neural Network (CNN) that learns features is tuned using Enhanced Red Fox Optimization (ERFO). Then, bidirectional long short-term memory (BiLSTM) is used to extract features in the time domain; it is able to preserve long-term information from historical context, allowing attackers to be detected early, before they cause widespread damage to networks. Finally, the fully connected layer uses these features to classify the network data as an attack (by attack type) or normal. Tests are conducted on the NSL-KDD99, TUIDS, UNSW-NB15 and BoT-IoT datasets. The proposed OBCLSTM method attains better performance in terms of precision, accuracy, recall, and F-measure. |
| ISSN | 0924-669X, 1573-7497 |
| DOI | 10.1007/s10489-024-05505-y |