Adversarial Reinforcement Learning(ARL)models for intelligent devices and Network Intrusion Detection Systems(NIDS)improve systemresilience against sophisticated cyber-attacks.As a core component of ARL,Adversarial Tr...Adversarial Reinforcement Learning(ARL)models for intelligent devices and Network Intrusion Detection Systems(NIDS)improve systemresilience against sophisticated cyber-attacks.As a core component of ARL,Adversarial Training(AT)enables NIDS agents to discover and prevent newattack paths by exposing them to competing examples,thereby increasing detection accuracy,reducing False Positives(FPs),and enhancing network security.To develop robust decision-making capabilities for real-world network disruptions and hostile activity,NIDS agents are trained in adversarial scenarios to monitor the current state and notify management of any abnormal or malicious activity.The accuracy and timeliness of the IDS were crucial to the network’s availability and reliability at this time.This paper analyzes ARL applications in NIDS,revealing State-of-The-Art(SoTA)methodology,issues,and future research prospects.This includes Reinforcement Machine Learning(RML)-based NIDS,which enables an agent to interact with the environment to achieve a goal,andDeep Reinforcement Learning(DRL)-based NIDS,which can solve complex decision-making problems.Additionally,this survey study addresses cybersecurity adversarial circumstances and their importance for ARL and NIDS.Architectural design,RL algorithms,feature representation,and training methodologies are examined in the ARL-NIDS study.This comprehensive study evaluates ARL for intelligent NIDS research,benefiting cybersecurity researchers,practitioners,and policymakers.The report promotes cybersecurity defense research and innovation.展开更多
Modern intrusion detection systems(MIDS)face persistent challenges in coping with the rapid evolution of cyber threats,high-volume network traffic,and imbalanced datasets.Traditional models often lack the robustness a...Modern intrusion detection systems(MIDS)face persistent challenges in coping with the rapid evolution of cyber threats,high-volume network traffic,and imbalanced datasets.Traditional models often lack the robustness and explainability required to detect novel and sophisticated attacks effectively.This study introduces an advanced,explainable machine learning framework for multi-class IDS using the KDD99 and IDS datasets,which reflects real-world network behavior through a blend of normal and diverse attack classes.The methodology begins with sophisticated data preprocessing,incorporating both RobustScaler and QuantileTransformer to address outliers and skewed feature distributions,ensuring standardized and model-ready inputs.Critical dimensionality reduction is achieved via the Harris Hawks Optimization(HHO)algorithm—a nature-inspired metaheuristic modeled on hawks’hunting strategies.HHO efficiently identifies the most informative features by optimizing a fitness function based on classification performance.Following feature selection,the SMOTE is applied to the training data to resolve class imbalance by synthetically augmenting underrepresented attack types.The stacked architecture is then employed,combining the strengths of XGBoost,SVM,and RF as base learners.This layered approach improves prediction robustness and generalization by balancing bias and variance across diverse classifiers.The model was evaluated using standard classification metrics:precision,recall,F1-score,and overall accuracy.The best overall performance was recorded with an accuracy of 99.44%for UNSW-NB15,demonstrating the model’s effectiveness.After balancing,the model demonstrated a clear improvement in detecting the attacks.We tested the model on four datasets to show the effectiveness of the proposed approach and performed the ablation study to check the effect of each parameter.Also,the proposed model is computationaly efficient.To support transparency and trust in decision-making,explainable AI(XAI)techniques are incorporated that provides both global and local insight into feature contributions,and offers intuitive visualizations for individual predictions.This makes it suitable for practical deployment in cybersecurity environments that demand both precision and accountability.展开更多
Zero-day attacks present a critical cybersecurity challenge for Internet of things(IoT)infrastructures,where the inability of signature-based intrusion detection systems(IDSs)to recognize novel threat behaviors compro...Zero-day attacks present a critical cybersecurity challenge for Internet of things(IoT)infrastructures,where the inability of signature-based intrusion detection systems(IDSs)to recognize novel threat behaviors compromises both system reliability and operational continuity.Existing hybrid IDS solutions often struggle to balance accurate classification of known attacks with reliable anomaly detection,particularly under the computational constraints of IoT environments.To address this gap,we introduce ZeroDefense,an adaptive fusion-based IDS designed for simultaneous detection of known intrusions and emerging zero-day threats.The framework employs a four-layer architecture consisting of i)feature standardization and class balancing,ii)anomaly detection using isolation forest,autoencoder,and local outlier factor,iii)fine-grained attack classification via random forest,extreme gradient boosting(XGBoost),light gradient boosting machine(LightGBM),and attentive interpretable tabular learning(TabNet),and iv)a confidence-aware fusion engine that adaptively selects the most reliable decision path.Suspicious or previously unseen traffic is isolated early through fused anomaly scoring,while benign and known-malicious flows are processed through supervised classification for precise attack labeling.With an anomaly cascaded decision pipeline,a dynamic confidence-driven fusion mechanism,and a deploymentconscious design,ZeroDefense enables real-time inference on IoT edge gateways.Evaluation on the CICIoT2023 benchmark demonstrates 99.94% overall accuracy and 95.64%macro-average F1-score for known attacks,while 5.76% of traffic is successfully flagged as potential zero-day activity,with inference latency maintained below 100 ms/flow.These results indicate that ZeroDefense offers a scalable,resilient,and practically deployable defense capability for modern IoT infrastructures.展开更多
The rapid growth of IoT networks necessitates efficient Intrusion Detection Systems(IDS)capable of addressing dynamic security threats under constrained resource environments.This paper proposes a hybrid IDS for IoT n...The rapid growth of IoT networks necessitates efficient Intrusion Detection Systems(IDS)capable of addressing dynamic security threats under constrained resource environments.This paper proposes a hybrid IDS for IoT networks,integrating Support Vector Machine(SVM)and Genetic Algorithm(GA)for feature selection and parameter optimization.The GA reduces the feature set from 41 to 7,achieving a 30%reduction in overhead while maintaining an attack detection rate of 98.79%.Evaluated on the NSL-KDD dataset,the system demonstrates an accuracy of 97.36%,a recall of 98.42%,and an F1-score of 96.67%,with a low false positive rate of 1.5%.Additionally,it effectively detects critical User-to-Root(U2R)attacks at a rate of 96.2%and Remote-to-Local(R2L)attacks at 95.8%.Performance tests validate the system’s scalability for networks with up to 2000 nodes,with detection latencies of 120 ms at 65%CPU utilization in small-scale deployments and 250 ms at 85%CPU utilization in large-scale scenarios.Parameter sensitivity analysis enhances model robustness,while false positive examination aids in reducing administrative overhead for practical deployment.This IDS offers an effective,scalable,and resource-efficient solution for real-world IoT system security,outperforming traditional approaches.展开更多
The increasing interconnection of modern industrial control systems(ICSs)with the Internet has enhanced operational efficiency,but alsomade these systemsmore vulnerable to cyberattacks.This heightened exposure has dri...The increasing interconnection of modern industrial control systems(ICSs)with the Internet has enhanced operational efficiency,but alsomade these systemsmore vulnerable to cyberattacks.This heightened exposure has driven a growing need for robust ICS security measures.Among the key defences,intrusion detection technology is critical in identifying threats to ICS networks.This paper provides an overview of the distinctive characteristics of ICS network security,highlighting standard attack methods.It then examines various intrusion detection methods,including those based on misuse detection,anomaly detection,machine learning,and specialised requirements.This paper concludes by exploring future directions for developing intrusion detection systems to advance research and ensure the continued security and reliability of ICS operations.展开更多
The increased connectivity and reliance on digital technologies have exposed smart transportation systems to various cyber threats,making intrusion detection a critical aspect of ensuring their secure operation.Tradit...The increased connectivity and reliance on digital technologies have exposed smart transportation systems to various cyber threats,making intrusion detection a critical aspect of ensuring their secure operation.Traditional intrusion detection systems have limitations in terms of centralized architecture,lack of transparency,and vulnerability to single points of failure.This is where the integration of blockchain technology with signature-based intrusion detection can provide a robust and decentralized solution for securing smart transportation systems.This study tackles the issue of database manipulation attacks in smart transportation networks by proposing a signaturebased intrusion detection system.The introduced signature facilitates accurate detection and systematic classification of attacks,enabling categorization according to their severity levels within the transportation infrastructure.Through comparative analysis,the research demonstrates that the blockchain-based IDS outperforms traditional approaches in terms of security,resilience,and data integrity.展开更多
Network attacks have become a critical issue in the internet security domain.Artificial intelligence technology-based detection methodologies have attracted attention;however,recent studies have struggled to adapt to ...Network attacks have become a critical issue in the internet security domain.Artificial intelligence technology-based detection methodologies have attracted attention;however,recent studies have struggled to adapt to changing attack patterns and complex network environments.In addition,it is difficult to explain the detection results logically using artificial intelligence.We propose a method for classifying network attacks using graph models to explain the detection results.First,we reconstruct the network packet data into a graphical structure.We then use a graph model to predict network attacks using edge classification.To explain the prediction results,we observed numerical changes by randomly masking and calculating the importance of neighbors,allowing us to extract significant subgraphs.Our experiments on six public datasets demonstrate superior performance with an average F1-score of 0.960 and accuracy of 0.964,outperforming traditional machine learning and other graph models.The visual representation of the extracted subgraphs highlights the neighboring nodes that have the greatest impact on the results,thus explaining detection.In conclusion,this study demonstrates that graph-based models are suitable for network attack detection in complex environments,and the importance of graph neighbors can be calculated to efficiently analyze the results.This approach can contribute to real-world network security analyses and provide a new direction in the field.展开更多
The Intrusion Detection System(IDS)is a security mechanism developed to observe network traffic and recognize suspicious or malicious activities.Clustering algorithms are often incorporated into IDS;however,convention...The Intrusion Detection System(IDS)is a security mechanism developed to observe network traffic and recognize suspicious or malicious activities.Clustering algorithms are often incorporated into IDS;however,conventional clustering-based methods face notable drawbacks,including poor scalability in handling high-dimensional datasets and a strong dependence of outcomes on initial conditions.To overcome the performance limitations of existing methods,this study proposes a novel quantum-inspired clustering algorithm that relies on a similarity coefficient-based quantum genetic algorithm(SC-QGA)and an improved quantum artificial bee colony algorithm hybrid K-means(IQABC-K).First,the SC-QGA algorithmis constructed based on quantum computing and integrates similarity coefficient theory to strengthen genetic diversity and feature extraction capabilities.For the subsequent clustering phase,the process based on the IQABC-K algorithm is enhanced with the core improvement of adaptive rotation gate and movement exploitation strategies to balance the exploration capabilities of global search and the exploitation capabilities of local search.Simultaneously,the acceleration of convergence toward the global optimum and a reduction in computational complexity are facilitated by means of the global optimum bootstrap strategy and a linear population reduction strategy.Through experimental evaluation with multiple algorithms and diverse performance metrics,the proposed algorithm confirms reliable accuracy on three datasets:KDD CUP99,NSL_KDD,and UNSW_NB15,achieving accuracy of 98.57%,98.81%,and 98.32%,respectively.These results affirm its potential as an effective solution for practical clustering applications.展开更多
Existing feature selection methods for intrusion detection systems in the Industrial Internet of Things often suffer from local optimality and high computational complexity.These challenges hinder traditional IDS from...Existing feature selection methods for intrusion detection systems in the Industrial Internet of Things often suffer from local optimality and high computational complexity.These challenges hinder traditional IDS from effectively extracting features while maintaining detection accuracy.This paper proposes an industrial Internet ofThings intrusion detection feature selection algorithm based on an improved whale optimization algorithm(GSLDWOA).The aim is to address the problems that feature selection algorithms under high-dimensional data are prone to,such as local optimality,long detection time,and reduced accuracy.First,the initial population’s diversity is increased using the Gaussian Mutation mechanism.Then,Non-linear Shrinking Factor balances global exploration and local development,avoiding premature convergence.Lastly,Variable-step Levy Flight operator and Dynamic Differential Evolution strategy are introduced to improve the algorithm’s search efficiency and convergence accuracy in highdimensional feature space.Experiments on the NSL-KDD and WUSTL-IIoT-2021 datasets demonstrate that the feature subset selected by GSLDWOA significantly improves detection performance.Compared to the traditional WOA algorithm,the detection rate and F1-score increased by 3.68%and 4.12%.On the WUSTL-IIoT-2021 dataset,accuracy,recall,and F1-score all exceed 99.9%.展开更多
The expansion of 5G-enabled Internet of Things(IoT)networks,while enabling transformative applications,significantly increases the attack surface and necessitates security solutions that extend beyond traditional intr...The expansion of 5G-enabled Internet of Things(IoT)networks,while enabling transformative applications,significantly increases the attack surface and necessitates security solutions that extend beyond traditional intrusion detection.Existing intrusion detection systems(IDSs)mainly operate in an open-loop manner,excelling at classification but lacking the ability for autonomous,safety-aware remediation.This gap is particularly critical in 5G environments,where manual intervention is too slow and naive automation can lead to severe service disruptions.To address this issue,we propose a novel Self-Healing Intrusion Detection System(SH-IDS)framework that develops a closed-loop cyber defense mechanism.The main technical contribution is the integration of a deep neural networkbased threat detector,which offers uncertainty-quantified predictions,with a safety-aware reinforcement learning(RL)engine formulated as a Constrained Markov Decision Process(CMDP).The CMDP explicitly models operational safety as cost constraints,and a new runtime safety shield actively adjusts any unsafe action proposed by the RL agent to the nearest safe alternative,ensuring operational integrity.Additionally,we introduce a composite utility function for the comprehensive evaluation of the system.Empirical analysis on the 5G-NIDD dataset demonstrates the superior performance of our framework:the detector achieves 98.26%accuracy,while the safe RL agent learns effective mitigation policies.Importantly,the safety shield blocked up to 70 unsafe actions under strict constraints,and analysis of the learned Q-tables confirms that the agent internalizes safety,avoiding overly disruptive actions,such as isolating nodes for minor threats.The system also maintains high efficiency with a compact model size of 121.7 KB and sub-millisecond latency,confirming its practical deployability for real-time 5G-IoT security.展开更多
In the dispersed computing environment driven by intelligent networks,intrusion detection faces significant challenges.This paper proposes a multilayer decentralized federated learning framework based on mean field ga...In the dispersed computing environment driven by intelligent networks,intrusion detection faces significant challenges.This paper proposes a multilayer decentralized federated learning framework based on mean field game theory(MFG-DFL).The framework organizes networked computing points(NCPs)into a three-layer collaborative architecture,and innovatively introduces MFG theory to model the complex dynamic interactions,which among large-scale NCPs as a game between a representative NCP and the mean field.By solving the coupled HJB and FPK equations,we design a dynamic incentive mechanism to fairly quantify and reward NCP contributions,thus aligning individual rationality with the global objectives of the system.The simulation results on the CICIoT2023 data set demonstrate the outstanding performance of the proposed framework.Specifically,it achieves an intrusion detection accuracy of 81.09%in highly non-IID scenarios,showcasing a well-balanced trade-off between computational efficiency and performance enhancement.展开更多
Safeguarding modern networks from cyber intrusions has become increasingly challenging as attackers continually refine their evasion tactics.Although numerousmachine-learning-based intrusion detection systems(IDS)have...Safeguarding modern networks from cyber intrusions has become increasingly challenging as attackers continually refine their evasion tactics.Although numerousmachine-learning-based intrusion detection systems(IDS)have been developed,their effectiveness is often constrained by high dimensionality and redundant features that degrade both accuracy and efficiency.This study introduces a hybrid feature-selection framework that integrates the exploration capability of Prairie Dog Optimization(PDO)with the exploitation behavior of Ant Colony Optimization(ACO).The proposed PDO–ACO algorithm identifies a concise yet discriminative subset of features from the NSLKDD dataset and evaluates them using a Support Vector Machine(SVM)classifier.Experimental analyses reveal that the PDO–ACO model achieves superior detection accuracy of 98%while significantly lowering false alarms and computational overhead.Further validation on the CEC2017 benchmark suite confirms the robustness and adaptability of the hybrid model across diverse optimization landscapes,positioning PDO–ACO as an efficient and scalable approach for intelligent intrusion detection.展开更多
With the growing complexity and decentralization of network systems,the attack surface has expanded,which has led to greater concerns over network threats.In this context,artificial intelligence(AI)-based network intr...With the growing complexity and decentralization of network systems,the attack surface has expanded,which has led to greater concerns over network threats.In this context,artificial intelligence(AI)-based network intrusion detection systems(NIDS)have been extensively studied,and recent efforts have shifted toward integrating distributed learning to enable intelligent and scalable detection mechanisms.However,most existing works focus on individual distributed learning frameworks,and there is a lack of systematic evaluations that compare different algorithms under consistent conditions.In this paper,we present a comprehensive evaluation of representative distributed learning frameworks—Federated Learning(FL),Split Learning(SL),hybrid collaborative learning(SFL),and fully distributed learning—in the context of AI-driven NIDS.Using recent benchmark intrusion detection datasets,a unified model backbone,and controlled distributed scenarios,we assess these frameworks across multiple criteria,including detection performance,communication cost,computational efficiency,and convergence behavior.Our findings highlight distinct trade-offs among the distributed learning frameworks,demonstrating that the optimal choice depends strongly on systemconstraints such as bandwidth availability,node resources,and data distribution.This work provides the first holistic analysis of distributed learning approaches for AI-driven NIDS and offers practical guidelines for designing secure and efficient intrusion detection systems in decentralized environments.展开更多
With the increasing severity of network security threats,Network Intrusion Detection(NID)has become a key technology to ensure network security.To address the problem of low detection rate of traditional intrusion det...With the increasing severity of network security threats,Network Intrusion Detection(NID)has become a key technology to ensure network security.To address the problem of low detection rate of traditional intrusion detection models,this paper proposes a Dual-Attention model for NID,which combines Convolutional Neural Network(CNN)and Bidirectional Long Short-Term Memory(BiLSTM)to design two modules:the FocusConV and the TempoNet module.The FocusConV module,which automatically adjusts and weights CNN extracted local features,focuses on local features that are more important for intrusion detection.The TempoNet module focuses on global information,identifies more important features in time steps or sequences,and filters and weights the information globally to further improve the accuracy and robustness of NID.Meanwhile,in order to solve the class imbalance problem in the dataset,the EQL v2 method is used to compute the class weights of each class and to use them in the loss computation,which optimizes the performance of the model on the class imbalance problem.Extensive experiments were conducted on the NSL-KDD,UNSW-NB15,and CIC-DDos2019 datasets,achieving average accuracy rates of 99.66%,87.47%,and 99.39%,respectively,demonstrating excellent detection accuracy and robustness.The model also improves the detection performance of minority classes in the datasets.On the UNSW-NB15 dataset,the detection rates for Analysis,Exploits,and Shellcode attacks increased by 7%,7%,and 10%,respectively,demonstrating the Dual-Attention CNN-BiLSTM model’s excellent performance in NID.展开更多
The Internet of Things(IoT)is integral to modern infrastructure,enabling connectivity among a wide range of devices from home automation to industrial control systems.With the exponential increase in data generated by...The Internet of Things(IoT)is integral to modern infrastructure,enabling connectivity among a wide range of devices from home automation to industrial control systems.With the exponential increase in data generated by these interconnected devices,robust anomaly detection mechanisms are essential.Anomaly detection in this dynamic environment necessitates methods that can accurately distinguish between normal and anomalous behavior by learning intricate patterns.This paper presents a novel approach utilizing generative adversarial networks(GANs)for anomaly detection in IoT systems.However,optimizing GANs involves tuning hyper-parameters such as learning rate,batch size,and optimization algorithms,which can be challenging due to the non-convex nature of GAN loss functions.To address this,we propose a five-dimensional Gray wolf optimizer(5DGWO)to optimize GAN hyper-parameters.The 5DGWO introduces two new types of wolves:gamma(γ)for improved exploitation and convergence,and theta(θ)for enhanced exploration and escaping local minima.The proposed system framework comprises four key stages:1)preprocessing,2)generative model training,3)autoencoder(AE)training,and 4)predictive model training.The generative models are utilized to assist the AE training,and the final predictive models(including convolutional neural network(CNN),deep belief network(DBN),recurrent neural network(RNN),random forest(RF),and extreme gradient boosting(XGBoost))are trained using the generated data and AE-encoded features.We evaluated the system on three benchmark datasets:NSL-KDD,UNSW-NB15,and IoT-23.Experiments conducted on diverse IoT datasets show that our method outperforms existing anomaly detection strategies and significantly reduces false positives.The 5DGWO-GAN-CNNAE exhibits superior performance in various metrics,including accuracy,recall,precision,root mean square error(RMSE),and convergence trend.The proposed 5DGWO-GAN-CNNAE achieved the lowest RMSE values across the NSL-KDD,UNSW-NB15,and IoT-23 datasets,with values of 0.24,1.10,and 0.09,respectively.Additionally,it attained the highest accuracy,ranging from 94%to 100%.These results suggest a promising direction for future IoT security frameworks,offering a scalable and efficient solution to safeguard against evolving cyber threats.展开更多
The rapid rise of cyberattacks and the gradual failure of traditional defense systems and approaches led to using artificial intelligence(AI)techniques(such as machine learning(ML)and deep learning(DL))to build more e...The rapid rise of cyberattacks and the gradual failure of traditional defense systems and approaches led to using artificial intelligence(AI)techniques(such as machine learning(ML)and deep learning(DL))to build more efficient and reliable intrusion detection systems(IDSs).However,the advent of larger IDS datasets has negatively impacted the performance and computational complexity of AI-based IDSs.Many researchers used data preprocessing techniques such as feature selection and normalization to overcome such issues.While most of these researchers reported the success of these preprocessing techniques on a shallow level,very few studies have been performed on their effects on a wider scale.Furthermore,the performance of an IDS model is subject to not only the utilized preprocessing techniques but also the dataset and the ML/DL algorithm used,which most of the existing studies give little emphasis on.Thus,this study provides an in-depth analysis of feature selection and normalization effects on IDS models built using three IDS datasets:NSL-KDD,UNSW-NB15,and CSE–CIC–IDS2018,and various AI algorithms.A wrapper-based approach,which tends to give superior performance,and min-max normalization methods were used for feature selection and normalization,respectively.Numerous IDS models were implemented using the full and feature-selected copies of the datasets with and without normalization.The models were evaluated using popular evaluation metrics in IDS modeling,intra-and inter-model comparisons were performed between models and with state-of-the-art works.Random forest(RF)models performed better on NSL-KDD and UNSW-NB15 datasets with accuracies of 99.86%and 96.01%,respectively,whereas artificial neural network(ANN)achieved the best accuracy of 95.43%on the CSE–CIC–IDS2018 dataset.The RF models also achieved an excellent performance compared to recent works.The results show that normalization and feature selection positively affect IDS modeling.Furthermore,while feature selection benefits simpler algorithms(such as RF),normalization is more useful for complex algorithms like ANNs and deep neural networks(DNNs),and algorithms such as Naive Bayes are unsuitable for IDS modeling.The study also found that the UNSW-NB15 and CSE–CIC–IDS2018 datasets are more complex and more suitable for building and evaluating modern-day IDS than the NSL-KDD dataset.Our findings suggest that prioritizing robust algorithms like RF,alongside complex models such as ANN and DNN,can significantly enhance IDS performance.These insights provide valuable guidance for managers to develop more effective security measures by focusing on high detection rates and low false alert rates.展开更多
Intrusion attempts against Internet of Things(IoT)devices have significantly increased in the last few years.These devices are now easy targets for hackers because of their built-in security flaws.Combining a Self-Org...Intrusion attempts against Internet of Things(IoT)devices have significantly increased in the last few years.These devices are now easy targets for hackers because of their built-in security flaws.Combining a Self-Organizing Map(SOM)hybrid anomaly detection system for dimensionality reduction with the inherited nature of clustering and Extreme Gradient Boosting(XGBoost)for multi-class classification can improve network traffic intrusion detection.The proposed model is evaluated on the NSL-KDD dataset.The hybrid approach outperforms the baseline line models,Multilayer perceptron model,and SOM-KNN(k-nearest neighbors)model in precision,recall,and F1-score,highlighting the proposed approach’s scalability,potential,adaptability,and real-world applicability.Therefore,this paper proposes a highly efficient deployment strategy for resource-constrained network edges.The results reveal that Precision,Recall,and F1-scores rise 10%-30% for the benign,probing,and Denial of Service(DoS)classes.In particular,the DoS,probe,and benign classes improved their F1-scores by 7.91%,32.62%,and 12.45%,respectively.展开更多
The rapid development and widespread adoption of Internet technology have significantly increased Internet traffic,highlighting the growing importance of network security.Intrusion Detection Systems(IDS)are essential ...The rapid development and widespread adoption of Internet technology have significantly increased Internet traffic,highlighting the growing importance of network security.Intrusion Detection Systems(IDS)are essential for safeguarding network integrity.To address the low accuracy of existing intrusion detection models in identifying network attacks,this paper proposes an intrusion detection method based on the fusion of Spatial Attention mechanism and Residual Neural Network(SA-ResNet).Utilizing residual connections can effectively capture local features in the data;by introducing a spatial attention mechanism,the global dependency relationships of intrusion features can be extracted,enhancing the intrusion recognition model’s focus on the global features of intrusions,and effectively improving the accuracy of intrusion recognition.The proposed model in this paper was experimentally verified on theNSL-KDD dataset.The experimental results showthat the intrusion recognition accuracy of the intrusion detection method based on SA-ResNet has reached 99.86%,and its overall accuracy is 0.41% higher than that of traditional Convolutional Neural Network(CNN)models.展开更多
The increasing popularity of the Internet and the widespread use of information technology have led to a rise in the number and sophistication of network attacks and security threats.Intrusion detection systems are cr...The increasing popularity of the Internet and the widespread use of information technology have led to a rise in the number and sophistication of network attacks and security threats.Intrusion detection systems are crucial to network security,playing a pivotal role in safeguarding networks from potential threats.However,in the context of an evolving landscape of sophisticated and elusive attacks,existing intrusion detection methodologies often overlook critical aspects such as changes in network topology over time and interactions between hosts.To address these issues,this paper proposes a real-time network intrusion detection method based on graph neural networks.The proposedmethod leverages the advantages of graph neural networks and employs a straightforward graph construction method to represent network traffic as dynamic graph-structured data.Additionally,a graph convolution operation with a multi-head attention mechanism is utilized to enhance the model’s ability to capture the intricate relationships within the graph structure comprehensively.Furthermore,it uses an integrated graph neural network to address dynamic graphs’structural and topological changes at different time points and the challenges of edge embedding in intrusion detection data.The edge classification problem is effectively transformed into node classification by employing a line graph data representation,which facilitates fine-grained intrusion detection tasks on dynamic graph node feature representations.The efficacy of the proposed method is evaluated using two commonly used intrusion detection datasets,UNSW-NB15 and NF-ToN-IoT-v2,and results are compared with previous studies in this field.The experimental results demonstrate that our proposed method achieves 99.3%and 99.96%accuracy on the two datasets,respectively,and outperforms the benchmark model in several evaluation metrics.展开更多
Quality of Service(QoS)assurance in programmable IoT and 5G networks is increasingly threatened by cyberattacks such as Distributed Denial of Service(DDoS),spoofing,and botnet intrusions.This paper presents AutoSHARC,...Quality of Service(QoS)assurance in programmable IoT and 5G networks is increasingly threatened by cyberattacks such as Distributed Denial of Service(DDoS),spoofing,and botnet intrusions.This paper presents AutoSHARC,a feedback-driven,explainable intrusion detection framework that integrates Boruta and LightGBM–SHAP feature selection with a lightweight CNN–Attention–GRU classifier.AutoSHARC employs a two-stage feature selection pipeline to identify the most informative features from high-dimensional IoT traffic and reduces 46 features to 30 highly informative ones,followed by post-hoc SHAP-guided retraining to refine feature importance,forming a feedback loopwhere only the most impactful attributes are reused to retrain themodel.This iterative refinement reduces computational overhead,accelerates detection latency,and improves transparency.Evaluated on the CIC IoT 2023 dataset,AutoSHARC achieves 98.98%accuracy,98.9%F1-score,and strong robustness with a Matthews Correlation Coefficient of 0.98 and Cohen’s Kappa of 0.98.The final model contains only 531,272 trainable parameters with a compact 2 MB size,enabling real-time deployment on resource-constrained IoT nodes.By combining explainable AI with iterative feature refinement,AutoSHARC provides scalable and trustworthy intrusion detection while preserving key QoS indicators such as latency,throughput,and reliability.展开更多
文摘Adversarial Reinforcement Learning(ARL)models for intelligent devices and Network Intrusion Detection Systems(NIDS)improve systemresilience against sophisticated cyber-attacks.As a core component of ARL,Adversarial Training(AT)enables NIDS agents to discover and prevent newattack paths by exposing them to competing examples,thereby increasing detection accuracy,reducing False Positives(FPs),and enhancing network security.To develop robust decision-making capabilities for real-world network disruptions and hostile activity,NIDS agents are trained in adversarial scenarios to monitor the current state and notify management of any abnormal or malicious activity.The accuracy and timeliness of the IDS were crucial to the network’s availability and reliability at this time.This paper analyzes ARL applications in NIDS,revealing State-of-The-Art(SoTA)methodology,issues,and future research prospects.This includes Reinforcement Machine Learning(RML)-based NIDS,which enables an agent to interact with the environment to achieve a goal,andDeep Reinforcement Learning(DRL)-based NIDS,which can solve complex decision-making problems.Additionally,this survey study addresses cybersecurity adversarial circumstances and their importance for ARL and NIDS.Architectural design,RL algorithms,feature representation,and training methodologies are examined in the ARL-NIDS study.This comprehensive study evaluates ARL for intelligent NIDS research,benefiting cybersecurity researchers,practitioners,and policymakers.The report promotes cybersecurity defense research and innovation.
基金funded by Princess Nourah bint Abdulrahman University Researchers Supporting Project number(PNURSP2025R104)Princess Nourah bint Abdulrahman University,Riyadh,Saudi Arabia.
文摘Modern intrusion detection systems(MIDS)face persistent challenges in coping with the rapid evolution of cyber threats,high-volume network traffic,and imbalanced datasets.Traditional models often lack the robustness and explainability required to detect novel and sophisticated attacks effectively.This study introduces an advanced,explainable machine learning framework for multi-class IDS using the KDD99 and IDS datasets,which reflects real-world network behavior through a blend of normal and diverse attack classes.The methodology begins with sophisticated data preprocessing,incorporating both RobustScaler and QuantileTransformer to address outliers and skewed feature distributions,ensuring standardized and model-ready inputs.Critical dimensionality reduction is achieved via the Harris Hawks Optimization(HHO)algorithm—a nature-inspired metaheuristic modeled on hawks’hunting strategies.HHO efficiently identifies the most informative features by optimizing a fitness function based on classification performance.Following feature selection,the SMOTE is applied to the training data to resolve class imbalance by synthetically augmenting underrepresented attack types.The stacked architecture is then employed,combining the strengths of XGBoost,SVM,and RF as base learners.This layered approach improves prediction robustness and generalization by balancing bias and variance across diverse classifiers.The model was evaluated using standard classification metrics:precision,recall,F1-score,and overall accuracy.The best overall performance was recorded with an accuracy of 99.44%for UNSW-NB15,demonstrating the model’s effectiveness.After balancing,the model demonstrated a clear improvement in detecting the attacks.We tested the model on four datasets to show the effectiveness of the proposed approach and performed the ablation study to check the effect of each parameter.Also,the proposed model is computationaly efficient.To support transparency and trust in decision-making,explainable AI(XAI)techniques are incorporated that provides both global and local insight into feature contributions,and offers intuitive visualizations for individual predictions.This makes it suitable for practical deployment in cybersecurity environments that demand both precision and accountability.
文摘Zero-day attacks present a critical cybersecurity challenge for Internet of things(IoT)infrastructures,where the inability of signature-based intrusion detection systems(IDSs)to recognize novel threat behaviors compromises both system reliability and operational continuity.Existing hybrid IDS solutions often struggle to balance accurate classification of known attacks with reliable anomaly detection,particularly under the computational constraints of IoT environments.To address this gap,we introduce ZeroDefense,an adaptive fusion-based IDS designed for simultaneous detection of known intrusions and emerging zero-day threats.The framework employs a four-layer architecture consisting of i)feature standardization and class balancing,ii)anomaly detection using isolation forest,autoencoder,and local outlier factor,iii)fine-grained attack classification via random forest,extreme gradient boosting(XGBoost),light gradient boosting machine(LightGBM),and attentive interpretable tabular learning(TabNet),and iv)a confidence-aware fusion engine that adaptively selects the most reliable decision path.Suspicious or previously unseen traffic is isolated early through fused anomaly scoring,while benign and known-malicious flows are processed through supervised classification for precise attack labeling.With an anomaly cascaded decision pipeline,a dynamic confidence-driven fusion mechanism,and a deploymentconscious design,ZeroDefense enables real-time inference on IoT edge gateways.Evaluation on the CICIoT2023 benchmark demonstrates 99.94% overall accuracy and 95.64%macro-average F1-score for known attacks,while 5.76% of traffic is successfully flagged as potential zero-day activity,with inference latency maintained below 100 ms/flow.These results indicate that ZeroDefense offers a scalable,resilient,and practically deployable defense capability for modern IoT infrastructures.
文摘The rapid growth of IoT networks necessitates efficient Intrusion Detection Systems(IDS)capable of addressing dynamic security threats under constrained resource environments.This paper proposes a hybrid IDS for IoT networks,integrating Support Vector Machine(SVM)and Genetic Algorithm(GA)for feature selection and parameter optimization.The GA reduces the feature set from 41 to 7,achieving a 30%reduction in overhead while maintaining an attack detection rate of 98.79%.Evaluated on the NSL-KDD dataset,the system demonstrates an accuracy of 97.36%,a recall of 98.42%,and an F1-score of 96.67%,with a low false positive rate of 1.5%.Additionally,it effectively detects critical User-to-Root(U2R)attacks at a rate of 96.2%and Remote-to-Local(R2L)attacks at 95.8%.Performance tests validate the system’s scalability for networks with up to 2000 nodes,with detection latencies of 120 ms at 65%CPU utilization in small-scale deployments and 250 ms at 85%CPU utilization in large-scale scenarios.Parameter sensitivity analysis enhances model robustness,while false positive examination aids in reducing administrative overhead for practical deployment.This IDS offers an effective,scalable,and resource-efficient solution for real-world IoT system security,outperforming traditional approaches.
文摘The increasing interconnection of modern industrial control systems(ICSs)with the Internet has enhanced operational efficiency,but alsomade these systemsmore vulnerable to cyberattacks.This heightened exposure has driven a growing need for robust ICS security measures.Among the key defences,intrusion detection technology is critical in identifying threats to ICS networks.This paper provides an overview of the distinctive characteristics of ICS network security,highlighting standard attack methods.It then examines various intrusion detection methods,including those based on misuse detection,anomaly detection,machine learning,and specialised requirements.This paper concludes by exploring future directions for developing intrusion detection systems to advance research and ensure the continued security and reliability of ICS operations.
基金supported by the National Research Foundation(NRF),Republic of Korea,under project BK21 FOUR(4299990213939).
文摘The increased connectivity and reliance on digital technologies have exposed smart transportation systems to various cyber threats,making intrusion detection a critical aspect of ensuring their secure operation.Traditional intrusion detection systems have limitations in terms of centralized architecture,lack of transparency,and vulnerability to single points of failure.This is where the integration of blockchain technology with signature-based intrusion detection can provide a robust and decentralized solution for securing smart transportation systems.This study tackles the issue of database manipulation attacks in smart transportation networks by proposing a signaturebased intrusion detection system.The introduced signature facilitates accurate detection and systematic classification of attacks,enabling categorization according to their severity levels within the transportation infrastructure.Through comparative analysis,the research demonstrates that the blockchain-based IDS outperforms traditional approaches in terms of security,resilience,and data integrity.
基金supported by the MSIT(Ministry of Science and ICT),Republic of Korea,under the ICAN(ICT Challenge and Advanced Network of HRD)support program(IITP-2025-RS-2023-00259497)supervised by the IITP(Institute for Information&Communications Technology Planning&Evaluation)and was supported by Institute of Information&Communications Technology Planning&Evaluation(IITP)grant funded by the Republic of Korea government(MSIT)(No.IITP-2025-RS-2023-00254129+1 种基金Graduate School of Metaverse Convergence(Sungkyunkwan University))was supported by the Basic Science Research Program of the National Research Foundation(NRF)funded by the Republic of Korean government(MSIT)(No.RS-2024-00346737).
文摘Network attacks have become a critical issue in the internet security domain.Artificial intelligence technology-based detection methodologies have attracted attention;however,recent studies have struggled to adapt to changing attack patterns and complex network environments.In addition,it is difficult to explain the detection results logically using artificial intelligence.We propose a method for classifying network attacks using graph models to explain the detection results.First,we reconstruct the network packet data into a graphical structure.We then use a graph model to predict network attacks using edge classification.To explain the prediction results,we observed numerical changes by randomly masking and calculating the importance of neighbors,allowing us to extract significant subgraphs.Our experiments on six public datasets demonstrate superior performance with an average F1-score of 0.960 and accuracy of 0.964,outperforming traditional machine learning and other graph models.The visual representation of the extracted subgraphs highlights the neighboring nodes that have the greatest impact on the results,thus explaining detection.In conclusion,this study demonstrates that graph-based models are suitable for network attack detection in complex environments,and the importance of graph neighbors can be calculated to efficiently analyze the results.This approach can contribute to real-world network security analyses and provide a new direction in the field.
基金supported by the NSFC(Grant Nos.62176273,62271070,62441212)The Open Foundation of State Key Laboratory of Networking and Switching Technology(Beijing University of Posts and Telecommunications)under Grant SKLNST-2024-1-062025Major Project of the Natural Science Foundation of Inner Mongolia(2025ZD008).
文摘The Intrusion Detection System(IDS)is a security mechanism developed to observe network traffic and recognize suspicious or malicious activities.Clustering algorithms are often incorporated into IDS;however,conventional clustering-based methods face notable drawbacks,including poor scalability in handling high-dimensional datasets and a strong dependence of outcomes on initial conditions.To overcome the performance limitations of existing methods,this study proposes a novel quantum-inspired clustering algorithm that relies on a similarity coefficient-based quantum genetic algorithm(SC-QGA)and an improved quantum artificial bee colony algorithm hybrid K-means(IQABC-K).First,the SC-QGA algorithmis constructed based on quantum computing and integrates similarity coefficient theory to strengthen genetic diversity and feature extraction capabilities.For the subsequent clustering phase,the process based on the IQABC-K algorithm is enhanced with the core improvement of adaptive rotation gate and movement exploitation strategies to balance the exploration capabilities of global search and the exploitation capabilities of local search.Simultaneously,the acceleration of convergence toward the global optimum and a reduction in computational complexity are facilitated by means of the global optimum bootstrap strategy and a linear population reduction strategy.Through experimental evaluation with multiple algorithms and diverse performance metrics,the proposed algorithm confirms reliable accuracy on three datasets:KDD CUP99,NSL_KDD,and UNSW_NB15,achieving accuracy of 98.57%,98.81%,and 98.32%,respectively.These results affirm its potential as an effective solution for practical clustering applications.
基金supported by the Major Science and Technology Programs in Henan Province(No.241100210100)Henan Provincial Science and Technology Research Project(No.252102211085,No.252102211105)+3 种基金Endogenous Security Cloud Network Convergence R&D Center(No.602431011PQ1)The Special Project for Research and Development in Key Areas of Guangdong Province(No.2021ZDZX1098)The Stabilization Support Program of Science,Technology and Innovation Commission of Shenzhen Municipality(No.20231128083944001)The Key scientific research projects of Henan higher education institutions(No.24A520042).
文摘Existing feature selection methods for intrusion detection systems in the Industrial Internet of Things often suffer from local optimality and high computational complexity.These challenges hinder traditional IDS from effectively extracting features while maintaining detection accuracy.This paper proposes an industrial Internet ofThings intrusion detection feature selection algorithm based on an improved whale optimization algorithm(GSLDWOA).The aim is to address the problems that feature selection algorithms under high-dimensional data are prone to,such as local optimality,long detection time,and reduced accuracy.First,the initial population’s diversity is increased using the Gaussian Mutation mechanism.Then,Non-linear Shrinking Factor balances global exploration and local development,avoiding premature convergence.Lastly,Variable-step Levy Flight operator and Dynamic Differential Evolution strategy are introduced to improve the algorithm’s search efficiency and convergence accuracy in highdimensional feature space.Experiments on the NSL-KDD and WUSTL-IIoT-2021 datasets demonstrate that the feature subset selected by GSLDWOA significantly improves detection performance.Compared to the traditional WOA algorithm,the detection rate and F1-score increased by 3.68%and 4.12%.On the WUSTL-IIoT-2021 dataset,accuracy,recall,and F1-score all exceed 99.9%.
基金appreciation to the Deanship of Research and Graduate Studies at King Khalid University for funding this work through the Large Group Project under grant number(RGP2/245/46)Princess Nourah bint Abdulrahman University Researchers Supporting Project number(PNURSP2026R333)Princess Nourah bint Abdulrahman University,Riyadh,Saudi Arabia.
文摘The expansion of 5G-enabled Internet of Things(IoT)networks,while enabling transformative applications,significantly increases the attack surface and necessitates security solutions that extend beyond traditional intrusion detection.Existing intrusion detection systems(IDSs)mainly operate in an open-loop manner,excelling at classification but lacking the ability for autonomous,safety-aware remediation.This gap is particularly critical in 5G environments,where manual intervention is too slow and naive automation can lead to severe service disruptions.To address this issue,we propose a novel Self-Healing Intrusion Detection System(SH-IDS)framework that develops a closed-loop cyber defense mechanism.The main technical contribution is the integration of a deep neural networkbased threat detector,which offers uncertainty-quantified predictions,with a safety-aware reinforcement learning(RL)engine formulated as a Constrained Markov Decision Process(CMDP).The CMDP explicitly models operational safety as cost constraints,and a new runtime safety shield actively adjusts any unsafe action proposed by the RL agent to the nearest safe alternative,ensuring operational integrity.Additionally,we introduce a composite utility function for the comprehensive evaluation of the system.Empirical analysis on the 5G-NIDD dataset demonstrates the superior performance of our framework:the detector achieves 98.26%accuracy,while the safe RL agent learns effective mitigation policies.Importantly,the safety shield blocked up to 70 unsafe actions under strict constraints,and analysis of the learned Q-tables confirms that the agent internalizes safety,avoiding overly disruptive actions,such as isolating nodes for minor threats.The system also maintains high efficiency with a compact model size of 121.7 KB and sub-millisecond latency,confirming its practical deployability for real-time 5G-IoT security.
基金National Science Foundation Project of China(62436004,62372317)National Key Research and Development Program of China(2023YFC3331702)。
文摘In the dispersed computing environment driven by intelligent networks,intrusion detection faces significant challenges.This paper proposes a multilayer decentralized federated learning framework based on mean field game theory(MFG-DFL).The framework organizes networked computing points(NCPs)into a three-layer collaborative architecture,and innovatively introduces MFG theory to model the complex dynamic interactions,which among large-scale NCPs as a game between a representative NCP and the mean field.By solving the coupled HJB and FPK equations,we design a dynamic incentive mechanism to fairly quantify and reward NCP contributions,thus aligning individual rationality with the global objectives of the system.The simulation results on the CICIoT2023 data set demonstrate the outstanding performance of the proposed framework.Specifically,it achieves an intrusion detection accuracy of 81.09%in highly non-IID scenarios,showcasing a well-balanced trade-off between computational efficiency and performance enhancement.
基金funded by Princess Nourah bint Abdulrahman University Researchers Supporting Project number(PNURSP2026R500)Princess Nourah bint Abdulrahman University,Riyadh,Saudi Arabia.
文摘Safeguarding modern networks from cyber intrusions has become increasingly challenging as attackers continually refine their evasion tactics.Although numerousmachine-learning-based intrusion detection systems(IDS)have been developed,their effectiveness is often constrained by high dimensionality and redundant features that degrade both accuracy and efficiency.This study introduces a hybrid feature-selection framework that integrates the exploration capability of Prairie Dog Optimization(PDO)with the exploitation behavior of Ant Colony Optimization(ACO).The proposed PDO–ACO algorithm identifies a concise yet discriminative subset of features from the NSLKDD dataset and evaluates them using a Support Vector Machine(SVM)classifier.Experimental analyses reveal that the PDO–ACO model achieves superior detection accuracy of 98%while significantly lowering false alarms and computational overhead.Further validation on the CEC2017 benchmark suite confirms the robustness and adaptability of the hybrid model across diverse optimization landscapes,positioning PDO–ACO as an efficient and scalable approach for intelligent intrusion detection.
基金supported by the Research year project of the KongjuNational University in 2025 and the Institute of Information&Communications Technology Planning&Evaluation(IITP)grant funded by the Korea government(MSIT)(No.RS-2024-00444170,Research and International Collaboration on Trust Model-Based Intelligent Incident Response Technologies in 6G Open Network Environment).
文摘With the growing complexity and decentralization of network systems,the attack surface has expanded,which has led to greater concerns over network threats.In this context,artificial intelligence(AI)-based network intrusion detection systems(NIDS)have been extensively studied,and recent efforts have shifted toward integrating distributed learning to enable intelligent and scalable detection mechanisms.However,most existing works focus on individual distributed learning frameworks,and there is a lack of systematic evaluations that compare different algorithms under consistent conditions.In this paper,we present a comprehensive evaluation of representative distributed learning frameworks—Federated Learning(FL),Split Learning(SL),hybrid collaborative learning(SFL),and fully distributed learning—in the context of AI-driven NIDS.Using recent benchmark intrusion detection datasets,a unified model backbone,and controlled distributed scenarios,we assess these frameworks across multiple criteria,including detection performance,communication cost,computational efficiency,and convergence behavior.Our findings highlight distinct trade-offs among the distributed learning frameworks,demonstrating that the optimal choice depends strongly on systemconstraints such as bandwidth availability,node resources,and data distribution.This work provides the first holistic analysis of distributed learning approaches for AI-driven NIDS and offers practical guidelines for designing secure and efficient intrusion detection systems in decentralized environments.
基金supported by the High-Level Talent Foundation of Jinling Institute of Technology(grant number.JIT-B-202413).
文摘With the increasing severity of network security threats,Network Intrusion Detection(NID)has become a key technology to ensure network security.To address the problem of low detection rate of traditional intrusion detection models,this paper proposes a Dual-Attention model for NID,which combines Convolutional Neural Network(CNN)and Bidirectional Long Short-Term Memory(BiLSTM)to design two modules:the FocusConV and the TempoNet module.The FocusConV module,which automatically adjusts and weights CNN extracted local features,focuses on local features that are more important for intrusion detection.The TempoNet module focuses on global information,identifies more important features in time steps or sequences,and filters and weights the information globally to further improve the accuracy and robustness of NID.Meanwhile,in order to solve the class imbalance problem in the dataset,the EQL v2 method is used to compute the class weights of each class and to use them in the loss computation,which optimizes the performance of the model on the class imbalance problem.Extensive experiments were conducted on the NSL-KDD,UNSW-NB15,and CIC-DDos2019 datasets,achieving average accuracy rates of 99.66%,87.47%,and 99.39%,respectively,demonstrating excellent detection accuracy and robustness.The model also improves the detection performance of minority classes in the datasets.On the UNSW-NB15 dataset,the detection rates for Analysis,Exploits,and Shellcode attacks increased by 7%,7%,and 10%,respectively,demonstrating the Dual-Attention CNN-BiLSTM model’s excellent performance in NID.
基金described in this paper has been developed with in the project PRESECREL(PID2021-124502OB-C43)。
文摘The Internet of Things(IoT)is integral to modern infrastructure,enabling connectivity among a wide range of devices from home automation to industrial control systems.With the exponential increase in data generated by these interconnected devices,robust anomaly detection mechanisms are essential.Anomaly detection in this dynamic environment necessitates methods that can accurately distinguish between normal and anomalous behavior by learning intricate patterns.This paper presents a novel approach utilizing generative adversarial networks(GANs)for anomaly detection in IoT systems.However,optimizing GANs involves tuning hyper-parameters such as learning rate,batch size,and optimization algorithms,which can be challenging due to the non-convex nature of GAN loss functions.To address this,we propose a five-dimensional Gray wolf optimizer(5DGWO)to optimize GAN hyper-parameters.The 5DGWO introduces two new types of wolves:gamma(γ)for improved exploitation and convergence,and theta(θ)for enhanced exploration and escaping local minima.The proposed system framework comprises four key stages:1)preprocessing,2)generative model training,3)autoencoder(AE)training,and 4)predictive model training.The generative models are utilized to assist the AE training,and the final predictive models(including convolutional neural network(CNN),deep belief network(DBN),recurrent neural network(RNN),random forest(RF),and extreme gradient boosting(XGBoost))are trained using the generated data and AE-encoded features.We evaluated the system on three benchmark datasets:NSL-KDD,UNSW-NB15,and IoT-23.Experiments conducted on diverse IoT datasets show that our method outperforms existing anomaly detection strategies and significantly reduces false positives.The 5DGWO-GAN-CNNAE exhibits superior performance in various metrics,including accuracy,recall,precision,root mean square error(RMSE),and convergence trend.The proposed 5DGWO-GAN-CNNAE achieved the lowest RMSE values across the NSL-KDD,UNSW-NB15,and IoT-23 datasets,with values of 0.24,1.10,and 0.09,respectively.Additionally,it attained the highest accuracy,ranging from 94%to 100%.These results suggest a promising direction for future IoT security frameworks,offering a scalable and efficient solution to safeguard against evolving cyber threats.
文摘The rapid rise of cyberattacks and the gradual failure of traditional defense systems and approaches led to using artificial intelligence(AI)techniques(such as machine learning(ML)and deep learning(DL))to build more efficient and reliable intrusion detection systems(IDSs).However,the advent of larger IDS datasets has negatively impacted the performance and computational complexity of AI-based IDSs.Many researchers used data preprocessing techniques such as feature selection and normalization to overcome such issues.While most of these researchers reported the success of these preprocessing techniques on a shallow level,very few studies have been performed on their effects on a wider scale.Furthermore,the performance of an IDS model is subject to not only the utilized preprocessing techniques but also the dataset and the ML/DL algorithm used,which most of the existing studies give little emphasis on.Thus,this study provides an in-depth analysis of feature selection and normalization effects on IDS models built using three IDS datasets:NSL-KDD,UNSW-NB15,and CSE–CIC–IDS2018,and various AI algorithms.A wrapper-based approach,which tends to give superior performance,and min-max normalization methods were used for feature selection and normalization,respectively.Numerous IDS models were implemented using the full and feature-selected copies of the datasets with and without normalization.The models were evaluated using popular evaluation metrics in IDS modeling,intra-and inter-model comparisons were performed between models and with state-of-the-art works.Random forest(RF)models performed better on NSL-KDD and UNSW-NB15 datasets with accuracies of 99.86%and 96.01%,respectively,whereas artificial neural network(ANN)achieved the best accuracy of 95.43%on the CSE–CIC–IDS2018 dataset.The RF models also achieved an excellent performance compared to recent works.The results show that normalization and feature selection positively affect IDS modeling.Furthermore,while feature selection benefits simpler algorithms(such as RF),normalization is more useful for complex algorithms like ANNs and deep neural networks(DNNs),and algorithms such as Naive Bayes are unsuitable for IDS modeling.The study also found that the UNSW-NB15 and CSE–CIC–IDS2018 datasets are more complex and more suitable for building and evaluating modern-day IDS than the NSL-KDD dataset.Our findings suggest that prioritizing robust algorithms like RF,alongside complex models such as ANN and DNN,can significantly enhance IDS performance.These insights provide valuable guidance for managers to develop more effective security measures by focusing on high detection rates and low false alert rates.
基金Researcher Supporting Project number(RSPD2025R582),King Saud University,Riyadh,Saudi Arabia.
文摘Intrusion attempts against Internet of Things(IoT)devices have significantly increased in the last few years.These devices are now easy targets for hackers because of their built-in security flaws.Combining a Self-Organizing Map(SOM)hybrid anomaly detection system for dimensionality reduction with the inherited nature of clustering and Extreme Gradient Boosting(XGBoost)for multi-class classification can improve network traffic intrusion detection.The proposed model is evaluated on the NSL-KDD dataset.The hybrid approach outperforms the baseline line models,Multilayer perceptron model,and SOM-KNN(k-nearest neighbors)model in precision,recall,and F1-score,highlighting the proposed approach’s scalability,potential,adaptability,and real-world applicability.Therefore,this paper proposes a highly efficient deployment strategy for resource-constrained network edges.The results reveal that Precision,Recall,and F1-scores rise 10%-30% for the benign,probing,and Denial of Service(DoS)classes.In particular,the DoS,probe,and benign classes improved their F1-scores by 7.91%,32.62%,and 12.45%,respectively.
基金supported by National Natural Science Foundation of China(62473341)Key Research and Development Special Project of Henan Province(221111210500)Key Research and Development Special Project of Henan Province(242102211071,242102210142,232102211053).
文摘The rapid development and widespread adoption of Internet technology have significantly increased Internet traffic,highlighting the growing importance of network security.Intrusion Detection Systems(IDS)are essential for safeguarding network integrity.To address the low accuracy of existing intrusion detection models in identifying network attacks,this paper proposes an intrusion detection method based on the fusion of Spatial Attention mechanism and Residual Neural Network(SA-ResNet).Utilizing residual connections can effectively capture local features in the data;by introducing a spatial attention mechanism,the global dependency relationships of intrusion features can be extracted,enhancing the intrusion recognition model’s focus on the global features of intrusions,and effectively improving the accuracy of intrusion recognition.The proposed model in this paper was experimentally verified on theNSL-KDD dataset.The experimental results showthat the intrusion recognition accuracy of the intrusion detection method based on SA-ResNet has reached 99.86%,and its overall accuracy is 0.41% higher than that of traditional Convolutional Neural Network(CNN)models.
文摘The increasing popularity of the Internet and the widespread use of information technology have led to a rise in the number and sophistication of network attacks and security threats.Intrusion detection systems are crucial to network security,playing a pivotal role in safeguarding networks from potential threats.However,in the context of an evolving landscape of sophisticated and elusive attacks,existing intrusion detection methodologies often overlook critical aspects such as changes in network topology over time and interactions between hosts.To address these issues,this paper proposes a real-time network intrusion detection method based on graph neural networks.The proposedmethod leverages the advantages of graph neural networks and employs a straightforward graph construction method to represent network traffic as dynamic graph-structured data.Additionally,a graph convolution operation with a multi-head attention mechanism is utilized to enhance the model’s ability to capture the intricate relationships within the graph structure comprehensively.Furthermore,it uses an integrated graph neural network to address dynamic graphs’structural and topological changes at different time points and the challenges of edge embedding in intrusion detection data.The edge classification problem is effectively transformed into node classification by employing a line graph data representation,which facilitates fine-grained intrusion detection tasks on dynamic graph node feature representations.The efficacy of the proposed method is evaluated using two commonly used intrusion detection datasets,UNSW-NB15 and NF-ToN-IoT-v2,and results are compared with previous studies in this field.The experimental results demonstrate that our proposed method achieves 99.3%and 99.96%accuracy on the two datasets,respectively,and outperforms the benchmark model in several evaluation metrics.
文摘Quality of Service(QoS)assurance in programmable IoT and 5G networks is increasingly threatened by cyberattacks such as Distributed Denial of Service(DDoS),spoofing,and botnet intrusions.This paper presents AutoSHARC,a feedback-driven,explainable intrusion detection framework that integrates Boruta and LightGBM–SHAP feature selection with a lightweight CNN–Attention–GRU classifier.AutoSHARC employs a two-stage feature selection pipeline to identify the most informative features from high-dimensional IoT traffic and reduces 46 features to 30 highly informative ones,followed by post-hoc SHAP-guided retraining to refine feature importance,forming a feedback loopwhere only the most impactful attributes are reused to retrain themodel.This iterative refinement reduces computational overhead,accelerates detection latency,and improves transparency.Evaluated on the CIC IoT 2023 dataset,AutoSHARC achieves 98.98%accuracy,98.9%F1-score,and strong robustness with a Matthews Correlation Coefficient of 0.98 and Cohen’s Kappa of 0.98.The final model contains only 531,272 trainable parameters with a compact 2 MB size,enabling real-time deployment on resource-constrained IoT nodes.By combining explainable AI with iterative feature refinement,AutoSHARC provides scalable and trustworthy intrusion detection while preserving key QoS indicators such as latency,throughput,and reliability.
