Abstract

Digital systems increasingly depend on security mechanisms, and they need sufficient protection against threats and attacks. An intrusion detection system (IDS) identifies anomalous activity in a network, whether it originates from an external or an internal source. Threats are broadly active or passive; either kind can produce anomalies through which data in transit from source to destination are intercepted or taken by attackers. Machine learning is a rapidly developing field with wide applications: it can forecast behavior and assign inputs to the correct class. In this paper, we employ a Convolutional Neural Network (CNN) as a binary and multiclass classifier to identify anomalies in network traffic, using the NSL-KDD dataset, a refined version of KDD, the most extensively used IDS dataset. We build a DL-based detection model and focus in particular on the Denial of Service (DoS) category. CNNs are the most widely used deep learning model for image recognition: convolution layers extract features while preserving input/output and spatial relationships, and a pooling layer after each convolution layer reduces the size of the extracted feature maps. The one-dimensional CNN reached a validation loss of 0.0012 at the 11th epoch, with validation accuracy of 98% for multiclass and 99% for binary classification.

1. Introduction

As computer network traffic and the volume of sensitive information on network systems grow, more firms become vulnerable to a wider spectrum of attacks. How network systems can be protected from infiltration, disruption, and other abnormal actions by attackers is a crucial question [1]. Traditional intrusion prevention measures such as firewalls, access control, secure network protocols (SNP), and encryption cannot always defend a network system, because hostile traffic can still be channeled into it [2].

The IDS [3] is an integral part of a security architecture: it detects and identifies threats and monitors intruders. The Internet Organised Crime Threat Assessment (IOCTA), Europol's annual presentation of the cybercrime threat picture compiled by its European Cybercrime Centre (EC3), covered the period from 2016 to mid-2017 in its fourth edition. As the many large attacks in that period indicate, cybercrime continues to grow, to evolve, and to take new paths [4].

A large number of devices are connected to the Internet and, thanks to its continual development, communicate in real time. The Social Internet of Things (SIoT) offers people ubiquitous Internet connectivity by combining social behavior with the physical Internet of Things (IoT) [5]. Through the broad application of SIoT, millions of sensors and devices continually generate and share critical information [6]. Collaborative edge computing (CEC), which migrates data computation and storage to the network edge close to the users [8], is increasingly used by service providers to relieve resource congestion [7]. Figure 1 shows the basic terminology of an intrusion detection system.

Anomaly detection has been a hot topic for decades, with applications in fault tolerance, financial and economic crisis detection, health diagnosis, extreme phenomena in Earth science and meteorology, atypical celestial object detection in astronomy and astrophysics, and system intrusion in cybersecurity [9–12]. Anomaly detection is the problem of detecting patterns that depart from a model of “normal” behavior. Most approaches in the literature can be classified either by the model of normality they use or by how they characterize and identify abnormality. The study in [1] offers a comprehensive, although somewhat dated, review of anomaly detection, followed by more recent comparative analyses [13–15].

The basic concept behind isolation-based anomaly detection (the Isolation Forest method) is that an “outlier” is, in general, much easier to isolate from the given data than an “inlier” is from the remainder. An isolation tree selects a feature at random from the feature set, then selects a split value uniformly at random between the minimum and the maximum of that feature, and partitions the data on it; the process repeats on each partition until every point is isolated. Figure 2 shows the result of applying this isolation-based detector to a real-time web-based system, where it can flag anomalous points in the web traffic; the figure shows an example of web traffic with some anomalous points.

Figure 3 shows the idea behind isolating a point in a random tree by repeatedly splitting on a randomly selected feature of the feature set. The anomaly score of the isolation-based detector is calculated as follows:

In equation (1), c(m) is the normalization term for a sample of m points and H is the harmonic number used to compute it. The score of a point is its average path length (the number of splits needed to isolate it), normalized by c(m): points isolated after very few splits receive scores close to 1, while points buried deep in the data receive scores around 0.5 or below. Figure 3 shows the basic idea behind anomaly detection using isolation trees.
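As an added worked example (not code from the paper), the isolation-based scoring described above, implemented from scratch in Python: a random feature and a random split between that feature's minimum and maximum at each node, the normalization term c(m) built from the harmonic number H, and the final score 2^(-E[h(x)]/c(m)). The two-dimensional sample data, the random seeds, and the function names are constructed for illustration.

```python
import math
import random


def harmonic(i):
    """Harmonic number H(i), approximated as ln(i) + Euler's constant."""
    return math.log(i) + 0.5772156649


def c(m):
    """Average path length of an unsuccessful search in a binary tree built
    on m points; normalizes path lengths so scores are comparable across m."""
    if m <= 1:
        return 0.0
    return 2.0 * harmonic(m - 1) - 2.0 * (m - 1) / m


def build_tree(points, rng, depth, limit):
    """Isolation tree: pick a random feature, then a random split value
    between its minimum and maximum, and recurse until every point is alone
    or the depth limit is reached. Leaves record how many points remain."""
    n = len(points)
    if depth >= limit or n <= 1:
        return {"size": n}
    feat = rng.randrange(len(points[0]))
    lo = min(p[feat] for p in points)
    hi = max(p[feat] for p in points)
    if lo == hi:                       # constant feature: nothing to split
        return {"size": n}
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[feat] < split]
    right = [p for p in points if p[feat] >= split]
    return {"feat": feat, "split": split,
            "left": build_tree(left, rng, depth + 1, limit),
            "right": build_tree(right, rng, depth + 1, limit)}


def path_length(tree, x, depth=0):
    """h(x): number of splits needed to isolate x; an unsplit leaf holding
    `size` points adds c(size) for the splits that were not carried out."""
    if "size" in tree:
        return depth + c(tree["size"])
    child = tree["left"] if x[tree["feat"]] < tree["split"] else tree["right"]
    return path_length(child, x, depth + 1)


def fit_forest(points, n_trees=100, seed=0):
    """Build n_trees isolation trees on the full sample (no subsampling,
    since the constructed sample is already small)."""
    rng = random.Random(seed)
    limit = math.ceil(math.log2(len(points)))
    return [build_tree(points, rng, 0, limit) for _ in range(n_trees)]


def anomaly_score(forest, x, m):
    """s(x, m) = 2 ** (-E[h(x)] / c(m)): scores near 1 mark anomalies,
    scores around 0.5 or below mark normal points."""
    expected_h = sum(path_length(t, x) for t in forest) / len(forest)
    return 2.0 ** (-expected_h / c(m))


def demo():
    """Constructed data: 60 inliers in the unit square plus one far outlier.
    Returns (outlier score, highest inlier score)."""
    rng = random.Random(1)
    inliers = [(rng.random(), rng.random()) for _ in range(60)]
    outlier = (10.0, 10.0)
    data = inliers + [outlier]
    forest = fit_forest(data, n_trees=100, seed=2)
    m = len(data)
    return (anomaly_score(forest, outlier, m),
            max(anomaly_score(forest, p, m) for p in inliers))


if __name__ == "__main__":
    print(demo())
```

On the constructed sample the far point is separated by roughly the first split of almost every tree and scores close to 1, while the inliers need several splits and stay near 0.5. The depth limit of ceil(log2 n) together with the c(size) correction at unsplit leaves is what keeps ordinary points from being penalized for the splits that were never carried out.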

Because hostile traffic can be injected into the system, traditional intrusion prevention methods such as firewalls, access control, secure network protocols (SNP), and encryption cannot always keep network systems safe. The intrusion detection system (IDS) is an integral part of the security infrastructure that helps to detect and identify threats and to monitor intruders [13, 14, 17–19].

IDS is a well-known and successful network security technology that protects the transfers on a network system [20–22]. Most prior work [23–25] has tackled issues such as overfitting, replication, highly dynamic traffic, and a small number of training instances. For this purpose, we use machine learning techniques to predict the types of attacks and anomalies in the security system.

Typical machine learning algorithms generalize poorly, while deep learning algorithms take more time to train and are prone to vanishing or exploding gradients. Although deep neural networks can tackle time-consuming and unknown attacks, a pretrained model still suffers gradient vanishing or explosion in its deep layers. A deep residual neural network can address these difficulties at the same time.

The core contributions of this research are as follows:
(i) For the intrusion detection system (IDS), we use a Convolutional Neural Network architecture applied to tabular connection records rather than images.
(ii) Unlike the recent studies we reviewed, we evaluate the same CNN model as both a binary and a multiclass classifier.
(iii) The CNN reduces the sparsity-related objective cost of the IDS classification.
(iv) The model exhibits several properties well suited to IDS: high accuracy, high detection rate, short training time for model creation, and low average training time per sample.
(v) The CNN-based technique extracts low-dimensional features for training from the original network streams.
(vi) Existing intrusion detection approaches do not reach high accuracy on repeated attacks; our CNN-based method is built to capture diverse forms of attack accurately.
(vii) The proposed system can detect new variants of attacks through their similarity to existing attack types.

2. Literature Review

This section discusses current intrusion detection strategies. The available literature is generally classified into supervised and unsupervised learning strategies.

Nowadays, the ever-increasing sophistication and severity of security attacks on computer networks have encouraged security experts to use diverse machine learning techniques to protect organizations' data and reputation. Deep learning is one technique that has recently been extensively adopted by intrusion detection systems (IDSs) to boost their performance in securing networks and hosts. The review in [1] focuses on deep learning-based intrusion detection techniques and provides an in-depth survey and classification of these schemes. It first introduces the basic background on IDS architecture and several deep learning approaches, then classifies the schemes by the type of deep learning algorithm applied, and describes how deep learning networks are used in the intrusion detection process to recognize intrusions accurately. Finally, it offers a thorough analysis of the surveyed IDS frameworks and notes concluding observations and future directions.

To balance the sample distribution, Hu et al. [3] employ the ADASYN approach, which prevents the model from becoming sensitive to the large classes while remaining insensitive to the small ones. Second, an improved CNN is built on a split convolution module (SPC-CNN), which increases the diversity of features while reducing the impact of inter-channel information redundancy on training. An AS-CNN model combining ADASYN and SPC-CNN is then used for intrusion detection and tested on the standard NSL-KDD dataset. Compared to classic CNN and RNN models, the simulations show accuracy 4.60% and 2.79% higher, respectively, and a detection rate (DR) 11.34% and 10.27% higher, respectively, while the false alarm rate (FAR) is reduced by 15.58% and 14.57%, respectively.

Yang et al. [4] ran a sample test to see how the network would react when attacked by an intruder. Their simulations show that the proposed method has higher detection accuracy and true positive rate, and a lower false positive rate, than the other methods compared. On the KDDTest+ test set, detection accuracy is 8.82% and 0.51% higher than that of LeNet-5 and DBN, respectively, recall is 4.24% and 1.16% higher than that of LeNet-5 and RNN, respectively, and the false positive rate is lower than that of all three compared models (LeNet-5, DBN, and RNN).

The study in [5] proposes a novel ensemble intrusion detection method to defend the train ECN against IP scan, port scan, Denial of Service (DoS), and Man-in-the-Middle (MITM) attacks. The raw data generated by the authors' ECN testbed are processed to extract thirty-four features of distinct protocol contents, which are combined into a dedicated dataset. The dataset is then optimized through a data imaging approach and a temporal sequence construction method. Six base classifiers are constructed from typical Convolutional Neural Networks and recurrent neural networks: LeNet-5, AlexNet, VGGNet, SimpleRNN, LSTM, and GRU. A dynamic weight matrix voting approach is used to combine all of the base classifiers. Evaluated on the data the authors collected, the proposed technique aggregates the advantages of all base classifiers and achieves superior detection performance, with an accuracy of 0.975.

Kim et al. [6] proposed and deployed an Artificial Intelligence-Based Intrusion Detection System (AI-IDS). Using an optimized Convolutional Neural Network and long short-term memory (CNN-LSTM) model with normalized UTF-8 character encoding for Spatial Feature Learning (SFL), the authors extract the characteristics of real-time HTTP traffic without encryption, entropy calculation, or compression. Repeated experiments on two publicly available datasets (CSIC-2010 and CICIDS2017) and on fixed real-time data established the system's advantage. AI-IDS separates sophisticated attacks, such as unknown patterns and encoded or obfuscated attacks, from benign traffic by training on payloads, with a labeling tool used to review true and false positives. It is a flexible and scalable system implemented as Docker images, with user-defined functions separated into independent images. It also aids the development and improvement of Snort rules for signature-based intrusion detection systems from newly discovered patterns. Because the model estimates malicious likelihood through continual training, unknown web attacks can be assessed accurately.

Jiang et al. [7] propose a network intrusion detection approach that combines hybrid sampling with a deep hierarchical network. First, one-sided selection (OSS) reduces the number of noise samples in the majority class, and then the Synthetic Minority Oversampling Technique (SMOTE) increases the number of minority samples. The resulting balanced dataset lets the model learn the characteristics of minority samples fully while significantly reducing training time. Convolutional Neural Networks (CNNs) extract spatial features and bidirectional long short-term memory networks (BiLSTMs) extract temporal features; the two are combined into a deep hierarchical network model. The method reaches a classification accuracy of 83.58% on NSL-KDD and 77.16% on UNSW-NB15.

Park et al. [8] describe an effective method for distinguishing abandoned objects, stolen objects, and ghost regions in surveillance camera footage. Two main strategies provide the object mask information: a dual background model extracts candidate stationary objects, and object segmentation based on mask regions with CNN features (Mask R-CNN) segments objects in the current frame and the previous background frame. A candidate stationary object from the background model is checked for an identical segmented object in the current video frame or the prior background frame, so that both present and previous conditions are taken into account, and its final state is determined by considering several scenarios with the comparative analysis technique described in their paper. The approach was qualitatively tested on the authors' own dataset, with particular attention to the discrimination problem, and the results were good. It is therefore expected to be widely usable in open environments such as exhibition halls and public parks, where traditional intrusion detection-based security services are difficult to install, for tasks such as automatic detection of stolen and abandoned items.

To improve the overall security of the Internet, the study in [26] proposes an intrusion detection system (IDS) based on a Convolutional Neural Network (CNN). The IDS identifies network intrusions by classifying every packet in the network traffic as benign or harmful. The publicly available CICIDS2017 dataset (Canadian Institute for Cybersecurity Intrusion Detection System) was used to train and validate the model, which was examined in terms of overall accuracy, attack detection rate, false alarm rate, and training overhead and performed well in all of them. The paper also compares the model's performance with that of nine other well-known classifiers.

The study in [27] proposes an intrusion detection system (IDS) based on a quantitative model of the interaction mode between ports. Taking the arrival time distribution of traffic into account, the model gives a quantitative expression of the Port Interaction Mode in the Data Link Layer (PIMDL), with the goal of improving the accuracy and efficiency of intrusion detection. Phase space reconstruction and visualization are used to demonstrate the practicality of the proposed model. An artificial neural network based on CNN and LSTM is developed to mine the differences between normal and abnormal models, taking into consideration the characteristics of long and short sessions, and an improved intrusion detection algorithm based on a multimodel scoring mechanism classifies sessions in model space on this basis. The experiments demonstrate that the quantitative model and the improved algorithm not only resist camouflaged identity information effectively but also improve computational efficiency while increasing the accuracy of small-sample anomaly detection.

To tackle the difficulties above, we employ a feature selection technique to approximate the discriminative features for IDS classification. This research presents a binary and multiclass CNN classification model as a more efficient way of finding anomalies.

3. Methodology

Software that detects network intrusions protects a computer network from unauthorized users, including insiders. The goal of the intrusion detector learning task is to build a predictive model (a classifier) that can distinguish “bad” connections (intrusions or attacks) from “good” (normal) connections. In 1998, the DARPA Intrusion Detection Evaluation Program, led by MIT Lincoln Laboratory, was created to survey and evaluate intrusion detection research. It provided a standard set of audit data that includes a variety of intrusions simulated in a military network environment, and a version of this dataset was used in the 1999 KDD intrusion detection challenge; NSL-KDD, used in this work, is a refined version of that KDD data. With the CNN-based model we conduct both binary and multiclass classification, and we construct a DL-based detection model for DoS attacks, paying particular attention to the DoS subcategory of this most widely used family of IDS datasets. For image recognition, CNN is the most commonly used DL model: it consists of convolutional layers that extract the image features and a fully connected layer that decides which class the input image belongs to. The convolution layer extracts features while retaining input/output and spatial information, and a pooling layer following the convolution layer reduces the size of the feature maps.

The raw training data comprised about four gigabytes of compressed binary TCP dump data collected over seven weeks of network traffic, which was processed into around five million connection records. Two weeks of test data yielded around two million connection records.

The process is validated using performance criteria such as accuracy, AUC, sensitivity, and specificity.

Figure 4 shows the workflow of the proposed method using machine learning techniques. The data are split into training and testing sets to validate the results; the different models are then applied, and the result of each model or classifier is combined in a hybrid way using an optimization technique.

The NSL-KDD network security dataset is used for testing and evaluating the proposed method; it contains labeled connection records of network traffic. Because the data are distributed in raw form, we converted them into a CSV file for preprocessing and feature extraction.

The following three tables give the complete set of features defined for the connection records; a machine-readable data schema accompanies the contest dataset. Table 1 shows the basic features of individual TCP connections, Table 2 the content features within a connection suggested by domain knowledge, and Table 3 the traffic features computed over a two-second time window.

Figure 5 shows the class proportions of the traffic: 46.54% of instances are malicious, labeled “1”, and about 53.46% are normal, labeled “0”. Figure 6 shows the per-class feature means and their correlation, where 1 denotes the maximum and 0 the minimum correlation.

3.1. Feature Selection

Feature selection differs from feature extraction: in feature selection we keep a subset of the input features, whereas in feature extraction we derive new features from the existing ones.

3.2. Feature Selection (Minimum Redundancy Maximum Relevance)

In this form of feature selection we choose the features that have the highest relevance for predicting the output variable while having the minimum redundancy among themselves. The relevance of a feature set is calculated as follows:

In the equation above, relevance is the average mutual information between each feature fi in the subset and the output variable. Redundancy is the average mutual information between pairs of features fi and fj in the subset, and can be calculated as

The following equation combines the two criteria: the selected subset maximizes relevance to the output while minimizing redundancy within the subset (maximum relevance, minimum redundancy):

Among the many linear dimensionality-reduction techniques, principal component analysis (PCA) is the most commonly used. It maps the data linearly to a lower-dimensional space so as to maximize the retained variance, as shown in Figure 7. Figure 8 shows the explained variance ratio of each component: of the 37 variables, the first component has the highest variance ratio, 0.180.

The explained variance ratio shows how much each principal component contributes to the total variance of the data. A scree plot, shown in Figure 9, is a visual method for deciding how many principal components to retain in the study.

Label encoding is a popular approach for categorical data: each label is assigned an integer according to its alphabetical order. Figure 10 shows the visualization of traffic over time after label encoding.
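To make the minimum redundancy maximum relevance criterion of Section 3.2 concrete, the following added example (not from the paper) implements the incremental mRMR selection of Peng et al. in plain Python: mutual information is computed from the empirical frequencies of discrete columns, and each step selects the remaining feature that maximizes its relevance to the class minus its mean mutual information with the features already selected. The four columns and eight labeled records are constructed; the column names are illustrative rather than actual NSL-KDD fields.

```python
import math
from collections import Counter


def entropy(values):
    """Shannon entropy (bits) of a discrete column from empirical frequencies."""
    n = len(values)
    return -sum(k / n * math.log2(k / n) for k in Counter(values).values())


def mutual_information(xs, ys):
    """I(X;Y) = H(X) + H(Y) - H(X,Y) on two aligned discrete columns."""
    return entropy(xs) + entropy(ys) - entropy(list(zip(xs, ys)))


def mrmr_select(features, labels, k):
    """Greedy mRMR (Peng et al., mutual-information-difference form).
    Step 1 takes the feature with maximum I(f; class); each later step takes
    the remaining feature maximizing I(f; class) - mean_{s in S} I(f; s),
    i.e. maximum relevance to the class, minimum redundancy with the subset S.
    Returns feature names in selection order."""
    remaining = dict(features)
    selected = []
    while remaining and len(selected) < k:
        best_name, best_score = None, None
        for name, column in remaining.items():
            relevance = mutual_information(column, labels)
            if selected:
                redundancy = sum(mutual_information(column, features[s])
                                 for s in selected) / len(selected)
            else:
                redundancy = 0.0
            score = relevance - redundancy
            if best_score is None or score > best_score:
                best_name, best_score = name, score
        selected.append(best_name)
        del remaining[best_name]
    return selected


# Constructed toy table: eight connection records, label 1 = attack.
LABELS = [0, 0, 0, 0, 1, 1, 1, 1]
FEATURES = {
    "flag":       [0, 0, 0, 1, 1, 1, 1, 1],  # strongly related to the label
    "flag_dup":   [0, 0, 0, 1, 1, 1, 1, 1],  # exact copy: relevant but redundant
    "noise":      [0, 1, 0, 1, 0, 1, 0, 1],  # independent of the label
    "srv_serror": [0, 0, 0, 0, 0, 0, 1, 1],  # weakly related to the label
}


if __name__ == "__main__":
    print(mrmr_select(FEATURES, LABELS, 4))
```

The duplicate column has exactly the same relevance as the first pick, yet it is ranked last: its mutual information with the already selected copy equals that column's whole entropy, so the redundancy term cancels the relevance and more. The independent noise column has zero relevance and still ends up above the duplicate. On the continuous NSL-KDD columns the mutual information would first require discretization (for example, equal-frequency binning), which this discrete-only implementation does not do.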

3.3. Convolutional Neural Networks

In contrast to the isolation-based detector described in Section 1, which separates outliers by random splits, a CNN learns its features from labeled data. With the Convolutional Neural Network (CNN) model we have developed, we conduct both binary and multiclass classification. We create a DL-based detection model for Denial of Service (DoS) attacks and concentrate on the DoS category of NSL-KDD, derived from KDD, the most extensively used IDS dataset. A CNN is the most widely used deep learning model for image identification. It is composed of convolution layers, which extract the characteristic features of an input, and a fully connected layer, which decides which class the input belongs to. Convolution layers extract distinctive features while preserving the input/output and spatial structure of the data, and a pooling layer added after each convolution layer reduces the size of the feature maps it produces. Here the same structure is applied in one dimension to the ordered feature vector of each connection record.
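The convolution and pooling behavior the paragraph describes, as an added example (not the paper's model code): a two-filter 1D convolution over an ordered 41-value feature vector, ReLU, non-overlapping max pooling, and a two-class dense softmax head, written in plain Python with no deep learning library so that the size of the data at each stage is visible. The kernel weights, the dense weights, and the 41-value input record are constructed; in a trained model these values would be learned.

```python
import math


def relu(v):
    return v if v > 0.0 else 0.0


def conv1d(x, kernels, biases):
    """'Valid' 1-D convolution followed by ReLU. Each kernel of width k slides
    across the ordered feature vector and yields a feature map of length
    len(x) - k + 1; neighbouring features keep their relative positions."""
    maps = []
    for w, b in zip(kernels, biases):
        k = len(w)
        maps.append([relu(sum(w[j] * x[i + j] for j in range(k)) + b)
                     for i in range(len(x) - k + 1)])
    return maps


def maxpool1d(fmap, size):
    """Non-overlapping max pooling: keeps the strongest activation of every
    window of `size` positions, shrinking the map by that factor (a trailing
    partial window is dropped, as with 'valid' pooling)."""
    return [max(fmap[i:i + size]) for i in range(0, len(fmap) - size + 1, size)]


def softmax(z):
    m = max(z)
    exps = [math.exp(v - m) for v in z]
    total = sum(exps)
    return [e / total for e in exps]


def forward(x, kernels, biases, pool, dense_w, dense_b):
    """Conv -> pool -> flatten -> dense softmax, returning the intermediate
    lengths so the size reduction at each stage is visible."""
    maps = conv1d(x, kernels, biases)
    pooled = [maxpool1d(m, pool) for m in maps]
    flat = [v for m in pooled for v in m]
    logits = [sum(w * f for w, f in zip(row, flat)) + b
              for row, b in zip(dense_w, dense_b)]
    return {"conv_len": len(maps[0]), "pooled_len": len(pooled[0]),
            "flat_len": len(flat), "probs": softmax(logits)}


def demo():
    """Constructed 41-value record (NSL-KDD has 41 features per connection),
    two hand-set kernels of width 3, pooling window 2, and a constructed
    2-class dense head sized to the flattened pooled maps (2 * 19 = 38)."""
    x = [(i % 7) / 7.0 for i in range(41)]
    kernels = [[1.0, -1.0, 0.0],       # responds to a drop between neighbours
               [1 / 3, 1 / 3, 1 / 3]]  # local average
    biases = [0.0, 0.0]
    flat_len = 2 * ((41 - 3 + 1) // 2)
    dense_w = [[0.05] * flat_len, [-0.05] * flat_len]
    dense_b = [0.0, 0.0]
    return forward(x, kernels, biases, 2, dense_w, dense_b)


if __name__ == "__main__":
    print(demo())
```

With width-3 kernels the 41 ordered features become feature maps of length 39, pooling with a window of 2 halves them to 19, and the two maps flatten to 38 values for the dense layer; the positions in the pooled map still correspond, in order, to windows of the original feature vector, which is the sense in which pooling shrinks the data while keeping its spatial arrangement.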

4. Results and Discussion

This section presents the model evaluation and the results of this research. We discuss the accuracy of our model for both multiclass and binary classification. In the binary case, all malicious records are merged into a single class using the “binary class” variable created earlier.

4.1. Model Evaluation

We applied the Convolutional Neural Network to the dataset and obtained the following results.

We use the CNN as a dedicated classification framework for the intrusion detection system (IDS). The CNN lowers the cost function of the sparse IDS classification problem and showed qualities especially suited to IDS: high classification precision, high detection rate, short training time for a model, and short average training time per sample. Table 4 shows the training and validation of the 1D Convolutional Neural Network (binary classification).

Figure 11 shows the CNN-based binary classification accuracy, precision, recall, and F1 score, which are 99%, 98%, 97%, and 97%, respectively.

Figure 12 shows the CNN-based multiclassification accuracy, precision, recall, and F1 score, which are 98%, 99%, 98%, and 98%, respectively.
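An added example, not from the paper, of the two label views the results above rely on: NSL-KDD attack names mapped to the five categories (normal, DoS, Probe, R2L, U2R) for the multiclass task and collapsed to a 0/1 “binary class” for the binary task, with accuracy, precision, recall, F1, and false positive rate computed from the confusion matrix. The ten labeled records and the classifier predictions are constructed; the attack-to-category mapping is the standard KDD'99/NSL-KDD one, reproduced here from general knowledge rather than taken from the paper.

```python
# Attack name -> category for the attacks in the NSL-KDD/KDD'99 training set.
# Standard mapping, added here from general knowledge (not from the paper).
ATTACK_CATEGORY = {
    "back": "dos", "land": "dos", "neptune": "dos", "pod": "dos",
    "smurf": "dos", "teardrop": "dos",
    "ipsweep": "probe", "nmap": "probe", "portsweep": "probe", "satan": "probe",
    "ftp_write": "r2l", "guess_passwd": "r2l", "imap": "r2l", "multihop": "r2l",
    "phf": "r2l", "spy": "r2l", "warezclient": "r2l", "warezmaster": "r2l",
    "buffer_overflow": "u2r", "loadmodule": "u2r", "perl": "u2r", "rootkit": "u2r",
}
CATEGORIES = ["normal", "dos", "probe", "r2l", "u2r"]


def to_category(label):
    """Multiclass target: 'normal' or one of the four attack categories.
    An unknown attack name raises KeyError rather than being silently
    counted as normal."""
    return "normal" if label == "normal" else ATTACK_CATEGORY[label]


def to_binary(label_or_category):
    """'Binary class' target: 0 = normal, 1 = any attack."""
    return 0 if label_or_category == "normal" else 1


def prf(tp, fp, fn):
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def binary_metrics(y_true, y_pred):
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == 1 and p == 1)
    fp = sum(1 for t, p in pairs if t == 0 and p == 1)
    fn = sum(1 for t, p in pairs if t == 1 and p == 0)
    tn = sum(1 for t, p in pairs if t == 0 and p == 0)
    precision, recall, f1 = prf(tp, fp, fn)
    return {"accuracy": (tp + tn) / len(pairs), "precision": precision,
            "recall": recall, "f1": f1,
            "fpr": fp / (fp + tn) if fp + tn else 0.0}


def multiclass_metrics(y_true, y_pred, classes):
    """One-vs-rest precision/recall/F1 per class plus accuracy and macro-F1."""
    pairs = list(zip(y_true, y_pred))
    per_class = {}
    for c in classes:
        tp = sum(1 for t, p in pairs if t == c and p == c)
        fp = sum(1 for t, p in pairs if t != c and p == c)
        fn = sum(1 for t, p in pairs if t == c and p != c)
        per_class[c] = prf(tp, fp, fn)
    return {"accuracy": sum(1 for t, p in pairs if t == p) / len(pairs),
            "macro_f1": sum(v[2] for v in per_class.values()) / len(classes),
            "per_class": per_class}


# Constructed records: true NSL-KDD labels and a classifier's predicted categories.
TRUE_LABELS = ["normal", "normal", "normal", "neptune", "smurf", "portsweep",
               "guess_passwd", "buffer_overflow", "normal", "back"]
PRED_CATEGORIES = ["normal", "normal", "dos", "dos", "dos", "probe",
                   "normal", "u2r", "normal", "dos"]


def evaluate():
    y_true_cat = [to_category(label) for label in TRUE_LABELS]
    binary = binary_metrics([to_binary(c) for c in y_true_cat],
                            [to_binary(c) for c in PRED_CATEGORIES])
    multi = multiclass_metrics(y_true_cat, PRED_CATEGORIES, CATEGORIES)
    return binary, multi


if __name__ == "__main__":
    b, m = evaluate()
    print("binary:", b)
    print("multiclass:", m)
```

On the constructed records both tasks score 80% accuracy, but the multiclass macro-F1 is noticeably lower because the single R2L record is predicted as normal and that class receives an F1 of zero. This is why a per-class report should accompany the headline accuracy on an imbalanced dataset such as NSL-KDD, where R2L and U2R are rare: a missed minority attack class barely moves the accuracy figure.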

Machine learning lets us forecast behavior and classify records into the right class. In this research we employed a CNN as a binary and multiclass classifier to identify anomalies in network traffic on the NSL-KDD dataset. The CNN model showed promising results for both tasks, with a validation loss of 0.0012 at the 11th epoch and validation accuracy of 98% (multiclass) and 99% (binary). Table 5 compares these results with state-of-the-art works from the literature.

5. Conclusion and Future Work

An intrusion detection system monitors the network traffic, detects anomalies in it, and reports any anomaly back to the user. Threats are of two types, active and passive, and the proposed CNN-based system detects anomalies arising from both. Its accuracy is high compared with previous research, reaching 99% for binary and 98% for multiclass classification on NSL-KDD. We use the CNN as a dedicated classification framework for the IDS; it lowers the cost function of the sparse IDS classification problem and exhibits characteristics that make it well suited to IDS, including high classification precision, high detection rate, short model training time, and short average training time per sample. Future work can apply optimization approaches such as particle swarm optimization, grey wolf optimization, and whale optimization to improve the results of the machine learning models, and can vary the feature selection techniques, which can also improve the results.

Data Availability

The dataset used in this paper is available from the author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This study was supported by the National Natural Science Foundation of China (Grant no. 662162039), Educational Commission of Gansu Province, China (Grant no. 2017C-05), and Foundation for the Key Research and Development Program of Gansu Province, China (Grant no. 20YF3GA016).