=Paper=
{{Paper
|id=Vol-3742/paper7
|storemode=property
|title=Machine Learning system for detecting malicious traffic generated by IoT devices
|pdfUrl=https://ceur-ws.org/Vol-3742/paper7.pdf
|volume=Vol-3742
|authors=Yurii Klots,Nataliia Petliak,Serhii Martsenko,Vitaliy Tymoshchuk,Ievgen Bondarenko
|dblpUrl=https://dblp.org/rec/conf/citi2/KlotsPMTB24
}}
==Machine Learning system for detecting malicious traffic generated by IoT devices==
https://ceur-ws.org/Vol-3742/paper7.pdf
Machine Learning system for detecting malicious traffic
generated by IoT devices
Yurii Klots1,∗,†, Nataliia Petliak1,†, Serhii Martsenko2,†, Vitaliy Tymoshchuk2,† and
Ievgen Bondarenko3,†
1 Khmelnytskyi National University, Cyber Security Department, 11, Instytuts’ka str., Khmelnytskyi, Ukraine
2 Ternopil Ivan Puluj National Technical University, Ruska str., 56, Ternopil, Ukraine
3 West Ukrainian National University, Lvivska str., 11, Ternopil, Ukraine
Abstract
In this work, various combinations of artificial neural networks (CNN, LSTM, CNN-LSTM) are
investigated for the analysis of outgoing traffic from IoT devices for the purpose of traffic
classification and real-time attack detection. The focus is on the effectiveness of various
combined approaches to data processing and analysis in IoT networks. The work uses
KDDCup99, NSL-KDD, UNSW-NB15, WSN-DS and CICIoT2023 datasets for training and testing
networks. To assess the reliability of the work of various algorithms, calculations of accuracy,
specificity, sensitivity and other metric indicators determining the effectiveness of the proposed
solutions were carried out.
Keywords
IoT, CNN, LSTM, CNN-LSTM, Outgoing traffic, Malicious traffic. 1
1. Introduction
The Internet of Things (IoT) has a wide variety of applications, which makes it unique
among other types of computer networks. IoT networks can be built from devices of
different types, characterized by different hardware, functionality and topology.
Communication protocols can also vary from one implementation to another. Widespread
use of IoT includes smart homes, intelligent transportation, and other areas of modern life.
However, the incompatibility of security measures can create vulnerabilities that require
special solutions to protect IoT networks from attacks. Intrusion detection can be an
effective defense, but needs continuous improvement to ensure reliability. Innovations in
IoT technologies are driving data management strategies, but also increasing the need for
CITI’2024: 2nd International Workshop on Computer Information Technologies in Industry 4.0, June 12–14, 2024,
Ternopil, Ukraine
∗ Corresponding author.
† These authors contributed equally.
klots@khmnu.edu.ua (Y.Klots); npetlyak@khmnu.edu.ua (N.Petliak); marcenko@cei.net.ua (S.Martsenko);
Tymoshchuk@tntu.edu.ua (V.Tymoshchuk); ye.bondarenko@wunu.edu.ua (I.Bondarenko)
0000-0002-5385-5761 (Y.Klots); 0000-0001-5971-4428 (N.Petliak); 0000-0003-3301-0216 (S.Martsenko);
0009-0007-2858-9434 (V. Tymoshchuk); 0000-0001-6856-4855 (I.Bondarenko)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR
ceur-ws.org
Workshop ISSN 1613-0073
Proceedings
�security. One of the key challenges is the heterogeneity of the IoT network, which makes it
difficult to deploy comprehensive security systems. Topology, communication protocols,
and hardware can vary even within the same network, which increases the attack surface.
The ever-changing nature of IoT networks requires the creation of intrusion detection
systems that are effective in real-time and robust to changes in the network.
In [1], an intrusion detection model is considered, which combines the advantages of
spiking neural network (SNN) and convolutional neural networks (CNN) with the help of
rational algorithm design. This model allows efficient use of resources, which ensures
adaptability to limited computing capabilities.
In [2], the authors propose the use of a multi-scale convolutional feature fusion
network augmented with a Convolutional Block Attention Module (MCF-CBAM) for IoT
traffic classification. Their approach includes the following features: parallel convolution
obtains spatial characteristics from traffic data; the attention module mutes less
informative features while boosting the most discriminative ones to provide focused
learning on key features.
The authors of [3] propose a sequential approach to feature selection using an
optimized extreme learning machine (ELM) with a support vector machine (SVM)
classifier, where a genetic algorithm (GA) is used to optimize the ELM weights. The
optimized data set is used to classify traffic for intrusion detection in an IoT environment.
In [4], the authors demonstrate the synthesis of Decisive Red Fox (DRF) optimization
with a machine learning algorithm. Based on the optimized characteristics, the DBRF
classification process is used to identify and classify intrusion types.
The authors of [5] propose an intrusion detection system and configuration of dynamic
rules SecureFlow for IoT environments. This implementation is based on knowledge and
data, forming a two-level system. An environment with Software-defined Networking
(SDN) support allows you to configure rules according to detected incidents.
In [6], a hybrid deep learning model is proposed for detecting botnet attacks in IoT
networks. The two-stage hybrid model analyzes the network traffic data obtained from
three parallel sensors and detects the simultaneous characteristics of the attack traffic.
Features are extracted using the long-term memory-based autoencoder (LSTM-AE) using
the NCC-2 Simultaneous Botnet Dataset. LSTM-AE is trained on data from multiple sensors
to model temporal characteristics. The type of attack is identified using multi-class
classification using an ensemble learning algorithm with extreme gradient boosting
(XGBoost).
G. Parimala and R. Kayalvizhi [7] proposed a hybrid deep learning model (HDLM) based
on IoT device intrusion detection and prevention, where important features are taken
from the KDDCup99 and NSL-KDD datasets using a forward feature selection algorithm
(FFSA). . The features are then fed into the HDLM classifier. The proposed HDLM is a
combination of Ellman Recurrent Neural Network (ERNN) and Subtraction Based
Optimizer (SABO).
The authors of [8] analyzed three different models for intrusion detection in the
Industrial Internet of Things (IIoT) network using deep learning architectures: CNN, long-
short-term memory (LSTM), and a combination of CNN-LSTM, which were created based
on their hybrid combination. According to the obtained results, the CNN-LSTM model
�demonstrated higher accuracy for the binary and multi-class classification processes in
the UNSW-NB15 and X-IIoTID datasets compared to the other two models used in this
study, namely CNN and LSTM.
[9] presents an IDS architecture based on CNN and LSTM algorithms. The research
result of CNN-LSTM compared to CNN and machine learning models for both balanced and
unbalanced data showed better performance in detecting IoT security attacks using the
UNSW-NB15 dataset.
Shreeya Jain et al. [10] demonstrate a hybrid IoT intrusion detection model by
combining Deep Learning (DL), CNN, and LSTM techniques to achieve better attack
detection accuracy. The model is trained and evaluated using two different datasets,
namely UNSW-NB15 1 and NSL-Botnet 2.
[11] proposed a DL model for detecting anomalies in IoT networks using a recurrent
neural network (RNN). LSTM, Bidirectional LSTM and Gated Recurrent Unit (GRU)
methods are used to implement the proposed model. A hybrid DL model using CNN and
RNN networks was proposed. A DL model for binary classification using LSTM, BiLSTM
and GRU based approaches was also proposed. The described deep learning models are
tested using NSLKDD, BoT-IoT, IoT-NI, IoT-23, MQTT, MQTTset and IoT-DS2 datasets.
[12] presents a hybrid intrusion detection model (HIDM) that uses Optimized CNN-
LSTM (OCNN-LSTM) and Transfer learning (TL) for IIoT networks. The proposed model
uses an optimized CNN using advanced CNN parameters using the Gray wolf optimizer
(GWO) method, which tunes the CNN parameters and helps to improve the prediction
accuracy of the model. The transfer learning model helps train the model and transfers the
knowledge to the OCNN-LSTM model. The TL method improves the learning process by
obtaining the necessary knowledge from the OCNN-LSTM model. Classification analysis
was performed on several classes of different datasets (ToN-IoT and UNW-NB15).
[13] proposes an intrusion detection system (IDS), namely SafetyMed, which combines
CNN and LSTM to defend against intrusion from sequential and grid data. SafetyMed is an
IDS that protects Internet of Medical Things devices from malicious data and persistent
network traffic.
In [14], the DL model for detecting intrusions into the IoT network is described. To
obtain the sequence properties of the data stream through CNN, it combines a control
mechanism with an LSTM network. The paper used a feature selection strategy to train the
classifiers on the most significant correlation features while avoiding lost results during
training to obtain the best results. The proposed strategy focuses on binary classification
using DL methods.
In the considered works, machine learning methods are used, which mostly give a good
result, but they are aimed at the analysis of incoming traffic to the network (Fig.1). When
changing the type of attack, the class of attacked devices, the level of detection of attacks
decreases significantly [15,16].
�Figure 1: Classic traffic analyzer
One of the reasons for attacks on IoT systems is to create a network of bots or third-
party controlled devices to carry out large-scale attacks on government and commercial
systems.
In order to prevent the spread of an attack from the network, we will represent the
internal network as a black box and analyze the outgoing traffic in order to detect attacks
from the system (Fig.2).
Figure 2: Proposed traffic analyzer
The analysis carried out in [1-14] shows that CNN, LSTM and a combination of the
specified neural networks show the best result for investigating traffic and detecting
malicious actions related to IoT. Works [15,16] show the expediency of analyzing the
outgoing traffic.
Therefore, it is advisable to conduct a study on the use of CNN, LSTM and their
combinations on different data sets to detect malicious actions from IoT devices.
�2. Data sets for training neural networks
The standard datasets KDDCup99, NSL-KDD, UNSW-NB15, WSN-DS and CICIoT2023 were
used in this study. These sets make it possible to evaluate the effectiveness of the
developed model for detecting malicious traffic in the network.
The KDDCup99 dataset contains recordings from real network traffic, including normal
traffic and various types of attacks. It is one of the most widely used datasets for
evaluating anomaly detection techniques. Since 1999, KDDCup99 has been the most
widely used dataset for evaluating anomaly detection methods. Based on data collected by
the DARPA program, which is based on approximately 4 gigabytes of tcpdump data from
seven weeks of network traffic and approximately 5 million connections. The test data for
a two-week period is about 2 million connection records. The dataset consists of 4,94,021
data points and 42 features labeled as normal or attacks, with only one specific attack
type. It is categorized as a type of attack. Attacks are classified into one of the following
four categories: Denial of Service(DoS)attacks, User-to-Roo (U2R), Remote tolocal(R2L)
attacks, Probingattacks.
The NSL-KDD dataset is an improved version of the original KDDCup99 dataset. It was
designed to address some of the limitations and shortcomings of the KDDCup99 dataset in
the field of intrusion detection. The dataset was specifically designed to evaluate intrusion
detection systems, particularly in the context of network security.
The UNSW-NB15 dataset consists of raw network packets. The dataset contains nine
types of attacks, including phaser, analysis, backdoor, DoS, exploit, general purpose,
reconnaissance, shellcode, and worm. The dataset consists of 2,540,044 records stored in
four CSV files, and the training set and test set contain 175,341 and 82,332 records,
respectively. This dataset is used for a variety of research activities related to intrusion
detection, network forensics, privacy protection, and threat analysis in various systems such
as networked systems, Internet of Things (IoT), SCADA, Industrial IoT, and Industry 4.0.
WSN-DS is a data set specially created for detecting attacks in wireless sensor networks
(Wireless Sensor Networks, WSN). The ns-2 simulation environment was used for data
collection. The dataset includes 23 features obtained using the LEACH routing protocol
that describe the state of each sensor node in the wireless network. The WSN-DS dataset
consists of 374,661 tests divided into four attack types. The tests are divided into five
different classes: Blackhole, Grayhole, Flooding, TDMA and Typical, with four of them
dealing with different types of DoS attacks. The dataset tests are divided into five different
classes, four of which are related to different types of DoS attacks.
The CIC IoT 2023 dataset is a real-world testbed for large-scale Internet of Things (IoT)
attacks. Its primary goal is to provide an expanded and novel IoT attack dataset to support
the development of security analytics applications in real-world IoT environments. To
achieve this goal, 33 attacks were performed on an IoT topology consisting of 105 devices.
These attacks were divided into seven categories, including DDoS, DoS, Recon, Web
Attacks, Brute Force, Spoofing and Mirai. All attacks were performed by malicious IoT
devices that target other IoT devices.
Preparing datasets for ML involves several important steps to ensure that the data is
appropriate for effectively training a model to detect malicious network traffic (Fig.3). In
�the first step, a raw data set was loaded into the system. The data set then underwent a
coding step, which was necessary to convert the categorical variables into a format
understandable by the model. The data were then normalized to ensure that the
dimensionality of the input data did not negatively affect the learning process. The next
step was to select features. At the end, the dataset is split into training and testing sets.
Figure 3: Preparing datasets
The KDDCup99 dataset includes 5209460 records. For training neural networks, 80%
of the records from the total data set, namely 4167568 records, were selected. There are
20% of records left for testing, namely 1041892 records.
The NSL-KDD dataset consists of 5209458 records. 4,898,431 records are used for
training, of which 3,925,650 records are marked as malicious and 972,781 records are
marked as normal, reflecting real-world scenarios where malicious traffic often exceeds
normal traffic. The test set consisted of 311027 records, where 250436 records represent
attacks and 60591 records represent normal interactions, creating a realistic challenge for
ML.
The UNSW-NB15 data set is smaller compared to previous ones, consisting of 257,673
records. 175341 records from the dataset were used for training. The test set contained
82332 records in total, where the majority of interactions, namely 78832 records, are
malicious and 3500 records of normal traffic. It should be noted that the data sets are not
balanced in terms of the number of records of normal and malicious traffic, so the
accuracy parameter estimate is not informative.
The WSN-DS dataset, which is designed for wireless sensor networks, contains 374,661
records. They were divided by 60% for training, resulting in 224,796 records, of which
204,039 were identified as normal traffic. For testing, 40% was used, namely 149865
records in total, of which 136027 were identified as normal traffic. It should be noted that
the data sets are not balanced in terms of the number of records of normal and malicious
traffic, so the accuracy parameter estimate is not informative.
The CICIoT2023 dataset focuses on malicious activities and contains a total of
45588384 malicious entries, while 1098195 entries are identified as normal traffic.
36470707 malicious records and 878556 normal traffic records were selected for training,
which is 80% of the total number of malicious records. 9117677 malicious records and
219639 records of normal traffic were used for testing.
3. Neural networks for analyzing outgoing traffic from IoT
The CNN network is effective in analyzing network traffic because it excels at
automatically detecting and learning complex data patterns. The working principle of CNN
for network traffic analysis:
1. Removal of functions.
2. Activation functions.
� After each convolution operation, an activation function is applied to introduce
nonlinearity. The ReLU (Rectified Linear Unit) activation function for ML was used due to
its efficiency and computational simplicity.
𝑓 (𝑥) = max(0, 𝑥) (1)
ReLU is fast because it replaces all negative values with zero, thereby simply "turning
off" some neurons, which helps create sparse networks and potentially speeds up
computation.
3. Combining layers.
4. Fully connected layers.
5. Initial level.
The output layer uses a softmax activation function to classify incoming network traffic
into categories such as normal and malicious.
𝑒 𝑥𝑖 (2)
𝑠𝑜𝑓𝑡𝑚𝑎𝑥(𝑥𝑖 ) =
∑𝑗 𝑒 𝑥 𝑗
In general, the algorithm for preparing the CNN-LSTM neural network is shown in the
figure 4. The main steps are: data preparation and processing, training of the CNN-LSTM
network model, and evaluation of the test results using the confusion matrix.
Figure 4: Algorithm for preparing the CNN-LSTM neural network
The figure 5 illustrates a neural network architecture that combines CNN and LSTM.
Input values that have been preprocessed are received at the Input input. C1, C3 are
convolutional layers that are responsible for feature extraction, highlight important
characteristics in the data. S2 and S4 are pooling levels, specifically maximum size pooling
levels that follow some convolution layers. Pooling layers reduce the spatial dimensions of
the input volume for the next convolutional layer, which reduces the number of parameters
and computations in the network, thereby controlling reconfiguration. GlobalMaxPool is a
global maximum pool that further reduces each feature map to a single number by taking
the maximum value of the feature map sizes while keeping the most significant feature
response. This helps reduce the dimensionality of the data before passing it to the LSTM
layer, allowing the network to efficiently process data sequences. Next, the data is passed to
the LSTM layer. L6 is a fully connected layer, which means that every neuron in this layer is
connected to all neurons in the previous layer. This layer combines the features obtained by
CNN and LSTM to make a decision. Softmax output is the last output level with an activation
function.
�Figure 5: A neural network architecture that combines CNN and LSTM
4. Evaluation of the reliability of the use of neural networks
To assess the reliability of the developed system, a confusion matrix was used (Fig.6). True
Positive (TP) indicates the number of correctly identified malicious network traffic flows.
True Negative (TN) indicates the number of correctly identified normal network traffic
flows. False Positive (FP) is the number of times the system detects malicious traffic, even
though the traffic is normal. False Negative (FN) the number of system triggers where the
traffic flow was classified as normal even though it was malicious. The indicated results
allow the calculation of the following performance evaluation indicators: accuracy,
precision, recall, specificity and F-score.
Figure 6: Confusion matrix
Accuracy allows you to calculate the ratio of the total number of valid hits for the entire
data set:
𝑇𝑃 + 𝑇𝑁 (3)
𝐴𝑐𝑐𝑢𝑟𝑎𝑐𝑦 =
𝑇𝑃 + 𝐹𝑃 + 𝐹𝑁 + 𝑇𝑁
Precision measures how accurately the system classifies objects or events as malicious
when it detects them as such. This metric is calculated as the ratio of correctly identified
�malicious objects or events to all objects or events that the system identified as malicious:
𝑇𝑃 (4)
𝑃𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 =
𝑇𝑃 + 𝐹𝑃
Recall determines the system's ability to detect all existing malicious sessions without
missing any of them. It indicates how effectively the system responds to real threats:
𝑇𝑃 (5)
𝑅𝑒𝑐𝑎𝑙𝑙 =
𝑇𝑃 + 𝐹𝑁
Specificity is a metric that measures the effectiveness of a system in correctly
identifying benign objects or events. It is defined as the ratio of the number of correctly
identified non-malicious objects or events to the total number of non-malicious objects or
events:
𝐹𝑃 + 𝐹𝑁 (6)
𝑆𝑝𝑒𝑐𝑖𝑓𝑖𝑐𝑖𝑡𝑦 =
𝑇𝑃 + 𝐹𝑃 + 𝑇𝑁 + 𝐹𝑁
The F-score represents a weighted average of the true positive result and accuracy,
where:
2 × 𝑅𝑒𝑐𝑎𝑙𝑙 × 𝑃𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 (7)
𝐹 − 𝑠𝑐𝑜𝑟𝑒 =
𝑅𝑒𝑐𝑎𝑙𝑙 + 𝑃𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛
The results of testing CNN, LSTM and CNN-LSTM networks with different data sets are
shown in table (1-3).
Table 1
Quality metrics for the CNN network
CNN TP TN FP FN
KDDCup99 654812 258258 60769 68053
NSL-KDD 235840 43835 15279 16073
UNSW-NB15 3297 78035 497 503
WSN-DS 12370 129344 3947 4194
CICIoT2023 8251354 158392 439470 488087
Table 2
Quality metrics for LSTM networks
LSTM TP TN FP FN
KDDCup99 674142 264400 45675 57675
NSL-KDD 239411 42935 13364 15317
UNSW-NB15 3341 78192 364 435
WSN-DS 12425 131976 2344 3120
CICIoT2023 8292540 169734 457622 417420
�Table 3
Quality metrics for CNN-LSTM networks
CNN-LSTM TP TN FP FN
KDDCup99 718514 234268 42756 46354
NSL-KDD 244493 38721 13874 13939
UNSW-NB15 3358 78542 197 235
WSN-DS 13572 134280 935 1078
CICIoT2023 8741953 203457 154384 237507
Performance indicators for CNN, LSTM, and CNN-LSTM networks when training and
testing using KDDCup99, NSL-KDD, UNSW-NB15, WSN-DS, and CICIoT2023 datasets are
shown in Table 4.
Table 4
Performance indicators
Data set Network type Acccuracy Precision Recall Specificity F-score
CNN 0,88 0,92 0,91 0,12 0,91
KDDCup99 LSTM 0,9 0,94 0,92 0,10 0,93
CNN-LSTM 0,91 0,94 0,94 0,09 0,94
CNN 0,90 0,94 0,94 0,10 0,94
NSL-KDD LSTM 0,91 0,95 0,94 0,09 0,94
CNN-LSTM 0,91 0,95 0,95 0,09 0,95
CNN 0,99 0,87 0,87 0,01 0,87
UNSW-NB15 LSTM 0,99 0,90 0,88 0,01 0,89
CNN-LSTM 0,99 0,94 0,93 0,01 0,94
CNN 0,95 0,76 0,75 0,05 0,75
WSN-DS LSTM 0,96 0,84 0,80 0,04 0,82
CNN-LSTM 0,99 0,94 0,93 0,01 0,93
CNN 0,90 0,95 0,94 0,10 0,95
CICIoT2023 LSTM 0,91 0,95 0,95 0,09 0,95
CNN-LSTM 0,96 0,98 0,97 0,04 0,98
The evaluation of the effectiveness of the test results is demonstrated in the form of
charts with a division by data sets.
The CNN-LSTM network on the KDDCup99 data set (Fig.7) demonstrated: accuracy,
recall and F-score 3% higher than the CNN network; accuracy and F-score by 1% more
than the LSTM network.
� KDDCup99
0.94
0.92
0.90
0.88
0.86
Acccuracy Precision Recall F-score
CNN LSTM CNN-LSTM
Figure 7: Performance evaluation for the KDDCup99 dataset
The CNN-LSTM network on the NSL-KDD data set (Fig.8) demonstrated: accuracy,
precision, recall and F-score 1% more than the CNN network; recall and F-score is 1%
higher than that of the LSTM network.
NSL-KDD
0.95
0.93
0.91
0.89
Acccuracy Precision Recall F-score
CNN LSTM CNN-LSTM
Figure 8: Performance evaluation for the NSL-KDD dataset
The CNN-LSTM network on the UNSW-NB15 data set (Fig.9) demonstrated: precision
by 7%, recall by 6% and F-score by 7% more than the CNN network; precision by 4%,
recall by 5% and F-score by 5% more than the LSTM network.
UNSW-NB15
1.00
0.96
0.92
0.88
0.84
Acccuracy Precision Recall F-score
CNN LSTM CNN-LSTM
Figure 9: Performance score for the UNSW-NB15 data set
� The CNN-LSTM network on the UNSW-NB15 data set (Fig.10) demonstrated: accuracy
by 4%, precision by 18%, recall by 18% and F-score by 18% more than the CNN network;
accuracy by 3%, precision by 10%, recall by 13% and F-score by 11% more than in the
LSTM network.
WSN-DS
1.00
0.95
0.90
0.85
0.80
0.75
0.70
Acccuracy Precision Recall F-score
CNN LSTM CNN-LSTM
Figure 10: Performance evaluation for the WSN-DS dataset
The CNN-LSTM network on the CICIoT2023 data set (Fig.11) demonstrated: accuracy
by 6%, precision by 3%, recall by 3% and F-score by 3% more than the CNN network;
accuracy by 5%, precision by 3%, recall by 2% and F-score by 3% more than in the LSTM
network.
CICIoT2023
0.99
0.97
0.95
0.93
0.91
0.89
Acccuracy Precision Recall F-score
CNN LSTM CNN-LSTM
Figure 11: Performance evaluation for the CICIoT2023 dataset
Specificity in the CNN-LSTM network when tested on the KDDCup99 dataset showed a
3% better result compared to CNN and a 1% better result compared to LSTM. Specificity
in the CNN-LSTM network when tested on the NSL-KDD dataset showed a 1% better result
compared to CNN. The specificity of the CNN-LSTM network when tested on the UNSW-
NB15 dataset showed the same result compared to CNN and LSTM. The specificity of the
CNN-LSTM network when tested on the WSN-DS dataset showed a 4% better result
compared to CNN and a 3% better result compared to LSTM. Specificity in the CNN-LSTM
network when tested on the CICIoT2023 dataset showed a 6% better result compared to
CNN and a 5% better result compared to LSTM.
The figure 12 shows the specificity parameter for all datasets and networks.
� Specificity
0.14
0.12
0.10
0.08
0.06
0.04
0.02
0.00
Figure 12: The specificity parameter for all datasets and networks
Conclusion
In view of the results of the conducted research, taking into account the types of
attacks, the traffic from the implementation of which is present in the analyzed data sets, it
can be concluded that the CNN-LSTM combination gives the highest reliability results and
the lowest error results. Therefore, it is advisable to use CNN-LSTM and train it on the
analyzed data sets for the detection system of the original malicious traffic.
References
[1] Wang, Z., Ghaleb, F.A., Zainal, A. et al. An efficient intrusion detection model based on
convolutional spiking neural network. Sci Rep 14, 7054 (2024).
https://doi.org/10.1038/s41598-024-57691-x
[2] Liao, N., Guan, J. Multi-scale Convolutional Feature Fusion Network Based on
Attention Mechanism for IoT Traffic Classification. Int J Comput Intell Syst 17, 36
(2024). https://doi.org/10.1007/s44196-024-00421-y
[3] Maseno, E.M., Wang, Z. Hybrid wrapper feature selection method based on genetic
algorithm and extreme learning machine for intrusion detection. J Big Data 11, 24
(2024). https://doi.org/10.1186/s40537-024-00887-9
[4] Rabie, O.B.J., Selvarajan, S., Hasanin, T. et al. A novel IoT intrusion detection
framework using Decisive Red Fox optimization and descriptive back propagated
radial basis function models. Sci Rep 14, 386 (2024).
https://doi.org/10.1038/s41598-024-51154-z
[5] Amritpal Singh, Pushpinder Kaur Chouhan and Gagangeet Singh Aujla. SecureFlow:
Knowledge and data-driven ensemble for intrusion detection and dynamic rule
configuration in software-defined IoT environment. Ad Hoc Networks, 156 (2024).
https://doi.org/10.1016/j.adhoc.2024.103404
[6] Belkacem, S. (2024). Simultaneous botnet attack detection using long short term
memory-based autoencoder and XGBoost classifier. International Journal of Safety
� and Security Engineering, Vol. 14, No. 1, pp. 155-163.
https://doi.org/10.18280/ijsse.140115
[7] G. Parimala and R. Kayalvizhi. Improved Elman Deep Learning Model for Intrusion
Detection System in Internet of Things. Journal of Internet Services and Information
Security, 14 (2024). https://doi.org/10.58346/JISIS.2024.I1.008
[8] Hakan Can Altunay, Zafer Albayrak. A hybrid CNN+LSTM-based intrusion detection
system for industrial IoT networks. Engineering Science and Technology, an
International Journal, vol 38 (2023). https://doi.org/10.1016/j.jestch.2022.101322
[9] Rasha Almarshdi, Laila Nassef, Etimad Fadel, Nahed Alowidi. Hybrid Deep Learning
Based Attack Detection for Imbalanced Data Classification. Intelligent Automation \&
Soft Computing, vol 35 (2023). https://doi.org/10.32604/iasc.2023.026799
[10] Shreeya Jain, Pranav M. Pawar, Raja Muthalagu. Hybrid intelligent intrusion detection
system for internet of things. Telematics and Informatics Reports, Volume 8, 2022.
https://doi.org/10.1016/j.teler.2022.100030.
[11] I. Ullah and Q. H. Mahmoud, "Design and Development of RNN Anomaly Detection
Model for IoT Networks," in IEEE Access, vol. 10, pp. 62722-62750, 2022, doi:
10.1109/ACCESS.2022.3176317
[12] Lilhore UK, Manoharan P, Simaiya S, Alroobaea R, Alsafyani M, Baqasah AM, Dalal S,
Sharma A, Raahemifar K. HIDM: Hybrid Intrusion Detection Model for Industry 4.0
Networks Using an Optimized CNN-LSTM with Transfer Learning. Sensors. 2023;
23(18):7856. https://doi.org/10.3390/s23187856
[13] Faruqui N, Yousuf MA, Whaiduzzaman M, Azad A, Alyami SA, Liò P, Kabir MA, Moni
MA. SafetyMed: A Novel IoMT Intrusion Detection System Using CNN-LSTM
Hybridization. Electronics. 2023; 12(17):3541.
https://doi.org/10.3390/electronics12173541
[14] Zakariah M, AlQahtani SA, Al-Rakhami MS. Machine Learning-Based Adaptive
Synthetic Sampling Technique for Intrusion Detection. Applied Sciences. 2023;
13(11):6504. https://doi.org/10.3390/app13116504
[15] Klots, Y., Titova, V., Petliak, N., Cheshun, V., Salem, A.-B.M. Research of the Neural
Network Module for Detecting Anomalies in Network Traffic. CEUR Workshop
Proceedings, 2022, 3156, pp. 378-389.
[16] Y. Klots, N. Petliak and V. Titova. Evaluation of the efficiency of the system for
detecting malicious outgoing traffic in public networks. 13th International Conference
on Dependable Systems, Services and Technologies (DESSERT), Athens, Greece, 2023,
pp. 1-5, https://doi.org/10.1109/DESSERT61349.2023.10416502.
�