<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>LSTM-RNN method for Anomaly-Based Intrusion Detection Systems</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Alexander Alexandrov</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Institute of Robotics - Bulgarian Academy of Sciences</institution>
          ,
          <addr-line>Acad. Georgi Bonchev Str., Bl. 2, Sofia, 1113</addr-line>
          ,
          <country country="BG">Bulgaria</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>Intrusion Detection Systems (IDS) play a key role in protecting networks and systems from malicious activities and unauthorized access. With the increasing complexity of cyber threats, traditional methods for detecting intrusions often fail to meet the demands of modern network security. This paper proposes a method based on a version of Recurrent Neural Networks (RNNs) called Long Short-Term Memory (LSTM) to improve the efficiency of Anomaly-Based Intrusion Detection Systems (AIDS). The LSTM-RNN approach is particularly well-suited for analyzing time-based network traffic and identifying deviations from normal behavior. The paper proposes a new LSTM-RNN-based method for AIDS to improve anomaly detection capabilities and the system's performance. The research also addresses the benefits and limitations of using LSTM-RNNs for intrusion detection, as well as potential future developments in this area.</p>
      </abstract>
      <kwd-group>
        <kwd>IDS</kwd>
        <kwd>AIDS</kwd>
        <kwd>ML</kwd>
        <kwd>LSTM-RNNs</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        The proliferation of networked devices and the rise of digital platforms bring significant benefits to
modern society. At the same time, this also leads to a wide range of cyber threats. Intrusion Detection
Systems (IDS) are software tools that monitor network or system activities for malicious actions or
policy violations [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. Once detected, these activities are either reported to a system administrator or
handled autonomously. The main goal of IDS is to identify unauthorized use, misuse, and abuse of
computer systems by both internal and external parties. Traditionally, IDS are classified into two main
categories: signature-based detection and anomaly-based detection. Signature-based detection methods
rely on predefined models or signatures of known attacks. This type of IDS relies on a database of
known attack signatures or patterns [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ].
      </p>
      <p>
        When network traffic matches a pattern in the database, the system alerts the control center and/or
performs procedures to protect against the attack. Although the Signature-Based Detection (SBD)
approach is effective against known threats, it fails to detect new, unknown attacks or "zero-day"
exploits, as there is no predefined signature for these intrusions. Anomaly-based intrusion detection
systems monitor the normal behavior of a network or system and raise an alert when deviations
from this baseline are observed. This approach is especially useful for detecting unknown attacks,
such as "zero-day attacks" and other emerging threats, as it does not require prior knowledge of the
attack’s signature [
        <xref ref-type="bibr" rid="ref3 ref4">3, 4</xref>
        ]. With the increase in the volume of Big Data and the growing complexity of
cyber-attacks, machine learning (ML) techniques have become a promising approach to enhancing the
capabilities of IDS.
      </p>
      <p>
        Machine learning (ML) is emerging as a powerful tool for improving IDS performance [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. By learning
from historical data, machine learning models can detect patterns and identify deviations that may
indicate an intrusion. Moreover, machine learning algorithms can adapt to evolving network behavior,
improving the detection of new and unknown attacks [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ]. The development of algorithms based on
Machine Deep Learning, such as Recurrent Neural Networks (RNNs), shows significant potential in
IDS due to their ability to process sequential and temporal data, making them particularly suitable for
detecting anomalies in network traffic, which often follows temporal patterns [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ].
      </p>
      <p>
        Recurrent Neural Networks (RNNs) are a class of artificial neural networks designed to recognize
patterns in sequences of data, such as time series. Unlike feedforward neural networks, RNNs have
loops that allow information to persist as a form of memory. This memory enables RNNs to capture
temporal dependencies and process sequences of inputs in a more context-aware manner [
        <xref ref-type="bibr" rid="ref8 ref9">8, 9</xref>
        ]. RNNs
are particularly useful for tasks related to sequential data, such as network traffic analysis, language
analysis, etc., where the order of inputs significantly affects the output [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ].
      </p>
    </sec>
    <sec id="sec-2">
      <title>2. Related Works</title>
      <p>
        The implementation of reliable IDS is crucial for the network security of systems handling data, as it
can detect attempts by hackers and bots to hack the network, steal sensitive data, or initiate DOS or
DDOS attacks. The present study focuses on the development of a new method and software algorithm
based on Machine Deep Learning, which can be implemented in Anomaly-based Intrusion Detection
Systems to improve efficiency by reducing False Positives. The authors in [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ] propose an IDS using a
classification algorithm SVM with SGD technology, DT, and LR. The chi-square criterion is applied for
feature selection. The results show that the proposed method, with SVM and SGD, significantly improves
intrusion detection accuracy. The authors in [12] propose an anomaly IDS based on a combination of
the Support Vector Machine (SVM) algorithm and the Information Gain Ratio (IGR) method for feature
selection.
      </p>
      <p>The authors in [13] propose an IDS using the Support Vector Machine (SVM) for classification
and the multiple learning automata (MLA) method for identifying optimal and significant features,
removing redundant features, and fully accounting for the redundancy of one function and multiple
embedded functions. The authors in [14] demonstrate the use of ML-based technologies such as the
restricted Boltzmann machine (RBM) in combination with Persistent Contrastive Divergence (PCD)
and Contrastive Divergence (CD) for tuning intrusion detection parameters. The authors in [15] use
LSTM-RNN as the algorithm for their proposed Anomaly IDS for the Internet of Drones (IoD) network,
but the focus in this study is on implementation rather than performance and accuracy of the proposed
algorithm.</p>
    </sec>
    <sec id="sec-3">
      <title>3. Architecture of LSTM-RNNs</title>
      <p>The basic architecture of an RNN consists of a series of nodes (neurons) arranged in layers, similar
to a traditional feedforward neural network [16]. The type of RNN called LSTM
(Long Short-Term Memory) differs in that each node in a hidden layer receives input not only from the
previous layer but also from the previous step of the same layer [17], as shown in Fig. 1.</p>
      <p>This recurrent connection allows the network to retain information from previous inputs when
processing new ones. Mathematically, the hidden state $h_t$ at time $t$ in an RNN is defined as:
$$h_t = \sigma(W_{hh} h_{t-1} + W_{xh} x_t) \qquad (1)$$
where $h_t$ is the hidden state at time $t$, $W_{hh}$ and $W_{xh}$ are weight matrices, $x_t$ is the input at time $t$, and $\sigma$
is the activation function.</p>
      <p>The key to the ability of LSTM-RNNs to process sequential data lies in their hidden state, which acts
as memory, capturing relevant information from previous time steps.</p>
    </sec>
    <sec id="sec-4">
      <title>4. Theoretical background about Long Short-Term Memory (LSTM) RNNs</title>
    </sec>
    <sec id="sec-5">
      <p>One of the main limitations of standard RNNs is the vanishing gradient problem, which makes it
difficult for the network to retain information over long sequences. To address this, Long Short-Term
Memory (LSTM) networks were introduced.</p>
      <sec id="sec-5-1">
        <p>An LSTM cell contains several components that regulate the flow of information through the network,
allowing it to decide what information to keep, update, or discard. These components include:</p>
        <p>Forget Gate: Decides how much of the previous memory to retain.
$$f_t = \sigma(W_{xf} x_t + W_{hf} h_{t-1} + b_f) \qquad (2)$$</p>
        <p>Input Gate: Controls how much of the current input should be stored in the cell.
$$i_t = \sigma(W_{xi} x_t + W_{hi} h_{t-1} + b_i) \qquad (3)$$
$$\tilde{c}_t = \tanh(W_{xc} x_t + W_{hc} h_{t-1} + b_c) \qquad (4)$$</p>
        <p>Cell State: The memory of the LSTM cell that carries relevant information across time steps. It is
updated as follows:
$$c_t = f_t \odot c_{t-1} + i_t \odot \tilde{c}_t \qquad (5)$$</p>
        <p>Output Gate: Determines how much of the memory should be used to compute the current output.
$$o_t = \sigma(W_{xo} x_t + W_{ho} h_{t-1} + b_o) \qquad (6)$$</p>
        <p>The memory cell $c_t$ allows LSTM networks to capture long-term dependencies, while the gating
mechanisms control the flow of information, ensuring that irrelevant or outdated information is
discarded.</p>
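        <p>The recurrent update (1) and the gate equations (2)-(6) can be traced on a one-unit cell; the block below is an added example, not code from the paper. It shows the cell state holding one traffic burst across 30 quiet steps while a plain recurrent unit forgets it. The weights are hand-set (constructed, not trained), the parameter and function names are assumptions, and the output step h_t = o_t * tanh(c_t) is the standard LSTM definition rather than an equation given above.</p>
        <p>
```python
import math

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def affine(W_x, x, W_h, h, b):
    """Row-wise W_x x + W_h h + b for list-of-lists matrices."""
    return [sum(w * v for w, v in zip(W_x[r], x))
            + sum(w * v for w, v in zip(W_h[r], h)) + b[r]
            for r in range(len(b))]

def lstm_step(p, x, h_prev, c_prev):
    """One LSTM time step following equations (2)-(6)."""
    f = [sigmoid(z) for z in affine(p["W_xf"], x, p["W_hf"], h_prev, p["b_f"])]    # (2)
    i = [sigmoid(z) for z in affine(p["W_xi"], x, p["W_hi"], h_prev, p["b_i"])]    # (3)
    g = [math.tanh(z) for z in affine(p["W_xc"], x, p["W_hc"], h_prev, p["b_c"])]  # (4)
    c = [ft * cp + it * gt for ft, cp, it, gt in zip(f, c_prev, i, g)]             # (5)
    o = [sigmoid(z) for z in affine(p["W_xo"], x, p["W_ho"], h_prev, p["b_o"])]    # (6)
    # Standard LSTM output step (assumption, not written out above): h_t = o_t * tanh(c_t)
    h = [ot * math.tanh(ct) for ot, ct in zip(o, c)]
    return h, c

def rnn_step(W_hh, W_xh, x, h_prev):
    """Plain recurrent step, equation (1), with tanh as the activation."""
    zero = [0.0] * len(h_prev)
    return [math.tanh(z) for z in affine(W_xh, x, W_hh, h_prev, zero)]

# Hand-set weights (constructed): the forget gate stays open (bias 6), the input
# gate opens only when the input is high, and the candidate is zero on quiet input.
LATCH = {
    "W_xf": [[0.0]], "W_hf": [[0.0]], "b_f": [6.0],
    "W_xi": [[12.0]], "W_hi": [[0.0]], "b_i": [-6.0],
    "W_xc": [[4.0]], "W_hc": [[0.0]], "b_c": [0.0],
    "W_xo": [[0.0]], "W_ho": [[0.0]], "b_o": [6.0],
}

# Constructed input: one anomalous burst at t = 2, then 30 quiet steps.
SEQUENCE = [0.0, 0.0, 1.0] + [0.0] * 30

def run_lstm(params, xs):
    """Return the (h_t, c_t) trace of a one-unit LSTM over scalar inputs."""
    h, c = [0.0], [0.0]
    trace = []
    for x in xs:
        h, c = lstm_step(params, [x], h, c)
        trace.append((h[0], c[0]))
    return trace

def run_rnn(W_hh, W_xh, xs):
    """Return the h_t trace of a one-unit plain RNN over scalar inputs."""
    h = [0.0]
    trace = []
    for x in xs:
        h = rnn_step([[W_hh]], [[W_xh]], [x], h)
        trace.append(h[0])
    return trace

if __name__ == "__main__":
    lstm_trace = run_lstm(LATCH, SEQUENCE)
    rnn_trace = run_rnn(0.5, 4.0, SEQUENCE)
    print("LSTM cell state 30 steps after the burst:", round(lstm_trace[-1][1], 4))
    print("Plain RNN hidden state 30 steps after the burst:", rnn_trace[-1])
```
        </p>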
      </sec>
    </sec>
    <sec id="sec-6">
      <title>5. LSTM-RNNs approach in AIDS</title>
      <sec id="sec-6-1">
        <title>Network Traffic as Sequential Data</title>
        <p>In an anomaly-based intrusion detection system, network traffic can be modeled as a sequence of
feature vectors over time. These feature vectors are typically derived from network packets and can
include attributes such as packet size, protocol type, connection duration, and more.</p>
        <p>Since network traffic naturally occurs in a temporal order, RNNs, particularly LSTMs, are
well-suited for learning and modeling normal network behavior over time. An LSTM network processes
the sequence of network features and captures the underlying patterns.</p>
        <p>By training the LSTM on normal traffic data, the network learns to recognize the typical behavior of
the system. Any significant deviations from this learned behavior are flagged as potential anomalies,
signaling the presence of an intrusion or malicious activity.</p>
        <p>5.1. Anomaly Detection Process</p>
        <p>The typical process for using an LSTM-RNN in an Anomaly-based IDS can be broken down into the
following steps.</p>
      </sec>
      <sec id="sec-6-2">
        <title>Data Preprocessing.</title>
        <p>Network traffic data is collected and preprocessed to generate feature vectors that describe each
packet or flow. Common preprocessing steps include:
• Feature Extraction: Relevant features, such as packet size, flow duration, protocol, and flags,
are extracted from the raw network traffic data.
• Normalization: Feature values are often normalized to ensure that all features are on the same
scale, which helps improve the training efficiency of the LSTM model.
• Sequence Creation: The data is divided into overlapping sequences of fixed length. Each
sequence represents a window of consecutive feature vectors from the network traffic.</p>
      </sec>
      <sec id="sec-6-3">
        <title>Model Training</title>
        <p>The LSTM model is trained on sequences of normal network traffic. During training, the model learns
to predict the next data point in the sequence or reconstruct the input sequence itself. The goal is to
minimize the error between the predicted and actual values, effectively teaching the model the normal
patterns of network traffic.</p>
        <p>The loss function commonly used in this setting is Mean Squared Error (MSE):
where  is the actual input at time , ˆ is the predicted value,  is the total number of time steps in
the sequence.</p>
        <p>Anomaly Detection</p>
        <p>Once the LSTM model is trained, it can be deployed to monitor real-time network traffic. For each
sequence of input data, the model predicts the expected next data point or reconstructs the sequence.</p>
        <p>If the prediction error (or reconstruction error) exceeds a predefined threshold, the system flags the
current sequence as anomalous. The anomaly score $e_t$ at time $t$ can be defined as the magnitude of the
prediction error:
$$e_t = \lVert x_t - \hat{x}_t \rVert \qquad (8)$$</p>
        <p>If $e_t$ exceeds a certain threshold $\tau$, the system raises an alert, indicating a potential intrusion.</p>
        <p>5.2. Advantages of LSTM-RNNs for AIDS</p>
        <p>LSTM-RNNs are well-suited for detecting anomalies in network traffic due to several key advantages:
• Temporal Context: LSTM-RNNs excel at capturing temporal dependencies, which are critical
for identifying patterns in network traffic over time.
• Adaptive Learning: LSTM-RNNs can adapt to changing network behavior and detect deviations
from normal patterns, even as normal behavior evolves.
• Sequential Data Processing: Network traffic is inherently sequential, and LSTM-RNNs are
designed to efficiently process sequential data, making them an ideal choice for IDS.</p>
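        <p>The steps of Section 5.1 (scaling fitted on normal traffic, overlapping windows, next-step prediction, the prediction-error score and a threshold) fit together as in the following added example, which is not the paper's code. A per-feature least-squares predictor stands in for the trained LSTM so the block runs with the standard library only; the flow values, the function names and the threshold rule (a margin times the 0.99 quantile of scores on normal traffic) are assumptions.</p>
        <p>
```python
import math

def fit_minmax(rows):
    """Per-feature (min, max) learned from normal traffic only."""
    cols = list(zip(*rows))
    return [min(c) for c in cols], [max(c) for c in cols]

def scale(rows, lo, hi):
    """Min-max scale; a constant feature maps to 0.0 instead of dividing by zero."""
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)]
            for r in rows]

def make_windows(rows, length):
    """Overlapping windows (stride 1), each paired with the vector that follows it."""
    return [(rows[i:i + length], rows[i + length])
            for i in range(len(rows) - length)]

def window_mean(window):
    return [sum(c) / len(c) for c in zip(*window)]

def fit_predictor(pairs):
    """Stand-in for the LSTM: per-feature least squares x_hat = a * mean(window) + b."""
    means = [window_mean(w) for w, _ in pairs]
    targets = [nxt for _, nxt in pairs]
    model = []
    for m_col, y_col in zip(zip(*means), zip(*targets)):
        m_bar = sum(m_col) / len(m_col)
        y_bar = sum(y_col) / len(y_col)
        var = sum((m - m_bar) ** 2 for m in m_col)
        cov = sum((m - m_bar) * (y - y_bar) for m, y in zip(m_col, y_col))
        a = cov / var if var > 0 else 0.0
        model.append((a, y_bar - a * m_bar))
    return model

def predict(model, window):
    return [a * m + b for (a, b), m in zip(model, window_mean(window))]

def anomaly_score(actual, predicted):
    """Magnitude of the prediction error, ||x_t - x_hat_t||."""
    return math.sqrt(sum((x - p) ** 2 for x, p in zip(actual, predicted)))

def calibrate_threshold(normal_scores, q=0.99, margin=1.5):
    """Threshold = margin * q-quantile (nearest rank) of scores on normal traffic."""
    ranked = sorted(normal_scores)
    rank = max(1, math.ceil(q * len(ranked)))
    return margin * ranked[rank - 1]

def detect(rows, lo, hi, model, threshold, length):
    """Return the indices into rows whose score exceeds the threshold."""
    pairs = make_windows(scale(rows, lo, hi), length)
    return [i + length for i, (w, nxt) in enumerate(pairs)
            if anomaly_score(nxt, predict(model, w)) > threshold]

def flow(t):
    """Constructed 'normal' flow features: (packet size, duration in s, bytes sent)."""
    ph = 2 * math.pi * t / 20
    return [500 + 100 * math.sin(ph), 1.0 + 0.2 * math.cos(ph),
            2000 + 300 * math.sin(ph + 1)]

WINDOW = 10
BURST = range(150, 155)  # constructed flood-like flows injected into the live trace

def run_demo():
    train = [flow(t) for t in range(200)]        # normal traffic only
    live = [flow(t) for t in range(200, 400)]    # same pattern, seen later
    for k in BURST:
        live[k] = [1500, 0.01, 60000]
    lo, hi = fit_minmax(train)
    pairs = make_windows(scale(train, lo, hi), WINDOW)
    model = fit_predictor(pairs)
    threshold = calibrate_threshold(
        [anomaly_score(nxt, predict(model, w)) for w, nxt in pairs])
    return threshold, detect(live, lo, hi, model, threshold, WINDOW)

if __name__ == "__main__":
    tau, alerts = run_demo()
    print(f"threshold={tau:.3f} alerts at live indices {alerts}")
```
        </p>
        <p>Windows that still contain burst flows distort the prediction, so alerts can persist for up to WINDOW steps after the burst ends.</p>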
      </sec>
    </sec>
    <sec id="sec-7">
      <title>6. Proposed LSTM-RNNs Based Method for AIDS</title>
      <p>To build a reliable anomaly-based IDS using LSTM-RNNs, the following methodology is proposed.</p>
      <sec id="sec-7-1">
        <title>Preprocessing of network traffic data</title>
        <p>This includes the following tasks:
• Feature Extraction: Relevant features from network traffic, such as packet size, flow duration,
and protocol type, are extracted. These features serve as inputs to the RNN model.
• Normalization: The extracted features are often normalized to ensure that the RNN can process
the data efficiently.
• Labeling: If labeled data is available, attacks and normal traffic are labeled to create a training
dataset. Unlabeled data can also be used in an unsupervised learning approach.</p>
      </sec>
      <sec id="sec-7-2">
        <title>Model training</title>
        <p>The LSTM model is then trained on the preprocessed data. During training, the RNN learns the
normal behavior of the network by analyzing temporal patterns in network traffic. The goal of the
training process is to minimize the error between the predicted output and the actual output (e.g.,
normal or anomalous). Supervised learning techniques can be used if labeled data is available, where
the RNN is trained to classify network traffic as either normal or anomalous, as shown in Fig. 2.</p>
        <p>For this study, the training dataset UNSW-NB15 was used. This dataset was created at the Cyber
Range Lab of UNSW Canberra for generating a hybrid of real modern normal activities and synthetic
contemporary attack behaviors.</p>
        <p>The dataset contains a mix of normal and malicious traffic, covering nine different attack categories.
It is widely used in research for machine learning and anomaly detection in network security, and it
has become one of the benchmarks for evaluating the performance of intrusion detection models.</p>
        <p>The UNSW-NB15 dataset consists of over 2 million records, with each record representing a network
connection or flow. Each connection in the dataset is characterized by a set of features extracted from
the network traffic. The dataset provides 49 features for each connection, plus a class label indicating
whether the traffic is normal or associated with an attack, as illustrated in Fig. 3.</p>
        <p>The dataset used in this research has the following features:
• Source IP, Destination IP: The IP addresses of the source and destination hosts.
• Source Port, Destination Port: The port numbers used for the connection.
• Protocol: The network protocol used in the connection (e.g., TCP, UDP, ICMP).
• Service: The type of network service involved in the connection (e.g., HTTP, FTP, DNS).
• Packet Size: The size of the packets transmitted during the connection.
• Duration: The length of the connection or session.
• Flow Duration: The duration of traffic flow between the source and destination.
• Bytes Sent and Received: The total number of bytes transmitted from the source to the
destination and vice versa.
• Label: Indicates whether the traffic is normal or belongs to one of the nine attack categories.</p>
        <p>The features in UNSW-NB15 include both continuous and categorical attributes, which are handled
differently by machine learning models:</p>
        <p>Feature explanations:
• src_ip: Source IP address.
• dst_ip: Destination IP address.
• src_port: Source port number.
• dst_port: Destination port number.
• proto: Protocol used for the connection (e.g., TCP, UDP).
• state: The state of the connection (e.g., FIN: finished, EST: established, CON: connected).
• dur: Duration of the connection (in seconds).
• sbytes: Number of bytes sent by the source.
• dbytes: Number of bytes received by the destination.
• service: Service or application type (e.g., HTTP, DNS, FTP).
• label: Class label indicating whether the traffic is normal (0) or anomalous (1).</p>
        <p>Continuous Features: These include numeric features such as packet size, duration, and the number
of bytes transmitted.</p>
        <p>Categorical Features: These include attributes like protocol type and service type, which must be
converted to numerical representations (e.g., using one-hot encoding) for machine learning algorithms.</p>
        <p>The dataset has nine types of attacks, namely Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic,
Reconnaissance, Shellcode, and Worms.</p>
        <p>Alternatively, unsupervised learning techniques can also be applied where the RNN algorithm learns normal
behavior without any labeled data and marks deviations as potential anomalies, which are manually
processed during the training phase.</p>
        <p>Anomaly Detection</p>
        <p>Once trained, the LSTM model is deployed to monitor network traffic in real time, as shown in Fig. 4.</p>
        <p>The model analyzes incoming traffic and compares it to the learned patterns of normal behavior. If the
network traffic deviates significantly from the expected behavior, the system raises an alert, indicating
a potential intrusion.</p>
      </sec>
    </sec>
    <sec id="sec-8">
      <title>7. Experimental results</title>
      <p>To test the proposed LSTM-RNN-based method and algorithm, a test environment was developed. It
includes a data server hosting the UNSW-NB15 dataset, a traffic generator, a router, and a computer
running the Wireshark tool and a software IDS that implements the LSTM-based algorithm, written in
Python with the pandas, numpy, torch, and scikit-learn libraries installed.</p>
      <p>The main steps of the proposed algorithm are:
• Build the LSTM model
• Train the LSTM model
• Evaluate the LSTM model
• Run the trained model on the UNSW-NB15 dataset mixed with real traffic.</p>
      <p>Scale the UNSW-NB15 dataset features.</p>
      <p>An example of Python code for building the LSTM model is shown below:</p>
      <p>
from tensorflow.keras.models import Sequential
from tensorflow.keras.layers import LSTM, Dropout, Dense

# X_train is the 3-D training array: (samples, time steps, features)
# Build the LSTM model
model = Sequential()
# Add an LSTM layer with 1000 units
model.add(LSTM(units=1000, return_sequences=True,
               input_shape=(X_train.shape[1], X_train.shape[2])))
model.add(Dropout(0.2))
# Add another LSTM layer
model.add(LSTM(units=1000))
model.add(Dropout(0.2))
# Add the output layer (binary classification:
# normal or anomaly)
model.add(Dense(1, activation='sigmoid'))
# Compile the model; 'adam' is assumed here, since the optimizer
# must be a name that Keras recognizes
model.compile(optimizer='adam',
              loss='binary_crossentropy', metrics=['accuracy'])
      </p>
      <p>A 1000-record portion of the UNSW-NB15 dataset, with the anomalies extracted and marked, is shown
below in Fig. 5.</p>
      <p>In the lab environment, the experimental results in Fig. 6 illustrate that the proposed LSTM-RNN
model implemented in Anomaly-Based Intrusion Detection Systems achieves 98.7% accuracy.</p>
    </sec>
    <sec id="sec-9">
      <title>8. Challenges and Limitations</title>
      <p>While LSTM-RNNs offer significant advantages for anomaly detection, several challenges must be
addressed:
• Data Imbalance: Network traffic data often suffers from class imbalance, where normal traffic
vastly outnumbers anomalous traffic. This can lead to models that are biased toward normal
traffic.
• Computational Complexity: Training RNNs, especially LSTMs, can be computationally intensive
and may require significant resources, particularly for large-scale networks.
• Interpretability: Deep learning models like LSTM-RNNs are often considered "black boxes,"
making it difficult to interpret the model’s decisions. This lack of transparency can be a concern
in security applications where explainability is crucial.</p>
      <p>LSTM-RNN-based IDS for anomaly detection has been applied in various network security scenarios,
such as:
• DDoS Attack Detection: LSTM-RNNs can analyze network traffic patterns to identify abnormal
spikes in traffic that may indicate a DDoS attack.
• Insider Threat Detection: LSTM-RNNs can monitor user behavior within a network and detect
deviations from normal patterns, which may indicate insider threats.
• Botnet Detection: LSTM-RNNs can detect botnet activity by identifying anomalous
communication patterns between infected devices.</p>
    </sec>
    <sec id="sec-10">
      <title>9. Conclusion</title>
      <p>The proposed LSTM-RNN-based method offers a powerful solution for intrusion detection in
Anomaly-based Intrusion Detection Systems (AIDS). The ability of LSTM-RNNs to capture temporal dependencies in network
traffic makes them particularly suited for detecting anomalous behavior that may indicate cyber-attacks.
While RNN-based IDS face challenges, such as data imbalance and computational complexity, they have
shown significant potential in improving the accuracy and efficiency of IDS. As cyber threats evolve,
the development and application of LSTM-RNNs in AIDS will play a key role in protecting modern
networks.</p>
      <p>Future research directions include combining LSTM-RNNs with other machine learning models, such
as Convolutional Neural Networks (CNNs) or autoencoders, to explore the accuracy and robustness of
AIDS. Further research should also investigate the reliability of RNN-based IDS deployed at the network
periphery to explore latency and improve real-time detection capabilities in distributed environments.</p>
    </sec>
    <sec id="sec-11">
      <title>Declaration on Generative AI</title>
      <sec id="sec-11-1">
        <p>The author has not employed any Generative AI tools.</p>
        <p>[12] S. Krishnaveni, P. Vigneshwar, S. Kishore, B. Jothi, S. Sivamohan, Anomaly-based intrusion
detection system using support vector machine, in: Artificial intelligence and evolutionary
computations in engineering systems, Springer, 2020, pp. 723–731.
[13] Y. Su, K. Qi, C. Di, Y. Ma, S. Li, Learning automata based feature selection for network traffic
intrusion detection, in: 2018 IEEE Third International Conference on Data Science in Cyberspace
(DSC), IEEE, 2018, pp. 622–627.
[14] T. Aldwairi, D. Perera, M. A. Novotny, An evaluation of the performance of restricted boltzmann
machines as a model for anomaly network intrusion detection, Computer Networks 144 (2018)
111–119.
[15] R. A. Ramadan, A.-H. Emara, M. Al-Sarem, M. Elhamahmy, Internet of drones intrusion detection
using deep learning, Electronics 10 (2021) 2633.
[16] G. Ciaburro, Machine fault detection methods based on machine learning algorithms: A review,
Mathematical Biosciences and Engineering 19 (2022) 11453–11490.
[17] A. Sherstinsky, Fundamentals of recurrent neural network (rnn) and long short-term memory
(lstm) network, Physica D: Nonlinear Phenomena 404 (2020) 132306.</p>
      </sec>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>N.</given-names>
            <surname>Dimitrijević</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Mesterovic</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Bogdanović</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Zdravković</surname>
          </string-name>
          ,
          <article-title>Fraud detection and malicious code injection analysis in autograding systems</article-title>
          ,
          <source>in: Proceedings of the Twelfth International Conference on Business Information Security</source>
          , Belgrade, 3rd December 2021,
          <year>2021</year>
          , pp.
          <fpage>81</fpage>
          -
          <lpage>85</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>J. M.</given-names>
            <surname>Kizza</surname>
          </string-name>
          ,
          <article-title>System intrusion detection and prevention</article-title>
          , in: Guide to computer network security, Springer,
          <year>2024</year>
          , pp.
          <fpage>295</fpage>
          -
          <lpage>323</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>M.</given-names>
            <surname>Swarnkar</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S. S.</given-names>
            <surname>Rajput</surname>
          </string-name>
          ,
          <source>Artificial Intelligence for Intrusion Detection Systems</source>
          , CRC Press,
          <year>2023</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>J.-x.</given-names>
            <surname>Zhou</surname>
          </string-name>
          , J.-h. Yan,
          <article-title>Secure and efficient identity-based batch verification signature scheme for ads-b system</article-title>
          ,
          <source>KSII Transactions on Internet and Information Systems (TIIS)</source>
          <volume>13</volume>
          (
          <year>2019</year>
          )
          <fpage>6243</fpage>
          -
          <lpage>6259</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>A.</given-names>
            <surname>Pinto</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.-C.</given-names>
            <surname>Herrera</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Donoso</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. A.</given-names>
            <surname>Gutierrez</surname>
          </string-name>
          ,
          <article-title>Survey on intrusion detection systems based on machine learning techniques for the protection of critical infrastructure</article-title>
          ,
          <source>Sensors</source>
          <volume>23</volume>
          (
          <year>2023</year>
          )
          <fpage>2415</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>E.</given-names>
            <surname>Gyamfi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Jurcut</surname>
          </string-name>
          ,
          <article-title>Intrusion detection in internet of things systems: a review on design approaches leveraging multi-access edge computing, machine learning, and datasets</article-title>
          ,
          <source>Sensors</source>
          <volume>22</volume>
          (
          <year>2022</year>
          )
          <fpage>3744</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>A.</given-names>
            <surname>Imanbayev</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Tynymbayev</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Odarchenko</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Gnatyuk</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Berdibayev</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Baikenov</surname>
          </string-name>
          , N. Kaniyeva,
          <article-title>Research of machine learning algorithms for the development of intrusion detection systems in 5g mobile networks and beyond</article-title>
          ,
          <source>Sensors</source>
          <volume>22</volume>
          (
          <year>2022</year>
          )
          <fpage>9957</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>I.</given-names>
            <surname>Essop</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. C.</given-names>
            <surname>Ribeiro</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Papaioannou</surname>
          </string-name>
          , G. Zachos, G. Mantas,
          <string-name>
            <given-names>J.</given-names>
            <surname>Rodriguez</surname>
          </string-name>
          ,
          <article-title>Generating datasets for anomaly-based intrusion detection systems in iot and industrial iot networks</article-title>
          ,
          <source>Sensors</source>
          <volume>21</volume>
          (
          <year>2021</year>
          )
          <fpage>1528</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>W.</given-names>
            <surname>Ma</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Hou</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Jin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Jian</surname>
          </string-name>
          ,
          <article-title>Anomaly based multi-stage attack detection method</article-title>
          ,
          <source>Plos one</source>
          <volume>19</volume>
          (
          <year>2024</year>
          )
          <fpage>e0300821</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>Y.-C.</given-names>
            <surname>Wang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.-C.</given-names>
            <surname>Houng</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.-X.</given-names>
            <surname>Chen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.-M.</given-names>
            <surname>Tseng</surname>
          </string-name>
          ,
          <article-title>Network anomaly intrusion detection based on deep learning approach</article-title>
          ,
          <source>Sensors</source>
          <volume>23</volume>
          (
          <year>2023</year>
          )
          <fpage>2171</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>S.</given-names>
            <surname>Saravanan</surname>
          </string-name>
          , et al.,
          <article-title>Performance evaluation of classification algorithms in the design of apache spark based intrusion detection system</article-title>
          ,
          <source>in: 2020 5th International Conference on Communication and Electronics Systems (ICCES)</source>
          , IEEE,
          <year>2020</year>
          , pp.
          <fpage>443</fpage>
          -
          <lpage>447</lpage>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>