Hindawi

Wireless Communications and Mobile Computing

Volume 2022, Article ID 6155925, 8 pages
https://doi.org/10.1155/2022/6155925

Research Article
Deep Learning-Based Anomaly Traffic Detection Method in
Cloud Computing Environment

1 2
Junjie Cen and Yongbo Li
1
College of Computer Science and Technology, Henan Institute of Technology, Xinxiang, Henan 453002, China
2
College of Computer and Information Engineering, Henan Normal University, Xinxiang, Henan 453002, China

Correspondence should be addressed to Junjie Cen; [email protected]

Received 25 January 2022; Revised 3 March 2022; Accepted 7 March 2022; Published 31 March 2022

Academic Editor: Shalli Rani

Copyright © 2022 Junjie Cen and Yongbo Li. This is an open access article distributed under the Creative Commons Attribution
License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

To address the problem of poor detection performance of existing intrusion detection methods in the environment of high-
dimensional massive data with uneven class distribution, a deep learning-based anomaly traffic detection method in cloud
computing environment is proposed. First, the fuzzy C-means (FCM) algorithm is introduced and is combined with the general
regression neural network (GRNN) to cluster the samples to be classified in the original space by FCM. Then, the GRNN model
is trained and the center point is updated using the sample closest to the FCM clustering center until a stable cluster center is
obtained. The parameters in FCM-GRNN are optimized using the global optimization feature of the modified fruit fly
optimization algorithm (MFOA), and the optimal spread value is found using the three-dimensional search method through an
iterative search. Finally, experiments are conducted based on the KDD CUP99 dataset, and the results demonstrate that the
detection rate (DR) and false alarm rate (FAR) of the proposed FCM-MFOA-GRNN method are 91% and 1.176%, respectively,
which are better than those of the comparison methods. Therefore, the proposed method has good anomaly traffic detection ability.

1. Introduction received more and more attention because of the outstand-

ing achievements [8–11].
Nowadays, network traffic anomaly detection has become an Cloud computing can provide users with various
important part of cyberspace security, and the explosive resources in the form of services through the network.
growth of traffic data has led to increasing requirements “Everything can be a kind of service and can be provided
for efficiency and robustness when various methods are to users in the form of lease” is the basic concept of cloud
applied to learn data [1]. For example, the update of com- computing [12–14]. However, the rapid development and
munication protocols and hardware upgrades have a great the universal application of cloud computing brings some
impact on the stability of the whole network environment new problems which cannot be underestimated. The first
[2, 3]. On the other hand, the scenarios of network attacks and foremost problem is the security of cloud computing,
and the corresponding means of attack have become much which is increasingly widely concerned by the industry
more complex, and the currently used traffic anomaly detec- [15–17]. Cloud computing has many features, such as self-
tion techniques are likely to be no longer applicable at some service on demand, Internet access, fast elastic architecture,
point in the future. The development of traffic anomaly virtualized resource pools, measurability, and multiuser.
detection should always be one step ahead of the attackers, Although these features provide a more convenient and
especially when the current techniques are already relatively faster computing mode to users, they also pose new chal-
mature and well known to the attackers. It is necessary to lenges to the security of cloud computing platforms.
open up new research directions [4–7]. In recent years, To address the problem of poor detection performance
research on deep learning models has mainly focused on of existing intrusion detection methods in the environment
the fields of speech, image, and natural language and has of high-dimensional massive data with uneven class
2 Wireless Communications and Mobile Computing

distribution, a deep learning-based anomaly traffic detection algorithm of the ADE model was introduced in a supervised
method in cloud computing environment is proposed. The deep neural network model to efficiently tune its parameters
contributions are as follows: and classify the network traffic. Literature [26] proposed a
supervised LSTM-based intrusion detection algorithm that
(1) The fuzzy C-means (FCM) algorithm is introduced can detect DoS attacks and probe attacks that have unique
and combined with the general regression neural time series features. Zhang et al. proposed a parallel cross
network (GRNN). The samples to be classified in convolution neural network (PCCN) based on deep learning
the original space are clustered by the FCM algo- [27]. By fusing the traffic features learned from the two
rithm, and the sample closest to the FCM clustering branches of CNN, a better feature extraction effect is
center is used to train the GRNN model and update obtained. Literature [28] combines CNN and LSTM to learn
the center until a stable clustering center is obtained, the temporal and spatial characteristics of network traffic.
which improves the stability of the anomaly traffic The above methods are difficult to effectively mine data fea-
detection system tures and have poor detection performance in the face of
high-dimensional data, resulting in low detection rate as well
(2) The parameters of the FCM-GRNN method are
as high false alarm rate.
optimized by using the global search feature of the
modified fruit fly optimization algorithm (MFOA).
And the optimal spread value is found by an itera- 3. Application Scenarios of the Proposed Method
tive search using the three-dimensional search
In the design process of the anomaly traffic detection and
method with the keen olfactory and visual functions
analysis model, the principle of modular design is followed.
of fruit flies, so that the proposed algorithm can
The modular design of the anomaly traffic detection and anal-
converge faster
ysis is conducive to simplifying the complex problems, which
is easy to find the problem in the design and can facilitate the
2. Related Works update and maintenance of the system at a later stage. The
specific functions of each module are shown as follows. As
In recent years, scholars have conducted in-depth research shown in Figure 1, the whole model can be divided into four
on abnormal traffic detection methods. The results show major modules: SDN controller module, traffic collection
that for all abnormal traffic detection data sets, deep learning module, traffic analysis module and traffic cleaning module.
methods are better than traditional methods. Literature [18] SDN controller can realize the centralized control of the
proposed a sliding window abnormal traffic detection whole network. The floodlight controller is used to divert the
method based on the mixed dimension of time and space. traffic from each OpenFlow switch to the traffic collection
The detection algorithm adopts the combination of machine module to collect network traffic. As illustrated in Figure 1,
learning and neural network. A sliding window anomaly the traffic in switch A, switch B, and switch C will be con-
detection method based on network traffic was studied in trolled by the SDN controller and converged to the traffic
the Literature [19]. The method combined the sliding collection module through the secure channel. The traffic
window and deep learning architecture to analyze network analysis module is the core of the entire anomaly traffic
traffic, and features in each window were extracted, vectored detection model. It uses the FCM-MFOA-GRNN algorithm
and then put into a deep neural network for training. Liter- to cluster and analyze the collected traffic to separate the
ature [20] proposed a network intrusion detection method normal traffic from the attack traffic with different attack
based on a lenet5 model, which improved the detection behaviors. The traffic cleaning module consists of many
accuracy. Blanco et al. used the genetic algorithm (GA) to physical devices that can clean different attack traffic, such
optimize a CNN classifier to find better input feature combi- as IDS, UTM, WAF, and other physical devices.
nation [21]. Literature [22] converts variable length data
sequence into fixed length data through LSTM and uses an 4. The Proposed Method
automatic encoder to process fixed length data under unsu-
pervised conditions, so as to reduce the dimension of input 4.1. Algorithm Flow Chart. Although the FCM algorithm can
data and extract reliable features at the same time. On the cluster the data and perform mining analysis, many intru-
basis of cross validation, the threshold is set to classify the sion ways cannot be accurately classified because there are
abnormal parts in the input traffic data series. In Literature many kinds of data characterizing intrusion categories in
[23], a deep autoencoder-based intrusion detection method intrusion detection systems and the differences between
was investigated with layer-by-layer greedy training to avoid these data are subtle. Therefore, combined with the charac-
overfitting. A self-learning framework based on stacked self- teristics of GRNN, this paper proposes an improved FCM-
encoders for feature learning and dimensionality reduction MFOA-GRNN algorithm based on the FCM algorithm.
was proposed in Literature [24]. It applied the support vec- The flow chart of FCM-MFOA-GRNN algorithm is shown
tor machine (SVM) approach for classification, which shows in Figure 2. It can be seen that the core module of the
good performance in two-class and multiclass classification. algorithm includes five parts, which are the FCM clustering
In Literature [25], an unsupervised deep autoencoder model algorithm, initial selection of network training data,
was used for training so as to learn normal network behav- MFOA-GRNN network training, MFOA-GRNN network
iors and generate optimal parameters. Then, the estimation prediction, and network training data selection in order.
Wireless Communications and Mobile Computing 3

pi = e½−ðX−X i Þ ðX−X i Þ/2σ2 

T
Flow cleaning , ð1Þ
module
IDS where X is the network input variable and X i is the learning
Flow analysis
sample corresponding to the ith neuron.
module UTM The input of neurons is

... D2i = ðX − X i ÞT ðX − X i Þ: ð2Þ

Switch A (2) There are two types of summation applied in the

Flow acquisition
module summation layer; the first one is
Switch B
n
〠 e½−Di /2σ  :
2 2
Switch C ð3Þ
i=1

Application
It performs arithmetic summation on the outputs of all
Flow controller module neurons in the mode layer, and the transfer function can
be written as
Figure 1: Anomaly traffic detection model based on FCM-MFOA-
GRNN. n
SD = 〠 P i : ð4Þ
Network attack data i=1

Another calculation formula is

FCM clustering algorithm
n
〠 Y i e½−Di /2σ 
2 2
ð5Þ
Initial selection of network training data i=1

MFOA-GRNN network training It performs a weighted summation of all neurons in the

mode layer, and the connection weight between the ith neu-
ron in the mode layer and the jth neuron in the summation
MFOA-GRNN network prediction layer is the jth element of the ith output sample Y i . Thus, the
transfer function can be formulated as
n
Data selection
SN j = 〠 yij Pi : ð6Þ
i=1

Iterative
results

(3) The output of the neuron corresponds to the jth

Clustering results element of the estimation result, and the output
can be written as
Figure 2: Flow chart of the FCM-MFOA-GRNN algorithm.

SN j
yi = : ð7Þ
4.2. MFOA-GRNN Network SD
4.2.1. Network Structure of GRNN. Figure 3 shows the 4.2.2. Network Flow of MFOA-Optimized GRNN. The per-
structure diagram of the GRNN network. The input of formance of GRNN can be directly affected by the value of
the network is X = ½x1 , x2 , ⋯, xn T , the output is Y = σ. This paper proposes a new MFOA-optimized GRNN,
½y1 , y2 , ⋯, yn T . which is named as MFOA-GRNN, for the purpose of opti-
mizing the spread value. FOA is prone to local extremes
(1) The number of neurons in the input layer is equal to and cannot search for the global optimum, which is mainly
the vector dimension of the learning sample and is caused by its fitness function. Hence, the fitness function
the same as the number of neurons in the mode layer. must be modified to get rid of the local extremes. On the
The neuron transfer function in the mode layer is other hand, if the distance DistðiÞ is positive, its reciprocal
4 Wireless Communications and Mobile Computing

x1 x2 xn 1
Si = + Δ, ð10Þ
DistðiÞ

... Input layer where Si is the distribution parameter of GRNN.

Step 4. The mean square error is used as the determination

function of taste concentration:
... Mode layer
1  
SmellðiÞ = MSEðiÞ = 〠 ypre − y : ð11Þ
n

... Summation layer Step 5. Find the individual with the optimal SmellðiÞ in the
population, i.e., the minimal value of MSE.

Step 6. Retain the optimal taste concentration value Si and

Output layer the corresponding coordinate; the population will fly
towards that position using visual advantage.
y1 y2
Step 7. Repeat steps 2 to 5 to repeatedly find the best solu-
Figure 3: Structure of GRNN.
tion. If true, proceed to step 6.
must be positive, which is the lack of negative values of Step 8. Determine whether the maximum number of itera-
fitness function as pointed out by many scholars. By add- tions is reached, and take the optimal spread value retained
ing Si to an escape parameter, not only can the local into the GRNN model to obtain the final prediction result.
minima be got rid of but also the fitness function can
get negative values. 4.3. Intrusion Detection Model Based on the FCM-MFOA-
In addition, the flight area of fruit flies in real life is GRNN Algorithm. The intrusion detection model based on
three-dimensional space, which is different from the two- FCM-MFOA-GRNN algorithm consists of the FCM cluster-
dimensional search space of the original fruit fly algo- ing algorithm, initial selection of network training data,
rithm. Using the three-dimensional space search method, MFOA-GRNN network training, MFOA-GRNN network
the optimal spread value can be found iteratively by using prediction, and network training data selection.
the sharp olfactory and visual abilities of fruit flies. At this
point, the mean squared error (MSE) is the smallest and σ (1) The role of the FCM clustering algorithm is that
is the optimal concentration value for taste. The foraging when a large number of network attack data streams
diagram of fruit flies in the three-dimensional space is drained from the software-defined network enter
illustrated in Figure 4. into the system, these data streams are preprocessed
The specific implementation steps are as follows. first and then divided into n classes using the FCM
algorithm, in which the clustering center ci and affil-
iation matrix U of each class can be obtained
Step 1. Randomly generate the initial position ðX Init , Y Init ,
Z Init Þ, the number of individuals, and the maximum number (2) The selection of the initial data of network training is
of iterations of the fruit fly group. based on the selection of those samples closest to
each type of center from the results of FCM cluster-
ing as the initial data of network training:
Step 2. Define random flight direction and distance:

xi = X Init + random value, (3) Randomly generate the initial position ðX Init , Y Init ,
yi = Y Init + random value, ð8Þ Z Init Þ, number of individuals, and maximum number
of iterations of the Drosophila population and gener-
z i = Z Init + random value: ate the random direction and distance of flight

Step 3. Calculate the distance DistðiÞ between each point and Step 1. First find the sample mean meani of each class in the
the initial point. n classes divided from the FCM clustering separately.

Step 2. Then, for all samples X in each class, calculate their

qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
 2 2 2
ð9Þ distances to the sample mean meani separately to form a
DistðiÞ = xi + yi + z i ,
distance matrix d i .
Wireless Communications and Mobile Computing 5

z is the abnormal data detected as normal, TN is the normal

Fly1 (x1, y1, z1) data detected as normal, and FP is the normal data
Smell (1) Food detected as abnormal.
y

5. Experiment and Analysis

Fly2 (x2, y2, z2)
Smell (2) 5.1. Hardware. The experimental platform is based on
Dist1 Iterative path Windows 8, configured with Intel(R) Core(TM) i7 CPU
M370 @ 2.7 GHz, 16 G memory, 500 G hard disk. The
simulation is conducted on MATLAB R201b6 and neural
network toolbox. Hadoop is used to build a cloud comput-
Dist2 Fly group ing platform. Hadoop is an open-source distributed data
Fly3(x3, y3, z3) processing framework and contains the functions needed
Smell (3) for cloud computing, mainly including distributed file
Dist3
system HDFS, distributed computing model MapReduce,
x unstructured file storage system HBase, relational database
transfer tool Sqoop, and distributed cluster negotiation
Figure 4: Schematic diagram of the iterative search for food of the service software Zookeeper.
fruit fly group.
5.2. Dataset and Preprocessing. In this paper, the algorithm is
Step 3. Find m number of samples with the shortest distance trained using the KDD CUP99 dataset with 500,000 training
in the matrix d i , and compose them into a group. Assume subsets and 500,000 test subsets, using the training subsets as
that their corresponding outputs are i. As n classes are the data for the training section of the algorithm. In the
divided finally, a total of n × m groups of training data 500,000 training subsets, there are 97,278 pieces of Normal,
can be obtained after this step. At this point, the network 391,458 pieces of DoS, 52 pieces of U2R, 1,126 pieces of R2L,
intrusion feature vector is the input, and the intrusion and 4,107 pieces of Probe. The KDD CUP99 dataset is proc-
class is its output. essed network traffic data with 41 features for each connec-
tion, including 9 basic TCP features, 13 content features of
Calculate the distance DistðiÞ between each point and TCP connections, 9 time-based network traffic statistics fea-
the initial point and the taste concentration determination tures, and 10 host-based network traffic statistics features.
value Si . Let Si be the distribution parameters of GRNN. These features are character-based and numeric, where
numeric features contain discrete numbers and continuous
(4) MFOA-GRNN network training. The role of this numbers. And the data range of each feature varies greatly,
section is to take the selected training data to train which would make the features with low order of magnitude
the FOA-GRNN network. This is done in MATLAB lose information if the raw data is used directly. In order to
by using the GRNN network training function improve the accuracy of the machine learning algorithm, the
newgrnnðÞ dataset is standardized and normalized, which is processed
(5) Based on all input sample data X, the network as follows.
output sequence Y corresponding to them can
(1) Numerical processing: convert character-based fea-
be predicted
tures to numerical features
4.4. Evaluation Metrics. The algorithm performance is dem- (2) Standardization: first, the mean value of each attri-
onstrated by metrics such as the detection rate (DR) and bute and mean absolute error can be calculated as
false alarm rate (FAR). DR refers to the percentage of the
number of abnormal data correctly detected in the actual
number of abnormal data, which reflects the probability that
an attack will be detected. FAR refers to the percentage of 1 n
the number of abnormal data incorrectly detected in the xk = 〠x , ð14Þ
n i=1 ik
number of all detected abnormal data, which reflects the
probability of a normal behavior being treated as an attack.
These two metrics are calculated as
sffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
TP 1 n
DR = , ð12Þ Sk = 〠 ðx − xk Þ2 , ð15Þ
TP + FN n i=1 ik

FP
FAR = , ð13Þ where xk denotes the mean value of the kth attribute, Sk
TN + FP
denotes the mean absolute error of the kth attribute, and
where TP is the abnormal data detected as abnormal, FN xik denotes the kth attribute of the ith record.
6 Wireless Communications and Mobile Computing

Next, each data record is standardized, which can be z

calculated as 3

y
xik − xk
Z ik = , ð16Þ
Sk
2 2
where Z ik represents the value of the kth attribute in the ith
data record after normalization.
1
(3) Normalization: normalize each value after standard- 1
ization to the interval [0,1].

X − min
X′ = , ð17Þ
max − min
0 1 2 3 4 x
where max and min are the maximum and minimum values
Figure 5: Iterative optimization trajectory of fruit flies in the
of the sample data, respectively.
proposed method.
5.3. Iterative Optimization Trajectory of the Proposed
Method. Let the initial position of Drosophila population Table 1: Intrusion detection results based on the FCM-MFOA-
be ½0, 0:5, 0, the population size be 8, and the number of GRNN method.
iterations be 150. Select 200 groups as training samples Normal Attack DR FAR
and 10 groups as prediction samples. The models proposed
Date set 1 3742 91 91% 1.175%
in this paper are used for prediction at the same time, and
the results are shown in Figure 5. It can be seen that the fruit Date set 2 3758 93 93% 1.297%
fly group in the proposed model does not follow a certain Date set 3 3756 90 90% 1.138%
directional path to find the optimal solution sequentially, Date set 4 3697 89 89% 1.109%
but there are only 6 position points in the trajectory route. Date set 5 3762 92 92% 1.161%
Average value 3743 91 91% 1.176%
5.4. Intrusion Detection Results Based on the FCM-MFOA-
GRNN Algorithm. In order to reflect a real network environ-
ment as much as possible, a number of data are selected
Table 2: Performance comparison of different methods in
from the KDD CUP99 dataset to create 5 groups of datasets,
intrusion detection.
each of which contains 3800 normal data and 100 attack
data. And these 5 groups of datasets need to be as even as Method DR FAR
possible in selecting attack categories. Table 1 shows the Literature [27] 89.24% 2.075%
results of three simulation experiments on each dataset using
Literature [28] 90.1% 1.237%
the FCM-MFOA-GRNN algorithm, respectively, and the
experimental results are taken as the average of the three Proposed method 91.0% 1.176%
results. Among them, two parameters are important metrics
that can indicate the performance of the algorithm, i.e., DR
and FAR. As shown in Table 1, DR and FAR of the proposed small differences of attributes in complex spatial data
method are 91% and 1.176%, respectively. and improve the accuracy of detection. In contrast, the
In order to demonstrate the performance of the pro- comparison methods do not effectively mine the features
posed method, it is compared with the methods proposed of high-dimensional data, and therefore, the detection per-
in Literature [27] and Literature [28] under the same exper- formance is poor.
imental conditions, and the comparison results are shown in In order to compare the running time of the proposed
Table 2. From the experimental results, it can be noted that method with the methods of Literature [27] and Literature
DR of the method proposed in Literature [27] is only 89.24% [28], different amount of data are selected from the KDD
and FAR is 2.075%. DR of the method of Literature [28] is CUP99 dataset for testing. The running time of each
90.1% and FAR is 1.237%. DR and FAR of the proposed algorithm was compared, and the results are shown in
method are 91% and 1.176%, respectively, which are better Figure 6. The minimum number of data selected is 200,
than those of the comparison methods. This is because the and the maximum number is 20000. It can be easily seen
proposed method combines the FCM algorithm with from Figure 6 that the method of Literature [27] takes the
GRNN, so as to cluster the samples to be classified in the most average detection time during the whole experiment,
original space by the FCM algorithm and then use the sam- and the proposed method takes the shortest time. This is
ple closest to the FCM clustering center to train the GRNN because the parameters of the FCM-GRNN model are opti-
model and update the center point until a stable clustering mized by using the global search feature of MFOA, and the
center is obtained. Therefore, it can better distinguish the three-dimensional search method is used to find the optimal
Wireless Communications and Mobile Computing 7

100

80

Test run time (s)

60

40

20

0
103 104 105
Dataset size

Literature[27]
Literature[28]
Proposed method

Figure 6: Comparison of running time when different sizes of datasets are detected by different methods.

spread value iteratively by using the sharp olfactory and References

visual advantages of fruit flies, making the algorithm
converge faster and the time consumption be shortened. [1] Z. H. A. N. G. Yong-dong, C. H. E. N. Si-yang, P. E. N. G.
Therefore, the FCM-MFOA-GRNN method is feasible Yu-he, and Y. A. N. G. Jian, “A survey of deep learning
and efficient for processing large data volumes in cloud based network intrusion detection,” Journal of Guangzhou
University Natural Science Edition, vol. 18, no. 3, pp. 17–
computing environments.
26, 2019.
[2] J. Huang, W. Zhang, W. Huang, W. Huang, L. Wang, and
Y. Luo, “High-resolution fiber optic seismic sensor array for
6. Conclusion intrusion detection of subway tunnel,” in 2018 Asia Communi-
Aiming at the poor detection performance of existing cations and Photonics Conference (ACP), pp. 1–3, Hangzhou,
China, October 2018.
intrusion detection methods in the environment of high-
[3] C. Deng and H. Qiao, “Network security intrusion detection
dimensional massive data and uneven class distribution, an
system based on incremental improved convolutional neural
anomaly traffic detection method based on deep learning network model,” in International Conference on Communica-
in cloud computing environment is proposed. By introduc- tion and Electronics Systems., pp. 1–5, Coimbatore, India,
ing the combination of the FCM algorithm and GRNN, the 2016.
stability of anomaly traffic detection system is improved. [4] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “Network
Meanwhile, MFOA is used to optimize the parameters of anomaly detection: methods, systems and tools,” IEEE Com-
the FCM-GRNN method to speed up the convergence. munication Surveys and Tutorials, vol. 16, no. 1, pp. 303–
Experimental results show that the proposed method has 336, 2014.
good detection ability. [5] N. El Moussaid and A. Toumanari, “Overview of intrusion
The experiment only considers one intrusion detection detection using data-mining and the features selection,” in
dataset, so more datasets can be involved to train the detec- International Conference on Multimedia Computing and Sys-
tion model in the future. Moreover, anomaly detection is tems, pp. 1269–1273, Marrakech, Morocco, 2014.
only one aspect. How to take mitigation measures to reduce [6] A. Milenkoski, M. Vieira, S. Kounev, A. Avritzer, and B. D.
the damage caused by network attack is also a direction of Payne, “Evaluating computer intrusion detection systems,”
great research value. ACM Computing Surveys, vol. 48, no. 1, pp. 1–41, 2015.
[7] A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzzaman,
“Survey of intrusion detection systems: techniques, datasets
Data Availability and challenges,” Cybersecurity, vol. 2, no. 1, pp. 1–22,
2019.
The data used to support the findings of this study are [8] R. Domingues, M. Filippone, P. Michiardi, and J. Zouaoui, “A
included within the article. comparative evaluation of outlier detection algorithms: exper-
iments and analyses,” Pattern Recognition, vol. 74, no. 4,
pp. 406–421, 2018.
Conflicts of Interest [9] Y. Mehmood, M. A. Shibli, U. Habiba, and R. Masood, “Intru-
sion detection system in cloud computing: challenges and
The authors declare that there is no conflict of interest opportunities,” in 2nd National Conference on Information
regarding the publication of this paper. Assurance, pp. 59–66, Rawalpindi, Pakistan, 2013.
8 Wireless Communications and Mobile Computing

[10] A. Drewek Ossowicka, M. Pietrołaj, and J. Rumiński, “A sur- on deep learning models,” Journal of Information Security
vey of neural networks usage for intrusion detection systems,” and Applications, vol. 41, no. 12, pp. 1–11, 2018.
Journal of Ambient Intelligence and Humanized Computing, [26] R. C. Staudemeyer and C. W. Omlin, “Evaluating performance
vol. 12, no. 1, pp. 497–514, 2021. of long short-term memory recurrent neural networks on
[11] M. Ring, S. Wunderlich, D. Scheuring, D. Landes, and intrusion detection data,” in Proceedings of the South African
A. Hotho, “A survey of network-based intrusion detection data Institute for Computer Scientists and Information Technologists
sets,” Computers & Security, vol. 86, no. 6, pp. 147–167, 2019. Conference, pp. 218–224, New York, NY, United States, 2013.
[12] A. Bakshi and Sunanda, A comparative analysis of different [27] Y. Zhang, X. Chen, D. Guo, M. Song, Y. Teng, and X. Wang,
intrusion detection techniques in cloud computing, Springer, “PCCN: parallel cross convolutional neural network for abnor-
Singapore, 2019. mal network traffic flows detection in multi-class imbalanced
[13] S. G. Kene and D. P. Theng, “A review on intrusion detection network traffic flows,” IEEE Access, vol. 7, no. 9, pp. 119904–
techniques for cloud computing and security challenges,” in 119916, 2019.
2nd international conference on electronics and communica- [28] A. Pektaş and T. Acarman, “A deep learning method to detect
tion systems, pp. 227–232, Coimbatore, India, 2015. network intrusion through flow-based features,” International
[14] N. Keegan, S. Y. Ji, A. Chaudhary, C. Concolato, B. Yu, and Journal of Network Management, vol. 29, no. 3, pp. 2019–2026,
D. H. Jeong, “A survey of cloud-based network intrusion 2019.
detection analysis,” Human-centric Computing and Informa-
tion Sciences, vol. 6, no. 1, pp. 1–16, 2016.
[15] A. Aburomman and M. B. I. Reaz, “A survey of intrusion
detection systems based on ensemble and hybrid classifiers,”
Computers & Security, vol. 65, no. 4, pp. 135–152, 2017.
[16] A. Nisioti, A. Mylonas, P. D. Yoo, and V. Katos, “From intru-
sion detection to attacker attribution: a comprehensive survey
of unsupervised methods,” IEEE Communication Surveys and
Tutorials, vol. 20, no. 4, pp. 3369–3388, 2018.
[17] L. N. Tidjon, M. Frappier, and A. Mammar, “Intrusion detec-
tion systems: a cross-domain overview,” IEEE Communication
Surveys and Tutorials, vol. 21, no. 4, pp. 3639–3681, 2019.
[18] C. Liu, J. Wang, J. Xu, J. Wang, C. Liu, and Y. Wang, “Abnor-
mal data flow detection in the Internet of things,” in 4th Inter-
national Conference on Electronics and Communication
Engineering, Xi'an, China, 2021.
[19] M. Alauthman, N. Aslam, M. Al-Kasassbeh, S. Khan,
A. Al-Qerem, and K. K. R. Choo, “An efficient reinforce-
ment learning-based Botnet detection approach,” Journal
of Network and Computer Applications, vol. 150, no. 11,
article 102479, 2020.
[20] W.-H. Lin, H.-C. Lin, P. Wang, B.-H. Wu, and J.-Y. Tsai,
“Using convolutional neural networks to network intrusion
detection for cyber threats,” international conference on
applied system invention, 2018, pp. 1107–1110, Chiba, Japan,
2018.
[21] R. Blanco, P. Malagón, J. J. Cilla, and J. M. Moya, “Multiclass
network attack classifier using CNN tuned with genetic algo-
rithms,” in 28th international symposium on power and timing
modeling, optimization and simulation, pp. 177–182, Platja
d'Aro, Spain, 2018.
[22] A. H. Mirza and S. Cosan, “Computer network intrusion
detection using sequential LSTM neural networks autoenco-
ders,” 26th signal processing and communications applications
conference, 2018, pp. 1–4, Izmir, Turkey, 2018.
[23] F. Farahnakian and J. Heikkonen, “A deep auto-encoder based
approach for intrusion detection system,” in 20th international
conference on advanced communication technology, pp. 178–
183, Chuncheon, Korea (South), 2018.
[24] M. Al-Qatf, Y. Lasheng, M. Al-Habib, and K. Al-Sabahi, “Deep
learning approach combining sparse autoencoder with SVM
for network intrusion detection,” IEEE Access, vol. 6, no. 5,
pp. 52843–52856, 2018.
[25] A. L. H. Muna, N. Moustafa, and E. Sitnikova, “Identification
of malicious activities in industrial Internet of things based
 Copyright © 2022 Junjie Cen and Yongbo Li. This work is licensed under
http://creativecommons.org/licenses/by/4.0/(the “License”). Notwithstanding
the ProQuest Terms and Conditions, you may use this content in accordance
with the terms of the License.