Received: 3 December 2020 Accepted: 3 January 2021

DOI: 10.1002/ett.4221

RESEARCH ARTICLE

An intrusion detection system using optimized deep neural

network architecture

Mangayarkarasi Ramaiah1 Vanmathi Chandrasekaran1

Vinayakumar Ravi2 Neeraj Kumar3,4,5

1
School of Information Technology and
Engineering, Vellore Institute of Abstract
Technology, Vellore, India Internet usage became increasingly ubiquitous. The concern regarding security
2
Center for Artificial Intelligence, Prince and privacy has become essential for Internet users. As the usage of the Inter-
Mohammad Bin Fahd University, Khobar,
net increases the number of cyber-attacks also increases substantially. Intrusion
Saudi Arabia
3
Department of Computer Science and
detection is one of the challenging aspects of network security. Efficient intru-
Engineering, Thapar University, Patiala, sion detection is crucial for every organization to mitigate the vulnerability. This
India paper presents a novel intrusion detection system to detect malicious attacks
4
Department of Computer Science and
targeted at a smart environment. The proposed Intrusion detection method
Information Engineering, Asia University,
Taichung City, Taiwan uses a correlation tool and a random forest method to detect the predominant
5
School of Computing, University of independent variables for improvising neural-based attack classifier. To detect
Petroleum and Energy Studies, Dehradun, a malicious attack, a shallow neural network and an optimized neural-based
India
classifier are presented. The designed intrusion detection system has experi-
Correspondence mented on the KDDCUP99 dataset. The experimental results reveal that the
Vinayakumar Ravi, Center for Artificial performance of the proposed intrusion detection system is superior in terms of
Intelligence, Prince Mohammad Bin Fahd
University, Khobar, Saudi Arabia. quantitative metrics. Thus, the proposed system can be deployed in the IoT and
wireless networks to detect cyber-attacks.

1 I N T RO DU CT ION

The great usage of the Internet and the number of applications running on them enables hackers aimed threats against
the assets of any organization. As the network flooded with proliferated network traffic data, it is inevitable to anticipate
threats and attacks. Over the last three decades, intrusion detection systems are being highly researched and methods
to improve their efficiency are being put forward one by one. Intrusion detection systems (IDS) are capable of monitor-
ing traffic in the network given the finding of abnormal or suspicious activity. The possible attacks such as brute force,
denial of service, and infiltration from within the network are very commonly found to be used nowadays, which could
change the dataset or disallows a legitimate user from accessing the data. Broadly, the Intrusion detection system is cat-
egorized into two kinds, Network Intrusion detection system (NIDS) can be deployed to monitor the network traffic for
any anomalies. Host Intrusion Detection System (HIDS), designed to detect attacks, where the NIDS has failed to detect
or any malicious traffic inside the organization itself. IDS (Intrusion detection system) can either be hardware or software,
whereas IDS software is considered to be more flexible than the hardware-based IDS. Recent day’s picture reveals that
detecting a network attack is a big challenge for any organization. The possible network attacks detected through NIDS,
are as follows1 normal, DoS, R2L, probe, and U2R. The normal class has data about the servers that are not anomalous in
other words where no attacks were detected. DoS is an abbreviation for Denial of Service attack wherein legitimate users

Trans Emerging Tel Tech. 2021;32:e4221. wileyonlinelibrary.com/journal/ett © 2021 John Wiley & Sons, Ltd. 1 of 17
https://doi.org/10.1002/ett.4221
2 of 17 RAMAIAH et al.

are unable to login and use the system. This type of attack is particularly planned in high-profile organizations such as
banks and multimedia companies to shut down a system or a network. R2L or a Remote to User attack targets one or
many systems connected by a network and installs malicious files or software in it. The attacker here tries to find some
vulnerable points in the computer’s security system to gain access to personal data. The advantage of attackers is, here
that they can steal precious information from the user by accessing the system remotely. Probing is the method where
an attacker inserts a program or any other device at the key juncture of a network. The purpose of the aiming probe is
to monitor and collect information about the network activity along with the weak spots in network devices or connec-
tions to compromise the system. U2R or a User to Root Attack, the hacker uses certain privileges as a normal user, then,
later on, tries to exploit the vulnerabilities of the system to gain super user benefits that is, it is the act of illegitimately
procuring the root’s privileges while accessing a local machine legally. Even though various research studies established
for intrusion detection,2,3 but still the amount of new kind of attacks are increasing day by day. Such attacks cause severe
damage in IoT smart environments,4 wireless networks,5 cyber-physical systems,6 and fog computing.7 The incremental
nature of cyber-attacks stresses the demand for a robust and efficient Intrusion detection system. The conventional secu-
rity technologies do not cope with the variation dynamism evolved in the smart wireless environment. To demonstrate
the efficacy of the Intrusion detection system there are many datasets have been used so far. Most of the bench-marking
dataset has more number of independent variables, which may burden the Intrusion classifier. And also may lead the
classifier to end up with poor classification due to uncorrelated independent variables.
A classifier model can be designed either using supervised or unsupervised methods. A supervised learning category
technique requires dependant variable, needs to be specified explicitly. Wherein unsupervised learning techniques, the
dependant variable needs not to be known or it can be known to only a subset of instances. A support vector machine
(SVM) is one of the supervised learning methods. This method is preferred to complete the feature selection.8 SVM pro-
duces higher classification efficiency while comparing the other models. SVM spends more time on training and this
fact restricted its usage in many classifier models. In most cases, the feature selection module facilitates the classifier
by selecting an optimal subset of features.9 Use a correlation tool to remove the redundant independent variables. The
authors of References 10,11 used PCA (principal component analysis) for reducing the number of independent variables,
and thereby facilitates faster classification. This motivated the authors to develop a good stack of feature selection mod-
ule. In this paper, predominant independent variables are filtered through correlation and random forest method and
chi-square test. Then the selected independent variables are feed into a shallow neural network and an optimized neural
network classifier to detect as well as classify the attacks. The performance of the proposed intrusion detection software
is compared with the state of the art IDS.
The main contributions of the proposed work are:

• A shallow and optimized deep neural network classifier is proposed, to stress the importance of various
hyper-parameters.
• Improvement in the performance of attack detection model by choosing the prevalent features by using Correlation
and Random forest
• A further enhancement is obtained through Random forest, using a rank score of the chi-square test in identifying an
optimal set of features.
• Reducing the work-load of the optimized neural classifier.
• The results of the proposed models are compared with a state-of-the-art Intrusion detection classifier.

The rest of the paper is organized as follows in Section 2 presents the literature review for the area. Section 3 Discuss
the proposed Intrusion Detection framework. Section 4 discusses the efficacy of the proposed framework in anomaly
detection and the results of the proposed one are compared with the state of the art Intrusion detection classifier. Section 5
conclusion is drawn.

2 RELATED WORK

The diversity of data in trend networks and various types of new protocols have made intrusion detection even more
robust and challenging. In trend, there is a great interest in developing robust and efficient Network Intrusion Detection
Systems (NIDS) capable of identifying the potential or unforeseen threat and consequently denying access to the system.
RAMAIAH et al. 3 of 17

Ultimately, a simple and robust NIDS is in greater demand for ensuring network security. This section briefly summa-
rizes the various researchers’ contributions in solving the Intrusion detection problem. Tsai et al12 analyze the various
classical machine learning algorithms to implement NIDS (Network Intrusion Detection System). Also, the study report
discusses the hybrid and ensemble classifier for Intrusion detection. The preciseness of the classifier relies on various
factors. Though a Machine learning model precisely predicts the unseen pattern, still it remains deficient in handling a
huge amount of data. Some of the authors researched Gao et al13 to resolve efficacy issues associated with machine learn-
ing approaches on Intrusion detection datasets. Park et al14 have also implemented IDS using a random forest classifier
on the intrusion dataset sample. Such a method helped in analyzing various datasets from a different perspective. Peng
et al15 have designed IDS for fog environments using Decision Tree. To demonstrate the performance of IDS, experimen-
tation carried with 10% as well as 100% of the dataset, and results are compared with other machine learning methods
such as Naive Bayes and KNN.
ANN is one of the most promising machine-learning methods that proved its efficiency in detecting malware. Again
ANN could learn the context features either supervised or unsupervised mode. While designing IDS using ANN, a sample
against all class labels should be sufficient enough. Otherwise, the fewer class samples may be considered an outlier
while detecting cyber-attacks Wang et al16 say in some cases, the learning process could be time-consuming and there
are a lot of chances it may be struck with local minima. ANNs often suffer from local minima and that makes learning a
time-consuming process. The main highlight of using ANN is the inclusion of the varying amount of hidden layers based
on the problem may facilitate the classifier to learn the hidden complex patterns found in the input. Such development lays
the foundation for designing the complex neural architectures, Recurrent NN (RNN), and convolutional NN (CNN). Wu
etal17 has demonstrated a powerful NIDS using CNN and RNN to learn spatial and temporal patterns. The experimental
results reveal that the presented NIDS attack detection ability is greatly improved. Yin et al18 present the steps to build
IDS using RNN (Recurrent neural network). The proficiency in attack classification is improvised by changing the various
hyper-parameters. Presented binary and multiclass attack classification are compared with the results obtained through
various machine learning models upon the IDS dataset.
Nguyen et al19 present a system to monitor as well as track the network data thereby suggests the possible action. As
the network is loaded with a huge amount of data, detecting malicious traffics is the most challenging and prevalent too.
This CNN-based IDS is designed to detect DoS attack. The preciseness of the system in terms of accuracy is 99.87%. Javaid
et al20 presents a Network Intrusion Detection System (NIDS) for assisting the network administrators to detect security
breaches. The presented IDS is designed upon the deep learning models.
Ahamed et al21 present an elaborate study of various Machine learning and Deep learning methodologies in the pro-
cess of designing NIDS. This study article highlights the merits and challenges faced by various methodologies while
detecting the attacks. The future scopes of various works are also discussed. Elhag et al22 believed that fuzzy logic can
decrease the false alarm rate in intruder actions. Fuzzy rules are drafted to discriminate between normal and abnormal
action.
In the research community, some of the researchers preferred bio-inspired optimization techniques to classify the sam-
ples against the labels. Preferably machine learning or deep learning models are hybridized with bio-inspired optimization
techniques to score a good number against accuracy. Balasaraswathi et al23 experimented with several bioinspired opti-
mization techniques for feature engineering upon the KDDCUP99 dataset. Sweta et al24 proposed a hybrid feature
selection comprised the result PCA with a firefly optimization algorithm. Authors claimed the preciseness in attack classi-
fication has been improvised due to the optimal set of features obtained through hybrid feature selection. But the authors
did not reveal the process of obtaining the computation absorption coefficient of the firefly algorithm. Alazzam25 uses
pigeon inspired algorithm as a wrapper method for designing NIDS. The proposed feature selection component experi-
ments on KDDCUP99, NSL-KDD, and UNSW-NB15 datasets. Thaseen et al26 present a NIDS using LSTM architecture
with a genetic algorithm. The attack classifier scored 99.3% accuracy.
Most of the articles discussed in this domain have mainly focused on the application of various machine learning
and deep learning approaches for attack detection as well as classification. However, the preciseness of malicious attack
classifiers still needs to be improvised. In the literature, most of the researchers had given the focus on handling several
artificial Intelligence techniques by varying their experimental parameters. Very few articles focus on feature selection or
feature engineering. In trend, methods in References 24,25 use bio-inspired optimization algorithms as a wrapper method
for feature extraction. Optimality cannot be guaranteed just because of the application of optimization techniques. Still, a
lack of focus is observed for the feature selection component. So, the study presented in this paper attempted to derive the
feature selection package using a simple hybridization tool. The proposed IDS use the feature obtained through correlation
4 of 17 RAMAIAH et al.

tool to remove the redundant features and the results are feed random forest wrapper method, eventually, the final set of
feature is obtained with help of chi-square test.

3 PROPOSED FRAMEWORK

This section discusses the proposed methodology. The outline of the proposed framework is presented in Figure 1. The
reliability of the proposed framework is tested with the IDS dataset found in Reference 27. Data pre-processing phase is
essential for ensuring data preparedness. The dataset has 38 numeric features and three categorical features. As a first,
the pre-processing phase implements an encoding process to transform the categorical feature “protocol type” column
into numerical values so that they can be used for further calculations and curve fitting. There are three alternative values
in the column “protocol type” namely, ICMP(Internet Control Message Protocol), UDP(User Datagram Protocol), and
TCP(Transmission Control Protocol) Using Label encoder, IMCP value has been changed to 0, UDP to 1 and TCP to 2
demonstrated through the given snapshots in Figures 2 and 3. In the next step pre-processing a statistical analysis has
been carried out over the numeric features such as the number of entries against each column attribute, mean of the
attribute, the maximum or minimum value present in the column, and soon.
These statistical data reveal the richness of all feature attribute. Before designing a classifier model, ensuring
the quality, as well as its compatibility for the candidate problem, is necessary. The next step in pre-processing is
data-standardization. Standardization brings the data in various formats into a format, where the AI (Artificial Intelli-
gence) techniques can infer the insight about the data. The standardized value for the feature column is computed using
Equation (1).

xij − x
zij = − (1)
si

FIGURE 1 Outline of the proposed framework

RAMAIAH et al. 5 of 17

FIGURE 2 Snapshot of the

feature column (protocol_type) before
applying the label encoding

FIGURE 3 Snapshot of the

feature column (protocol_type) after the
label encoding

FIGURE 4 Boxplot
analysis considering the first 10
features of KDDCUP99 data set

where Z ij represents the standardized values for each tuple, X ij represents the data present in each tuple, ′X represents
the mean of the current attribute from which the tuple is taken and ′Si is the SD of the above-selected attribute from
its mean.
As a final step, in the pre-processing, a boxplot is used to discard the outliers.28 The boxplot graph in Figure 4 shows
how the data points are scattered out in the sample space. Outliers are those observations made in the data which lies
at an abnormal distance from the other values in a sample population. In short, these are the data points, which have
been plotted quite high or quite low from the majority of data points that are plotted in a similar place, forming clusters.
Figure 4 shows the box-plot obtained from plotting the values of every row against its output classes which made the
outliers visible. The data points that have been plotted away from most of the points are in the range of 100 to 350 can be
easily classified as outliers and by considering the values within 0 to 50 alone are considered. The Maximum outlier lies
in the range Q3 + 1.5*IQR and the Minimum outlier lies in the range Q1-1.5*IQR. The interpretation is any values that
are greater than the value of “maximum outlier” and which is less than the value of “minimum outlier” is declared as an
outlier and those data removed from the sample.
6 of 17 RAMAIAH et al.

FIGURE 5 A portion of the Correlation matrix of 42 features

3.1 Feature selection

Identifying the optimal set of features is essential not only to improvise the classification accuracy but also to reduce
the classification time. There are cases where improper feature selection leads to overfitting issues. Feature selection
is possible either in an automated manner or manually.19 Presents wrangler models for feature selection. Correlation
feature selection (CFS) is used to remove the redundant features from the given set of samples. CFS29 based on a hypoth-
esis like a good set of features contain highly correlated features with the output class, yet uncorrelated with each
other. Based on CFS a correlation value for every feature vector to every other feature is computed. Features whose
correlation value is high is removed from the sample because either one among them is sufficient enough to decide
the output class. Figure 5 shows the correlation matrix value computed for the feature columns in the KDDCUP99
data set.
After computing the correlation value for every feature with every other the proposed technique removes those
features that have a correlation value of greater than or equal to 0.8. Since those features are considered as redun-
dant feature samples. Upon using correlation co-efficient values the 10 redundant features are removed out of 42
features. Then in the next step, to deduce the feature set importance, a Random forest classifier has been used as a
wrangler model. Then the output of this step has undergone a chi-square-feature-score computation as mentioned in
Equation (2). The chi-square test has come up with the top 20 scored attributes. Table 1 displays the 20 top-scored fea-
tures and their descriptions. These 20 features are used in the upcoming steps to train as well as test the proposed
models.
The formula for chi-square is as follows

∑ (Oi − Ei )2
xc 2 = (2)
Ei

where C is degrees of freedom, O is observed values, and E is the expected values.

RAMAIAH et al. 7 of 17

T A B L E 1 Top 20 features selected through the chi-square test

Slno Attribute name Description Type

1 Duration Period of the connection Continuous

2 Protocol_type Type of protocol used for transmitting data Discrete
3 Service The type of network service the destination has Discrete
4 Flag Normal or error status by the connection Discrete
5 Src_bytes The number of data bytes transferred from source to destination Continuous
6 Dst_bytes The number of data bytes from destination to source Continuous
7 Wrong_fragment No. of wrong fragments picked up Continuous
8 Hot Number of hot indicators Continuous
9 Logged_in 1-Logged in, 2-Not logged in Discrete
10 Count Number of connections to the same host as the current Continuous
connection in last two secs.
11 Srv_count Number of connections to the same service as the current Continuous
connection in last 2 s.
12 Rerror_rate % of connections having REJ errors Continuous
13 Same_srv_rate % of connections that has same services Continuous
14 Diff_srv_rate % of connections that has different services Continuous
15 Srv_diff_host_rate % of connections with different hosts Continuous
16 Dst_host_count Number of hosts present in the destination Continuous
17 Dst_host_srv_count Number of host servers that are present in the destination Continuous
18 Dst_host_diff_srv_rate % of hosts which has different servers in the destination Continuous
19 Dst_host_same_src_port_rate % of hosts that have same port rate in destination. Continuous
20 Dst_host_srv_diff_host_rate % of connections with different hosts in destination. Continuous

3.2 Classification

In this section two neural network models are presented to classify the given Intruder feature row data into possible attack
output classes through the proposed feature selection stack followed by the Deep Neural Network classifier. The deep
neural architecture can apply the nonlinear transformation onto its input and creates a statistical model as output.

3.2.1 Shallow neural network model (S-NN)

The presented feature selection stack identified the optimal 20 features. These features are fed into the shallow neural
network model (S-NN), displayed in Figure 6. The S-NN model configuration includes one input layer with 100 neurons,
to receive 20 feature vectors. And one output layer with five neurons. The Rectified Linear Unit (ReLU) is preferred as an
activation function for the input layer, which is the positive part of its argument. For the given set of inputs, the activation
function of a node is the set of outputs of the node, which is used as an input for the next node. These output units are
called “neurons” and can take values depending upon the desired range such as between 0 and 1. The simple form of
ReLU activation function presented as an Equation (3)

f (x) = x+ = max (0, x) (3)

The second layer of the data is activated using the SoftMax activation function. This turns the data values into prob-
abilities that sum up to unity. The transformation from the input feature vector to output classes is interpreted as a
mathematical Equations (4)-(8).
8 of 17 RAMAIAH et al.

FIGURE 6 Structure of S-NN model for IDS

hunit−size = 𝜑 (Zunit−size ) (4)

T
Zunit−size = Wlunit−size F = Wln1 F1 + Wln2 F2+ WL0 (5)

F ⟹ 𝜑 (F) ⟹ W T F (6)

̂ = 𝜎 (𝜑)
Y (7)

𝜑k (F)
̂ = ∑e
Y (8)
k
k=1 e𝜑k (F)

The output function of the hidden layer is computed using Equation (4). Whereas every hidden layer contribution is
defined in Equation 5. And the transformation from input features vector to output classes is done using Equations (6)-(8)
Here 𝜎 is a sigmoid activation function 𝜑 is an activation function upon hidden-layer units. The designed model is com-
piled with Adam optimizer. Adam optimizer, a first-order gradient-based optimization algorithm that was first proposed
in Reference 30. Adam optimizer is straightforward, efficient, well-suited for large volumes of data, and has minimum
memory requirements. Adam optimizer removes the burden of tuning hyper parameters. Then the proposed S-NN model
fit the data with 15 numbers of epochs.

3.2.2 Deep-optimized neural network model (D-ONN)

An S-NN model is trained to detect and classify the attack as mentioned in the above section. This section narrates the
steps to design one more model called Deep optimized neural network (D-ONN). This presented D-ONN classifier is
designed for categorizing the attacks via optimizing the various hyper-parameters as well as the configuration setup. Here
the D-ONN model is designed with an input layer, two hidden layers, and an output layer as shown in Figure 7. The ReLU
activation function is used in all the layers except the output layer. The sigmoid function is preferred to use because the
proposed classifier is a multi-class classifier. The D-ONN is an optimized version of S-NN, thus it follows similar steps
RAMAIAH et al. 9 of 17

FIGURE 7 Structure of D-ONN model

as mentioned in Equations (4)-(8) to transform the input features to output classes. The proposed model is fit with 30
numbers of epochs.

4 R E S U LTS AN D D ISCU SSION

This section summarizes the results obtained through two models presented in the aforementioned sections. To demon-
strate the efficacy of the proposed IDS framework, the results are compared with the state of the art intrusion detection
classifier.

4.1 Dataset description

The experimented dataset has 38 numeric features and three categorical features. The dataset is split into a training
set of 122 375 (KDDTrain+) and a testing set of 13 598 samples (KDDTest+). Table 2 summarizes the different types of
attacks that can be classified as per proposed IDS. The data distribution of samples against various classes of attacks in
the KDDCUP99 dataset can be found in Figure 8.

4.2 Efficacy indicators

Accuracy, Precision, and Recall are the important metrics used to measures the performance of the machine learning
models. These metrics based on the confusion matrix. The four components of the confusion metrics are as follows.

T A B L E 2 Classes of attacks found in

Main-class Meanings
KDDCUP99 dataset
Normal Normal traffic: no intrusion found
DoS Denial of Service
Probing Monitoring other’s behaviors to particularly obtain their data
R2L Illegal access of data from a remote machine
U2R Unauthorized access for escalation of privileges
10 of 17 RAMAIAH et al.

FIGURE 8 Distribution of sample against the four types of

attacks, Representation of data points of each class of attack

• True positive (TP): Intruders activity that is successfully classified as attacks.

• True Negative (TN): Classify the normal activities are as normal.
• False-positive (FP): Wrongly classify the normal activity as an attack.
• False Negative (FN): Classify the intrusive activities as normal activity.

The expression of the metrics from the confusion matrix is described as an equation from (9)-(12)

TP + TN
AccuracyIDS = (9)
TP + TN + FP + FN
TP
PrecisionIDS = (10)
TP + FP
TP
RecallIDS = (11)
TP + FN
Precision.Recall
F1ScoreIDS = 2 (12)
Precision + Recall

4.3 Discussion

By considering the size of the dataset and the requirement of RAM, the proposed framework is carried out in the Google
Colab platform. The computational resources of the Google Colab assist well in the process of analyzing the multiple
feature columns. Keras31 Tensorflow32 from Python 3.7 are used to design the proposed framework. The prediction results
obtained through S-NN models are summarized as a confusion matrix in Figure 9. Among 13 598 samples 4667 samples
are classified as normal, 6856 samples are classified as DoS, and 1124 samples are considered as probing. After completing
the training phase S-NN model, the predictions are made found to be 91% accurate.
While comparing with the S-NN models performance the optimized model designed mode (D-ONN) produces 98%
as training accuracy. The relationship between the number of epochs vs accuracy and the number of epochs vs model
loss is displayed as a graph in Figure 10A,B. While evaluating the proposed model with the 13 598 testing samples,
4770 samples are classified as normal, 7138 samples are classified as DoS and 1243 samples are considered as prob-
ing. To present a precise picture of classifying the testing samples into various classes please see the confusion matrix
in Figure 11.
To demonstrate the competitiveness of the proposed models, the results published in different venues are compared
with proposed models for the reader’s perusal. The State of the art methods from References 33-35 are considered, the
method in Reference 33 use pigeon bio-inspired optimization, Reference 34 presents a NIDS based upon deep neural
network architectures, and wherein the method in Reference 35 uses the complex neural network architecture (CNN)
for approaching the Intrusion detection problem. Table 3 summarizes the performance of various methods in Refer-
ences 33-36 in terms of accuracy. While analyzing the results of the two proposed models along with the results in
Reference 33-36, being a simple architecture with minimal memory requirements, the proposed models work better than
RAMAIAH et al. 11 of 17

FIGURE 9 Confusion matrix for the five classes of attack

through S-NN

F I G U R E 10 (A) Numbers of epoch vs Accuracy. (B) Numbers of epoch vs Loss

the results of References 34-36. The proposed model attack classification accuracy is 98.0% whereas the method in Refer-
ence 33 presents the IDS using SVM-PIO. SVM parameters are fed into pigeon bio-inspired classifier, so the model yields
98.2% as its accuracy. The usage of the optimization tool is the reason for the observed output. Reference 33 not only
used PIO (Pigeon bio-inspired), the SVM parameter is optimized using GA (Genetic Algorithm) and PSO (Particle Swarm
Optimization).
In terms of accuracy S-NN model’s accuracy is better than SVM,23 CNN 3 layer,35 and D-ONN models accuracy better
than DNN-5, NB, KNN,34 GA-SVM,33 PSO-SVM,33 all the models in Reference 35 and almost comparable with PIO-SVM33
and CNN 2 layer+GRU.35
A hybrid scalable deep learning-based IDS is designed to demonstrate the superiority of the deep learning approaches
over machine learning approaches.36 While comparing the value of accuracy of the IDS in Reference 36, with the pro-
posed IDS, the results of the later one are impressive than the former one. The designed models have been finalized after
optimizing the several hyperparameters. 36 Presented an IDS, the performance multi-class attack classification accuracy
ranges between 92.5% and 93.5%. The authors in Reference 37 use deep long term short memory with RNN for design-
ing NIDS, though the method use complex architecture with huge memory requirement, it produces 98.2% as accuracy.
12 of 17 RAMAIAH et al.

F I G U R E 11 Confusion matrix of the five classes for the attack

classification

T A B L E 3 Comparison of
Methods Accuracy (%) Methods Accuracy (%)
experimented results33-35 with the
SVM33 88.43 CNN 3 layer.LSTM35 96.4 proposed work
PIO-SVM33 98.24 CNN 1 layer.GRU35 92.2
33 35
GA-SVM 95.09 CNN 2 layer.GRU 98.1
PSO-SVM33 96.88 CNN 3 layer.GRU35 93.6
DNN-134 92.9 CNN 3 layer.RNN35 93.8
DNN-534 92.5 DNN 2 layer36 92.5
Naïve Bayes34 92.9 DNN 3 layer36 93.5
KNN34 92.9 DNN 4 layer36 92.9
Random Forest34 92.7 DNN 5 layer36 92.5
CNN 3 layer35 80 Proposed S-NN 91
CNN 1 layer.LSTM35 94 Proposed D-ONN 98

And the results in PIO-SVM33 is comparable in terms of accuracy with the method in Reference 37. The overall inter-
pretation from Table 3, the proposed optimized model outperformed well than most of the methods considered. Despite
the NIDS in GA-SVM and PSO-SVM33 use optimization algorithms, the proposed NIDS model results are better in terms
of accuracy.
To highlight the performance of the proposed Deep optimized neural network-based IDS, Figures 12-14 present
the results of various attack classifier performance in terms of accuracy. In Figure 12, represents the results obtained
through various machine learning-based IDS along with the proposed IDS framework. The proposed IDS outper-
forms well than all other machine learning models by scoring 98% accuracy. In Figure 13, the author’s emphasis
on the performance of the proposed work is better than the models built upon complex neural network architec-
tures. And it is visible, convolution neural network 2 with Gated Recurring Unit-based IDS working better than
all, next the proposed model works better than others. Figure 14 shows the performance of the proposed IDs is no
longer less than the bio-inspired optimization-based IDS. Figure 14 reveals that the proposed model works better
than GA-SVM (Genetic Algorithm-Support vector machine) and PSO-SVM (Particle swarm optimization-support vector
machine).
RAMAIAH et al. 13 of 17

F I G U R E 12 Efficacy comparison of machine learning models

F I G U R E 13 Efficacy comparison of deep neural complex

architecture models

F I G U R E 14 Efficacy comparison of bio-inspired optimization models

T A B L E 4 F1 score of KNN15 with the proposed models

Methods 0 1 2 3 4
(Where 0, 1, 2, 3, and 4 denotes Normal, DoS, R2L, Probe, and
U2R respectively) KNN15 100 100 100 85 0
Proposed S-NN 96 94 87 23 0
Proposed D-ONN 98 98 98 82 0%

The proposed model results are compared with the results obtained through KNN (K-nearest neighbor) in Reference
15, where the IDS is developed using a decision tree. The results are summarized in Table 4 in terms of the F1-score
against five classes of attacks. Like KNN, the proposed model also did not impress well in detecting U2R attacks.
The other quantitative metrics to measure the efficiency of the intrusion detection classifier are precision and recall.
In Table 5, various machine learning results published in34,36,38,39 are compared with the proposed model. The proposed
model attains 98% in terms of precision as well as Recall.
The results are compared with LR (Logistic Regression), GNB (Gaussian Naive Bayes), SVM (Support Vector Machine),
and DNN (Deep Neural Network). Results of the proposed framework are appreciable while comparing with all other
methods using precision and recall except DNN with five layers presented in Reference 34. Vinayakumar et al39 made
an extensive review of Recurrent Neural Network architectures for approaching the attack classification problem. The
published results are summarized in Tables 5 and 6. In terms of Precision RNN-based IDS attains 100%, but in terms of
Recall scored 92%.
Figure 15 shows the efficacy of the proposed IDS along with state of the art IDS methods using Precision and Recall.
The disclosed data says that the proposed optimized model works better than all machine learning-based classifiers. Again
14 of 17 RAMAIAH et al.

T A B L E 5 Performance comparison of various methods using Precision and

Methods Precision Recall
Recall
DNN 534 99 91
DNN 436 91 93
DNN 536 92 92
LR38 83 85
GNB38 79 81
SVM38 76 79
39
RNN 100 92
Proposed S-NN 93 93
Proposed D-ONN 98 98

T A B L E 6 Performance comparison in terms of F1-Score

Methods F1-Score (%)

DNN 534 95
Random Forest34 95
35
CNN 1 layer 96
36
DNN 4 layer 91
36
DNN 5 layer 92
DLSTM+RNN37 99.5
SVM37 95.16
Naïve Bayes37 89.0
39
RNN 96.0
Proposed D-ONN 98

F I G U R E 15 Performance comparison in terms of

Precision and Recall

in terms of Precision and Recall, the proposal did not fail to impress. The results are better than the deep learning mod-
els presented in.36 Another performance indicator is F1-score. Table 6 shows the proposed model results are compared
with some of the output methods published in34-37,39 using F1-score. The proposed model obtains 98% as its F1-score,
which is better than DNN,35 Random Forest,34 CNN with one layer35 and SVM,37 Naive Bayes36 and RNN.39 The over-
all interpretation from Table 6 is, the proposed framework outperforms well all the mentioned methods except DLSTM,
RNN37 since the proposed architecture is predominant in others. The graphical representation of Table 6 can be found
in Figure 16.
RAMAIAH et al. 15 of 17

F I G U R E 16 Performance comparison in terms of F1-score

5 CO N C LU S I O N

The proposed Intrusion detection framework uses a correlation tool with Random forest as a wrapper method to define
the predominant independent variable from the IDS dataset. Two multiclass attack classifiers (S-NN, D-ONN) are pre-
sented in this paper to demonstrate the influence of the proposed feature selection module with the parameter tuning
method employed on classifier models. The proposed framework is built upon a simple and robust deep optimized neural
architecture to compete with the novel attack expected in IoT networks. The presented IDS system obtains 98% accu-
racy in attack classification. Thus, the experimented results confirm the competitiveness of the presented IDS is higher
in most of the cases than its counter-part Intrusion detection frameworks, which demand more memory and complex
neural architectures. In the future, the investigation will be established for cyber-physical system IDS.

ACKNOWLEDGMENT
The authors are thankful to all the reviewers and editors for their valuable suggestions to enhance the quality of the
manuscript.

DATA AVAILABILITY STATEMENT

The data that support the findings of this study are openly available in UCI Knowledge Discovery in Databases Archive
at http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html, reference number 27.

ORCID
Mangayarkarasi Ramaiah https://orcid.org/0000-0003-3088-6001
Vanmathi Chandrasekaran https://orcid.org/0000-0001-5833-8803
Vinayakumar Ravi https://orcid.org/0000-0001-6873-6469
Neeraj Kumar https://orcid.org/0000-0002-3020-3947

REFERENCES
1. Hindy H, Brosset D, Bayne E, Seeam A, Tachtatzis C, Atkinson R, Bellekens X. A taxonomy and survey of intrusion detection system
design techniques, network threats and datasets; 2018. arXiv preprint arXiv:1806.03517.
2. Buczak AL, Guven E. A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Commun Surv
Tutor. 2015;18(2):1153-1176.
3. Azeez NA, Ayemobola TJ, Misra S, Maskeliūnas R, Damaševičius R. Network intrusion detection with a hashing based apriori algorithm
using Hadoop MapReduce. Comput Secur. 2019;8(4):86.
4. Wazid M, Das AK, Bhat V, Vasilakos AV. LAM-CIoT: lightweight authentication mechanism in cloud-based IoT environment. J Netw
Comput Appl. 2020;150:102496.
5. Khan K, Mehmood A, Khan S, Khan MA, Iqbal Z, Mashwani WK. A survey on intrusion detection and prevention in wireless ad-hoc
networks. J Syst Archit. 2020;105:101701.
6. Farivar F, Haghighi MS, Jolfaei A, Alazab M. Artificial intelligence for detection, estimation, and compensation of malicious attacks in
nonlinear cyber-physical systems and industrial IoT. IEEE Trans Indus Informat. 2019;16(4):2716-2725.
7. Wazid M, Das AK, Kumar N, Vasilakos AV. Design of secure key management and user authentication scheme for fog computing services.
Future Gener Comput Syst. 2019;91:475-492.
8. Othman SM, Ba-Alwi FM, Alsohybe NT, Al-Hashida AY. Intrusion detection model using machine learning algorithm on big data
environment. J Big Data. 2018;5(1):34.
16 of 17 RAMAIAH et al.

9. Sumaiya Thaseen I, Saira Banu J, Lavanya K, Rukunuddin Ghalib M, Abhishek K. An integrated intrusion detection system using
correlation-based attribute selection and artificial neural network. Trans Emerg Telecommun Technol. 2020;31:e4014.
10. Zhang B, Liu Z, Jia Y, Ren J, Zhao X. Network intrusion detection method based on PCA and Bayes algorithm. Secur Commun Netw.
2018;2018:1-11.
11. Hadri A, Chougdali K, Touahni R. Intrusion detection system using PCA and Fuzzy PCA techniques. Paper presented at: 2016
International Conference on Advanced Communication Systems and Information Security (ACOSIS); 2016: IEEE:1–7.
12. Tsai CF, Hsu YF, Lin CY, Lin WY. Intrusion detection by machine learning: a review. Expert Syst Appl. 2009;36(10):11994-12000.
13. Gao X, Shan C, Hu C, Niu Z, Liu Z. An adaptive ensemble machine learning model for intrusion detection. IEEE Access.
2019;7:82512-82521.
14. Park K, Song Y, Cheong YG. Classification of attack types for intrusion detection systems using a machine learning algorithm. Paper
presented at: 2018 IEEE Fourth International Conference on Big Data Computing Service and Applications (BigDataService); March 2018:
IEEE:282–286.
15. Peng K, Leung V, Zheng L, Wang S, Huang C, Lin T. Intrusion detection system based on decision tree over big data in fog environment.
Wirel Commun Mobile Comput. 2018;2018:1-10.
16. Wang G, Hao J, Ma J, Huang L. A new approach to intrusion detection using artificial neural networks and fuzzy clustering. Expert Syst
Appl. 2010;37(9):6225-6232.
17. Wu P, Guo H. LuNet: A Deep Neural Network for Network Intrusion Detection. Paper presented at: 2019 IEEE Symposium Series on
Computational Intelligence (SSCI); December 2019: IEEE:617–624.
18. Yin C, Zhu Y, Fei J, He X. A deep learning approach for intrusion detection using recurrent neural networks. IEEE Access.
2017;5:21954-21961.
19. Nguyen SN, Nguyen VQ, Choi J, Kim K. Design and implementation of intrusion detection system using convolutional neural network
for DoS detection. Paper presented at: Proceedings of the 2nd international conference on machine learning and Soft Comput; February
2018:34–38.
20. Javaid A, Niyaz Q, Sun W, Alam M. A deep learning approach for network intrusion detection system. Paper presented at: Proceedings
of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS); May
2016:21–26.
21. Ahmad Z, Shahid Khan A, Wai Shiang C, Abdullah J, Ahmad F. Network intrusion detection system: a systematic study of machine
learning and deep learning approaches. Trans Emerg Telecommun Technol. 2020;31:4150.
22. Elhag S, Fernández A, Bawakid A, Alshomrani S, Herrera F. On the combination of genetic fuzzy systems and pairwise learning for
improving detection rates on intrusion detection systems. Expert Syst Appl. 2015;42(1):193-202.
23. Balasaraswathi VR, Sugumaran M, Hamid Y. Feature selection techniques for intrusion detection using non-bio-inspired and bio-inspired
optimization algorithms. J Commun Inform Netw. 2017;2(4):107-119.
24. Bhattacharya S, Kaluri R, Singh S, Alazab M, Tariq U. A novel PCA-firefly based XGBoost classification model for intrusion detection in
networks using GPU. Electronics. 2020;9(2):219.
25. Alazzam H, Sharieh A, Sabri KE. A feature selection algorithm for intrusion detection system based on pigeon inspired optimizer. Expert
Syst Appl. 2020;148:113249.
26. Thaseen IS, Chitturi AK, Al-Turjman F, Shankar A, Ghalib MR, Abhishek K. An intelligent ensemble of long-short-term memory with
genetic algorithm for network anomaly identification. Trans Emerg Telecommun Technol. 2020;31:e4149.
27. KDD Cup. Data, Intrusion Detection. Irvine, CA: University of California; 1999. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.
html Accessed June 6, 2020.
28. Escalante HJ. A comparison of outlier detection algorithms for machine learning. Proceedings of the International Conference on
Communications in Computer Security. Mexico: Researchgate; 2005:228-237.
29. Hall, M. A. Correlation-Based Feature Selection for Machine Learning. Hamilton, New Zealand: University of Waikato; (1999).
30. Kingma DP, Ba J. Adam: A method for stochastic optimization; 2014. arXiv preprint arXiv:1412.6980.
31. Keras: The Python Deep Learning Library [Online]. https://keras.io/.
32. TensorFlow: An end-to-end open source machine learning platform [Online]. Available: https://www.tensorflow.org/
33. Sun Y, Ye Z, Wang C, Yan L, Wang R. Research on network intrusion detection based on support vector machine optimized with
pigeon-inspired optimization algorithm. Paper presented at: 2018 IEEE 4th International Symposium on Wireless Systems within
the International Conferences on Intelligent Data Acquisition and Advanced Computing Systems (IDAACS-SWS); September 2018:
IEEE:62–67.
34. Vigneswaran KR, Vinayakumar R, Soman KP, Poornachandran P. Evaluating shallow and deep neural networks for network intru-
sion detection systems in cyber security. Paper presented at: 2018 9th International Conference on Computing, Communication and
Networking Technologies (ICCCNT); July 2018: IEEE:1–6.
35. Vinayakumar R, Soman KP, Poornachandran P. Applying convolutional neural network for network intrusion detection. Paper pre-
sented at: 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI); September 2017:
IEEE:1222–1228.
36. Vinayakumar R, Alazab M, Soman KP, Poornachandran P, Al-Nemrat A, Venkatraman S. Deep learning approach for intelligent intrusion
detection system. IEEE Access. 2019;7:41525-41550.
37. Kasongo SM, Sun Y. A deep long short-term memory based classifier for wireless intrusion detection system. ICT Express. 2020;6(2):98-103.
RAMAIAH et al. 17 of 17

38. Belavagi MC, Muniyal B. Performance evaluation of supervised machine learning algorithms for intrusion detection. Procedia Comput
Sci. 2016;89(2016:117-123.
39. Vinayakumar R, Soman KP, Poornachandran P. Evaluation of recurrent neural network and its variants for intrusion detection system
(IDS). Int J Inform Syst Model Design. 2017;8(3):43-63.

How to cite this article: Ramaiah M, Chandrasekaran V, Ravi V, Kumar N. An intrusion detection system
using optimized deep neural network architecture. Trans Emerging Tel Tech. 2021;32:e4221. https://doi.org/10.
1002/ett.4221