DeepInsight Convolutional Neural Network for Intrusion Detection Systems DeepInsight Convolutional Neural Network for Intrusion Detection Systems Tuan Phong Tran, Van Cuong Nguyen, Ly Vu and Quang Uy[.]
2021 8th NAFOSTED Conference on Information and Computer Science (NICS) DeepInsight-Convolutional Neural Network for Intrusion Detection Systems Tuan Phong Tran, Van Cuong Nguyen, Ly Vu and Quang Uy Nguyen Le Quy Don Technical University, Hanoi, Vietnam Abstract—Intrusion detection systems (IDSs) play a critical role in many computer networks to combat attacks from external environments However, due to the rapid spread of various new attacks, developing a robust IDS that can effectively detect novel attacks and prevent them from devastating network systems is a challenging task Recently, deep neural networks (DNNs) have been widely used to enhance the accuracy of IDSs in detecting network intrusions Nevertheless, the performance of DNN highly depends on the representation of the input data In this paper, we introduce a novel method called DeepInsight-Convolutional Neural Network-Intrusion Detection System (DC-IDS) In CDIDS, the DeepInsight technique is used to transform the network traffic data into a new representation in the form of an image This new representation of the traffic data is then used as the input of a Convolutional Neural Network (CNN) We evaluate our proposed technique using an extensive experiment on five IDS datasets The experimental results show that the proposed model enhances the performance of IDSs in detecting various network attacks compared to different popular machine learning algorithms Keywords- CNN, DeepInsight, IDS, DC-IDS I I NTRODUCTION Cyber-security intrusion detection plays a crucial role in protecting information and communication systems, thus it has received a great attention from the research community in recent years For example, European countries have invested a huge amount of budget to build a coherent framework for securing networks as well as electronic communication systems [1] However, developing a robust and efficient Intrusion Detection System (IDS) is one of the most challenging tasks in the cyber world This is because of the fast growth of the volume of network data, the difficulty of building an accurate detection model, and the diversity of data being transferred via networks Generally, IDSs are classified into two categories by methodologies [2], signature-based methods and machine learning-based methods The signature-based methods match the signatures of incoming network traffic data with predefined signatures and filters of intrusions Thus, they effectively identify known intrusions while unknown malicious behavior remains undetected Conversely, the machine learning-based methods focus on detecting patterns and comparing them to those extracted from regular traffic by using machine learning models These models are capable of extracting high levels of features from huge quantities and complex properties of traffic data Moreover, they are able to detect unknown attacks [3]– [5] Due to the effectiveness to detect various network attacks, a number of machine learning models including traditional machine learning such as Support Vector Machine (SVM), 978-1-6654-1001-4/21/$31.00 ©2021 IEEE Random Forest (RF), Decision Tree (DT) and deep neural networks (DNNs) such as Autoencoder (AE), Convolutional Neural Network (CNN) [6] have been used for IDSs However, the performance of machine learning models highly depends on the representation of the input data A good representation for the detection problem separates data samples of different classes and thus it favors the machine learning methods On the contrary, an unsatisfied representation mixes the data samples of different classes and hinders the machine learning algorithms from achieving good performance In xthis paper, we introduce a new method to improve the accuracy of IDSs by transforming the network traffic data into a new representation in the form of an image using the DeepInsight technique [7] Then, we extract high-level features of network traffic data using a CNN model This proposed technique, namely DeepInsight-Convolutional Neural Network-IDS (DCIDS), is evaluated on various IDS datasets The experimental results show that DC-IDS enhances the accuracy in detecting network intrusions compared to popular machine learning algorithms The main contributions of this paper are as follows: • We propose a method to transform the network traffic into a new representation using DeepInsight in which each data sample is transformed into an image • We evaluate the proposed technique by performing intensive experiments on five intrusion datasets to show the superiority of the proposed solution The rest of paper is organized as follows Section II briefly reviews related works on IDS Section III presents the fundamental background of CNN and DeepInsight The proposed method is then described in Section IV The experimental settings are provided in Section V After that, Section VI presents experimental results together with analysis Conclusions and future works are discussed in Section VII II R ELATED W ORK This section briefly reviews the previous research on the IDS signature-based approach and the machine learning-based approach In the signature-based approach, an IDS usually matches incoming network traffic to some pre-defined pattern that describes the behavior of intrusions If pattern-matching is successful, the incoming packets will be reported as an intrusion [8] There are an increasing number of studies and enhancements of pattern-matching algorithms The BoyerMoore (BM) algorithm has been popular in IDSs due to its great efficiency [9] The BM method has several drawbacks, including slow detection speed and high memory consumption [10] These drawbacks might affect the robustness of IDSs in real-world applications 120 2021 8th NAFOSTED Conference on Information and Computer Science (NICS) The machine learning-based approach has received more attention due to its effectiveness in IDSs The popular machine learning models for IDSs include Logistic Regression (LR) [11], RF [12], SVM [12] and DT [13] These models are based on hand-crafted data features, thus the performance of IDSs depends heavily on human experts Recently, deep neural network (DNN) is used overcome the above aforementioned limitation of the IDSs using the traditional machine learning models In [14], the authors described an effective and flexible IDS based on DNN Their proposed model uses an one-dimensional CNN (1D-CNN) to enhance the accuracy of the IDS problem compared with the traditional machine learning methods, including SVM and RF The authors in [15] improved the detection accuracy of an IDS using a fully connected network However, this approach was ineffective when dealing with time series data, such as distributed denial of service (DDoS) attacks [15] Ly et al [5], [16] proposed two new versions of an AutoEncoder and a Variational AutoEncoder for learning the representation of network traffic data Their models improve the accuracy of IoT anomaly detection problems CNN has proved to be the most popular and effective DNN for image analysis problems [17], [18] However, the network traffic data is not extracted in image form, thus it is challenging to apply the CNN model to enhance the performance of an IDS Recently, Sharma et al [7] proposed the DeepInsight technique that enables the possibility of using CNN to improve the classification performance of various data types The authors of [7] evaluated classification accuracy across a variety of datasets, including gene expression, text, vowels, and artificial datasets The authors compared the DeepInsight method to popular classifiers such as DT, Ada-Boost (AB), and RF Experiments demonstrated that DeepInsight outperformed all other models on all datasets DeepInsight’s accuracy averaged 95% across all datasets, RF was second at 86%, while DT and AB were 80% and 73%, respectively However, DeepInsight has not been investigated for analyzing the network traffic data In this paper, we utilize the benefit of DeepInsight to transform the network traffic data into the image form This allows the CNN model to learn effectively from network traffic data to identify attacks in IDSs x0 x1 x2 x3 kPCA/ tSNE Convex Hull xd Rotation Framing & Mapping Pixel Coordinates Fig 1: DeepInsight Pipeline An illustration of how DeepInsight converts a feature vector to image pixels uses a dimension reduction method such as t-SNE [19] or principal component analysis (PCA) [20] to produce a twodimensional plane The data features now are represented by the points in a Cartesian plane [21] Second, the convex hull algorithm [22] is used to determine the smallest rectangle that contains all the points Third, this rectangle is rotated to form an image horizontally or vertically Following that, the Cartesian coordinates are transformed to pixel coordinates by averaging certain characteristics The final step is to associate the feature values with the pixel coordinates If more than one feature acquires the same position in the pixel frame, the corresponding features will be averaged and put in the same location during feature mapping B Convolutional neural network (CNN) CNN architecture is a type of DNN that is developed rapidly due to it’s effectiveness in extracting features from an image dataset [17] The basic architecture of CNN is described in Fig which has the following layers: Conv + Maxpool III BACKGROUND Conv + Maxpool Conv + Maxpool Input This section presents the fundamental background of DeepInsight and CNN that will be used in our proposed technique Conv + Maxpool Output Fully Connected A DeepInsight It is necessary to convert non-image data, such as genes, text, financial, banking, and network traffic, to image data before using the CNN model DeepInsight [7] generates images by grouping similar components or features together and spacing them apart As a result, this technique improves the flexibility of CNN by allowing it to cope with non-image data Fig illustrates the process of DeepInsight to convert data from a vector to an image This process aims to determine where features are located in the 2D space First, DeepInsight 121 Fully Connected Fig 2: The CNN architecture • • Input layer: It receives two-dimensional input data (e.g., image data) Convolutional layer: It is the primary component of CNN It generates an output by multiplying a portion of the image by a kernel (filter) Convolution is accomplished by sliding the kernel over the input image At each position, 2021 8th NAFOSTED Conference on Information and Computer Science (NICS) This section presents our proposed model that utilizes the strength of DeepInsight and CNN to improve the accuracy of IDSs We named the proposed model DeepInsight-CNN-IDS (DC-IDS) Fig illustrates the architecture of the DC-IDS model Data Pre-processing (c) kPCA Output Softmax Layer Dense Layer Dense Layer Dense Layer Dropout Layer Flatten Layer Max-pool Layer Conv Layer Fig 5: CNN architecture used in DC-IDS IV M ETHODS Network Dataset ReLU Layer Input Max-pool Layer • (b) PCA Fig 4: An illustration showing the difference when using different feature extraction methods with the same data sample Conv Layer • (a) t-SNE ReLU Layer • matrix multiplication is done element-wise, followed by a cumulative total throughout the multiplication range Max pooling layer: Pooling is the next operation after convolution It is used to reduce the dimension of the feature map without affecting the depth In max pooling, we slide the window across the feature map and take the maximum value of the window Fully connected layer: By adding weight and bias to each connected neuron in the current layer, fully connected layers, also known as dense layers, connect each neuron in the current layer to every neuron in the preceding layer Output layer: This layer is configured depending on the type of machine learning task Image Transformation C Classification Once converted into an image form, the network traffic data in the form of images is input to the CNN model Fig illustrates the CNN architecture of our proposed technique The CNN model includes two blocks, each of which has a 2D Convolution layer, a ReLU activation layer, and a Max Pooling layer The output of the second block is flattened and fed to a Dropout layer The Dropout layer is used to randomly set neurons to for preventing overfitting Several dense layers and the Softmax layer are utilized for classification Output V E XPERIMENTAL S ETTING CNN Model Image Dataset This section presents the datasets, the performance metric, and the experimental settings used in the paper Fig 3: DC-IDS architecture A Dataset A Data pre-processing Because IDS datasets are gathered from a variety of sources, they need to be processed before being used as input to the model First, the samples with null values are eliminated Second, we removed features that not generally describe network behavior, such as Flow ID, Source IP, Destination IP and Time stamp Third, categorical features will be transformed to numerical types by one-hot encoding Finally, the datasets will be rescaled to the range of and B Image Transformation After preprocessing, the data is fed into the DeepInsight model for image transformation In DeepInsight, there are three feature extraction options, including t-SNE, PCA, and kernel PCA (kPCA) Fig presents the output of a sample randomly selected from the Phishing Websites dataset [23] using these three options This figure shows that the t-SNE can generate a higher quality image since the image has discrepant locations Thus, we selected t-SNE for our DC-IDS model The experiment was conducted using five IDS datasets, including Phishing Websites [23], Spambase [23], CIC-IDS 2017 [24], BGP-RIPE and BGP-Route Views [25] Table I shows these datasets in detail The features of data are originally formed as one-dimensional vectors We randomly divided the datasets into a training set (80%) and a testing set (20%) except for the CIC-IDS 2017 dataset, since this dataset has been divided into independent training and testing sets For early stopping, we randomly selected 10% data samples from the training set for validation If the validated accuracy is decreased by 10 epoches, the training process is stopped • The Spambase dataset [23] was constructed from spam email collection using postmaster and reported spam The label indicates whether the email was classified as spam (1) or not (0) The majority of the characteristics reflect the frequency of presence of a specific word or character in the e-mail • The Phishing dataset [26] has the fewest features among the datasets in our experiments The bulk of the attributes in this data collection are binary in nature, which assess the criteria for determining whether a sample is a phishing website attack or not 122 2021 8th NAFOSTED Conference on Information and Computer Science (NICS) TABLE I: General information about datasets Dataset Traning samples Features Testing samples Benign Malicious Benign Malicious Spambase 57 2230 1450 558 363 Phishing Websites 30 4926 3918 1231 980 BGP-Route Views 37 15119 5442 3824 1317 BGP-RIPE 37 33257 7035 8338 CIC-IDS 2017 • • we utilized the default Skicit-Learn parameters The hyperparameters of the AE and 1D-CNN are used the same as in the previous works [32] and in [31], respectively We set the general hyper-parameters of the DC-IDS model as in Table II TABLE II: DC-CNN hyper-parameters 80 219068 46859 153091 Hyper-parameter Value 1735 input size 64 × 64 × 32806 kernel size 3×3 pool size 2×2 Both BGP-RIPE and BGP-Route Views are Border Gateway Protocol (BGP) datasets [25] that were collected through RIPE (Reseaux IP Europeens) NCC (Network Coordination Center) and project Route Views, respectively Two BGP datasets contain information which was analyzed from five well-known BGP attacks, including WannaCrypt, Moscow Blackout, Slammer, Nimda, Code Red I, and a subset of harmless traffic The CIC-IDS-2017 dataset [24] is a contemporary anomaly-based dataset that includes benign and the most popular attacks [27] This dataset contains about million network flows [24] In the experiments, we only used 10% of the data samples for training and testing in order to decrease training and testing times dropout rate 0.2 learning rate 0.00001 VI R ESULTS AND D ISCUSSIONS This sections presents the experimental results in the four following scenarios • Accuracy Comparison: Evaluating the accuracy of the proposed model in comparison to that of the other models • Lack of training data: Measuring the influence of the lack of training data problems on IDSs • Lack of training attack type: Evaluating the ability of machine learning models to detect unknown attacks • Predicting time: Comparing the predicting time between all evaluated models B Evaluation Method We use a popular and reliable performance metric, Area Under Curve (AUC), to evaluate the tested methods The AUC value is calculated based on the True Positive Rate (TPR) and the False Positive Rate (FPR): TPR = TP TP + FN (1) FPR = FP TN + FP (2) where TP and FP denote the number of correctly predicted samples for a single class, respectively, while TN and FN denote the number of correctly predicted samples for all other classes We then plot TPR and FPR at different classification thresholds to get the Receiver Operating Characteristic (ROC) curve The AUC is then defined as the total area under the ROC curve A higher AUC indicates a better model at classifying different classes correctly This metric indicates the average quality of a classification model over a range of threshold values A Accuracy Comparison Table III presents the AUC of DC-IDS compared to the other tested methods The table shows that our proposed model, DC-IDS, has higher accuracy than those achieved by the other models For example, compared with RF, AE, and 1D-CNN, DC-IDS improves the AUC score by 0.001, 0.123, and 0.226, respectively, on the CIC-IDS 2017 dataset Similarly, the DC-IDS’s AUC score on the BGP-RIPE dataset is 0.954, whereas the second best model’s AUC score is 0.940 The results from BGP-Route Views and Spambase also show the best performance of DC-IDS On the Phishing Websites dataset, DC-IDS achieves the second best AUC behind RF TABLE III: AUC for both DC-IDS and the competitors on all datasets The best results are in bold Dataset C Experimental Setting We implemented the experiments using two popular machine learning frameworks, i.e., TensorFlow [28] and ScikitLearn [29] We compared our proposed model to the four traditional machine learning models (i.e., SVM [12], DT [13], LR [11], RF [12]) and two DNN models (i.e., AE [30] and 1D-CNN [31]) With traditional machine learning models, LR DT RF SVM AE 1D-CNN DC-IDS BGP-RIPE 0.819 0.767 0.940 0.848 0.612 0.916 0.954 BGP-Route Views 0.827 0.757 0.928 0.846 0.771 0.900 0.934 CIC-IDS 2017 0.971 0.968 0.994 0.992 0.872 0.769 0.995 Phishing Websites 0.978 0.969 0.995 0.986 0.953 0.986 0.989 Spambase 0.930 0.890 0.978 0.959 0.872 0.953 0.979 To better understand the reason for the better results of DC-IDS compared to the other methods, we visualize the 123 2021 8th NAFOSTED Conference on Information and Computer Science (NICS) representation of network traffic data of DC-IDS, AE, and 1DCNN using the Spambase dataset The visualized vector of AE is its latent layer, while the visualized vectors of DC-IDS and 1D-CNN are their flatten layer This visualization is presented in Fig This figure shows that the normal and attack traffic can be separated well when using DC-IDS compared to AE and 1D-CNN Thus, DS-IDS often achieves a higher AUC value than AE and 1D-CNN DT, RF, SVM, and AE are decreased by 0.34, 0.64, 0.25, 0.29 and 0.61, respectively These results show that our proposed model is robust with the lack of the training data TABLE IV: AUC for both DC-IDS and the competitors on CIC-IDS dataset with different sized training datasets The best results are in bold Num of samples LR DT RF SVM AE 1D-CNN DC-IDS 265927 0.971 0.968 0.992 0.992 0.872 0.769 0.995 20000 0.965 0.943 0.985 0.989 0.817 0.992 0.996 10000 0.963 0.953 0.984 0.986 0.803 0.990 0.992 1000 0.937 0.904 0.967 0.963 0.821 0.935 0.979 C Lack of training attack type (a) 1D-CNN This subsection evaluates the ability of DC-IDS to detect unknown attacks We eliminated the DoS Hulk attack type in the training set of the CIC-IDS 2017 Thus, this attack type is considered an unknown attack Fig shows AUC scores of the evaluated models trained by the CIC-IDS 2017 dataset without the DoS Hulk attack The AUC scores of DC-IDS, 1D-CNN, AE, SVM, RF, DT, and LR trained without the DoS Hulk attack samples are 0.971, 0.761, 0.796, 0.957, 0.942, 0.849, and 0.885, respectively Thus, the ability to detect unknown attacks by the DC-IDS model outperforms all other models (b) AE LR 0.885 DT 0.849 RF 0.942 SVM 0.957 AE (c) DC-IDS Fig 6: Data representation using (a) 1D-CNN, (b) AE and (c) DC-IDS 0.796 1D-CNN 0.761 DC-IDS 0.0 B Lack of training sample The lack of training data may have an adverse bearing on classification performance To assess the strength of the proposed model with the lack of training data, we conducted experiments with various training dataset sizes by randomly selecting training samples from the original training dataset We compared the AUC scores of the proposed model, i.e., DC-IDS to those of the other models on the most up-todate IDS dataset, i.e., the CIC-IDS 2017 dataset The results tested on the original test set are presented in Table IV This table demonstrates that the proposed model outperforms other models in the case of the lack of the training data Specifically, the proposed model achieved the best performance across all training dataset sizes When the number of training data samples is decreased from 265927 to 1000 samples, the AUC score of the DC-IDS model is reduced only by 0.16 while LR, 0.971 0.2 0.4 0.6 0.8 1.0 Fig 7: AUC for both DC-IDS and the competitors on CICIDS dataset with training dataset that is devoid of DoS Hulk samples D Predicting time This subsection presents the processing time to predict one data sample As shown in Fig 8, the predicting time of the DNN-based IDS models (i.e., AE, 1D-CNN, and DC-IDS) is much higher than the traditional machine learning-based IDS models (i.e., LR, DT, and RF) The reason is that the DNN models usually have a complex architecture compared with others However, this figure also shows that the predicting time of the proposed model ranges from 30 to 45 milliseconds in various datasets, and these values are adequate in real-world network systems [33] 124 2021 8th NAFOSTED Conference on Information and Computer Science (NICS) Fig 8: Predicting time comparison (in milliseconds) VII S UMMARY IDS is a topic of interest for academic and industrial researchers The most widely used methods for IDS are machine learning-based models However, the complicated representation of network traffic data is hard for some machine learning-based models, especially DNN This paper proposed a robust IDS, namely DC-IDS, based on DNN The proposed model converts the network traffic data into image form using DeepInsight Then, this new representation is fitted to the CNN model The experimental results show that our proposed model outperforms other IDS based on machine learning in various evaluation aspects In the future, we plan to extend this work by applying the Bayesian Optimization technique [34] for DCIDS to find the best hyper-parameters for our proposed model ACKNOWLEDGEMENT This research is funded by Vietnam National Foundation for Science and Technology Development (NAFOSTED) under grant number 102.05-2019.05 R EFERENCES [1] J Farwell and R Rohozinski, “Stuxnet and the future of cyber war,” Survival, vol 53, pp 23–40, 02 2011 [2] D Han, Z Wang, Y Zhong, W Chen, J Yang, S Lu, X Shi, and X Yin, “Evaluating and improving adversarial robustness of machine learning-based network intrusion detectors,” IEEE Journal on Selected Areas in Communications, vol 39, no 8, p 2632–2647, Aug 2021 [3] L Sacramento, I Medeiros, J Bota, and M Correia, Detecting Botnets and Unknown Network Attacks in Big Traffic Data, 03 2019 [4] M Al-Zewairi, S Almajali, and M Ayyash, “Unknown security attack detection using shallow and deep ann classifiers,” Electronics, vol 9, p 2006, 11 2020 [5] L Vu, V L Cao, Q U Nguyen, D N Nguyen, D T Hoang, and E Dutkiewicz, “Learning latent representation for iot anomaly detection,” IEEE Transactions on Cybernetics, pp 1–14, 2020 [6] M Z Alom and T M Taha, “Network intrusion detection for cyber security using unsupervised deep learning approaches,” in 2017 IEEE National Aerospace and Electronics Conference (NAECON), 2017, pp 63–69 [7] A Sharma, E Vans, D Shigemizu, K Boroevich, and T Tsunoda, “Deepinsight: A methodology to transform a non-image data to an image for convolution neural network architecture,” Scientific Reports, vol 9, 08 2019 [8] J Yuan, J Zheng, and S Ding, “An improved pattern matching algorithm,” in 2010 Third International Symposium on Intelligent Information Technology and Security Informatics, 2010, pp 599–603 [9] A Hasan, N Abdul Rashid, A Akram Abdulrazzaq, and M AbuHashem, “String matching algorithms for intrusion detection system a survey and taxonomy,” International Journal of Advancements in Computing Technology, vol 5, pp 317–333, 04 2013 [10] F Du, “An effective pattern matching algorithm for intrusion detection,” in 2012 International Conference on Computer Science and Electronics Engineering, vol 3, 2012, pp 34–38 [11] B Subba, S Biswas, and S Karmakar, “Intrusion detection systems using linear discriminant analysis and logistic regression,” 2015 Annual IEEE India Conference (INDICON), pp 1–6, 2015 [12] I Ahmad, M Basheri, J Iqbal, and A Raheem, “Performance comparison of support vector machine, random forest, and extreme learning machine for intrusion detection,” IEEE Access, vol PP, pp 1–1, 05 2018 [13] H Somashekar, “Performance analysis of decision tree classifier in network intrusion detection system,” International Journal of Innovative Research in Science Engineering and Technology, vol 10, p 9, 06 2021 [14] Y Ding and Y Zhai, “Intrusion detection system for nsl-kdd dataset using convolutional neural networks,” in Proceedings of the 2018 2nd International Conference on Computer Science and Artificial Intelligence, 12 2018, pp 81–85 [15] J Kim, N Shin, S Jo, and S Kim, “Method of intrusion detection using deep neural network,” 02 2017, pp 313–316 [16] L Vu, V L Cao, Q U Nguyen, D N Nguyen, D T Hoang, and E Dutkiewicz, “Learning latent distribution for distinguishing network traffic in intrusion detection system,” in ICC 2019 - 2019 IEEE International Conference on Communications (ICC), 2019, pp 1–6 [17] D Wagh, “Classification of image using convolutional neural networks,” International Journal for Research in Applied Science and Engineering Technology, vol 9, pp 1212–1214, 08 2021 [18] M Saqib, N Sharma, S Khan, and M Blumenstein, “A study on detecting drones using deep convolutional neural networks,” 08 2017 [19] L Maaten and G Hinton, “Visualizing high-dimensional data using tsne,” Journal of Machine Learning Research, vol 9, pp 2579–2605, 01 2008 [20] A Garc’ia-Gonz’alez, A Huerta, S Zlotnik, and P D’iez, “A kernel principal component analysis (kpca) digest with a new backward mapping (pre-image reconstruction) strategy,” ArXiv, vol abs/2001.01958, 2020 [21] F Simons and D Wang, “Spatiospectral concentration in the cartesian plane,” Gem - International Journal on Geomathematics, vol 2, pp 1–36, 04 2011 [22] L Li, S Luo, X.-C Tai, and J Yang, A Variational Convex Hull Algorithm, 06 2019, pp 224–235 [23] D Dua and C Graff, “UCI machine learning repository,” [Online] Available: http://archive.ics.uci.edu/ml, 2017, Accessed: 2021-09-10 [24] I Sharafaldin, A Habibi Lashkari, and A Ghorbani, “Toward generating a new intrusion detection dataset and intrusion traffic characterization,” 01 2018, pp 108–116 [25] A Gonzalez Rios, Z Li, G Xu, A Diaz, and L Trajkovic, “Detecting network anomalies and intrusions in communication networks,” 04 2019 [26] R Mohammad, “Predicting phishing websites based on self-structuring neural network,” Neural Computing and Applications, 12 2013 [27] M Prasad, S Tripathi, and K Dahal, “An efficient feature selection based bayesian and rough set approach for intrusion detection,” Applied Soft Computing, vol 87, p 105980, 12 2019 [28] D Yeboah, M Sanoussi, and G Agordzo, “Image classification using tensorflow gpu,” 08 2021, pp 1–5 [29] P Chary and R Singh, “Review on advanced machine learning model: Scikit-learn,” vol 3, pp 526–529, 09 2020 [30] N Shone, N Tran Nguyen, P Vu Dinh, and Q Shi, “A deep learning approach to network intrusion detection,” IEEE Transactions on Emerging Topics in Computational Intelligence, vol 2, pp 41–50, 02 2018 [31] Y XU, X ZHANG, T YE, Z QIU, L ZHANG, H ZHANG, and Y WU, “1d cnn for feature reconstruction on network threat detection,” in 2021 13th International Conference on Machine Learning and Computing, ser ICMLC 2021 New York, NY, USA: Association for Computing Machinery, 2021, p 127–132 [32] H Mac, D Tran, and H.-A Tran, “Detecting attacks on web applications using autoencoder,” 12 2018 [33] T Buddhika and S Pallickara, “Neptune: Real time stream processing for internet of things and sensing environments,” in 2016 IEEE International Parallel and Distributed Processing Symposium (IPDPS), 05 2016, pp 1143–1152 [34] J Snoek, H Larochelle, and R P Adams, “Practical bayesian optimization of machine learning algorithms,” in NIPS, 2012 125 ... “Learning latent representation for iot anomaly detection, ” IEEE Transactions on Cybernetics, pp 1–14, 2020 [6] M Z Alom and T M Taha, ? ?Network intrusion detection for cyber security using unsupervised... Raheem, “Performance comparison of support vector machine, random forest, and extreme learning machine for intrusion detection, ” IEEE Access, vol PP, pp 1–1, 05 2018 [13] H Somashekar, “Performance... intrusion detection using deep neural network, ” 02 2017, pp 313–316 [16] L Vu, V L Cao, Q U Nguyen, D N Nguyen, D T Hoang, and E Dutkiewicz, “Learning latent distribution for distinguishing network