An Imbalanced Generative Adversarial Network-Based Approach for Network Intrusion Detection in an Imbalanced Dataset

In modern networks, a Network Intrusion Detection System (NIDS) is a critical security device for detecting unauthorized activity. The categorization effectiveness for minority classes is limited by the imbalanced class issues connected with the dataset. We propose an Imbalanced Generative Adversarial Network (IGAN) to address the problem of class imbalance by increasing the detection rate of minority classes while maintaining efficiency. To limit the effect of the minimum or maximum value on the overall features, the original data was normalized and one-hot encoded using data preprocessing. To address the issue of the low detection rate of minority attacks caused by the imbalance in the training data, we enrich the minority samples with IGAN. The ensemble of Lenet 5 and Long Short Term Memory (LSTM) is used to classify occurrences that are considered abnormal into various attack categories. The investigational findings demonstrate that the proposed approach outperforms the other deep learning approaches, achieving the best accuracy, precision, recall, TPR, FPR, and F1-score. The findings indicate that IGAN oversampling can enhance the detection rate of minority samples, hence improving overall accuracy. According to the data, the recommended technique valued performance measures far more than alternative approaches. The proposed method is found to achieve above 98% accuracy and classifies various attacks significantly well as compared to other classifiers.


Introduction
Network intrusion detection faces a growing number of difficulties as the primary method for preventing advanced threat attacks. A long time has passed since the employment of the conventional feature-based IDS [1]. The scope and refresh rate of the established signature database mean that signature-based intrusion detection systems cannot detect all forms of attacks, especially novel attack variations [2]. Researchers have focused significantly on adding new intrusion detection algorithms to address this issue, and one approach is to apply machine learning methods.
Network information security is significantly aided by intrusion detection. However, the network's traffic types are expanding daily and the features of network behavior are growing more complicated due to the explosive rise of Internet commerce, which poses significant hurdles to intrusion detection [3,4]. The challenge of identifying different harmful network traffic, especially unanticipated hostile network traffic, cannot be ignored. In reality, there are two sorts of network traffic (normal traffic and malicious traffic). Additionally, there are five ways to categorize network traffic: normal, dos, R2L, U2R, and Probe [5][6][7]. Therefore, it is possible to classify ID as a categorization issue. The accuracy of network intrusion detection can be significantly increased by enhancing the classifier's ability to recognize malicious traffic [8][9][10].
class. The resampled data is trained by random forest (RF), a common ML technique, to evaluate the classifier's effectiveness. When compared to existing methodologies, the suggested solution outperforms them.
To address the network intrusion data imbalance problem, Fu et al. [22] suggested an ADASYN oversampling algorithm as the class imbalance approach and a SA model with a higher dropout structure as the data downscaling method. A DL approach for NIDS was proposed for traffic anomaly detection, which integrates a Bi-LSTM network, initially retrieving consecutive characteristics from data traffic via a CNN model, then reconfiguring the weights of every channel via the attention mechanism, and at last employing Bi-LSTM to discover the network of sequential features. When compared to existing techniques, the suggested model achieved 90.73% accuracy and an 89.65% F1 score.
Jiang et al. [23] suggested the ensemble approach that integrates CNN with Bi-LSTM. This method effectively extracts the features of the data. The SMOTE and OSS method was employed to decrease the majority samples and increase the minority samples. OSS was used to decrease the majority samples, and the SMOTE was used to boost the minority samples. In this manner, a balanced dataset for model training is created. The input data is then classified using the network model built by CNN and BiLSTM. Using deep learning's remarkable characteristics, the algorithm collects characteristics dynamically through recurrent multi-level learning. When evaluated against a testing set, the proposed method produces enhanced outcomes in terms of performance metrics.
Al. S and Denver. M [24] presented an HDL network consisting of CNN and LSTM that is used for better IDS. Furthermore, data imbalance processing, which included the Synthetic SMOTE approach and Tomek-Links sampling approach known as STL, was utilized to mitigate the impacts of class imbalance on system effectiveness. It is possible that you might be interested in the fact that you might be interested in the use of this website. As a consequence, the suggested technique achieved 99.82% accuracy in multicategorization and 99.16% accuracy in binary categorization. In comparison to existing methods, the suggested approach has obtained relatively good outcomes in identifying network assaults in imbalanced data sets, according to the results.
To tackle the issue of negative and positive instance imbalance in the initial dataset, Cao et al. [25] developed an ensemble sampling method that combines ADASYN and RENN. To solve the issue of feature redundancy, the RF algorithm and Pearson correlation analysis are combined to pick the features. The spatial features are then retrieved using a CNN and further extracted by fusing average pooling and maxpooling, as well as utilizing an attention strategy to apply varying weights to the features, decreasing overhead and boosting method effectiveness. To ensure effective and useful feature learning, the longdistance dependent information features are extracted using a gated recurrent unit (GRU). The experimental results show that the suggested approach yields greater performance.
Mulyanto et al. [26] developed the focal loss NIDS, a cost-sensitive neural network based on focal loss, to tackle the problem of unbalanced data. FL-NIDS was employed in conjunction with DNN and CNN to evaluate intrusion detection data with skewed distributions. To overcome the problem of unbalanced data, focal loss was utilized. When contrasted with other techniques, the presented method applying FL-NIDS in the DNN and CNN framework provides more effectiveness.
Man. J. and Sun. G. [27] presented a NIDS architecture based on DCNN. DCNN with residual blocks was used to learn more essential properties. To detect minor assaults in the testing set, the modified FL function was analyzed instead of the cross-entropy FL to address the imbalanced data issue in the training set. To avoid overfitting, the system is improved with batch normalization and global average pooling. According to test findings, the suggested method can enhance attack detection precision over existing methods. An overview of relevant studies is shown in Table 1. In terms of computation, it is more expensive than the other approaches.
The main disadvantage of this model is that crucial data can be lost.

Cao et al. [25]
RF algorithm Reduces the rate at which duplicate data is created In multiclass, the performance standard falls.

Mulyanto et al. [26]
FL-NIDS Faster training speed of undersampling Only focusing on problems with binary classification

Man. J and Sun. G [27]
residual learning Increased accuracy level Unable to resolve the issue of imbalance class highly Despite the high detection accuracies obtained, our related work demonstrated that there are still improvements to be made. Such problems include inconsistent or average accuracy levels and substantial dataset change. The region is still in its early stages of development. The majority of the researchers focused on ML techniques and integrated many algorithms to create a more realistic and effective solution for a detailed dataset with restricted attacks. Many other important classifiers are overlooked in the analysis. Although most of them attempt to address some of the shortcomings of existing oversampling techniques, they are unable to eliminate noise while also distributing the generated samples in a minority of data centers. This is because the closer the samples are to the data center, the higher their contribution to categorization. In addition, the more apparent the traits, the larger the contribution of the samples to categorization. As a consequence, we assume that the approach and work provided in this paper will yield credible findings. This work will enhance and integrate several single learners to train a model more precisely and faster. Greater precision will result in faster training and detection speeds.

Proposed Methodology
The proposed method is thoroughly discussed in this portion. The main framework of the system proposed in this research is given in Figure 1, which is built on the IGAN technique and a hybrid technique of LeNet 5 and LSTM. Data preprocessing is a very important component of data analysis that directly affects prediction accuracy. To make the original data more suitable for the model's prediction, the data preparation module is in charge of conducting operations on the data, such as one-hot encoding and data normalization.
Resampling the training dataset is the imbalance processing module's main task to lessen the bias that the original dataset's imbalance has on the results of experiments. We presented a novel approach called IGAN that integrates over-and under-sampling to produce a perfectly balanced dataset. We provided an ensemble of LeNet 5 and LSTM in the categorization decision module to conclude the attack types. We carry out multi-class categorization employing two different datasets. Resampling the training dataset is the imbalance processing module's main task to lessen the bias that the original dataset's imbalance has on the results of experiments. We presented a novel approach called IGAN that integrates over-and under-sampling to produce a perfectly balanced dataset. We provided an ensemble of LeNet 5 and LSTM in the categorization decision module to conclude the attack types. We carry out multi-class categorization employing two different datasets.

Problem Statement
This section discusses the problem statement identified by IDS research using existing methodologies.
An ML-based IDS creates a higher false detection ratio and experiences data imbalance concerns due to a restricted training dataset in the UNSW-NB15 and CICIDS2017 datasets. This imbalance causes problems for classifiers and leads to poor detection accuracy for these minority classes. Existing intrusion detection systems (IDS) are insufficient in dealing with new attack types in networks due to low recognition and detection rates. Overfitting is also another major concern in IDS research. Furthermore, most existing MLbased IDS have a higher computational time. Existing methods are not broadly applicable, because most existing ID systems are incapable of detecting major threats due to out-ofdate ID datasets. The data is thought to be noisy, with inaccuracies, and unpredictable, with code or name variances. To alleviate the imbalance issues, we used over-sampling, which involved arbitrarily repeating data in the minority class to boost the minority class's presence in the sample. Despite the possibility of overfitting, no data was destroyed, and the oversampling method beat the undersampling method.

Problem Statement
This section discusses the problem statement identified by IDS research using existing methodologies.
An ML-based IDS creates a higher false detection ratio and experiences data imbalance concerns due to a restricted training dataset in the UNSW-NB15 and CICIDS2017 datasets. This imbalance causes problems for classifiers and leads to poor detection accuracy for these minority classes. Existing intrusion detection systems (IDS) are insufficient in dealing with new attack types in networks due to low recognition and detection rates. Overfitting is also another major concern in IDS research. Furthermore, most existing ML-based IDS have a higher computational time. Existing methods are not broadly applicable, because most existing ID systems are incapable of detecting major threats due to out-of-date ID datasets. The data is thought to be noisy, with inaccuracies, and unpredictable, with code or name variances. To alleviate the imbalance issues, we used over-sampling, which involved arbitrarily repeating data in the minority class to boost the minority class's presence in the sample. Despite the possibility of overfitting, no data was destroyed, and the oversampling method beat the undersampling method.

Preprocessing
We organize the data in such a way that it is ready for the learning algorithm right away. In a circulation manner, the CICDDoS2017 and UNSW-NB15 datasets are provided. Before the component testing, we go through a few processes to collect the data required.

One-Hot Processing
Symbolic features in the dataset are converted into numerical features using the onehot approach. One-hot encoding is the major often utilized approach for dealing with the

Normalization
The value of the original data may be excessively high, which could lead to issues like "large numbers to eat decimals", data processing overflows inconsistent weights, etc. The continuous data is normalized into the range [0, 1] using a conventional scaler. The normalization process removes the measurement unit's influence from the model's training and increases the reliance of the training outcome on the properties of the data itself. The min-max method is used to normalize the data. Normalization Equations (1) and (2) present the formula. r = r − r min r max − r min (1) Herein, r min and r max denote minimum and maximum eigenvalues respectively, and the normalized eigenvalue is denoted by x and the original eigenvalue is denoted by r.

Imbalanced Data Handling Using IGAN
The training approach will be more biased towards correctly predicting the majority of samples because the training set's unbalanced data were used. Therefore, balancing the dataset is very important before classification. In the UNSW-NB15 dataset, 'Shellcode', 'Worms', 'analysis', and 'backdoor' classes are increased by the IGAN technique. Similarly, in CICIDS 2017 dataset, the 'Bot', 'MSSQL', and 'Heart bleed' classes are also increased.
A generative model is typically included in a GAN (Generator, G) as well as a discriminatory model (Discriminator, D). S creates noises z to create synthesized samples using them as inputs S(z). D produces the chance D(x) that sample x is the input sample derived from the true distribution. Jensen-Shannon (JS) divergence was initially defined as using the following formula to evaluate this similarity: JS(p data p g ) = 1 2 KL(p data p m ) + 1 2 KL(p g p m ) p m = 1 2 (p data + p g ) The maximized data can be represented as However, the standard GAN is intrinsically incapable of handling class because it seeks to generate samples without taking into account its class unbalance. Additionally, the multilayer perceptron used by the conventional GAN in G results in poor expression capabilities. For the minority classes, we, therefore, use an unbalanced data filter in IGAN. This also impacts the generating amount. We go on to think of the lessons as prerequisites for teaching IGAN, including the features of the network. Additionally, we update the design by combining convolutional layers in model G, and the expression capability is improved.  Figure 2. To begin, the FE component converts raw network characteristics into latent extracted features. The proposed model then produces instance data, as described in Section 3.3. Lastly, the deep neural network component is trained with balanced samples, and the detection technique is tested on novel data. To recap, IGAN uses network characteristics as input and forecasts their likelihood function p(y, j) across various ID classes.

Model Description
GAN is a technique for learning from unstructured data distributions and generating similar samples. GAN presents two types, one generative and one discriminative. G generates a distribution of new instances, whereas D differentiates from genuine ones. Following a minimax two-player game among both methods, G's generative distribution may describe the true one, whereas D cannot discriminate among the two and converges to 0.5. We proposed the IGAN model. To perform class imbalance ID, we develop an IGAN-based NIDS. To tackle the issue of imbalance in NIDS, we improve the standard generative adversarial network (GAN) by creating examples for minority classes. Discriminator D, the unbalanced data filter, and Generator G are the three components of IGAN. Minority-class samples are selected for the unbalanced data filter, which then determines the producing quantity. Figure 2 represents the architecture diagram of IGAN.

Model Description
GAN is a technique for learning from unstructured data distributions and generating similar samples. GAN presents two types, one generative and one discriminative. G generates a distribution of new instances, whereas D differentiates from genuine ones. Following a minimax two-player game among both methods, G's generative distribution may describe the true one, whereas D cannot discriminate among the two and converges to 0.5. We proposed the IGAN model. To perform class imbalance ID, we develop an IGANbased NIDS. To tackle the issue of imbalance in NIDS, we improve the standard generative adversarial network (GAN) by creating examples for minority classes. Discriminator D, the unbalanced data filter, and Generator G are the three components of IGAN. Minority-class samples are selected for the unbalanced data filter, which then determines the producing quantity. Figure 2 represents the architecture diagram of IGAN.
(a) Imbalanced data filter It requires ordinary instance s = (x, y) as input and outcome instance S = (x , y ). In common, the filtering process can be stated as follows: where c = {c 1, . . . . . . . ., c τ } the set of various classes n c τ represents the quality of instances in class c τ . We established a created ratio to objectively reduce the ratio, which represents the split between synthesized and genuine data. r = i:j, while i and j are the number of synthesized instances. Multilayer perceptron is the main component of the discriminative model D. An MLP is used to construct method D. D is given either generative results G(z; y ), as well as the corresponding class labels y , as input. y must be incorporated in one-hot matrices before the conjunction. D calculates the likelihood D (x; y) that a given input (x; y) is derived from realistic samples rather than sG. The following are the connecting layers d: where v is the input of every layer, while ω d and b d are the weights and bias. Convolutional layers and sigmoid output layers, as well as numerous fully linked layers, are used to implement G. The linked layers are formalized.
(c) Generator (G) G is implemented using various layers. G requires minority-class labels y and noises z as input and produces relevant features xG = G(z; y ) for minority classes. In particular, z and y can be combined by convolving to v = [z; y ]. Before summation, y must be integrated into one-hot vectors, which is identical to D.
The convolutional layer performs the following one-dimensional convolution among the kernels f and the input v: As the value function, we use the condensed form of the JS divergence, which will be covered in more detail in the following section.
Data filtering, adversarial learning, and sample production are the three phases of the training phase. When filtering data, as stated in Equation (8), we initially build a subset of minority classes s and then estimate the producing quantity.
In adversarial learning, the outcome samples s G = (x G;y ). In IDS, the outcome instance s G is combined with the ordinary instance to address the issue of class imbalance. IGAN working process is shown in Algorithm 1. To explain the such process, one possibility is to train on a valueV(D; G), which is expressed as follows While D has not converged to 0.5 do For t steps do Optimization of the discriminator

Classification
A new classifier LeNet 5 and LSTM are combined for classification to obtain results with higher accuracy and achieve the highest performance of IDS. Figure 3 represents the flow chart of the proposed methodology.
Optimization of the generator Samples can be changed as a batch form End Generating the samples Return G s

Classification
A new classifier LeNet 5 and LSTM are combined for classification to obtain results with higher accuracy and achieve the highest performance of IDS. Figure 3 represents the flow chart of the proposed methodology.  LeNet-5 was pre-trained as a feature extraction network. It has a total of seven layers. The LeNet-5 precise framework is depicted in Table 2. The LeNet-5's several weighted layers are built on the idea of reducing blocks of convolutional layers by using shortcut connections. The "bottleneck" blocks are fundamental building blocks that typically adhere to two design principles: employ the same number of filters for extracted features of similar size and twice as many filters for features of half the size. Furthermore, batch normalized is done after every convolution and before activating the ReLU, and down sampling is done with convolution layers with a stride of 2. Convolutional neural networks are difficult to create because every layer's input distribution varies during training. This problem can be solved by employing batch normalization (BN) layers, which ensure that the distribution of input data in each layer is stable by normalizing the input to each layer. To increase the speed of model consolidation and training we inserted BN in each convolutional layer. Table 2 shows the architectural details.
Another benefit of our framework is that we used LeakyReLU instead of the standard Tanh, ReLU, and sigmoid activation functions found in the LeNet-5 model. Although it appears to be a linear function, ReLU has a derived function and supports backpropagation, which aids the network in convergent. The ReLU function was chosen to avoid this problem. The equation for the LeakyReLU function The function ReLU has as an equation Our model proposes that in addition to adding the fully connected layer before the output layer and the LeakyReLU activation function after every convolution layer.

Long Short-Term Memory (LSTM)
The LSTM neural network is a commonly used approach for classification tasks. The model includes an LSTM layer and a mean-pooling layer with fully connected input layers. Because it performs better when processing a group of data, we chose LSTM as a great architecture for the classification. We start the method to understand the long-term dependency issue better. In the LSTM neural network, a DL net, long-term dependencies are explicitly designed to be learned. The newly developed gates are designed to store data for a very long time instead. The current input x t , the output c t−1 of the cells at the (t − 1) phase, the terms of bias b g , and the time interval of the forget gates are used to determine the p t activation value in forget gates and t. Finally, the sigmoid function adjusts all initiate numbers to a scale between 0 and 1 The method handles the specifics and can connect to the cell states in the next section. The value of the initial choice can be computed and included in cell states. Following that, the input activating values are calculated in the subsequent phase.
Depending on the resolution of the previous two phases, which can be represented by the Hadamard consequence, the following step is a novel cell state. The following equations can be used to represent how memory cells are generated.
LSTM neurons have a variety of gates, as well as a cell state and a control state. Long-term memory is present in LSTM during the entire sequence.
The weight of the input can be denoted W x . The chain rule W x that resulted from the moment t is Sensors 2023, 23, 550

of 26
Hence S j represents the unit of RNN in the state at the samples j. We stated as for the input layer of tan h in neurons.
The range of tan h's value (.) is 0 to 1. The derivation number of tan h (.) is often reduced throughout the preparatory process, and then t increases.
The controlling gate for the LSTM, as well as information from the previous cell state that is currently secured, was retained.
To start the bias and right of the forget gate, the activation function is represented by the symbols, Wi and bi. The output gate and its input gate can be expressed in a form to determine the current moment: The mathematical model is employed to upgrade the cell state and provide information The forget gate is represented as Every gate outcome measure is evaluated, while b [i,k,c,o] bias vectors An appropriate amount of LSTM blocks are combined to form a layer in the empirical technique.
Working process of the proposed methodology Step 1. Start.
Step 2. Intrusion detection data is an input.
Step 3. Apply preprocessing in the IDS dataset, and one hot-encoding and normalization operation are performed.
Step 4. Symbolic features in the dataset are converted into numerical features using the one-hot approach.
Step 5. Normalization processing removes the measurement unit's influence from the model training and increases the reliance on the training outcome. Step 6. Employ an imbalanced generative adversarial network (IGAN) to address the problem of class imbalance by increasing the detection rate of minority classes. Step 7. Lenet 5 and LSTM are employed to classify the various attack categories in NIDS.

Result and Discussions
To assess the efficiency and effectiveness of the proposed framework, several investigations were carried out on UNSW-NB15 and CICIDS2019 datasets using standard performance metrics. The effectiveness of our proposed approach is then examined. Finally, we evaluate our model's performance with various start-of-the-art work to confirm the development and feasibility of the proposed model.

Experimental Setting
Using 4 GB RAM and an Intel i5 2.60 GHz processor, it runs Windows 10. The studies were carried out in the Anaconda3 environment using Python and KERAS with Tensor flow as a backdrop. The UNSW-NB15 and CICIDS2017 datasets were utilized for validation in this paper to estimate the effectiveness of our proposed approach. The data samples were split into two sections, one of which was utilized to create a classifier and is referred to as the training dataset. The testing dataset was used in the second step to evaluate the classifier. The parameter configuration is shown in Table 3.

UNSW-NB15:
There are nine different attack categories included in the 2.54 million network packets that make up this dataset. This dataset shows severe class imbalances, with total attack traffic making up only 12.65% of the dataset, while regular traffic makes up 87.35% of the overall dataset. Table 4 details the data distribution for every class. When compared to other sorts of samples, the samples for the categories of backdoors, worms shell code, and analysis are substantially lesser. In particular, worms attacks make up only 130 of the training set's total attacks and represent 0.07% of it.
The ratio of samples of the normal type to samples of the worm attack type across the entire data set is 534:1. Less than 1% of the attack samples for backdoors and shell code are presented. The class distribution of the UNSW-NB15 dataset is shown in Figure 4. Table 5 represents the features of the UNSW-NB15 dataset. When compared to other sorts of samples, the samples for the categories doors, worms shell code, and analysis are substantially lesser. In particular, worms make up only 130 of the training set's total attacks and represent 0.07% of it.
The ratio of samples of the normal type to samples of the worm attack typ the entire data set is 534:1. Less than 1% of the attack samples for backdoors and sh are presented. The class distribution of the UNSW-NB15 dataset is shown in F Table 5 represents the features of the UNSW-NB15 dataset.     19.70%. There is one normal class and 14 assault types. The assault types include the most prevalent attack types, like port scan, DDoS, web attacks, botnet, DoS, etc. The last column of the dataset, which contains the multiclass label, contains 84 features that were extracted from the generated network traffic. Table 6 provides the data distribution for each class. The amount of samples from regular traffic is substantially higher than the other categories, and it makes up 80.3% of this data set. DoS Hulk, one of the attack types with the most samples, barely makes up 8.16% of the total data set.
The percentages of web attacks, bots, and infiltration in the total data set are 0.08%, 0.07%, and 0.001%, respectively. The lowest amount of samples is for heart bleed. Table 7 and Figure 5 represent the features of the CICIDS2017 dataset.

Evaluation Metrics
The efficiency of the proposed method is evaluated in this research using accuracy (A). In addition to false positive rates (FPR), accuracy, and false positive rates (TPR), recall and precision are also discussed. In the subject of NIDS detection research, these indicators are frequently employed. The calculation formula is presented below. While true positive (TP) denotes the Intruder's proper classification, false positive (FP) refers to the misidentification of a legitimate user as an unauthorized user. True negative (NP) denotes an accurately classified average user. False negative (FN) refers to a situation in which the intruder is mistakenly categorized as a regular user.
The percentage of all correctly classified is measured by accuracy.
The true positive rate (TPR) stands for the proportion of records properly detected over all records with anomalies, which is similar to the detection rate (DR). The false positive rate (FPR) is the division of wrongly rejected records over all normal records. The following definitions apply to the evaluation metrics: Precision measures the percentage of actual attack records versus expected attack records.
The percentage of authentic attack samples that were initially detected as attacks in the data set is known as the detection rate (recall rate).
As a derived effectiveness metric, the F1-score calculates the harmonic mean of precision and recall.

Performance Evaluation of the UNSW-NB15 Dataset
Several investigations on the UNSW-NB15 dataset were done to assess the efficacy of the proposed strategy. Table 8 shows the multi-class categorization results of the proposed technique.  Table 8 shows that the suggested approach outperforms all other attacks on the CICIDS2019 dataset. All the classes attain above 99% accuracy for all the classes. Specifically, the proposed approach classifies normal, fuzzers, and shellcode with 99.76%, 99.72%, and 99.81% accuracy. Compared to all attacks, the classification performance on the proposed approach of DoS average 99% accuracy. These values are the best. However, compared to all other classes, these values are very low. The graphical representation of this table is represented in Figure 6. Table 8 shows that the suggested approach outperforms all other attacks on the CI-CIDS2019 dataset. All the classes attain above 99% accuracy for all the classes. Specifically, the proposed approach classifies normal, fuzzers, and shellcode with 99.76%, 99.72%, and 99.81% accuracy. Compared to all attacks, the classification performance on the proposed approach of DoS average 99% accuracy. These values are the best. However, compared to all other classes, these values are very low. The graphical representation of this table is represented in Figure 6.

Performance Evaluation on the CICIDS2017 Dataset
Several experiments are carried out using the CICIDS2017 dataset to determine the effectiveness of the suggested approach. The multi-class classification result of our approach is given in Table 9.

Performance Evaluation on the CICIDS2017 Dataset
Several experiments are carried out using the CICIDS2017 dataset to determine the effectiveness of the suggested approach. The multi-class classification result of our approach is given in Table 9. From Table 8, it is observed that the proposed approach's multi-classification performance is superior and achieves better values for all the attack classes. All the classes attain above 99% accuracy for all the classes. Particularly, the normal, SYN, and UDP classes attain superior results with 99.82%, 99.78%, and 99.78% accuracy, respectively. Moreover, the classification performance on other attack types also provides the best performance. Compared to all the classes, MSSQL detection performance is average with 98.79% accuracy, 98.37% precision, 98.61% recall, and 98.92% f1-score. The graphical representation of Table 8 is shown in Figure 7. mance is superior and achieves better values for all the attack classes. All the classes attain above 99% accuracy for all the classes. Particularly, the normal, SYN, and UDP classes attain superior results with 99.82%, 99.78%, and 99.78% accuracy, respectively. Moreover, the classification performance on other attack types also provides the best performance. Compared to all the classes, MSSQL detection performance is average with 98.79% accuracy, 98.37% precision, 98.61% recall, and 98.92% f1-score. The graphical representation of Table 8 is shown in Figure 7.

Comparison of CICIDS-2017 and UNSW-NB15 Datasets with Various Approaches
CICIDS-2017 and UNSW-NB15 datasets' performances can be compared with the existing approaches. The existing approaches like DBN and RBN are compared with the proposed approach. Table 10 compares the performance of the proposed work to that of other cuttingedge approaches tested on the CICIDS2019 and UNSW-NB15 datasets. Based on the table, the proposed approach-based IDS model achieves the highest results in terms of recall, accuracy, F1-Score, and precision.

Comparison of CICIDS-2017 and UNSW-NB15 Datasets with Various Approaches
CICIDS-2017 and UNSW-NB15 datasets' performances can be compared with the existing approaches. The existing approaches like DBN and RBN are compared with the proposed approach. Table 10 compares the performance of the proposed work to that of other cuttingedge approaches tested on the CICIDS2019 and UNSW-NB15 datasets. Based on the table, the proposed approach-based IDS model achieves the highest results in terms of recall, accuracy, F1-Score, and precision.  Figure 8 represents the graphical representation of accuracy and TPR on the CICIDS-2017 dataset. When the differentiation can be made with the existing techniques, our proposed approach yields greater performance. Figure 9 depicts the effectiveness of the suggested UNSW-NB15 dataset technique versus the existing one. When compared to existing strategies, our proposed strategy outperforms them.  Figure 8 represents the graphical representation of accuracy and TPR on the CICIDS-2017 dataset. When the differentiation can be made with the existing techniques, our proposed approach yields greater performance.   When the comparison can be made with the existing techniques, our proposed approach yields greater performance. The FPR metrics performances are compared and represented in Figure 10.  Figure 8 represents the graphical representation of accuracy and TPR on the CICIDS-2017 dataset. When the differentiation can be made with the existing techniques, our proposed approach yields greater performance.  Figure 9 depicts the effectiveness of the suggested UNSW-NB15 dataset technique versus the existing one. When compared to existing strategies, our proposed strategy outperforms them. When the comparison can be made with the existing techniques, our proposed approach yields greater performance. The FPR metrics performances are compared and represented in Figure 10. When the comparison can be made with the existing techniques, our proposed approach yields greater performance. The FPR metrics performances are compared and represented in Figure 10.  Table 11 shows the comparative performance of the proposed approach with the existing one. The existing approaches like Adaboost, CNN, LSTM, MLP, RF, and LuNet are compared. When compared with existing approaches, our proposed approach yields  Table 11 shows the comparative performance of the proposed approach with the existing one. The existing approaches like Adaboost, CNN, LSTM, MLP, RF, and LuNet are compared. When compared with existing approaches, our proposed approach yields greater performance. Figures 11 and 12 show a comparison of existing approaches with the proposed ones.   Table 11 shows the comparative performance of the proposed approach with the existing one. The existing approaches like Adaboost, CNN, LSTM, MLP, RF, and LuNet are compared. When compared with existing approaches, our proposed approach yields greater performance. Figures 11 and 12 show a comparison of existing approaches with the proposed ones.  Figure 11. Accuracy and detection rate compared with existing approaches. Figure 11. Accuracy and detection rate compared with existing approaches.  The existing approaches, such as LSTM, CNN, RNN-ABC, HCRNNIDS, and ABC-BWO-CONV-LSTM, are differentiated from the proposed method. When differentiating with accuracy metrics, the proposed approach achieves 98.97% accuracy, LSTM achieves 94.73% accuracy, CNN achieves 93.8%, RNN-ABC achieves 96.89%, HCRNNIDS achieves 94.58%, and ABC-BWO-CONV-LSTM achieves 97.03%. While analyzing the performance of accuracy metrics, the proposed method yields the best solution. Then a comparison can be made in precision metrics, and the proposed method yields the best solution, which is 99.06%. The second greater solution presents in ABC-BWO-CONV-LSTM. Similarly, in recall and F1-score, the proposed approach achieves the best outcome. Performance evaluation with the existing approaches is represented in Table 12. When comparing FPR and FNR metrics performance, the proposed approach achieves a greater solution. Figures 13 and 14 show the overall performance comparison. Furthermore, a pair-wise t-test was conducted, and the findings confirmed that the proposed technique was statistically significantly distinct from the existing strategies. However, our proposed ensemble model generated a high accuracy of 98.97, a detection rate of 0.989, and a low FNR of 3.93. Additionally, pair-wise t-test statistics of 0.0224 were compared to the existing method.

Data Imbalance Comparison
The influence of data imbalance on the evaluation criteria of the classifier for both datasets is shown in Figure 15. This graph makes it obvious that using the data augmentation strategy improves classifier performance. In CICIDS2017dataset, the classifier achieves 98.96% accuracy with the IGAN-based imbalance technique. Without IGAN, it achieves only 95.13%. Similarly, the classifier attains 98.02% accuracy for the UNSW-NB15 dataset with the use of data augmentation techniques. The number of training samples generated by this technique is significantly more than training samples without data imbalance.

Data Imbalance Comparison
The influence of data imbalance on the evaluation criteria of the classifier for both datasets is shown in Figure 15. This graph makes it obvious that using the data augmentation strategy improves classifier performance. In CICIDS2017dataset, the classifier achieves 98.96% accuracy with the IGAN-based imbalance technique. Without IGAN, it achieves only 95.13%. Similarly, the classifier attains 98.02% accuracy for the UNSW-NB15 dataset with the use of data augmentation techniques. The number of training samples generated by this technique is significantly more than training samples without data imbalance. The same set of training samples is used for every epoch when there is no data augmentation; when there is data imbalance, various sets of training samples are produced for every epoch. As a result, the suggested classifier performs better and achieves higher accuracy in both datasets using the IGAN data imbalance strategy. Figures 16 and 17 depict a graph of the IDS's categorization accuracy and loss value as the quantity of iteration steps increases. The graphic shows that the strategy described in this paper has a good convergence impact. We divided the dataset into two stages: training and testing. For this investigation, we generated 75% of the training data and 25% The same set of training samples is used for every epoch when there is no data augmentation; when there is data imbalance, various sets of training samples are produced for every epoch. As a result, the suggested classifier performs better and achieves higher accuracy in both datasets using the IGAN data imbalance strategy. Figures 16 and 17 depict a graph of the IDS's categorization accuracy and loss value as the quantity of iteration steps increases. The graphic shows that the strategy described in this paper has a good convergence impact. We divided the dataset into two stages: training and testing. For this investigation, we generated 75% of the training data and 25% of the testing data. The suggested technique is trained for 200 epochs using the processed training set during the training phase. The learning rate has been set to 0.1. The same set of training samples is used for every epoch when there is no data augmentation; when there is data imbalance, various sets of training samples are produced for every epoch. As a result, the suggested classifier performs better and achieves higher accuracy in both datasets using the IGAN data imbalance strategy. Figures 16 and 17 depict a graph of the IDS's categorization accuracy and loss value as the quantity of iteration steps increases. The graphic shows that the strategy described in this paper has a good convergence impact. We divided the dataset into two stages: training and testing. For this investigation, we generated 75% of the training data and 25% of the testing data. The suggested technique is trained for 200 epochs using the processed training set during the training phase. The learning rate has been set to 0.1.  This portion explores the details of the analytical outcomes employing the proposed approach. Dataset description, preprocessing, handling data imbalance, classification method, and results in the analysis are the five processes in this research. An ensemble of LeNet 5 and LSTM-based approaches are utilized to classify the attack types. In UNSW-NB15 and CICIDS 2017 datasets, some attacks contain minority samples that lead to an imbalance problem that can affect the proposed method's classification effectiveness. To tackle the class imbalance problem, we introduce the IGAN method. It increases the minority samples.

Evaluation of Training and Testing Set
After that, we classify the attacks with the help of LeNet 5 and LSTM. The batch size, momentum, learning rate, and weight decay are 1, 0.9, 0.03, and 0.001, respectively. The initial learning rate is 0.01. The learning rate in the ReLu layer is saturated. Because the network might be under-or over-fitted, the epoch count is an important training parameter. For this dataset, we trained the network for 200 epochs. The proposed model's training and testing accuracy vary, and it ranges from 0.98 to 0.99, and loss values range from 0.001 to 0.004.

Case Study
In this example, we show how an attacker can change normal packets so that the NIDS considers their security concerns. As a result, the secured service will reject all ordinary packets, resulting in a huge number of unexpected FPs. This portion explores the details of the analytical outcomes employing the proposed approach. Dataset description, preprocessing, handling data imbalance, classification method, and results in the analysis are the five processes in this research. An ensemble of LeNet 5 and LSTM-based approaches are utilized to classify the attack types. In UNSW-NB15 and CICIDS 2017 datasets, some attacks contain minority samples that lead to an imbalance problem that can affect the proposed method's classification effectiveness. To tackle the class imbalance problem, we introduce the IGAN method. It increases the minority samples.
After that, we classify the attacks with the help of LeNet 5 and LSTM. The batch size, momentum, learning rate, and weight decay are 1, 0.9, 0.03, and 0.001, respectively. The initial learning rate is 0.01. The learning rate in the ReLu layer is saturated. Because the network might be under-or over-fitted, the epoch count is an important training parameter. For this dataset, we trained the network for 200 epochs. The proposed model's training and testing accuracy vary, and it ranges from 0.98 to 0.99, and loss values range from 0.001 to 0.004.

Case Study
In this example, we show how an attacker can change normal packets so that the NIDS considers their security concerns. As a result, the secured service will reject all ordinary packets, resulting in a huge number of unexpected FPs.

(a) Experimental setup and configuration
For the camera surveillance scenario, we use the UNSW-NB15 and CICIDS2017 datasets, which total 5.37 million packets. In Section 4.1, we take a look at the same setup function. The first half of the packets are employed to train the proposed IGAN method, and the remainder of the packets are utilized to train the Ensemble approach. T = 0.04 is chosen to yield the best results.

(b) Results
The main aim of these assaults is to disrupt regular packets to such an extent that the yield of the proposed detection mechanism deviates significantly from distributions, prompting the NIDS to interpret them as malicious packets. To develop adversarial perturbations, the attacker can continue the attack technique on normal data. The extractor component first assesses 10 vectors picked at random from the usual traffic stream. To ascertain which key elements have the most influence on the score value, these properties are intimately connected to the timestamp property. The attacker can then modify the time interval among packets. Drop UDP packets at random with a likelihood of p to achieve this. The sum of the computational gap among two packets is then converted to (1/1 + p) t. We take into account the following dropping rates: p = {0.1, 0.3, 0.5, and 0.7}. Packets are discarded among index 2 million and 1.8 million. The threshold T = 0.04, which yields the best false positive rate and false negative rate under normal conditions. We see that our assault raises the RMSE scores during the packet loss period. While p = 0.3, many regular packets with RMSE values more than the threshold are blacklisted as malignant. When the detection threshold is lower, it is simpler to carry such an attack with a lower packet-dropping rate.

Conclusions
One of the worst issues in all communication networks is NIDS. This study examined the present restrictions and suggested a hybrid IDS approach combining Lenet 5 and LSTM. This article focuses on using the IGAN technique to address the issue of class imbalance in the data set, in contrast to the majority of existing NIDS. Additionally, the hybrid LSTM ensemble model approach is employed to address the issue of complicated models' extended training and detection times. The outcome of the evaluation using the UNSW-NB15 and CICIDS2017 data sets demonstrates that the proposed NIDS developed in the study has a high detection accuracy, with test sets of 98.96% and 98.02%, respectively. It also achieves the best TPR and FPR in both datasets. In the UNSW-NB15 dataset, the TPR is 95.77% and the FPR is 1.15%. Similarly, in the CICIDS2017 data sets, the TPR is 96.13% and the FPR is 0.76%. The training and detection times of this method are relatively fast when compared to other algorithms. It enhances accuracy and eliminates the FPR and FNR. The proposed approach yield overall 99.06% precision, 98.17% recall, 99.73% F1-Score, and 98.97% accuracy.
Due to the poor error tolerance of IDSs, the UNSW-NB15 data set only comprises a few different types of attacks. In the future, we will integrate additional data sets to cover a wider range of attack types. Last but not least, due to a lack of processing power, testing deeper neural networks with more residual and regular blocks is not possible. As a result, we will carry out more trials in the future with more potent resources and might produce better findings when it comes to identifying network threats. It is planned to integrate various hybrid deep learning techniques in the future and analyze the outcomes. Furthermore, various methods for data balancing will be investigated. Furthermore, the proposed method is intended to be applied instantly to network traffic in a big data environment.