Article

A Hybrid Deep Learning Model Based on Spatio-Temporal Feature Mining for Traffic Analysis in Industrial Internet Gateway

School of Physics, Liaoning University, Chongshan Campus, Shenyang 110031, China
*
Author to whom correspondence should be addressed.
Symmetry 2026, 18(2), 245; https://doi.org/10.3390/sym18020245
Submission received: 7 December 2025 / Revised: 20 January 2026 / Accepted: 21 January 2026 / Published: 30 January 2026
(This article belongs to the Section Computer)

Abstract

As the scale of the Industrial Internet continues to expand, the number of network connections and the volume of data traffic are growing explosively. Security threats and attack types targeting the Industrial Internet are becoming increasingly complex, rendering traditional firewalls and encryption/decryption technologies inadequate for addressing diverse and sophisticated attack scenarios. Furthermore, traffic characteristics within the Industrial Internet environment exhibit significant asymmetry, such as a highly imbalanced distribution between benign and malicious traffic. To address this challenge, this paper proposes CBiNet, a hybrid deep learning model that integrates a one-dimensional convolutional neural network (1D-CNN) with a bidirectional long short-term memory network (BiLSTM) and is designed to effectively learn and leverage such asymmetric spatio-temporal patterns. Experimental validation demonstrates that the CBiNet model can efficiently tackle complex traffic identification tasks in industrial internet environments. It provides a highly accurate, scalable intrusion detection method for securing industrial internet gateways.

1. Introduction

The Industrial Internet represents an industry formed by the comprehensive and deep integration of the Internet, next-generation information technologies, and industrial control systems (ICS) [1], serving as a crucial component of Industry 4.0. The high-level convergence of industrial elements such as physical equipment, production lines, and control systems, coupled with the introduction of new technologies like artificial intelligence, big data, and cloud computing, inevitably brings security and reliability challenges to the Industrial Internet. In recent years, the attack surface of the Industrial Internet has expanded dramatically, with frequent cybersecurity incidents such as the “Stuxnet” attack on Iran’s nuclear facilities and the “BlackEnergy” assault on Ukraine’s power grid causing significant economic losses [2]. These events demonstrate that the Industrial Internet has become a primary target for cyber attackers, posing severe threats to industrial production and national security. Within a single industrial internet system, multiple field devices such as programmable logic controllers (PLCs), cameras, and sensors may exist. These devices connect to the Industrial Internet Gateway via different communication protocols and data formats. As the number of connected devices increases, industrial internet network traffic is experiencing explosive growth.
Therefore, based on the aforementioned analysis, conducting data mining, feature extraction, and classification identification on network traffic to establish reliable gateway security policies holds practical significance for detecting and responding to potential threats or attacks in the industrial internet, thereby safeguarding the confidentiality, integrity, and availability (CIA) of network systems. In recent years, the number of network vulnerabilities has grown exponentially. According to a QiAnXin report, 43,757 new vulnerabilities were identified globally in 2024, representing a 46.7% year-on-year increase from 2023, with high-risk and critical vulnerabilities accounting for 17.8% [3]. Traditional firewalls and encryption/decryption technologies struggle to handle large-scale network load analysis and potential attack identification scenarios. Intrusion detection, as a novel security strategy for industrial internet gateways, aims to proactively defend against potential threats by monitoring network traffic, system operations, and data transmission to identify unauthorized access or malicious activities. This proactive security technology has been widely adopted in industrial internet network traffic analysis [4]. In recent years, deep learning technology has provided new impetus for the development of Network Intrusion Detection Systems (NIDS) due to its powerful feature extraction and construction capabilities. It can automatically extract features from massive network traffic data to identify potential security threats. Based on this, this paper proposes a hybrid deep learning model named 1D CNN-Bidirectional LSTM Network (CBiNet), which integrates a one-dimensional convolutional neural network and a bidirectional long short-term memory network for traffic analysis in industrial internet gateways. 
The 1D-CNN extracts local spatial features within time series, while the BiLSTM not only uncovers long-range dependencies during forward data propagation but also integrates reverse-direction features. Given the diverse devices and widespread mixed-traffic transmission in industrial internet environments, network loads are substantial and accurately capturing potential threats is challenging. Experimental validation demonstrates that the proposed CBiNet exhibits robust analytical capabilities for complex network traffic. This approach holds significant theoretical and practical implications for traffic analysis in industrial gateways and for ensuring network security.
The contributions of this paper are primarily reflected in the following two aspects:
  • The loss function of the proposed CBiNet hybrid model is optimized by replacing cross-entropy loss with Focal-loss to address the issue of class imbalance in the dataset.
  • We then employed the CICIDS2017 and UNSW-NB15 datasets to evaluate the proposed deep learning algorithm’s ability to identify attack types through both full classification and binary classification tasks, thereby validating the model’s generalization capability.
The subsequent structure of this paper is as follows: Section 2 reviews existing techniques, focusing on intrusion detection methods based on machine learning and deep learning; Section 3 elaborates on the proposed model and its components; Section 4 demonstrates the effectiveness of the model through rigorous experimental settings; Section 5 summarizes the conclusions drawn from this work and outlines potential future research directions.

2. Related Works

Intrusion detection systems serve as an active security defense mechanism, analyzing network traffic or system behavioral patterns to identify and alert potential malicious attacks or anomalous activities, forming a core defense mechanism within cybersecurity frameworks. Based on their identification methods, intrusion detection technologies can be categorized into misuse-based intrusion detection and anomaly-based intrusion detection. Misuse-based or signature-based intrusion detection methods are more suitable for addressing multi-classification problems in attack behavior. They heavily rely on the characteristics of security attacks or malicious activities but lack sensitivity to unknown attack patterns. Anomaly-based intrusion detection, however, can identify novel attacks by leveraging users’ normal behavioral patterns [5,6]. Based on the technologies employed, these methods can be further categorized into signature-based intrusion detection and temporal modeling-based intrusion detection. Recent research indicates that deep learning techniques have demonstrated significant effectiveness in addressing intrusion detection challenges [7]. This section lists several representative methods from the aforementioned classifications and highlights the shortcomings of current intrusion detection frameworks by examining the characteristics of each approach.

2.1. Feature-Based Intrusion Detection Methods

Such methods primarily refer to intrusion detection approaches utilizing traditional machine learning classifiers, including shallow classifiers such as K-Nearest Neighbor (KNN), Support Vector Machine (SVM), Random Forest (RF), and others. Various machine learning techniques and statistical methods have been employed to construct different types of intrusion detection systems for network security protection [8]. Aburomman et al. [9] employed a particle swarm optimization (PSO) algorithm to construct an integrated classifier combining KNN and SVM. Incorporating PSO achieved a classification accuracy of 92.7% on the KDD99 dataset. However, KNN is a lazy learning algorithm characterized by high computational complexity and poor real-time performance. Zheng [10] employed an improved particle swarm algorithm to optimize SVM parameters. Experimental validation demonstrated improvements in both false positive rate and false negative rate metrics. However, this model suffers from issues with sparse attack samples, which may degrade classification performance; Zhang et al. [11] combined random forests with convolutional neural networks (CNNs), employing CNNs for binary classification and random forests for multi-class classification. However, the integration and training of these two models proved complex, with interpretability and generalization capabilities remaining suboptimal.
Feature-based intrusion detection methods achieve high detection rates only for attack categories already present in the signature database, but perform poorly against unknown attacks or variants of known attack types [12]. In fact, real-world industrial internet scenarios involve diverse network attack types, making the approach of frequently updating signature databases to maintain detection accuracy clearly costly. Furthermore, these shallow classifiers rely heavily on manual feature extraction, making it difficult to extract complex high-dimensional features [13].

2.2. Time Series-Based Modeling Intrusion Detection Methods

In the industrial internet, intrusion detection analysis methods based on time-series modeling are also frequently employed. According to the aforementioned classification, this approach falls under anomaly-based intrusion detection. Mohammed et al. [14] proposed a deep learning architecture integrating CNN, RNN (Recurrent Neural Network), and LSTM (Long Short-Term Memory). However, the combination of RNN and LSTM makes the model difficult to process in parallel, rendering it unsuitable for handling large-scale network traffic. Furthermore, the validation dataset is outdated, making it challenging to comprehensively describe contemporary real-world attack scenarios. During the evolution of models for long sequence processing, Hochreiter et al. [15] introduced the LSTM model in 1997, resolving the vanishing gradient problem inherent in RNNs.
In today’s highly efficient deep learning networks, Long Short-Term Memory (LSTM) networks have emerged as a hot topic in deep learning research [16]. Compared to Recurrent Neural Networks (RNNs), LSTMs effectively handle long-term dependencies and successfully mitigate the issues of vanishing gradients and exploding gradients during training. However, even though LSTMs are designed to mitigate the vanishing gradient problem, they may still exhibit gradient decay, slow convergence, or reduced generalization capabilities when dealing with extremely long sequences or high-dimensional data, posing challenges for industrial systems with higher real-time requirements [17]. Cho et al. [18] proposed an improved version in 2014 featuring fewer parameters than LSTMs. Nevertheless, existing temporal processing models often neglect bidirectional contextual relationships in network behavior. Although Gueriani et al. [19] introduced an LSTM-CNN-Attention model with outstanding experimental results, it requires further optimization for edge device deployment and fails to meet the demands of real-time attack detection in industrial settings. With the rapid rise of large language model (LLM) technology, its core natural language processing (NLP) capabilities have gained significant attention. The Transformer architecture, capable of more thoroughly learning semantic information in NLP tasks, has been introduced into intrusion detection: Manocchio et al. [20] proposed a general framework named FlowTransformer, utilizing the Transformer’s attention mechanism to identify long-range contextual relationships within traffic. Ullah et al. [21] introduced a Transformer-based BERT-Large model, leveraging the multi-head self-attention mechanism within Transformers for semantic analysis of attack types. However, both approaches suffer from substantial computational overhead and reliance on robust computing infrastructure, making them difficult to deploy in industrial settings. 
Intrusion detection methods based on temporal modeling effectively capture temporal features but lack spatial feature extraction. Therefore, employing modules like CNNs for spatial feature extraction is essential.

2.3. Intrusion Detection Methods Based on Spatial Feature Modeling

Graph Neural Networks (GNNs) represent a class of deep learning methods specifically designed to process graph-structured data [22], where nodes correspond to IP addresses or ports, and neighborhood information reflects flow relationships. GNNs possess the advantage of extracting local features by aggregating neighborhood information. The E-GraphSAGE model proposed by Lo et al. [23] defines “IP + port” as nodes and network flow features as edges, mapping network data into a graph structure. After training, the model achieves an F1-score of 1.00. However, the model exhibits high time complexity, and training speed may be constrained. Compared to GNNs, CNNs—regardless of feature dimension transformation—achieve faster inference in large-scale parallel computing scenarios due to their parameter-sharing nature.
Given the potential correlations among network traffic features, it is necessary to extract features based on their local patterns. This ensures that during training, the model not only focuses on contextual information but also learns sufficient spatial local correlations. Convolutional neural networks typically convert one-dimensional traffic data into two-dimensional matrices or grayscale images, using sliding windows with convolutional kernels to extract local features. Xiao et al. [24] proposed an improved LeNet-5 architecture that employs Principal Component Analysis (PCA) and Autoencoders (AE) for feature dimensionality reduction. They then convert one-dimensional features into two-dimensional images to adapt to CNN input formats. However, this complex dimensionality transformation often introduces significant computational redundancy. Arsalan et al. [25] proposed using one-dimensional convolutional neural networks for network attack classification. Comparative experimental analysis demonstrated this method outperforms existing alternatives.
Based on the above analysis, this study selects 1D-CNN over 2D-CNN for local spatial feature extraction to reduce model complexity, while employing BiLSTM to enable bidirectional context learning. For edge deployment, 1D-CNN features substantially fewer parameters than 2D-CNN and Transformer architectures. BiLSTM processes feature sub-sequences compressed by 1D-CNN, significantly accelerating computation while maintaining minimal latency. This aligns with industrial gateway devices’ constraints of limited resources, high real-time requirements, and stringent accuracy demands.

3. Methodology

3.1. Data Selection and Description

With the deep integration of Industry 4.0 and IT/OT [26], modern industrial gateways no longer merely process underlying industrial protocols like Modbus and OPC-UA. Instead, they increasingly perform protocol conversion between edge devices and the cloud. Within the network architecture, industrial internet gateways primarily perform security detection, traffic aggregation and forwarding, and protocol conversion. Therefore, the selected dataset must simulate attack scenarios in which traffic from multiple hosts converges to a central node, specifically at the gateway level. Typically, industrial gateway devices have limited computational power. They must balance high-throughput data processing with maintaining detection accuracy. Using general-purpose datasets with high-dimensional features and diverse attack types can better simulate real industrial gateway traffic. Network attack types like DDoS, Brute Force, and Botnet are common threats, and the attack types targeting industrial gateways differ little from those targeting ordinary networks. Considering the above factors, this study selects CICIDS2017 and UNSW-NB15 as the datasets for the demonstration model. Both datasets not only comprehensively cover prevalent cyberattack types but are also suitable for scenarios in industrial settings, such as multi-stage attacks and multi-device interference.

3.1.1. CICIDS2017

CICIDS2017 is a benchmark dataset for intrusion detection released by the Canadian Institute for Cybersecurity, comprising 83 valid features [27]. Researchers simulated a real enterprise network environment by constructing an attacker network and a victim network. They simulated five consecutive days of network activity from 3–7 July 2017, and executed manual attacks against the victim network. By configuring mirrored ports on the main switch, all traffic received from the victim network was fully captured. This dataset includes both benign and malicious traffic. Benign traffic was extracted from the daily activities of 25 users, such as web browsing, email communication, and file transfers, and was feature-encapsulated using machine learning techniques. Attack behaviors primarily encompass seven major attack families: Brute Force, Heartbleed, Botnet, Denial of Service (DoS/DDoS), Port Scan, Web Attack, and Infiltration. Table 1 shows the record distribution of the CICIDS2017 dataset. Different attack tools or scripts were employed to generate attack traffic for each type of attack behavior. Given that the CICIDS2017 dataset highly simulates real-world network environments and incorporates the latest network attack methods [28], it was selected for this study’s validation.

3.1.2. UNSW-NB15

UNSW-NB15 [29] is a dataset released by the University of New South Wales, Australia, designed to reflect modern real-world network environments and encompass prevalent cyberattack types. Researchers configured three virtual servers using IXIA traffic generators (http://www.ixiacom.com/products/perfectstorm, accessed 12 January 2026) for traffic generation: two servers generated normal traffic, while the third simulated malicious activity within the network. UNSW-NB15 contains 2,540,044 records, with 49 traffic features extracted using Argus and Bro-IDS tools (http://qosient.com/argus/index.shtml, accessed 12 January 2026). These features encompass both packet-level and flow-level characteristics, such as duration and protocol type. The experiment simulated nine attack types: Analysis, Backdoors, DoS, Exploits, Fuzzers, Generic, Reconnaissance, Shellcode, and Worms. Given that modern attack behaviors closely mimic normal network traffic, the UNSW-NB15 dataset exhibits high complexity. This makes it suitable for reliably evaluating existing and novel NIDS methods [30]. Table 2 shows the record distribution within the UNSW-NB15 dataset.

3.2. Data Preprocessing

This study partitions the datasets into training, validation, and test sets in a 7:2:1 ratio. Except for feature encoding, all subsequent preprocessing operations are performed exclusively on the training process and training set.

3.2.1. Balanced Dataset

As shown in Table 1 and Table 2, the label distribution in both the CICIDS2017 and UNSW-NB15 datasets exhibits imbalance. The severe class imbalance in both datasets reflects an inherent asymmetry in real-world network traffic, where malicious events occur far less frequently than benign activities. This asymmetric distribution motivates the model to learn discriminative features that emphasize such non-uniform patterns. Certain categories contain an extremely low proportion of attack samples. Models may fail to adequately learn the features of these categories, leading to degraded classification performance [31], and tend to favor predicting categories with larger sample sizes. Approaches to handling imbalanced datasets can be categorized into two levels: first, processing at the dataset level, such as random oversampling or random resampling based on data distribution. For instance, Azizjon et al. [32] addressed the category label imbalance in traffic datasets by applying random oversampling to balance the number of normal and attack samples. However, simple sample replication does not enhance the dataset’s informative value and may significantly increase the risk of model overfitting [33]. The other approach involves optimizing the loss function at the model level, which is generally more robust. Therefore, this study improves the loss function to Focal-Loss. This loss function reduces the weight of the loss for the majority class, enabling the model to focus more on difficult-to-classify or minority classes during training. The calculation formula is as follows:
$$FL(p) = -\alpha (1 - p)^{\gamma} \log(p)$$
where p is the model’s predicted probability, γ is the focus parameter, and α is the modulation factor.
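The effect of this loss on an imbalanced batch can be checked numerically. The following is an added example, not code from the paper: it compares how much of the total batch loss comes from the attack classes under cross-entropy and under Focal-Loss. The values α = 0.25 and γ = 2.0, the logits and the class counts are assumptions constructed for the illustration.

```python
import math

# Assumed hyperparameters (the page does not state the values it used).
ALPHA, GAMMA = 0.25, 2.0


def softmax(logits):
    """Numerically stable softmax over one sample's class logits."""
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def cross_entropy(p):
    """Cross-entropy for the predicted probability p of the true class."""
    return -math.log(max(p, 1e-12))


def focal_loss(p, alpha=ALPHA, gamma=GAMMA):
    """FL(p) = -alpha * (1 - p)^gamma * log(p), with p clamped away from 0."""
    p = min(max(p, 1e-12), 1.0)
    return -alpha * (1.0 - p) ** gamma * math.log(p)


def loss_per_class(batch, loss_fn):
    """Sum the loss per true class; batch is a list of (logits, true_class)."""
    totals = {}
    for logits, y in batch:
        p_true = softmax(logits)[y]
        totals[y] = totals.get(y, 0.0) + loss_fn(p_true)
    return totals


def minority_share(totals, majority_class=0):
    """Fraction of the batch loss contributed by all classes except the majority."""
    total = sum(totals.values())
    return (total - totals.get(majority_class, 0.0)) / total


def constructed_batch():
    """Constructed batch: 990 confidently classified benign flows (class 0)
    and 10 poorly classified attack flows (8 of class 1, 2 of class 2)."""
    benign = [([3.0, 0.0, 0.0], 0)] * 990
    attack_a = [([1.0, 0.0, 0.0], 1)] * 8
    attack_b = [([2.0, 0.0, 0.5], 2)] * 2
    return benign + attack_a + attack_b


if __name__ == "__main__":
    batch = constructed_batch()
    ce = minority_share(loss_per_class(batch, cross_entropy))
    fl = minority_share(loss_per_class(batch, focal_loss))
    print(f"attack share of batch loss, cross-entropy: {ce:.3f}")
    print(f"attack share of batch loss, focal loss:    {fl:.3f}")
```

With cross-entropy the 990 easy benign flows dominate the gradient signal; with the focusing term their contribution is scaled by (1 - p)^γ and the ten attack flows carry most of the loss.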

3.2.2. Feature and Label Encoding

Most features in the CICIDS2017 and UNSW-NB15 datasets are numerical. For string-type features such as protocol type and connection status, string values must be converted to numerical representations to meet the numerical input requirements of the CBiNet model. Attack category labels in both datasets are in string format, which the model cannot directly recognize; these also require numerical conversion. This paper employs label encoding [34] for both feature and label transformation, converting categorical data into numerical values to ensure consistency between input data format and model requirements.

3.2.3. Feature Normalization

Feature normalization refers to scaling each feature value within a specific numerical range. This study employs the Min-Max Normalization method, linearly mapping all feature values between the maximum and minimum values of that feature category. Data normalization has been proven critical for the performance and convergence speed of numerous machine learning and deep learning algorithms, as shown in Equation (1):
$$X_{scale} = \frac{X - X_{min}}{X_{max} - X_{min}}$$
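The preprocessing steps of Sections 3.2, 3.2.2 and 3.2.3 can be combined as follows. This is an added example, not the paper's code: encoders are fitted on the full data, the Min-Max bounds are learned from the training split only, and the scaler handles a feature that is constant in training as well as test values outside the training range. The flow records, column names and the clipping choice are assumptions constructed for the illustration.

```python
import random


class LabelEncoder:
    """Maps each distinct string to an integer (sorted order, deterministic)."""

    def fit(self, values):
        self.index = {v: i for i, v in enumerate(sorted(set(values)))}
        return self

    def transform(self, values):
        return [self.index[v] for v in values]


class MinMaxScaler:
    """X_scale = (X - X_min) / (X_max - X_min); bounds come from fit() only."""

    def fit(self, rows):
        columns = list(zip(*rows))
        self.mins = [min(c) for c in columns]
        self.maxs = [max(c) for c in columns]
        return self

    def transform(self, rows, clip=True):
        scaled_rows = []
        for row in rows:
            scaled = []
            for x, lo, hi in zip(row, self.mins, self.maxs):
                # A feature that is constant in training has X_max == X_min:
                # emit 0.0 instead of dividing by zero.
                v = 0.0 if hi == lo else (x - lo) / (hi - lo)
                # Unseen flows can exceed the training range (assumed policy:
                # clip to [0, 1] so the model never sees out-of-range inputs).
                if clip:
                    v = min(1.0, max(0.0, v))
                scaled.append(v)
            scaled_rows.append(scaled)
        return scaled_rows


def split_7_2_1(rows, seed=0):
    """Shuffle and split into training, validation and test sets (7:2:1)."""
    shuffled = rows[:]
    random.Random(seed).shuffle(shuffled)
    n_train = len(shuffled) * 7 // 10
    n_val = len(shuffled) * 2 // 10
    return (shuffled[:n_train],
            shuffled[n_train:n_train + n_val],
            shuffled[n_train + n_val:])


# Constructed flow records: (protocol, duration_s, fwd_packets, const_flag, label)
FLOWS = [
    ("tcp", 0.5, 10, 0, "BENIGN"), ("udp", 0.1, 2, 0, "BENIGN"),
    ("tcp", 1.2, 40, 0, "BENIGN"), ("tcp", 0.3, 8, 0, "BENIGN"),
    ("udp", 0.2, 4, 0, "BENIGN"), ("tcp", 2.0, 50, 0, "PortScan"),
    ("tcp", 0.9, 30, 0, "BENIGN"), ("icmp", 0.4, 6, 0, "BENIGN"),
    ("tcp", 0.7, 20, 0, "BENIGN"), ("tcp", 9.0, 900, 0, "DDoS"),
]


def preprocess(flows, seed=0):
    """Encode on all data, then fit the scaler on the training split only."""
    proto_enc = LabelEncoder().fit([f[0] for f in flows])
    label_enc = LabelEncoder().fit([f[4] for f in flows])
    train, val, test = split_7_2_1(flows, seed)

    def features(part):
        return [[float(proto_enc.index[f[0]]), f[1], float(f[2]), float(f[3])]
                for f in part]

    scaler = MinMaxScaler().fit(features(train))  # no validation/test statistics
    parts = {}
    for name, part in (("train", train), ("val", val), ("test", test)):
        labels = label_enc.transform([f[4] for f in part])
        parts[name] = (scaler.transform(features(part)), labels)
    return parts, scaler


if __name__ == "__main__":
    parts, scaler = preprocess(FLOWS)
    for name, (x, y) in parts.items():
        print(name, len(x), y)
```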

3.3. Hybrid 1D-CNN-BiLSTM Deep Learning Model

3.3.1. Convolutional Neural Network

CNN is a widely applied deep learning module. Its core principle involves extracting features from input data through convolutional operations and abstracting information via stacked neural network layers to achieve local feature perception and capture spatial correlations [35]. In current mainstream datasets for intrusion detection tasks, the raw network traffic data to be analyzed is typically packet-level pcap data. This often requires extracting flow-level CSV files from pcap-formatted packets. Given this characteristic of network traffic datasets, this paper employs a 1D-CNN for feature extraction rather than a 2D-CNN to avoid introducing redundant information and increasing computational complexity.
In intrusion detection, specific combinations of certain features typically indicate particular types of attacks. In the dataset used in this paper, the data is essentially structured tables. The convolutional kernel of the 1D-CNN slides along the feature dimension, capturing local correlations between adjacent features. The output tensor has dimensions (1, 80). In the CICIDS2017 and UNSW-NB15 datasets, the feature generation tools CICFlowMeter (https://www.unb.ca/cic/research/applications.html#CICFlowMeter, accessed 12 January 2026.) and Argus were used respectively. CICFlowMeter sequentially arranges 80 features based on forward flow, flags, etc. [27]; Argus arranges features sequentially based on basic, content, and temporal characteristics [29]. This arrangement enables the 1D-CNN to more accurately capture local spatial patterns in network traffic during convolution operations, forming the foundation for the 1D-CNN’s extraction of local spatial patterns.
The 1D-CNN network architecture employed in this paper is illustrated in Figure 1: The model sequentially incorporates Conv1D, ReLU activation function, and max pooling layers. Conv1D employs a one-dimensional convolution kernel to extract local spatial features from the input time-series data using a sliding window approach. Following the Conv1D operation, a Reshape operation is applied. Since the original UNSW-NB15 features lack sequence depth after vectorization, we reshape the 196-dimensional feature vectors into a 14 × 14 temporal feature matrix. This provides the contextual foundation for subsequent BiLSTM layers. By computing the dot product between the input data and the convolution kernel weights, it ultimately generates a one-dimensional feature map. The operation of Conv1D is illustrated in Figure 2. Following convolution, the ReLU activation function is applied, defined as follows:
$$\mathrm{ReLU}(z_i) = \max(0, z_i)$$
Here, $z_i = Wx + b$, where $z_i$ denotes the linear output value of the i-th output channel, $W$ represents the weights of the one-dimensional convolution kernel, $x$ is the input data, and $b$ is the bias term. The ReLU function determines neuron activation based on a threshold [32], masking neurons with negative outputs to promote network sparsity. Following activation, feature maps undergo max pooling to retain salient features while reducing spatial dimensions, thereby preventing overfitting and enhancing learning efficiency. Max pooling reduces sample size without altering weights [36]. During early training phases, parameter updates across layers cause continuous shifts in input distributions, potentially slowing or destabilizing training. To prevent covariance drift between layers, which can hinder convergence or trigger vanishing/exploding gradients, a Batch Normalization (BN) layer is introduced after max pooling. The BN computation steps are as follows:
Let a batch of inputs be denoted as $x = \{x_1, x_2, \ldots, x_m\}$, where $m$ is the batch size. The mean of this batch is $\mu_B = \frac{1}{m}\sum_{i=1}^{m} x_i$, and the variance is $\sigma_B^2 = \frac{1}{m}\sum_{i=1}^{m} (x_i - \mu_B)^2$.
Normalization:
$$\hat{x}_i = \frac{x_i - \mu_B}{\sqrt{\sigma_B^2 + \epsilon}}$$
To avoid a zero denominator, a small constant $\epsilon$ is introduced here. Finally, $\hat{x}_i$ undergoes linear processing through two variables:
$$y_i = \gamma \hat{x}_i + \beta$$
$\gamma$ and $\beta$ are learnable parameters during training, enabling the network to represent any distribution.

3.3.2. Bidirectional Long-Short-Term Memory

Long Short-Term Memory (LSTM) is a specialized type of RNN that utilizes gating mechanisms to learn long-term dependencies in data. Its architecture incorporates cell states and gating mechanisms, addressing the limitations of traditional RNNs in modeling long-term dependencies and mitigating vanishing or exploding gradients during training.
The LSTM network architecture, as shown in Figure 3, primarily consists of three gates: the forget gate, the input gate, and the output gate. The forget gate determines whether to retain or discard the memory from the previous time step. Let $x_t$ denote the input at time step $t$ and $h_{t-1}$ denote the hidden state at the previous time step. The output of the forget gate is $f_t$, where $W_{fh}$ and $W_{fx}$ represent the weights, $b_f$ is the forget gate bias, and the sigmoid function $\sigma$ serves as the activation function. The mathematical expression for the forget gate is as follows:
$$f_t = \sigma(W_{fh} h_{t-1} + W_{fx} x_t + b_f)$$
When the forget gate outputs $f_t = 1$, all current information is retained; when $f_t = 0$, all information is discarded.
The input gate updates memory by determining which information from the current input is written into the cell state. Here, $W_{ih}$ and $W_{ix}$ represent weights, while $b_i$ denotes the input gate bias. The mathematical expression for the input gate is as follows:
$$i_t = \sigma(W_{ih} h_{t-1} + W_{ix} x_t + b_i)$$
The input gate also incorporates a candidate memory unit, generating candidate memories using the tanh activation function. $W_{\tilde{c}h}$ and $W_{\tilde{c}x}$ represent the weights, while $b_{\tilde{c}}$ denotes the candidate memory unit bias. The expression for the candidate memory is:
$$\tilde{c}_t = \tanh(W_{\tilde{c}h} h_{t-1} + W_{\tilde{c}x} x_t + b_{\tilde{c}})$$
After completing the selection of past memories and current information respectively, proceed with updating the memory unit state:
$$c_t = f_t c_{t-1} + i_t \tilde{c}_t$$
The output gate determines which components of $c_t$ are used as the current state output to the next cell. $c_t$ is first scaled by the tanh function. Let $W_{oh}$ and $W_{ox}$ denote the weights, and $b_o$ denote the output gate bias. The mathematical expression for the output gate is as follows:
$$o_t = \tanh(W_{oh} h_{t-1} + W_{ox} x_t + b_o)$$
As previously mentioned, LSTMs demonstrate superior performance in processing time-series data. In certain network traffic scenarios, the characteristics of cyberattacks depend not only on historical traffic but also on subsequent traffic. Imrana et al. [37] proposed a bidirectional long short-term memory (BiLSTM) network. This model consists of forward and backward LSTM networks, in which the time series data are replicated and fed into both LSTMs. By collecting feature information from the reverse sequence for model training, this bidirectional dependency addresses the detection limitations inherent in traditional LSTMs. BiLSTM is a variant of LSTM characterized by learning data transmitted both forward from the model’s start to its end and backward from the end to the start [37]. Structurally, it incorporates two LSTMs, as shown in Figure 4: one processes the time series forward, the other backward, with the final outputs being concatenated. Thus, BiLSTM can process all available input data from both past and future within a specific time window. It retains the gating mechanism of traditional LSTMs, addressing potential gradient vanishing and gradient explosion issues during training.
As described in Section 3.3.1, during the LSTM phase, the feature vectors extracted by the 1D-CNN are segmented into equal-length sub-segments, each containing the same number of features. A single sub-segment serves as the input value for one time step of the LSTM, which learns the logical relationships between all features across steps. The BiLSTM employed in this paper is more suitable for later-stage features such as data backhaul, aiding in further confirmation of potential attack types.
Based on the above analysis, BiLSTM is highly suitable for network intrusion detection tasks. This study employs a dual-layer BiLSTM to capture the temporal features of network traffic. Combined with the 1D-CNN’s ability to capture local spatial features, the hybrid CNN-BiLSTM architecture integrates the strengths of both, effectively balancing temporal and spatial data characteristics to ensure maximum feature extraction.

3.3.3. CBiNet

Based on the preceding arguments, 1DCNNs can extract high-order features from massive datasets [38] and capture local spatial characteristics. BiLSTM networks build upon the technical advantages of basic LSTMs while further addressing the reverse temporal dependencies in sequences, yielding superior prediction performance compared to standard LSTMs [39]. Therefore, this paper combines the strengths of both approaches to propose CBiNet, a deep learning model integrating 1D-CNN and BiLSTM, for classifying attack traffic samples in intrusion detection. The model begins with a 1D-CNN layer, performing convolution on processed feature information. A max-pooling layer preserves dominant features, followed by a dropout layer to prevent overfitting. After spatial feature processing, a BiLSTM handles temporal features. This combination is repeated twice, culminating in a fully connected layer using the SoftMax activation function for classification. Figure 5 illustrates the complete structure of the CBiNet model.

3.4. Evaluation Metrics

In binary classification experiments, key metrics for assessing model performance include: precision (P), accuracy (ACC), detection rate (DR), false alarm rate (FAR), and F1-score. The respective calculation formulas are as follows:
$$P = \frac{TP}{TP + FP}$$

$$ACC = \frac{TP + TN}{TP + TN + FP + FN}$$

$$DR = \frac{TP}{TP + FN}$$

$$FAR = \frac{FP}{FP + TN}$$

$$F1\text{-}score = \frac{2 \times Precision \times Recall}{Precision + Recall}$$
Recall is defined as $Recall = \frac{TP}{TP + FN}$. TP represents samples that are actually attacks and are also predicted as attacks by the model; TN represents samples that are actually normal traffic and are also predicted as normal traffic by the model; FP represents samples that are actually normal traffic but are falsely reported as attacks by the model; FN represents samples that are actually attacks but are missed by the model and reported as normal traffic. This experiment calculates the aforementioned metrics by considering the total number of samples across both the normal and attack categories in the binary classification task.
In multi-classification experiments, to comprehensively evaluate the model’s classification performance across each category, the following metrics are required: Overall Accuracy (OA), Macro-average Precision (Macro-P), Weighted-average Precision (Weighted-P), Macro-average F1-score (Macro-F1), Weighted-average F1-score (Weighted-F1). The respective calculation formulas are as follows:
$$OA = \frac{\sum_{i=1}^{n} TP_i}{\sum_{i=1}^{n} (TP_i + FP_i + TN_i + FN_i)}$$

$$\text{Macro-}P = \frac{1}{n} \sum_{i=1}^{n} P_i$$

$$\text{Weighted-}P = \frac{\sum_{i=1}^{n} P_i \times Support_i}{\sum_{i=1}^{n} Support_i}$$

$$\text{Macro-}F1 = \frac{1}{n} \sum_{i=1}^{n} F1\text{-}score_i$$

$$\text{Weighted-}F1 = \frac{\sum_{i=1}^{n} F1\text{-}score_i \times Support_i}{\sum_{i=1}^{n} Support_i}$$
Here, n represents the number of classes, and Support denotes the number of samples in each class. The macro-average is the arithmetic mean of the per-class values; it is susceptible to extreme outliers and more sensitive to the classification performance of minority classes. In contrast, the weighted average prioritizes the model’s overall performance across the entire dataset. Using both metrics as evaluation indicators allows for a more intuitive comparison of how a model’s single-class prediction performance impacts its overall capability.
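The precision, detection rate, false alarm rate and F1 definitions above, computed one-vs-rest from a confusion matrix and then macro- and support-weighted, as an added example (not the authors' code). The confusion matrix is constructed for illustration, with class names borrowed from Table 1; it shows how a rare class with many false positives pulls Macro-P down while Weighted-P barely moves.

```python
def _ratio(num, den):
    """num / den, or 0.0 when the denominator is empty (class never seen or never predicted)."""
    return num / den if den else 0.0


def binary_metrics(tp, tn, fp, fn):
    """P, ACC, DR, FAR and F1 as defined in Section 3.4, as fractions in [0, 1]."""
    p = _ratio(tp, tp + fp)
    dr = _ratio(tp, tp + fn)          # detection rate, identical to recall
    return {
        "P": p,
        "ACC": _ratio(tp + tn, tp + tn + fp + fn),
        "DR": dr,
        "FAR": _ratio(fp, fp + tn),
        "F1": _ratio(2 * p * dr, p + dr),
    }


def multiclass_report(cm, labels):
    """Per-class metrics plus macro and weighted averages.

    cm[i][j] is the number of samples of true class i predicted as class j.
    """
    n = len(cm)
    if n != len(labels) or any(len(row) != n for row in cm):
        raise ValueError("confusion matrix must be square and match the label list")
    total = sum(sum(row) for row in cm)
    rows = []
    for i, label in enumerate(labels):
        tp = cm[i][i]
        fn = sum(cm[i]) - tp                          # true class i, predicted elsewhere
        fp = sum(cm[r][i] for r in range(n)) - tp     # other classes predicted as i
        tn = total - tp - fn - fp
        m = binary_metrics(tp, tn, fp, fn)
        m.update(label=label, support=tp + fn)        # Support_i = samples of class i
        rows.append(m)
    support = sum(r["support"] for r in rows)
    summary = {}
    for key in ("P", "F1"):
        summary["Macro-" + key] = sum(r[key] for r in rows) / n
        summary["Weighted-" + key] = sum(r[key] * r["support"] for r in rows) / support
    return rows, summary


# Constructed confusion matrix (not measured data): rows = true class, columns = predicted.
LABELS = ["Benign", "DoS Hulk", "Web Attack Sql Injection"]
CM = [
    [8900, 60, 40],   # 40 benign flows mislabelled as the rare class
    [20, 880, 0],
    [2, 0, 8],        # only 10 true samples of the rare class
]

if __name__ == "__main__":
    rows, summary = multiclass_report(CM, LABELS)
    for r in rows:
        print(f'{r["label"]:<26} support={r["support"]:<5} P={r["P"]:.3f} '
              f'DR={r["DR"]:.3f} FAR={r["FAR"]:.4f} F1={r["F1"]:.3f}')
    for name, value in summary.items():
        print(f"{name:<12} {value:.3f}")
```

The rare class keeps a false alarm rate under 0.5% because benign traffic dominates the negatives, yet most of its alerts are false, which is why per-class precision should be read alongside FAR.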

4. Experimental Results and Discussion

The experimental section evaluates the proposed 1D-CNN-BiLSTM model, including cross-dataset validation of its generalization capabilities (see Section 4.1 and Section 4.2); comparative analysis with state-of-the-art models to demonstrate its superior performance (see Section 4.3); and ablation experiments, conducted to investigate the impact of each module on the overall intrusion detection performance, as detailed in Section 4.4.
All experiments were conducted under a unified environment with predefined configurations: Python 3.9.18, PyTorch 2.0.0, CUDA 11.8, Intel Xeon Silver 4210R (Intel Corporation, Santa Clara, CA, USA), and NVIDIA RTX A5000 (NVIDIA Corporation, Santa Clara, CA, USA). All experiments employed the same hyperparameter settings, as shown in Table 3.

4.1. Binary Classification Results and Discussion

To validate the model’s capability to distinguish between normal and abnormal traffic, this experiment classified all abnormal traffic samples from both datasets as the Attack class, while labeling normal traffic samples as Normal. Binary classification experiments were conducted on each dataset. Table 4 presents the binary classification results of the proposed CBiNet model on both datasets. On CICIDS2017, the accuracy reached 98.49%, with a false positive rate (FPR) below 2%. The attack detection rate achieved 99.36%, yielding an F1-score of 96.41. The binary classification confusion matrix is shown in Figure 6a. On the UNSW-NB15 dataset, the accuracy reached 93.44%, the false positive rate was controlled below 7%, the detection rate reached 93.03%, and the F1-score was 93.83. The confusion matrix is shown in Figure 6b. These results demonstrate that the proposed CBiNet model maintains a high detection rate while sustaining a low false alarm rate, accurately distinguishing between normal and abnormal traffic. Cross-dataset validation confirms the model’s strong generalization capability, demonstrating the superior performance of the proposed model.

4.2. Multi-Class Classification Results and Discussion

To better align with the practical requirements of traffic analysis for industrial internet gateways, this section builds upon the binary classification experiments in Section 4.1 to further validate the model’s ability to identify and predict different attack categories. Attacks of various types within the dataset are treated as independent samples for classification. Table 5 presents the multi-classification experimental results of the proposed CBiNet model across two datasets. On the CICIDS2017 dataset, CBiNet achieved a weighted average precision of 95.70%, an overall accuracy of 91.82%, and a weighted F1 score of 93.10%. On the UNSW-NB15 dataset, CBiNet achieved a weighted average precision of 90.60%, overall accuracy of 95.29%, and weighted F1 score of 93.14%. It is noted that classification performance has relatively improved for categories with fewer samples, such as Infiltration, Heartbleed, Web Attack SQL Injection (CICIDS2017), Shellcode, and Worms, demonstrating that the model mitigates the decline in overall classification performance caused by data imbalance.
The results demonstrate that the proposed model effectively distinguishes between different categories of cyberattacks, holding significant practical value. Table 6 and Table 7 present the classification performance for different attack types on the CICIDS2017 and UNSW-NB15 datasets, respectively. Figure 7 shows the multi-class confusion matrix of the proposed CBiNet model on the CICIDS2017 dataset, providing a detailed visualization of the classification results across different attack categories.

4.3. Cross-Dataset Validation

Due to differences in attack types and traffic feature distributions across the two datasets, cross-validation between CICIDS2017 and UNSW-NB15 was conducted to verify model robustness and prevent overfitting caused by single-dataset validation. The results from both datasets demonstrate the model’s performance fluctuations under different data distributions, validating its reliability for practical applications, as shown in Table 8.

4.4. Comparative Analysis of Different Intrusion Detection Algorithms

To validate the superiority of the proposed CBiNet model in industrial internet gateway intrusion detection algorithms, we compared it with other commonly used intrusion detection algorithms in recent years: Transformer architecture, Random Forest, Naive Bayes, and Deep Neural Networks (DNN). To align with the deployment requirements of industrial edge devices, this experiment introduces the FLOPs metric to measure inference speed. Since RF and NB models involve minimal floating-point operations, the comparison primarily focuses on the inference speeds of Transformers, DNNs, and the proposed model. Since Section 4.1, Section 4.2 and Section 4.3 have already validated the model’s generalization performance, to avoid redundancy, this section only conducts performance comparison experiments on the CICIDS2017 dataset and focuses solely on binary classification validation. As shown in Table 9, KNN and Random Forest achieve accuracy rates exceeding 98% with false positive rates below 3%. While Naive Bayes demonstrates significant improvement over KNN and SVM in accuracy, its overall performance remains below practical standards. Although Transformers exhibit lower false positive rates and higher F1 scores than our CBiNet model, demonstrating slightly superior performance, their inference speed significantly exceeds that of CBiNet. Considering the high sensitivity of edge devices to FLOPs, our CBiNet model overall outperforms other machine learning and deep learning models, validating the effectiveness of the proposed model, as shown in Figure 8.

4.5. Ablation Studies

To validate that the CBiNet model, which fuses the 1D-CNN and BiLSTM architectures, outperforms the individual models before fusion, this section designs ablation experiments involving three components: 1D-CNN, BiLSTM, CNN-LSTM and CBiNet. The experimental results are presented in Table 10. The detection rates for standalone 1D-CNN and BiLSTM were 96.80% and 87.50%, respectively, increasing to 99.36% after integration. Although CBiNet’s false alarm rate was slightly higher than BiLSTM’s, it remains practical for real-world industrial gateway detection. CBiNet’s overall performance surpasses that of its individual components, demonstrating the practical significance of the proposed CBiNet model.

5. Conclusions

The introduction of technologies such as deep learning and artificial intelligence continues to inject new momentum into the digitalization and intelligent transformation of industrial manufacturing through the Industrial Internet. While revolutionizing production and lifestyles, the cybersecurity of these systems warrants close attention. As a critical technology for safeguarding Industrial Internet gateways, intrusion detection plays a vital role in analyzing network traffic within the Industrial Internet, thereby maintaining its cybersecurity ecosystem. This paper proposes CBiNet, a hybrid deep learning model integrating 1D-CNN and BiLSTM for gateway intrusion detection in industrial settings. Experimental validation demonstrates the model’s robust detection and classification performance on real-world datasets, achieving significant improvements over prior techniques and contributing a novel and practical approach to intrusion detection in industrial internet gateways. Future work will focus on exploring how symmetric and asymmetric traffic characteristics influence intrusion behavior, enabling more symmetry-aware intrusion detection mechanisms. Additionally, we will explore incorporating adaptive feature selection or attention mechanisms into the model to enhance the practicality of intrusion detection technology.

Author Contributions

Conceptualization, P.H.; Methodology: Y.S. and P.X.; Software Implementation: D.L. and P.H.; Validation: J.L.; Formal Analysis: D.L.; Research Investigation: X.B.; Resource Acquisition: Y.S.; Data Organization: J.L. and Y.S.; Drafting of the Manuscript: D.L.; Review and Editing of the Manuscript: X.B. and P.X.; Visual Presentation: P.H.; Project Supervision: Y.S.; Project Management: P.X.; Funding Acquisition: Y.S. All authors have read and agreed to the published version of the manuscript.

Funding

This work was funded by the Liaoning Provincial Major Science and Technology Program Project “Research and Development, Testing, and Operational Platform for Industrial Internet Applications,” specifically the task “Research and Development of Key Technologies for Configurable Service Gateway.”

Data Availability Statement

The original contributions presented in the study are included in the article; further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Liu, Q.X.; Xiao, J.X.; Tan, Y.K.; Wang, C.C.; Huang, H.; Zhang, F.J.; Yin, J. A Survey of Industrial Internet Traffic Analysis Technologies. J. Commun. 2024, 45, 221–237.
  2. Lu, J.Y. Research on a Security-OT Convergence Evaluation Model for Industrial Control Systems; Guangzhou University: Guangzhou, China, 2024. (In Chinese)
  3. Zhao, Z.Q. Sino-Chain Intrusion Detection System Based on RF-RBGA Deep Learning; Dalian Jiaotong University: Dalian, China, 2025. (In Chinese)
  4. Jian, S.J.; Lu, Z.G.; Du, D.; Jiang, B.; Liu, B.X. A Survey of Network Intrusion Detection Technologies. Chin. J. Inf. Secur. 2020, 5, 96–122.
  5. Pandeeswari, N.; Kumar, G. Anomaly Detection System in Cloud Environment Using Fuzzy Clustering Based ANN. Mob. Netw. Appl. 2016, 21, 494–505.
  6. Masdari, M.; Khezri, H. Towards fuzzy anomaly detection-based security: A comprehensive review. Fuzzy Optim. Decis. Mak. 2021, 20, 1–49.
  7. Lansky, J.; Ali, S.; Mohammadi, M.; Majeed, M.K.; Karim, S.H.T.; Rashidi, S.; Hosseinzadeh, M.; Rahmani, A.M. Deep Learning-Based Intrusion Detection Systems: A Systematic Review. IEEE Access 2021, 9, 101574–101599.
  8. Halimaa, A.; Sundarakantham, K. Machine Learning Based Intrusion Detection System. In Proceedings of the Third International Conference on Trends in Electronics and Informatics (ICOEI 2019), Tirunelveli, India, 23–25 April 2019; pp. 916–920.
  9. Aburomman, A.A.; Reaz, M.B.I. A novel SVM-kNN-PSO ensemble method for intrusion detection system. Appl. Soft Comput. 2016, 38, 360–372.
  10. Zheng, X.Q. Research on Network Intrusion Detection Based on Improved Particle Swarm Optimization and SVM; Xidian University: Xi’an, China, 2023. (In Chinese)
  11. Zhang, Z.F.; Wang, L.M. Research on Machine Learning-Based Network Intrusion Detection Algorithms. Comput. Appl. Softw. 2022, 39, 336–343. (In Chinese)
  12. Iyer, K.I. From Signatures to Behavior: Evolving Strategies for Next-Generation Intrusion Detection. Eur. J. Adv. Eng. Technol. 2021, 8, 165–171.
  13. Belouch, M.; El Hadaj, S.; Idhammad, M. Performance evaluation of intrusion detection based on machine learning using Apache Spark. Procedia Comput. Sci. 2018, 127, 1–6.
  14. Mohammed, A.A.A. Improving Intrusion Detection Systems by Using Deep Learning Methods on Time Series Data. Eng. Technol. Appl. Sci. Res. 2025, 15, 19267–19272.
  15. Hochreiter, S.; Schmidhuber, J. Long short-term memory. Neural Comput. 1997, 9, 1735–1780.
  16. Yu, Y.; Si, X.; Hu, C.; Zhang, J. A Review of Recurrent Neural Networks: LSTM Cells and Network Architectures. Neural Comput. 2019, 31, 1235–1270.
  17. Kandadi, T.; Shankarlingam, G. Drawbacks of lstm algorithm: A Case Study. SSRN 2025.
  18. Cho, K.; van Merriënboer, B.; Gulcehre, C.; Bahdanau, D.; Bougares, F.; Schwenk, H.; Bengio, Y. Learning Phrase Representations using RNN Encoder-Decoder for Statistical Machine Translation. arXiv 2014, arXiv:1406.1078.
  19. Gueriani, A.; Kheddar, H.; Mazari, A.C. Adaptive Cyber-Attack Detection in IIoT Using Attention-Based LSTM-CNN Models. In Proceedings of the 2024 International Conference on Telecommunications and Intelligent Systems (ICTIS), Djelfa, Algeria, 2–4 November 2024; pp. 1–6.
  20. Manocchio, L.D.; Layeghy, S.; Lo, W.W.; Kulatilleke, G.K.; Sarhan, M.; Portmann, M. Flow Transformer: A transformer framework for flow-based network intrusion detection systems. Expert Syst. Appl. 2024, 241, 122564.
  21. Ullah, F.; Ullah, S.; Srivastava, G.; Lin, J.C.-W. IDS-INT: Intrusion detection system using transformer-based transfer learning for imbalanced network traffic. Digit. Commun. Netw. 2024, 10, 190–204.
  22. Scarselli, F.; Gori, M.; Tsoi, A.C.; Hagenbuchner, M.; Monfardini, G. The Graph Neural Network Model. IEEE Trans. Neural Netw. 2009, 20, 61–80.
  23. Lo, W.W.; Layeghy, S.; Sarhan, M.; Gallagher, M.; Portmann, M. E-GraphSAGE: A Graph Neural Network based Intrusion Detection System for IoT. In Proceedings of the 2022 IEEE/IFIP Network Operations and Management Symposium (NOMS), Budapest, Hungary, 25–29 April 2022; pp. 1–9.
  24. Xiao, Y.; Xing, C.; Zhang, T.; Zhao, Z. An Intrusion Detection Model Based on Feature Reduction and Convolutional Neural Networks. IEEE Access 2019, 7, 42210–42219.
  25. Arsalan, M.; Mubeen, M.; Bilal, M.; Abbasi, S.F. 1D-CNN-IDS: 1D CNN-based Intrusion Detection System for IIoT. In Proceedings of the 2024 29th International Conference on Automation and Computing (ICAC), Sunderland, UK, 28–30 August 2024; pp. 1–4.
  26. Benias, N.; Markopoulos, A.P. A review on the readiness level and cyber-security challenges in Industry 4.0. In Proceedings of the 2017 South Eastern European Design Automation, Computer Engineering, Computer Networks and Social Media Conference (SEEDA-CECNSM), Kastoria, Greece, 23–24 September 2017; pp. 1–5.
  27. Sharafaldin, I.; Lashkari, A.H.; Ghorbani, A.A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. In Proceedings of the 4th International Conference on Information Systems Security and Privacy, Funchal, Portugal, 22–24 January 2018; pp. 108–116.
  28. Kurniabudi; Stiawan, D.; Darmawijoyo; Idris, M.Y.B.; Bamhdi, A.M.; Budiarto, R. CICIDS-2017 Dataset Feature Analysis With Information Gain for Anomaly Detection. IEEE Access 2020, 8, 132911–132921.
  29. Moustafa, N.; Slay, J. UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In Proceedings of the 2015 Military Communications and Information Systems Conference (MilCIS), Canberra, Australia, 10–12 November 2015; pp. 1–6.
  30. Moustafa, N.; Slay, J. The evaluation of Network Anomaly Detection Systems: Statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set. Inf. Secur. J. A Glob. Perspect. 2016, 25, 18–31.
  31. Xu, L.Q. Research on Transformer-Based Multimodal Network Intrusion Detection Method; Anhui University of Science and Technology: Huainan, China, 2025. (In Chinese)
  32. Azizjon, M.; Jumabek, A.; Kim, W. 1D CNN based network intrusion detection with normalization on imbalanced data. In Proceedings of the 2020 International Conference Artificial Intelligence in Information and Communication (ICAIIC), Fukuoka, Japan, 19–21 February 2020; pp. 218–224.
  33. Kim, A.; Jung, I. Optimal selection of resampling methods for imbalanced data with high complexity. PLoS ONE 2023, 18, e0288540.
  34. Lu, Z.E. Research and Implementation of Anomalous Traffic Intrusion Detection Technology Based on Autoencoder and Deep Learning; Beijing University of Posts and Telecommunications: Beijing, China, 2024. (In Chinese)
  35. Mohammadpour, L.; Ling, T.C.; Liew, C.S.; Aryanfar, A. A Survey of CNN-Based Network Intrusion Detection. Appl. Sci. 2022, 12, 8162.
  36. Naseer, S.; Saleem, Y.; Khalid, S.; Bashir, M.K.; Han, J.; Iqbal, M.M.; Han, K. Enhanced Network Anomaly Detection Based on Deep Neural Networks. IEEE Access 2018, 6, 48231–48246.
  37. Imrana, Y.; Xiang, Y.; Ali, L.; Abdul-Rauf, Z. A bidirectional LSTM deep learning approach for intrusion detection. Expert Syst. Appl. 2021, 185, 115524.
  38. Qazi, E.U.H.; Almorjan, A.; Zia, T. A One-Dimensional Convolutional Neural Network (1D-CNN) Based Deep Learning System for Network Intrusion Detection. Appl. Sci. 2022, 12, 7986.
  39. Siami-Namini, S.; Tavakoli, N.; Namin, A.S. The Performance of LSTM and BiLSTM in Forecasting Time Series. In Proceedings of the 2019 IEEE International Conference on Big Data (Big Data), Los Angeles, CA, USA, 9–12 December 2019; pp. 3285–3292.
Figure 1. 1D-CNN Network Architecture.
Figure 2. One-Dimensional Convolution Process.
Figure 3. LSTM Network Architecture.
Figure 4. BiLSTM Network Architecture.
Figure 5. CBiNet Model Architecture.
Figure 6. Confusion Matrix for Binary Classification Experiments (a) CICIDS2017 (b) UNSW-NB15.
Figure 7. CICIDS2017 Multi-Class Confusion Matrix.
Figure 8. Performance of Different Models Based on CICIDS2017.
Table 1. CICIDS2017 Dataset Label Distribution.

| Label | Count | Percentage |
|---|---|---|
| Total | 2,830,540 | 100.00000% |
| Benign | 2,359,087 | 83.34406% |
| DoS Hulk | 231,072 | 8.16353% |
| PortScan | 158,930 | 5.61483% |
| DDoS | 41,835 | 1.47799% |
| DoS GoldenEye | 10,293 | 0.36364% |
| FTP-Patator | 7938 | 0.28044% |
| SSH-Patator | 5897 | 0.20833% |
| DoS slowloris | 5796 | 0.20477% |
| DoS Slowhttptest | 5499 | 0.19427% |
| Bot | 1966 | 0.06946% |
| Web Attack Brute Force | 1507 | 0.05324% |
| Web Attack XSS | 652 | 0.02303% |
| Infiltration | 36 | 0.00127% |
| Web Attack Sql Injection | 21 | 0.00074% |
| Heartbleed | 11 | 0.00039% |

Table 2. UNSW-NB15 Dataset Label Distribution.

| Label | Count | Percentage |
|---|---|---|
| Total | 2,540,044 | 100.00000% |
| Normal | 2,218,761 | 87.35128% |
| Analysis | 2677 | 0.10539% |
| Backdoors | 2329 | 0.09169% |
| DoS | 16,353 | 0.64381% |
| Exploits | 44,525 | 1.75292% |
| Fuzzers | 24,246 | 0.95455% |
| Generic | 215,481 | 8.48336% |
| Reconnaissance | 13,987 | 0.55066% |
| Shellcode | 1511 | 0.05949% |
| Worms | 174 | 0.00685% |

Table 3. Hyperparameter Settings.

| Parameters | Values |
|---|---|
| epochs | 100 |
| batch size | 128 |
| lr0 | 0.001 |
| Dropout | 0.3 |
| optimizer | Adam |

Table 4. CBiNet Binary Classification Experimental Results.

| Dataset | P% | ACC% | FAR% | DR% | F1-Score% |
|---|---|---|---|---|---|
| CICIDS2017 | 93.63 | 98.49 | 1.73 | 99.36 | 96.41 |
| UNSW-NB15 | 93.79 | 93.44 | 6.16 | 93.03 | 93.83 |

Table 5. CBiNet Multi-Classification Experimental Results.

| Dataset | OA% | Macro-P% | Weighted-P% | Macro-F1% | Weighted-F1% |
|---|---|---|---|---|---|
| CICIDS2017 | 91.82 | 68.40 | 95.70 | 72.20 | 93.10 |
| UNSW-NB15 | 95.29 | 81.20 | 90.60 | 82.32 | 93.14 |

Table 6. CICIDS2017 Multi-Classification Results.

| Label | ACC% | FAR% | DR | F1-Score |
|---|---|---|---|---|
| Benign | 91.13 | 1.10 | 0.90 | 0.95 |
| FTP-Patator | 99.74 | 0.20 | 0.99 | 0.70 |
| Web Attack Sql Injection | 99.64 | 0.30 | 0.63 | 0.39 |
| Bot | 99.85 | 0.14 | 0.99 | 0.71 |
| PortScan | 98.63 | 1.25 | 0.99 | 0.90 |
| DDoS | 98.68 | 1.35 | 1.00 | 0.87 |
| Infiltration | 99.80 | 0.18 | 0.97 | 0.65 |
| SSH-Patator | 99.60 | 0.40 | 0.99 | 0.52 |
| DoS Hulk | 98.53 | 1.45 | 1.00 | 0.92 |
| DoS GoldenEye | 99.82 | 0.25 | 0.98 | 0.81 |
| DoS slowloris | 99.91 | 0.05 | 1.00 | 0.83 |
| DoS Slowhttptest | 99.80 | 0.15 | 0.98 | 0.68 |
| Heartbleed | 99.99 | 0.01 | 1.00 | 0.98 |
| Web Attack Brute Force | 99.92 | 0.04 | 0.81 | 0.78 |
| Web Attack XSS | 99.19 | 0.70 | 0.98 | 0.34 |

Table 7. UNSW-NB15 Multi-Classification Results.

| Label | ACC% | FAR% | DR% | F1-Score |
|---|---|---|---|---|
| Normal | 95.20 | 4.10 | 94.50 | 0.93 |
| Analysis | 97.30 | 0.09 | 72.80 | 0.68 |
| Backdoor | 97.60 | 0.12 | 75.40 | 0.71 |
| DoS | 90.10 | 3.20 | 83.50 | 0.82 |
| Exploits | 88.60 | 11.30 | 87.40 | 0.85 |
| Fuzzers | 93.70 | 2.10 | 79.60 | 0.81 |
| Generic | 98.10 | 1.80 | 98.60 | 0.99 |
| Reconnaissance | 95.80 | 1.92 | 90.40 | 0.91 |
| Shellcode | 94.30 | 0.18 | 77.20 | 0.79 |
| Worms | 93.40 | 0.26 | 70.80 | 0.74 |

Table 8. Cross-Dataset Validation Results.

| Source Dataset | Target Dataset | ACC% | FAR% | DR | F1-Score |
|---|---|---|---|---|---|
| CICIDS2017 | UNSW-NB15 | 64.39 | 5.41 | 0.49 | 0.56 |
| UNSW-NB15 | CICIDS2017 | 68.10 | 6.24 | 0.45 | 0.60 |

Table 9. CBiNet Performance Comparison Results.

| Algorithm | ACC% | FAR% | DR% | F1-Score% | FLOPs (G) |
|---|---|---|---|---|---|
| Transformer | 97.10 | 0.95 | 97.85 | 97.47 | 4.50 |
| RF | 98.00 | 2.10 | 87.10 | 52.00 | - |
| NB | 64.16 | 39.78 | 63.25 | 74.20 | - |
| DNN | 95.87 | 4.25 | 94.62 | 90.13 | 0.005 |
| CBiNet | 98.49 | 1.73 | 99.36 | 96.41 | 1.15 |

Table 10. CBiNet Ablation Experiment Results.

| Module | ACC% | FAR% | DR% | F1-Score% |
|---|---|---|---|---|
| 1D-CNN | 96.80 | 2.14 | 87.10 | 91.40 |
| BiLSTM | 87.50 | 1.51 | 87.60 | 93.30 |
| CNN-LSTM | 97.85 | 1.95 | 95.20 | 94.85 |
| CBiNet | 98.49 | 1.73 | 99.36 | 96.41 |


Li, D.; He, P.; Li, J.; Xu, P.; Song, Y.; Bai, X. A Hybrid Deep Learning Model Based on Spatio-Temporal Feature Mining for Traffic Analysis in Industrial Internet Gateway. Symmetry 2026, 18, 245. https://doi.org/10.3390/sym18020245
