A One-Dimensional Convolutional Neural Network (1D-CNN) Based Deep Learning System for Network Intrusion Detection

Abstract

The connectivity of devices through the internet plays a remarkable role in our daily lives. Many network-based applications are utilized in different domains, e.g., health care, smart environments, and businesses. These applications offer a wide range of services and provide services to large groups. Therefore, the safety of network-based applications has always been an area of research interest for academia and industry alike. The evolution of deep learning has enabled us to explore new areas of research. Hackers make use of the vulnerabilities in networks and attempt to gain access to confidential systems and information. This information and access to systems can be very harmful and portray losses beyond comprehension. Therefore, detection of these network intrusions is of the utmost importance. Deep learning based techniques require minimal inputs while exploring every possible feature set in the network. Thus, in this paper, we present a one-dimensional convolutional neural network-based deep learning architecture for the detection of network intrusions. In this research, we detect four different types of network intrusions, i.e., DoS Hulk, DDoS, and DoS Goldeneye which belong to the active attack category, and PortScan, which falls in the passive attack category. For this purpose, we used the benchmark CICIDS2017 dataset for conducting the experiments and achieved an accuracy of 98.96% as demonstrated in the experimental results.

1. Introduction

In recent years many organizations have been increasingly exposed to advanced cyber threats which led to the development of the novel intrusion detection system (IDS). The invention of IDSs affects deals with both the academic community and the industry globally since it affects economic costs, damages to reputation, and legal sequences, by every cyber-attack. It is therefore of considerable importance for networks to be secured from unauthorized access, for user interaction and user data to be protected [1], and to disclose new security vulnerabilities.

An efficient security strengthening tool for detecting and protecting cyber assaults on any network or host is the IDS. IDSs are accountable for the detection of suspicious behaviors and the adequate protection of the network against attacks and the reduction in losses such as financial and functional [2].

IDSs can be classified in the literature as an anomaly [3], signature [4], or as a hybrid mix [5] of the two. Intrusion detection systems based on the signature (SIDS), which is also known as Rule IDS, conduct continuous network traffic monitoring and searches for inbound network traffic sequences or patterns that meet the signature of the attack. The signature of the attack can be recognized based on the headers of the network packets, destination addresses or the source network, data sequences corresponding to the known malware pattern, data sequences, or packet series known for a particular assault. They work with great efficiency in the identification of potential known incursions by maintaining low failure rates. Unfortunately, a database of the system must be manually updated by the admin, and SIDS can identify only those intrusions that exist in the system’s database, excluding fresh attack detection.

Anomaly-based intrusion detection systems (AIDS), or behavioral detection systems, examine the usual behavior of networks by monitoring the network deeply to detect suspicious activity. To identify new forms of intrusions, AIDS can learn using anomaly detecting algorithms or train itself with reinforcement learning algorithms. Anomaly-based systems demonstrate a substantial difference in the identification of new threats compared to signature-based ones. In addition, it is difficult for the intruders to determine which intrusion actions would not be identified to adapt the configuration profile of each system [6].

Recently, Machine Learning (ML) based AIDS enhancement (MLAIDS) algorithms have been developed [7]. These algorithms assess the network status via classification in normal or abnormal classes of the processed data. These algorithms train and test AIDS for assaults and accuracy to assess AIDS’ capabilities with various datasets. However, the majority of these datasets are severely unbalanced. The majority (98%) of these datasets are considered to be normal, while the remainder (2%) are classified as attacks [8].

A hybrid Intrusion Detection System (HIDS) can combine the benefits of both anomalies as well as signature systems and enhance the detection and erosion of known intrusion threats. Most recent hybrid IDSs are built on deep learning techniques and machines. Because of AIDS benefits in the zero-day assaults field, the newly proposed model also develops a deeply learned anomaly-based intrusion detection system.

1.1. Feature-Based Classification

IDSs employ traffic packets in network flows, by source/destination IP, source/destination port, timestamp, and protocol [9] to function correctly and identify an anomalous activity effectively [10]. In another research study [11], the authors mentioned the full-flux exchange of successive network packets between an IP address port and a port at a different IP address using a specific application protocol is a unidirectional exchange of packets. For efficient flow management, machine learning operations, and processing traffic classification is therefore necessary.

Flow technique is a recent development that can overcome various additional restrictions, such as unsaved port numbers, and encrypted packets. In the flow-based method, flow features are used as discriminators to exploit the variety of network packets and various classes [12]. In addition, due to the lack of payload, flow-based methods are preferable rather than payload methods for data protection problems. A flow-based classification of traffic uses high precision, accuracy approaches, and a vast study field.

1.2. Machine and Deep Learning Using IDS

IDSs play a significant role in cybersecurity as they monitor the network to protect it from cyber threats. Following are a few frequently used methods in the research conducted: Support Vector Machines (SVM), Random Forests (RF), Artificial Neural Networks (ANN), Self-Organizing Map (SOM), etc.

An up-to-date and elaborated dataset including numerous features and criteria was essentially required by the researchers. They were required during experiments, evaluation, and model testing on the given modern networks [13,14]. Not all datasets provided in the experiments deliver all the features provided in the literature. So thus only a few well-known datasets are referred to.

Network attacks have become common nowadays due to which datasets are continuously evaluated. The KDD 99 [15], CAIDA [16], ISCX2012 [17], and KYOTO [18] are a few datasets that were frequently used as they represented real-world network traffic. Despite their use, they are now outdated. Currently, the CICIDS2017 dataset is widely used. It is commonly used in the field of research. One of the main reasons for its popularity is that it was introduced to overcome the problems noticed in previous datasets [9] apart from this advantage it also holds numerous traffic types, furthermore, it also contains real-world network traffic. Although CICIDS2017 is an appropriate dataset there is a major issue that needs to be resolved. The consequences of this issue leads to high-class imbalance which directly misleads the classifier [13]. Although a new dataset named CIS AWS 2018 [19] has appeared, which is quite similar to CICIDS2017, its previous version is not reported yet. In this research we detect two different attacks; active and passive where DoS Hulk, DoS GoldenEye, and DDoS belong to the active attacks while PortScan belongs to the passive attacks. A detailed description of the attacks and their types has been given in

Table 1. Types of Attack.

Attacks	Types	Description
Active	Dos Hulk	Attacks web servers by generating unique traffic.
	Dos GoldenEye	GoldenEye attempts to target the web servers’ resources by continuously requesting URLs from multiple attacking machines.
	DDoS	A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic to a web property.
Passive	PortScan	Scans the less secure and free port for attacks.

.

In this study, our objective is to develop an anomalous network intrusion system based on flow-based statistics, using the CICIDS2017 dataset which detects and classifies every form of assault in a multi-categorization utilizing a high degree of accuracy. Deep learning approaches in the field of machine learning were used to accomplish flow categorization. Great success has been noted with the use of deep learning. In this research we used one dimensional convolutional neural networks (1D CNN), which works quite well on textual data in order to identify network intrusions and classify various types of threats. To identify network traffic, we created an enhanced deep neural network model based on 1D CNN. As a result, this study proposes a flow-based anomaly detection system based on deep learning. Furthermore, the main contributions are described below:

• Proposed an efficient complete system for NIDS using deep learning-based approach.
• Presented a comprehensive analysis of existing techniques based on machine learning and state-of-the-art deep learning.
• In-depth analysis of the CICIDS2017 dataset.
• Presented a detailed comparison with existing Network Intrusion Detection Systems
• Proposed one-dimensional convolution neural network-based multi-class classification technique.

The structure of this paper is organized as follows. Section 2 analyzes most of the related work of network intrusion systems utilizing deep learning and machine learning models. Section 3 discusses the dataset and its pre-processing method. Section 4 presents our proposed work utilizing deep learning techniques for network intrusion detection. The outcomes and discussion for our model are discussed in Section 5. Finally, Section 6 summarizes the findings and provides a few recommendations for future research.

2. Related Work

Machine learning is taking over the current era and is transforming the current era into a revolutionary practical world where intelligent machines complete tasks that were performed by humans in the past. Network Intrusion detection is a type of anomaly detection mechanism used to classify network anomalies. In the field of information security, network intrusion detection has become the most essential component of the infrastructure of defensive networking systems. Different machine learning techniques or approaches in NIDS are used to identify and discriminate between normal traffic, network attack, and abnormalities. K-nearest neighbor (K-NN) [1], Decision trees [2], Nave Bayes networks [3], artificial neural network (ANN) [4] and SOM [5], SVM [6], and are among these techniques where most of the researchers are using various IDS dataset, for the training and evaluation.

Siddiqui et al. [13] used the NSL-KDD dataset to investigate intrusion detection (ID), and its attributes are classified as basic, content, traffic, and host. These classifications evaluate ID based on False Alarm Rate (FAR) and Detection rate (DA) [14]. The results show that 81.2% and 72.9% of the threats were detected properly. Revolutionary energy architecture based on blockchain and deep learning for protecting the smart grid from cyber assaults named DeepCoin is presented by Ferrag et al. [16]. With deep learning being used in the block-based network, they employed the realistic Byzantine fault tolerance method recurrent neural network model (RNN). For the assessment and performance testing of their model, three distinct datasets are used: CICIDS2017, a dataset on power systems, and a dataset on web robots (Bots) the Internet of Things.

Zhang et al. [9] proposed a neural network-based anomaly detection model with the LeNet 5 convolution neural network and LSTM for feature removal. The studies were carried out utilizing binary and multi-classification using CICIDS2017 and CTU datasets. CNN, LSTM, and the hybrid combinations were performed, which resulted in improved performance in both binary and multi-classification tests. A distributed intrusion detection system for cloud settings is proposed by Idhammad et al. [20]. Firstly, the Naive Bayes Model is used to detect the anomaly and to preprocess data, and then a Random Forest classifier to determine the nature of each attack for multi-classification is used. Experiments were performed using parameters such as false-positive rate (FPR) and accuracy utilizing the CICDDS-001 dataset.

Radford et al. [21] proposed an LSTM-based deep learning model for anomaly detection sequence. To put the proposed model into operation, the authors used embedded sequences through which two bidirectional LSTM models have been passed. For evaluating the model CICIDS2017 dataset was used. The tests have been carried out using CICIDS2017 and the findings are aimed at multi-classification.

Islam et al. [22] proposed a framework based on deep learning for the identification of anomalous network traffic in the TCP/IP packets used to construct the network traffic configuration. The authors compared the performance of four different Artificial Neural Network (ANN) models using the publicly available NSLKDD network intrusion dataset. An overall accuracy of 96.74% was achieved using a particular configuration of parameters of the ANN model. Furthermore, the authors also claim that the proposed model can be effective for particularly smart factories management systems.

Hanif et al. [23] recently tried to put together an intrusion detection system for IoT devices; particularly for solving the authentication issues within IoT devices. The authors proposed the use of a supervised learning algorithm in order to detect the intrusion attacks and discard commands classified as threats at the controller level. Furthermore, ANN was used for the identification of intrusions and the UNSW-15 dataset was used for training the model. An average precision of 84% was reported while undergoing 10-fold cross validation.

Peng et al. [24] evaluated deep learning-based systems in adversarial environments for network intrusion detection. The authors aimed to analyze the resilience of Network Intrusion Detection (NID) systems based on deep learning in an adversarial environment by proposing four frameworks; Deep Neural Networks (DNN), Support Vector Machine (SVM), Random Forest (RF) and Logistic Regression (LR) using the NSL-KDD dataset. The experimental results proved that the DNN based model is more effective in detecting network intrusions.

Also, an intrusion detection method based on artificial neural networks (ANN) and fuzzy clustering were presented by Wang et al. [25]. The FC-ANN method consists of three major modules: fuzzy clustering, ANN, and fuzzy aggregation. The fluffy module for clustering divides a given collection of data into clusters. Every subset’s pattern is learned using the ANN module. The fuzzy aggregation module is used to combine the results of various ANNs and decrease detection errors. The FC-ANN method was evaluated on the KDD CUP 1999 dataset and shown to be effective against low-frequency assaults such as R2L and U2R.

A CNN based novel network intrusion detection system is presented by L. Chen et al. [26] to address the issue of malicious network traffic identification. The authors proposed a novel CNN based system for NIDS and trained their deep learning-based CNN model using raw network traffic and extracted features as well. The CICIDS 2017 dataset was used to train the model. Furthermore, the authors claim that the model trained on raw network traffic performs better when compared with the CNN model trained on the previously extracted features.

Ran et al. [27] present an ensemble-based technique for the detection of network anomalies in an intrusion detection system. This technique uses an ensemble of learning and prediction mechanisms for the multi-class classification of anomalies. Initially, researchers used ANOVA F-test as the univariate feature selection technique for determining the feature performance and the relationship between class labels and data features [28,29]. Furthermore, they used an automated machine learning model as a learning mechanism and a Kalman filter as a prediction model. They used a Bayesian optimizer as an optimization function for neural network architecture search (NAS) that selects architecture from a set of architectures list that maximizes the accuracy. This ensemble method uses a weighted voting mechanism that weights the prediction of both algorithms based on average prediction accuracy. They evaluated the performance of the proposed technique on publicly available CICIDS2017 and UNSW-NB15 datasets and achieved an accuracy of 97.02 and 98.801%, respectively.

Azizjon et al. [30] proposed a 1 Dimensional Convolution Neural Network (1D CNN) for the detection of network intrusions. In order to create an invasive Internet traffic model for the IDS, the authors serialize Transmission Control Protocol/Internet Protocol (TCP/IP) packets over a set time period. Normal and abnormal network traffic are then identified and tagged for supervised learning in the 1D-CNN.

Vinayakumar et al. [31] used a CNN algorithm built on deep learning for IDS. They created the CNN-RNN, CNN-LSTM, and CNN-GRU hybrid network models and tested them on the KDDCup 99 dataset. Their hybrid CNN-LSTM model achieves 99.7% accuracy in two-class classification and 98.7% accuracy in five-class classification.

Our literature review concluded that there is a dire need to develop a new system for network intrusion detection based on sophisticated methods such as DL. Despite some of the existing techniques achieving high accuracy, there are still some weaknesses in the detection systems, such as average or inconsistent levels of accuracy, long training period, non-existence of automatic systems, and dependence upon human operators and modified datasets. These weaknesses create the vacuum to develop new state-of-the-art systems to fill this gap. This field is preliminary, where most researchers try to experiment with different algorithms and methods to establish the most reliable and successful method for a particular dataset. We also assume that our work presented in this study would add a significant contribution to NIDS based on the DL approach.

3. Preprocessing and Data Analysis

3.1. CICIDS2017 Dataset Description and Analysis

The work conducted in the research is based on a benchmark intrusion dataset known as CICIDS-2017; this is because it holds various features and also fulfills the majority of the criteria. The dataset used is beneficial as it manages the majority of network real-world network attacks. Moreover, it contains most data network attacks. The dataset used in the research was developed by the University of New Brunswick (UNB) incorporated with the Canadian Institute of cybersecurity.

The dataset holds both normal and abnormal network traffics, where benign is normal and different categories of attacks are abnormal network traffic which is attained by capturing the data of 5 consecutive days. The acquired data was divided into 8 different files. In the captured data each day a data attack was found which contradicted the previous attack.

3.2. Data Preprocessing

Data Pre-processing is a technique used in data mining for the transformation of raw data into a format that can be utilized efficiently. It encompasses different techniques for data cleaning, data transformation, and data reduction. Data Cleaning is an essential step in pre-processing that removes the irrelevant and missing information from the dataset that could lead to the incorrect estimation of the target class.

There were a total of 8 different files that were merged into one single file and the entire work presented was relying on this file. The different types of attacks noticed are displayed in

Table 2. Description of CICIDS2017 Dataset.

File Name	Day	Attack Type
Monday-WorkingHours.pcap_ISCX.csv	Monday	Benign (Normal human activities)
WorkingHours.pcap_ISCX.csv	Tuesday	Benign, FTP-Patator, SSH-Patator
Wednesday-workingHours.pcap_ISCX.csv	Wednesday	Benign, DoS GoldenEye, DoS Hulk, DoS Slowhttptest, DoS slowloris, Heartbleed
Thursday-WorkingHours-Morning-WebAttacks.pcap_ ISCX.csv	Thursday	Benign, Web Attack—Brute Force, Web Attack—SQL Injection, Web Attack—XSS
Thursday-WorkingHours-Afternoon-Infilteration.pcap_ ISCX.csv	Thursday	Benign, Infiltration
Friday-WorkingHours-Morning.pcap_ISCX.csv	Friday	Benign, Bot
Friday-WorkingHours-Afternoon-PortScan.pcap_ISCX.csv	Friday	Benign, PortScan
Friday-WorkingHours-Afternoon-DDos.pcap_ISCX.csv	Friday	Benign, DDoS

. In total, they were 2,830,743 examples included in 15 classes as shown in

Table 3. CICIDS2017 Dataset characteristics.

Dataset Name	CICIDS2018
Dataset Type	Multi-class
Year of release	2017
Total number of distinct instances	2,830,540
Number of features	83

. On the other hand, the number of instances per class is presented in

Table 4. Class wise Instances after Preprocessing.

Class	Total Instances
BENIGN	50,000
DoS Hulk	25,000
PortScan	25,000
DDoS	25,000
DoS GoldenEye	10,000

.

Each row in the dataset contained nearly 83 features. The CICI Flow Meter is also responsible for generating bidirectional flow. In this flow, the first packet is accountable for both forward and backward directions. The forward direction is from source to direction whereas the backward direction is from destination to source. Therefore, it can be demonstrated that in total there are 83 statistical features which include both the data from back and reverse directions.

In the research, the subset of the original 83 features was utilized excluding a few features. Some of these excluded features were IPs of the source to destination, timestamp, the ID of flow, etc. As a result, nearly 79 features were left. Out of the remaining features, the last feature, i.e., the 79th feature represents the category of traffic prescribed in the present Bi-flow; this is denoted as the label.

Upon investigation, we identified that the dataset contains 135,000 values that are either missing or contain infinite floating-point values that can’t be processed. So, we removed those data instances from the dataset. The dataset used contains 83 distinct features for the classification of network activity.

Table 5. Dataset Discriminative features.

Features	Variance Ratio
Fwd Header Length	6.05 × 10−1
Fwd IAT Total	3.22 × 10−1
Bwd IAT Total	3.15 × 10−2
Bwd IAT Max	1.34 × 10−2
Fwd IAT Min	1.14 × 10−2
Flow Bytes/s	6.71 × 10−3
Idle Min	4.89 × 10−3
Bwd IAT Min	2.69 × 10−3
Flow IAT Std	7.23 × 10−4
Total Length of Bwd Packets	4.13 × 10−4
Fwd IAT Std	3 × 10−4
Packet Length Variance	2.93 × 10−4
Idle Max	1.81 × 10−4
Flow Duration	8.17 × 10−5
Bwd IAT Std	6.89 × 10−5

shows some of the most discriminative features along with their variance ratios. From Table 3, we can analyze that the dataset is highly imbalanced, and applying the machine learning algorithms to the imbalanced dataset could lead to more bias toward the majority class [32]. So, we removed the classes that are highly imbalanced and utilized the random under-sampling technique to decrease the size of the majority class. Table 4 shows the number of class-wise instances that we are using for this research.

4. Methods

Deep learning is considered one of the latest achievements in machine learning. It helped the researchers to develop the solutions that could only be assumed a decade before because of the unavailability of data management, and data processing resources.

In this research, we use one-dimensional CNN (1D-CNN) for the detection of network intrusion. 1D-CNN is designed specifically to operate in 1-dimensional data. Researchers have proposed different variants of 2D-CNN to develop the solutions for one-dimensional data due to the following reasons:

I.

Forward propagation (FP) and Backward propagation (BP) is considered the major component of the CNN architecture. The computational complexity of 1D-CNN is reduced by a significant factor as compared to 2D-CNN due to the involvement of matrix operations.

II.

Shallow network architectures are easier to understand, train, and implement, and they can learn from the challenging 1D data. Conversely, 2D-CNN with deep architectures might be required to perform the task.

III.

1D-CNN can train to utilize less computational resources for 1D data whereas 2D-CNN requires specialized hardware for this purpose.

1D-CNN consists of 1-dimensional convolution layers, pooling layers, dropout layers, and activation functions for handling the 1-dimensional data. 1D-CNN is configured using the following hyper-parameters: number of CNN layers, neurons in each layer, size of the filter, and subsampling factor of each layer.

The convolution layer is the basic application of the filter to an input. Utilizing the filtering operation repeated times creates a feature map, which indicates the particular attributes related to the data points. Convolution is a linear operation that involved containing the multiplication with inputs with a set of weights. For this case, inputs are multiplied with the single-dimensional array weights, known as the kernel. This operation gives a unique value for each pass and executing this operation results in multiple values, known as a feature map.

Once the feature map is computed, each value is passed to the ReLU activation function. ReLU is a linear activation function that transforms the input as zero if it is negative, otherwise, it outputs the same input. The ReLU activation function allows the model to perform better, learn from the training data faster, and overcomes the vanishing gradient problem. It is demonstrated using Equation (1) as follows:

$$R\left(z\right)=\max \left(0,z\right)$$

(1)

Here, $z$ represents the input being provided to the activation function and $R\left(z\right)$ represents a positive output of the activation function. Convolution layers are often followed by another block of CNN—pooling layers. Internally, the Sub-Sampling technique is being used to reduce the reliance on precise positioning of the feature maps on the model; however, the feature maps should be independent of the positioning of information to avoid the model from overfitting. The computation of the architecture is dependent on the complexity and the number of parameters; pooling layers operate on the feature maps for the generation of the mapped pooled features. The selection of mapped pooled features varies based on the size of pooling filter applied, stride, and type of pooling—max pooling, average pooling. Max pooling sets the value as the maximum value of the feature for each patch whereas average pooling calculates the average value for each patch. Deep learning neural networks may likely overfit the training data, which could reduce the overall performance of the model when evaluated on the unseen data. So, we employed the use of dropout layers. It is a regularization technique that ignores some neurons that are further processing randomly. It sets the inputs to 0 at each step with the frequency of rate during the training phase for preventing the model from overfitting. Active inputs are then scaled up by a certain factor such that the sum of all the inputs remains the same using Equation (2).

$$z=\frac{1}{1-rate}$$

(2)

Hence, this makes the training process noisy by imposing more responsibility on some nodes. It is only used during the training process. However, dropout increases the weight of the network, and scaling is required up to the chosen dropout rate. They are then followed by the dense layers, fully connected with the previous layer, and an activation function for mapping the results to the output.

Proposed Architecture

Deep learning has played a vital role in the detection of network intrusions in the current era. In this paper, we propose a state-of-the-art 1DCNN-based deep learning architecture for the detection of network intrusions. Table 2 presents the intrusion types along with their data samples.

The proposed architecture consists of 5 convolution layers, a dropout layer, pooling layers, and 5 dense layers as presented in Figure 1. The first CNN layer consists of 32 filters with a kernel size of 2 along with ReLU as an activation function. This layer takes the input sample as an input and transforms the sample into a (77, 32) shape vector. It is then followed by another convolution layer consisting of 16 filters with a kernel size of 2. After five consecutive convolution layers, we added a dropout with a 0.5 rate that turns off 50% of the neurons during the training phase to avoid the model from overfitting. The dropout layer is then followed by a max-pooling having a pool size of 2. By using the max-pooling layer, the number of parameters to learn is reduced, hence, it reduces the computational cost of the model. The results are then flattened using a flattening layer that transforms the 3-dimensional vector into a single dimension. Afterward, five dense layers were employed using ReLU and SoftMax activation function for the prediction of a target variable. The summary of the model is presented in

Table 6. Summary of the proposed model.

Layer	Output Shape	Number of Parameters
Conv1d	(77, 32)	96
Conv1d	(76, 16)	1040
Conv1d	(75, 16)	528
Conv1d	(74, 16)	528
Conv1d	(73, 16)	528
dropout	(73, 16)	0
Max pooling	(36, 16)	0
Flatten	576	0
Dense	100	57,700
Dense	75	7575
Dense	50	3800
Dense	25	1275
Dense	5	130

.

5. Experimental Results and Discussion

Deep learning is considered one of the latest achievements in machine learning. It helped the researchers to develop the solutions that could only be assumed a decade before because of the unavailability of data management, and data processing resources.

In this research, we use 1D-CNN for the detection of network intrusion. 1D-CNN is designed specifically to operate in 1-dimensional data. Previously various generic and machine learning-based approaches were used by researchers for the detection of network intrusions. Table 4 shows class wise instances after preprocessing and Table 7 depicts the number of instances used for training and testing. We divided the dataset into two sets, i.e., 75 and 25% for training and testing purposes, respectively. We evaluated the performance of the 1D-CNN classifier using different performance metrics, e.g., accuracy, precision, recall, and F1 score. These metrics are explained in Equations (3)–(6), respectively. The results of the CNN classifier are populated in Table 8.

$$\mathit{Accuracy}=\frac{TP+TN}{\mathit{Total} \mathit{Samples}}$$

(3)

$$\mathit{Precision}=\frac{TP}{TP+FP}$$

(4)

$$\mathit{Recall}=\frac{TP}{TP+FN}$$

(5)

$$F1 \mathit{Score}=\frac{T2\times \mathit{Precision} \times \mathit{Recall}}{\mathit{Precision} + \mathit{Recall}}$$

(6)

where,

• $TP$ represents the number of attacks that are correctly classified as attacks
• $FP$ represents the normal data classified as an attack
• $TN$ represents the normal data classified as normal
• $FN$ represents the attack as normal.

Table 7. Dataset Distribution.

Instances	Value
Training	101,250
Testing	33,750

Table 7. Dataset Distribution.

Instances	Value
Training	101,250
Testing	33,750

Table 8. Model Performance.

	Precision (%)	Recall (%)	F1 Score (%)	Accuracy (%)
Training	99.2	99.5	99.34	99.32
Validation	98.7	99.2	98.94	98.96

Table 8. Model Performance.

	Precision (%)	Recall (%)	F1 Score (%)	Accuracy (%)
Training	99.2	99.5	99.34	99.32
Validation	98.7	99.2	98.94	98.96

The optimal parameters used by our 1D-CNN classifier are presented in

Table 9. 1D-CNN Parameters.

Parameter	Value
Optimizer	Adam
Activation Function	Relu
Dropout	0.5
Epochs	50

. After detailed experimentation, the parameters presented in Table 9 were selected. From Table 8, it is evident that we achieved a training accuracy of 99.32%, a precision of 99.2%, a recall of 99.5% and an F1 score of 99.34% was obtained over 50 epochs. Testing accuracy of 98.96%, the precision of 98.7%, recall of 99.2%, and F1 score of 98.94% were obtained by the proposed 1D-CNN- based methodology. Furthermore, we also present a detailed comparison of our methodology with existing techniques; most of the researchers have used generic machine learning techniques along with a handful of researchers using ANN, deep learning, and CNN as their main architectures. A detailed comparison is presented in

Table 10. Comparison with Existing Approaches.

Reference	Technique	Dataset	Accuracy (%)
[26]	CNN	CICIDS 2017	96.55
[33]	ANN	UNSW-NB15	84
[34]	CNN, LSTM	CICIDS 2017	97.16
[35]	LSTM, CNN, FNN	CICIDS 2017	98
[36]	DNN	CICIDS 2017	96.5
[37]	DCNN	NSLKDD	85.22
[38]	AE and DNN	CICIDS 2017, NSL-KDD	98.92, 98.43
[39]	DL, Feed-Forward back-Propagation Network	CICIDS 2017	98
[40]	DNN-Multi Task Learning	CICIDS 2017, UNSW-NB15	87.50
[41]	RNN BiLSTM	CIC IDS 2017	98.48
[42]	LSTM	CICIDS 2017	96
[43]	RNN and CNN	RedIRIS	96.32
[44]	CNN	NSL-KDD	80.07
[45]	CNN, Federated Learning	CICIDS 2017	98.8, 93
[46]	NN	CICIDS 2017	77
Proposed Method	1D-CNN based DL system	CIC IDS 2017	98.96

which shows the architecture, dataset that is used and the accuracy obtained. Figure 2 presents the overall model performance over 50 epochs. We also report the loss of the model during training and validation in Figure 3.

The artificial neural networks were used for the detection of anomaly-based intrusions by Zhang et al. [33] where they used unsupervised outlier detection along with ANN using the UNSW-NB-15 dataset. The authors achieved an accuracy of 84%. Furthermore, we compare some of the existing approaches for network intrusion detection in various domains using the CICIDS 2017, NSL-KDD, UNSW-NB15 and RedIRIS datasets. We focus on deep learning-based techniques employed to detect network intrusions in different settings [37,43,44,45], presented the use of CNN, and RNN-based methodologies whereas the detailed comparison are presented in Table 10. Most of the researchers detect DDoS attacks while multi class classification is conducted by Sanchit et al. [42] using RNN-LSTM algorithm which was tested on the CICIDS 2017 dataset, whereas Sivamohan et al. [41] used Bi-directional LSTM on the CICIDS 2017 dataset for intrusion detection. Federated learning and CNN-LSTM based methodologies were also adopted for the detection of network intrusions [34,45].

6. Conclusions and Future Work

In this study, we present a One-Dimensional Convolution Neural Network (1D-CNN) based methodology for the detection of normal and four different types of malicious network traffic. While undergoing data analysis at the preprocessing stage, we were able to determine four different types of most common network intrusions, namely: DoS Hulk, DDoS, and DoS GoldenEye belonging to the active attack types, and PortScan which belongs to the passive attacks. We were also able to detect features with missing data and inconsistencies in the data. To overcome the class imbalance problem, we applied under sampling on the dataset.

We made use of the state-of-the-art deep learning methodologies by employing a 1D-CNN based architecture and achieved very promising results while performing multi-class classification. The proposed model architecture is simple and less computationally expensive. We achieved an overall accuracy of 98.96% with this approach.

In future work, we aim to perform further analysis on the reduction in input features using various techniques such as Principal Component Analysis (PCA), Independent Component Analysis (ICA), Autoencoders, etc. We also plan to retrain our model to detect even more types of network attacks. Lastly, we also consider the use of RNN, LSTM, and GRU-based architectures in future research.