AE-DTNN: Autoencoder–Dense–Transformer Neural Network Model for Efficient Anomaly-Based Intrusion Detection Systems
Abstract
1. Introduction
- Creating a highly sophisticated IDS utilizing the enhanced hybrid AE-DTNN model. The Autoencoder mechanism restructures and enhances network traffic patterns, while a stratified array of Dense layers executes feature extraction. The Transformer network subsequently enables exceptionally accurate and all-encompassing classification.
- A sophisticated data preprocessing pipeline is implemented, beginning with a hybrid outlier detection method using Z-score and local outlier factor (LOF) to identify and address anomalies, followed by feature selection based on correlation and the use of Principal Component Analysis (PCA) for dimensionality reduction. This structured methodology optimizes model inputs, enhancing performance and minimizing processing overhead.
- Employing ADASYN resampling for binary and multi-class classification, integrated with ENN and class weights, to proficiently resolve class imbalance and boost model efficacy.
- Assessment on the NF-BoT-IoT-v2, NSL-KDD, and CSE-CIC-IDS2018 datasets showcases the exceptional performance of the proposed model in comparison to leading-edge methods.
2. Related Work
2.1. Binary Classification
2.2. Multi-Class Classification
2.3. Challenges and Contribution
- Achieving high performance in deep learning-based intrusion detection remains challenging, as models must accurately distinguish among multiple traffic classes, including benign and diverse attack types. The root cause of this difficulty lies in limited model selection, poor optimization, and inadequate preprocessing, which hinder robustness across diverse network conditions.
- Class imbalance is a prevalent issue in many intrusion detection datasets, often characterized by unequal distribution among different traffic classes. This imbalance often leads to inflated false-positive rates and diminished detection efficacy, as the model may struggle to effectively identify and classify rare anomalous or adversarial traffic. The root cause of this limitation is the insufficient use of resampling techniques to balance the dataset, which hampers the model’s ability to learn from minority classes effectively.
- The generalizability and adaptability of these models remain significant challenges, as their performance often declines when faced with variations in network parameters and diverse attack types. The root cause of this limitation is the insufficient testing and validation of models across multiple, diverse datasets, which restricts their ability to effectively generalize and adapt to dynamic, real-world network environments.
- Scalability remains a challenge for deep learning models, especially in large-scale, real-time applications where fast and efficient processing is critical. The root cause is inadequate model optimization for high-volume environments, including extended training times, high inference latency, and substantial memory requirements, which limit their practicality for deployment.
- High performance: A high-performance IDS is developed using the hybrid AE-DTNN model, where the AE restructures network traffic data, Dense layers extract relevant features, and the Transformer network enables accurate classification. The data preprocessing pipeline includes hybrid outlier detection using Z-score and LOF, followed by feature selection based on correlation and PCA for dimensionality reduction, ensuring optimized feature extraction and minimized computational overhead for maximum efficiency.
- Class imbalance: ADASYN resampling is employed for both binary and multi-class classification, combined with ENN and class weights to effectively address class imbalance. This integrated approach enhances model performance by generating synthetic samples for underrepresented classes and refining the decision boundary, resulting in improved classification performance across imbalanced datasets.
- Generalization: The AE-DTNN model achieves robust generalizability by leveraging a hybrid architecture that excels at learning intricate traffic patterns. The Autoencoder’s data reshaping, the Dense layers’ feature extraction, and the Transformer’s classification capabilities enable the model to adapt to varying network conditions and identify novel attack types across diverse datasets, including NF-BoT-IoT-v2, NSL-KDD, and CSE-CIC-IDS2018.
- Scalability: This is a key factor in deploying the AE-DTNN model in real-time IDS environments. In Section 4.8, we assess inference time, training time, and memory usage, with results demonstrating that the model performs efficiently across these metrics. The AE-DTNN model exhibits optimal resource utilization, providing fast inference and reasonable training times, making it highly scalable and suitable for handling large datasets in operational network environments where performance is critical.
- Reducing false-positive and false-negative rates: The AE-DTNN model demonstrates a substantial reduction in both false-positive and false-negative rates, as supported by the confusion matrix analysis presented in Section 5 (Discussion). It effectively distinguishes between benign traffic and diverse categories of malicious activities. This capability highlights the model’s robust classification performance and significantly enhances the accuracy and reliability of intrusion detection. As a result, the AE-DTNN model is well suited for real-world deployment in dynamic and complex network security environments.
3. Methodology
3.1. Dataset Description
3.2. Data Preprocessing
3.2.1. Outlier Removal Using Combined Z-Score and LOF
3.2.2. Feature Selection Based on Correlation
3.2.3. Normalization
3.2.4. Dimensionality Reduction Using PCA
3.2.5. Training and Testing Data Separation
3.2.6. Class Balancing
- ADASYN
- ENN
- Class Weights
3.3. Proposed Model
Autoencoder–Dense–Transformer (AE-DTNN)
- (i) Binary Classification
- (ii) Multi-Class Classification
- (iii) AE-DTNN Hyperparameters
4. Results and Experiments
4.1. Dataset Characteristics and Preprocessing Outline
4.1.1. NF-BoT-IoT-v2 Dataset
4.1.2. NSL-KDD Dataset
4.1.3. CSE-CIC-IDS2018 Dataset
4.2. Configuration Overview of the Compared Models
4.2.1. Convolutional Neural Network (CNN)
4.2.2. Autoencoder (AE)
4.2.3. Deep Neural Network (DNN)
4.2.4. Transformer
Model Hyperparameters
4.3. Experiment’s Establishment
4.4. Evaluation Metrics
4.5. Results
- (i) Binary Classification
- (ii) Multi-Class Classification
4.6. Ablation Study on Component-Wise Enhancements in the AE-DTNN Model
4.7. Ablation Analysis of Preprocessing and Class Imbalance Mitigation Techniques in the Proposed Hybrid AE-DTNN Model
4.8. Inference Time, Training Time, and Memory
- (i) Inference time
- (ii) Training time
- (iii) Memory consumption
5. Discussion
5.1. Binary Classification
5.2. Multi-Class Classification
6. Limitations
- Scalability: The model’s computational requirements may escalate with larger datasets and more intricate network configurations, potentially hindering its efficiency and ability to adapt to extensive, real-world environments.
- Generalization: Although the model demonstrates strong performance on the NF-BoT-IoT-v2, NSL-KDD, and CSE-CIC-IDS2018 datasets, its ability to effectively handle a wider range of network traffic patterns and newly emerging cyber threats is not guaranteed. To ensure its robustness, further evaluation on diverse datasets such as UNSW-NB15, IoT23, CICIDS2017, NF-UNSW-NB15-v2, and NF-ToN-IoT-v2 is essential.
- Data Preprocessing: The model’s success is significantly contingent on the quality of data preprocessing. Accurate handling of missing values, appropriate encoding of categorical data, and effective normalization of numerical features are critical to achieving optimal performance.
- Model Adaptation: Tailoring the model for optimal performance across various datasets necessitates a thorough and iterative process of hyperparameter optimization, ensuring that the model is precisely aligned with the specific characteristics of each new dataset.
7. Conclusions
Author Contributions
Funding
Data Availability Statement
- NF-BoT-IoT-v2: https://staff.itee.uq.edu.au/marius/NIDS_datasets/ (accessed on 21 June 2025)
- NSL-KDD: https://www.unb.ca/cic/datasets/nsl.html (accessed on 21 June 2025)
- CSE-CIC-IDS2018: https://www.unb.ca/cic/datasets/ids-2018.html (accessed on 21 June 2025)
Conflicts of Interest
References
- Heady, R.; Luger, G.; Maccabe, A.; Servilla, M. The Architecture of a Network Level Intrusion Detection System; Technical Report; U.S. Department of Energy: Washington, DC, USA, 1990.
- Mitchell, R.; Chen, R. A survey of intrusion detection in wireless network applications. Comput. Commun. 2014, 42, 1–23.
- Hu, J.; Yu, X.; Qiu, D.; Chen, H.H. A simple and efficient hidden Markov model scheme for host-based anomaly intrusion detection. IEEE Netw. 2009, 23, 42–47.
- Zhang, X.; Xie, J.; Huang, L. Real-Time Intrusion Detection Using Deep Learning Techniques. J. Netw. Comput. Appl. 2020, 140, 45–53.
- Kumar, S.; Kumar, R. A Review of Real-Time Intrusion Detection Systems Using Machine Learning Approaches. Comput. Secur. 2020, 95, 101944.
- Smith, A.; Jones, B.; Taylor, C. Enhancing Network Security with Real-Time Intrusion Detection Systems. Int. J. Inf. Secur. 2021, 21, 123–135.
- Messinis, S.; Temenos, N.; Protonotarios, N.E.; Rallis, I.; Kalogeras, D.; Doulamis, N. Enhancing Internet of Medical Things security with artificial intelligence: A comprehensive review. Comput. Biol. Med. 2024, 170, 108036.
- Dorothy, E. An intrusion-detection model. IEEE Trans. Softw. Eng. 1987, 13, 222–232.
- Tayeh, T.; Aburakhia, S.; Myers, R.; Shami, A. An attention-based ConvLSTM autoencoder with dynamic thresholding for unsupervised anomaly detection in multivariate time series. Mach. Learn. Knowl. Extr. 2022, 4, 350–370.
- Strelcenia, E.; Prakoonwit, S. A survey on gan techniques for data augmentation to address the imbalanced data issues in credit card fraud detection. Mach. Learn. Knowl. Extr. 2023, 5, 304–329.
- Lewandowski, B.; Paffenroth, R. Autoencoder Feature Residuals for Network Intrusion Detection: One-Class Pretraining for Improved Performance. Mach. Learn. Knowl. Extr. 2023, 5, 868–890.
- Bacevicius, M.; Paulauskaite-Taraseviciene, A.; Zokaityte, G.; Kersys, L.; Moleikaityte, A.; Moleikaityte, A. Comparative analysis of perturbation techniques in LIME for intrusion detection enhancement. Mach. Learn. Knowl. Extr. 2025, 7, 1–8.
- Wang, Y.; Li, J.; Zhao, W.; Han, Z.; Zhao, H.; Wang, L.; He, X. N-STGAT: Spatio-temporal graph neural network based network intrusion detection for near-earth remote sensing. Remote Sens. 2023, 15, 3611.
- Xu, R.; Wu, G.; Wang, W.; Gao, X.; He, A.; Zhang, Z. Applying self-supervised learning to network intrusion detection for network flows with graph neural network. Comput. Netw. 2024, 248, 110495.
- Kamal, H.; Mashaly, M. Advanced Hybrid Transformer-CNN Deep Learning Model for Effective Intrusion Detection Systems with Class Imbalance Mitigation Using Resampling Techniques. Future Internet 2024, 16, 481.
- Yaras, S.; Dener, M. IoT-based intrusion detection system using new hybrid deep learning algorithm. Electronics 2024, 13, 1053.
- Abdelkhalek, A.; Mashaly, M. Addressing the class imbalance problem in network intrusion detection systems using data resampling and deep learning. J. Supercomput. 2023, 79, 10611–10644.
- Türk, F. Analysis of intrusion detection systems in UNSW-NB15 and NSL-KDD datasets with machine learning algorithms. Bitlis Eren Üniversitesi Fen Bilim. Dergisi. 2023, 12, 465–477.
- Kamal, H.; Mashaly, M. Enhanced Hybrid Deep Learning Models-Based Anomaly Detection Method for Two-Stage Binary and Multi-Class Classification of Attacks in Intrusion Detection Systems. Algorithms 2025, 18, 69.
- Talukder, M.A.; Islam, M.M.; Uddin, M.A.; Hasan, K.F.; Sharmin, S.; Alyami, S.A.; Moni, M.A. Machine learning-based network intrusion detection for big and imbalanced data using oversampling, stacking feature embedding and feature extraction. J. Big Data 2024, 11, 33.
- Fathima, A.; Khan, A.; Uddin, M.F.; Waris, M.M.; Ahmad, S.; Sanin, C.; Szczerbicki, E. Performance evaluation and comparative analysis of machine learning models on the unsw-nb15 dataset: A contemporary approach to cyber threat detection. Cybern. Syst. 2023, 16, 1–7.
- ElKashlan, M.; Elsayed, M.S.; Jurcut, A.D.; Azer, M. A machine learning-based intrusion detection system for IoT electric vehicle charging stations (EVCSs). Electronics 2023, 12, 1044.
- Kamal, H.; Mashaly, M. Robust Intrusion Detection System Using an Improved Hybrid Deep Learning Model for Binary and Multi-Class Classification in IoT Networks. Technologies (2227-7080) 2025, 13, 102.
- Sarhan, M.; Layeghy, S.; Moustafa, N.; Portmann, M. Cyber threat intelligence sharing scheme based on federated learning for network intrusion detection. J. Netw. Syst. Manag. 2023, 31, 3.
- Abdalgawad, N.; Sajun, A.; Kaddoura, Y.; Zualkernan, I.A.; Aloul, F. Generative deep learning to detect cyberattacks for the IoT-23 dataset. IEEE Access 2021, 10, 6430–6441.
- Arapidis, E.; Temenos, N.; Giagkos, D.; Rallis, I.; Kalogeras, D.; Papadakis, N.; Litke, A.; Messinis, C.; Zeekflow+, S. A Deep LSTM Autoencoder with Integrated Random Forest Classifier for Binary and Multi-class Classification in Network Traffic Data. In Proceedings of the 17th International Conference on PErvasive Technologies Related to Assistive Environments, Crete, Greece, 26–28 June 2024; pp. 613–618.
- Sarhan, M.; Layeghy, S.; Portmann, M. Towards a standard feature set for network intrusion detection system datasets. Mob. Netw. Appl. 2022, 27, 357–370.
- Moustafa, N. Network Intrusion Detection System (NIDS) Datasets [Internet]. University of Queensland: Brisbane, Australia. Available online: https://staff.itee.uq.edu.au/marius/NIDS_datasets (accessed on 21 June 2025).
- Bagui, S.; Li, K. Resampling imbalanced data for network intrusion detection datasets. J. Big Data 2021, 8, 6.
- Elmasry, W.; Akbulut, A.; Zaim, A.H. Empirical study on multiclass classification-based network intrusion detection. Comput. Intell. 2019, 35, 919–954.
- Mbow, M.; Koide, H.; Sakurai, K. Handling class imbalance problem in intrusion detection system based on deep learning. Int. J. Netw. Comput. 2022, 12, 467–492.
- Goodfellow, I.; Bengio, Y.; Courville, A. Deep Learning; MIT Press: Cambridge, MA, USA, 2016.
- Vaswani, A.; Shazeer, N.; Parmar, N.; Uszkoreit, J.; Jones, L.; Gomez, A.N.; Kaiser, Ł.; Polosukhin, I. Attention is all you need. Adv. Neural Inf. Process. Syst. 2017, 30, 5998–6008.
- Ba, J.L.; Kiros, J.R.; Hinton, G.E. Layer normalization. arXiv 2016, arXiv:1607.06450.
- Tavallaee, M.; Bagheri, E.; Lu, W.; Ghorbani, A.A. A detailed analysis of the KDD CUP 99 data set. In Proceedings of the IEEE Symposium on Computational Intelligence for Security and Defense Applications, Ottawa, ON, Canada, 8–10 July 2009; IEEE: New York, NY, USA, 2009; pp. 1–6.
- Dhanabal, L.; Shantharajah, S.P. A study on NSL-KDD dataset for intrusion detection system based on classification algorithms. Int. J. Adv. Res. Comput. Commun. Eng. 2015, 4, 446–452.
- Sharafaldin, I.; Lashkari, A.H.; Ghorbani, A.A. CSE-CIC-IDS2018 Dataset. Fredericton (NB): Canadian Institute for Cybersecurity, University of New Brunswick; 2018. Available online: https://www.unb.ca/cic/datasets/ids-2018.html (accessed on 21 June 2025).
- Songma, S.; Sathuphan, T.; Pamutha, T. Optimizing intrusion detection systems in three phases on the CSE-CIC-IDS-2018 dataset. Computers 2023, 12, 245.
- El-Habil, B.Y.; Abu-Naser, S.S. Global climate prediction using deep learning. J. Theor. Appl. Inf. Technol. 2022, 100, 4824–4838.
- Song, Z.; Ma, J. Deep learning-driven MIMO: Data encoding and processing mechanism. Phys. Commun. 2023, 57, 101976.
- Zhou, X.; Zhao, C.; Sun, J.; Yao, K.; Xu, M. Detection of lead content in oilseed rape leaves and roots based on deep transfer learning and hyperspectral imaging technology. Spectrochim. Acta Part A Mol. Biomol. Spectrosc. 2023, 290, 122288.
- LeCun, Y.; Bottou, L.; Bengio, Y.; Haffner, P. Gradient-based learning applied to document recognition. Proc. IEEE 2002, 86, 2278–2324.
- Kunang, Y.N.; Nurmaini, S.; Stiawan, D.; Zarkasi, A. Automatic features extraction using autoencoder in intrusion detection system. In Proceedings of the International Conference on Electrical Engineering and Computer Science (ICECOS), Pangkal Pinang, Indonesia, 2–4 October 2018; IEEE: New York, NY, USA, 2018; pp. 219–224.
- Gogna, A.; Majumdar, A. Discriminative autoencoder for feature extraction: Application to character recognition. Neural Process. Lett. 2019, 49, 1723–1735.
- Chen, X.; Ma, L.; Yang, X. Stacked denoise autoencoder based feature extraction and classification for hyperspectral images. J. Sens. 2016, 2016, 3632943.
- Michelucci, U. An introduction to autoencoders. arXiv 2022.
- Dosovitskiy, A.; Beyer, L.; Kolesnikov, A.; Weissenborn, D.; Zhai, X.; Unterthiner, T.; Dehghani, M.; Minderer, M.; Heigold, G.; Gelly, S.; et al. An image is worth 16x16 words: Transformers for image recognition at scale. arXiv 2020, arXiv:2010.11929.
- Veeramreddy, J.; Prasad, K. Anomaly-based intrusion detection system. In Anomaly Detection and Complex Network System; Alexandrov, A.A., Ed.; IntechOpen: London, UK, 2019.
- Chen, C.; Song, Y.; Yue, S.; Xu, X.; Zhou, L.; Lv, Q.; Yang, L. Fcnn-se: An intrusion detection model based on a fusion CNN and stacked ensemble. Appl. Sci. 2022, 12, 8601.
- Powers, D.M. Evaluation: From precision, recall and F-measure to ROC, informedness, markedness and correlation. arXiv 2020.
- Kamal, H.; Mashaly, M. Improving Anomaly Detection in IDS with Hybrid Auto Encoder-SVM and Auto Encoder-LSTM Models Using Resampling Methods. In Proceedings of the 6th Novel Intelligent and Leading Emerging Sciences Conference (NILES), Giza, Egypt, 19–21 October 2024; IEEE: New York, NY, USA, 2024; pp. 34–39.
- Assy, A.T.; Mostafa, Y.; Abd El-khaleq, A.; Mashaly, M. Anomaly-based intrusion detection system using one-dimensional convolutional neural network. Procedia Comput. Sci. 2023, 220, 78–85.
- Kamal, H.; Mashaly, M. Hybrid Deep Learning-Based Autoencoder-DNN Model for Intelligent Intrusion Detection System in IoT Networks. In Proceedings of the 15th International Conference on Electrical Engineering (ICEENG), Cairo, Egypt, 12–15 May 2025; IEEE: New York, NY, USA, 2025; pp. 1–6.
- Kamal, H.; Mashaly, M. Combined Dataset System Based on a Hybrid PCA–Transformer Model for Effective Intrusion Detection Systems. AI 2025, 6, 168.
Author | Dataset | Year | Utilized Technique | Accuracy | Contribution | Limitations |
---|---|---|---|---|---|---|
Yalu Wang et al. [13] | NF-BoT-IoT-v2 | 2023 | N-STGAT | 97.88% | This study proposes a Node Condition-augmented N-STGAT to detect network intrusions in remote observation systems. | |
Renjie Xu et al. [14] | NF-BoT-IoT-v2 | 2024 | GNN | 99.64% | This study presents an unsupervised graph neural network for identifying diverse network attacks by distinguishing normal from malicious traffic. | |
Hesham Kamal and Maggie Mashaly [15] | NF-UNSW-NB15-v2 | 2024 | Transformer–CNN | 99.71% | This study proposes a Transformer–CNN model that uses ADASYN, SMOTE, ENN, and class weighting to address class imbalance. | |
Sami Yaras and Murat Dener [16] | ToN-IoT | 2024 | CNN-LSTM | 98.75% | This study developed a CNN-LSTM model using relevant features from CICIoT2023 and TON_IoT datasets, aiming to improve intrusion detection accuracy. | |
Ahmed Abdelkhalek and Maggie Mashaly [17] | NSL-KDD | 2023 | CNN | 93.3% | This work introduces a data-balancing approach using ADASYN and Tomek Links with deep learning models to address class imbalance on the NSL-KDD dataset. | |
Fuat Turk [18] | NSL-KDD | 2023 | LR, KNN, RF, DT, MLP, and LSTM | 97.8% | This study applies diverse ML and DL methods on UNSW-NB15 and NSL-KDD to improve intrusion detection for imbalanced data. | |
Hesham Kamal and Maggie Mashaly [19] | CICIDS2017 | 2025 | Autoencoder–CNN and Transformer–DNN | 99.90% and 99.92% | This study presents Autoencoder–CNN and Transformer–DNN hybrids to improve classification by reshaping traffic data and enhancing accuracy. | |
Hesham Kamal and Maggie Mashaly [15] | CICIDS2017 | 2024 | Transformer–CNN | 99.93% | This study presents a Transformer–CNN hybrid using ADASYN, SMOTE, ENN, and class weights to address class imbalance effectively. | |
Md. Alamin Talukder [20] | UNSW-NB15 | 2024 | RF and ET | 99.59% | A machine learning-based intrusion detector uses random oversampling (RO) to balance data, with stacking and PCA for feature reduction on large imbalanced sets. | |
Afrah Fathima et al. [21] | UNSW-NB15 | 2023 | RF | 99% | This study leverages UNSW-NB15 to improve outdated dataset limitations, using multi-tier models to detect unauthorized access. | |
Mohamed ElKashlan et al. [22] | IoT-23 | 2023 | Filtered classifier | 99.2% | This work presents a machine learning-based classification algorithm for identifying malicious data in IoT environments using realistic traffic data. | |
Hesham Kamal and Maggie Mashaly [23] | IoT-23 | 2025 | CNN–MLP | 99.94% | A CNN-MLP model is introduced for IoT intrusion detection, using refined augmentation (ADASYN, SMOTE, ENN) to manage class imbalance. | |
Author | Dataset | Year | Utilized Technique | Accuracy | Contribution | Limitations |
---|---|---|---|---|---|---|
Yalu Wang et al. [13] | NF-BoT-IoT-v2 | 2023 | N-STGAT | 93% | This study proposes N-STGAT with node states to detect intrusions in near-Earth observation systems. | |
Mohanad Sarhan et al. [24] | NF-BoT-IoT-v2 | 2023 | LSTM | 94.61% | This study introduces a federated learning approach using LSTM on NF-BoT-IoT-v2 to improve IDS performance, achieving 94.61% accuracy. | |
Hesham Kamal and Maggie Mashaly [15] | NF-UNSW-NB15-v2 | 2024 | Transformer–CNN | 99.02% | This study proposes a hybrid Transformer–CNN model using ADASYN, SMOTE, ENN, and class weights to address class imbalance challenges. | |
Ahmed Abdelkhalek and Maggie Mashaly [17] | NSL-KDD | 2023 | CNN | 81.8% | This study combines ADASYN and Tomek Links with deep learning to handle class imbalance and evaluate performance on the NSL-KDD dataset. | |
Fuat Turk [18] | NSL-KDD | 2023 | LR, KNN, RF, DT, MLP, and LSTM | 93.4% | This study uses ML and DL methods on UNSW-NB15 and NSL-KDD to improve intrusion detection in imbalanced data. | |
Hesham Kamal and Maggie Mashaly [19] | CICIDS2017 | 2025 | Autoencoder–CNN and Transformer–DNN | 99.95% and 99.96% | This study introduces Autoencoder–CNN and Transformer–DNN hybrids to enhance classification by balancing data and improving accuracy. | |
Hesham Kamal and Maggie Mashaly [15] | CICIDS2017 | 2024 | Transformer–CNN | 99.13% | This study presents a Transformer–CNN hybrid that uses ADASYN, SMOTE, ENN, and class weights to handle class imbalance effectively. | |
Md. Alamin Talukder [20] | UNSW-NB15 | 2024 | RF and ET | 99.59% | A machine learning IDS uses RO to fix imbalance, stacked features from clustering, and PCA to reduce dimensions, targeting large skewed datasets. | |
Afrah Fathima et al. [21] | UNSW-NB15 | 2023 | RF | 99% | This study uses the UNSW-NB15 dataset to enhance unauthorized access detection with multi-level classification models. | |
Mohamed ElKashlan et al. [22] | IoT-23 | 2023 | Filtered classifier | 99.2% | This study develops a machine learning method to identify harmful data in IoT networks using real data and tests various classifiers. | |
Hesham Kamal and Maggie Mashaly [23] | IoT-23 | 2025 | CNN–MLP | 99.94% | This study introduces a hybrid CNN-MLP model for IoT security with data augmentation techniques to address class imbalance. | |
N. Abdalgawad et al. [25] | IoT-23 | 2022 | AAE and BiGAN | 99% | This study uses AAE and BiGAN machine learning methods to detect unauthorized users by analyzing system logs. | |
Emmanouil Arapidis et al. [26] | USTC-TFC2016 | 2024 | LSTM AE with RF | 99% | This study introduces Zeekflow+ and combines LSTM Autoencoder and Random Forest for accurate network traffic classification. | |
Author | High Performance | Class Imbalance Mitigation | Binary Classification | Multi-Class Classification | Generalization Threshold > 2 | Scalability | Learning Type | Model Type | Utilized Technique | |||
---|---|---|---|---|---|---|---|---|---|---|---|---|
B | M | DL | ML | H | S | |||||||
Yalu Wang et al. [13] | ✓ | ✓ | ✓ | ✓ | N-STGAT | |||||||
Renjie Xu et al. [14] | ✓ | ✓ | ✓ | ✓ | GNN | |||||||
Hesham Kamal and Maggie Mashaly [15] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Transformer–CNN | |||
Sami Yaras and Murat Dener [16] | ✓ | ✓ | ✓ | CNN-LSTM | ||||||||
Ahmed Abdelkhalek and Maggie Mashaly [17] | ✓ | ✓ | ✓ | ✓ | ✓ | CNN | ||||||
Fuat Turk [18] | ✓ | ✓ | ✓ | ✓ | ✓ | LR, KNN, RF, DT, MLP, and LSTM | ||||||
Hesham Kamal and Maggie Mashaly [19] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Autoencoder–CNN and Transformer–DNN | |||
Md. Alamin Talukder [20] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | RF and ET | ||||
Afrah Fathima et al. [21] | ✓ | ✓ | ✓ | ✓ | ✓ | RF, SVM, GBM, and LR | ||||||
Mohamed ElKashlan et al. [22] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | Filtered classifier | |||||
Hesham Kamal and Maggie Mashaly [23] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | CNN–MLP | ||||
Mohanad Sarhan et al. [24]. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | LSTM | |||||
N. Abdalgawad et al. [25] | ✓ | ✓ | ✓ | ✓ | AAE and BiGAN | |||||||
Emmanouil Arapidis et al. [26] | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | LSTM AE with RF | ||||
Ours | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | AE-DTNN |
Class Type | Sample Count | Description |
---|---|---|
Benign | 50,000 | Legitimate, non-malicious network traffic. |
Reconnaissance | 65,000 | A strategic approach employed to systematically collect intelligence on a network host, often referred to as a probing technique aimed at identifying vulnerabilities and mapping network structures. |
DDoS | 90,000 | A large-scale, highly coordinated cyber onslaught that amplifies the principles of a Denial of Service attack by leveraging a vast network of distributed sources, often compromised devices forming a botnet, to inundate a target with relentless traffic, rendering it inaccessible and severely disrupting its functionality. |
DoS | 80,000 | A meticulously orchestrated cyber assault aimed at exhausting a system’s computational bandwidth, rendering it incapable of handling legitimate requests and thereby disrupting critical data accessibility and operational continuity, ultimately plunging the target into a state of digital incapacitation. |
Theft | 2316 | A sophisticated class of cyber intrusions designed to covertly acquire sensitive information, including data exfiltration and keylogging, by exploiting system vulnerabilities and bypassing security measures to compromise confidentiality and integrity. |
Class | Binary: Before Z-Score and LOF | Binary: After Z-Score and LOF | Multi-Class: Before Z-Score and LOF | Multi-Class: After Z-Score and LOF |
---|---|---|---|---|
Benign | 41,596 | 25,792 | 41,507 | 26,150 |
Reconnaissance | 64,100 | 56,942 | 64,121 | 56,760 |
DDoS | 89,736 | 85,653 | 89,719 | 85,713 |
DoS | 79,770 | 71,830 | 79,778 | 71,717 |
Theft | 1460 | 1012 | 1452 | 991 |
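
The hybrid Z-score and LOF filter behind these before/after counts, sketched as an added example that is not the paper's code. The thresholds, `k`, the rule that a row is dropped when either detector flags it, and the single-feature sample are all assumptions; the point is that the Z-score only catches the global extreme, while LOF also catches a point that is isolated relative to its dense neighbourhood.

```python
import math
import statistics


def zscore_flags(rows, threshold=3.0):
    """Indices of rows whose |z-score| exceeds threshold in any feature column."""
    flagged = set()
    for column in zip(*rows):
        mean = statistics.fmean(column)
        std = statistics.pstdev(column)
        if std == 0:  # constant column: no outlier signal, avoid dividing by zero
            continue
        for i, value in enumerate(column):
            if abs(value - mean) / std > threshold:
                flagged.add(i)
    return flagged


def lof_scores(rows, k=3):
    """Local outlier factor per row (brute-force search, exactly k neighbours)."""
    n = len(rows)
    if n <= k:
        raise ValueError("need more than k rows to compute LOF")
    neighbours, k_dist = [], []
    for i in range(n):
        ranked = sorted(
            (math.dist(rows[i], rows[j]), j) for j in range(n) if j != i
        )[:k]
        neighbours.append(ranked)
        k_dist.append(ranked[-1][0])  # distance to the k-th nearest neighbour

    lrd = []  # local reachability density
    for i in range(n):
        reach = sum(max(k_dist[j], d) for d, j in neighbours[i])
        # Duplicate flow records give zero distances; clamp to keep lrd finite.
        lrd.append(k / max(reach, 1e-12))

    return [
        sum(lrd[j] for _, j in neighbours[i]) / (k * lrd[i]) for i in range(n)
    ]


def hybrid_outliers(rows, z_threshold=3.0, k=3, lof_threshold=1.5):
    """Return (z_flagged, lof_flagged, dropped); dropped is the union (assumed rule)."""
    z_flagged = zscore_flags(rows, z_threshold)
    lof_flagged = {
        i for i, score in enumerate(lof_scores(rows, k)) if score > lof_threshold
    }
    return z_flagged, lof_flagged, z_flagged | lof_flagged


# Constructed sample: one numeric flow feature per row (values are made up).
DENSE = [(float(v),) for v in range(10)]             # tight cluster 0..9
LOCAL = [(15.0,)]                                    # isolated beside the tight cluster
SPARSE = [(float(v),) for v in range(100, 200, 10)]  # loose cluster 100..190
EXTREME = [(1000.0,)]                                # global extreme
ROWS = DENSE + LOCAL + SPARSE + EXTREME

if __name__ == "__main__":
    z, lof, dropped = hybrid_outliers(ROWS)
    print("z-score flags:", sorted(z))
    print("LOF flags:    ", sorted(lof))
    print("rows kept:    ", len(ROWS) - len(dropped))
```

In the table above, the filter removes rows from every class, including the smallest one (Theft falls from 1460 to 1012 in the binary setting), so per-class retention is worth checking before training.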
Selected Features | Selected Features | Selected Features | Selected Features |
---|---|---|---|
CLIENT_TCP_FLAGS | FLOW_DURATION_MILLISECONDS | IN_BYTES | NUM_PKTS_128_TO_256_BYTES |
TCP_WIN_MAX_IN | SHORTEST_FLOW_PKT | NUM_PKTS_256_TO_512_BYTES | SRC_TO_DST_AVG_THROUGHPUT |
DURATION_OUT | OUT_PKTS | LONGEST_FLOW_PKT | SRC_TO_DST_SECOND_BYTES |
MAX_TTL | ICMP_TYPE | DST_TO_SRC_SECOND_BYTES | DNS_QUERY_TYPE |
TCP_FLAGS | DST_TO_SRC_AVG_THROUGHPUT | L4_SRC_PORT | DNS_TTL_ANSWER |
DURATION_IN | OUT_BYTES | NUM_PKTS_UP_TO_128_BYTES | |
L7_PROTO | IN_PKTS | TCP_WIN_MAX_OUT |
Selected Features | Selected Features | Selected Features | Selected Features |
---|---|---|---|
MIN_IP_PKT_LEN | NUM_PKTS_128_TO_256_BYTES | DST_TO_SRC_AVG_THROUGHPUT | IN_BYTES |
MIN_TTL | DURATION_OUT | OUT_BYTES | DST_TO_SRC_SECOND_BYTES |
DURATION_IN | ICMP_TYPE | MAX_IP_PKT_LEN | SRC_TO_DST_SECOND_BYTES |
SHORTEST_FLOW_PKT | SRC_TO_DST_AVG_THROUGHPUT | L7_PROTO | DNS_QUERY_TYPE |
CLIENT_TCP_FLAGS | TCP_WIN_MAX_OUT | NUM_PKTS_UP_TO_128_BYTES | DNS_QUERY_ID |
FLOW_DURATION_MILLISECONDS | L4_SRC_PORT | NUM_PKTS_256_TO_512_BYTES | DNS_TTL_ANSWER |
TCP_WIN_MAX_IN | OUT_PKTS | IN_PKTS |
Class | Train | Test |
---|---|---|
Normal | 24,520 | 1272 |
Attack | 204,647 | 10,790 |
Class | Train | Test |
---|---|---|
Benign | 24,860 | 1290 |
Reconnaissance | 53,918 | 2842 |
DDoS | 81,432 | 4281 |
DoS | 68,110 | 3607 |
Theft | 944 | 47 |
Class | Before ADASYN | After ADASYN |
---|---|---|
Normal | 25,792 | 215,443 |
Attack | 215,437 | 215,437 |
Class | Before ADASYN | After ADASYN |
---|---|---|
Benign | 26,150 | 85,730 |
Reconnaissance | 56,760 | 56,760 |
DDoS | 85,713 | 85,713 |
DoS | 71,717 | 71,717 |
Theft | 991 | 85,722 |
Class | Before ENN | After ENN |
---|---|---|
Normal | 214,171 | 214,164 |
Attack | 204,647 | 204,647 |
Class | Before ENN | After ENN |
---|---|---|
Benign | 84,440 | 84,440 |
Reconnaissance | 53,918 | 53,918 |
DDoS | 81,432 | 80,262 |
DoS | 68,110 | 63,186 |
Theft | 85,675 | 85,675 |
Class | Weight |
---|---|
Normal | 0.9778 |
Attack | 1.0233 |
Class | Weight |
---|---|
Benign | 0.8704 |
Reconnaissance | 1.3631 |
DDoS | 0.9157 |
DoS | 1.1632 |
Theft | 0.8578 |
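
Added example, not the paper's code: the weights in the two tables above match, to four decimals, the inverse-frequency rule w_c = N / (K · n_c) applied to the after-ENN training counts. That the authors used this rule is an inference from the numbers, and the function names are hypothetical.

```python
import math

# After-ENN training counts and reported weights, copied from the page's tables.
AFTER_ENN = {
    "binary": {"Normal": 214164, "Attack": 204647},
    "multi": {"Benign": 84440, "Reconnaissance": 53918, "DDoS": 80262,
              "DoS": 63186, "Theft": 85675},
}
REPORTED = {
    "binary": {"Normal": 0.9778, "Attack": 1.0233},
    "multi": {"Benign": 0.8704, "Reconnaissance": 1.3631, "DDoS": 0.9157,
              "DoS": 1.1632, "Theft": 0.8578},
}


def balanced_class_weights(counts):
    """w_c = N / (K * n_c), so every class carries the same total weight N / K."""
    total = sum(counts.values())
    return {label: total / (len(counts) * n) for label, n in counts.items()}


def max_abs_error(task):
    """Largest gap between the recomputed (4-decimal) and reported weights."""
    weights = balanced_class_weights(AFTER_ENN[task])
    return max(
        abs(round(weights[c], 4) - REPORTED[task][c]) for c in REPORTED[task]
    )


def weighted_cross_entropy(probabilities, true_label, weights):
    """Per-sample loss -w_y * log(p_y): how a class weight scales one error."""
    return -weights[true_label] * math.log(probabilities[true_label])


if __name__ == "__main__":
    for task in ("binary", "multi"):
        print(task, balanced_class_weights(AFTER_ENN[task]),
              "max error vs table:", max_abs_error(task))
    w = balanced_class_weights(AFTER_ENN["multi"])
    # Same confidence (0.5) on the true class, different class weight.
    recon = weighted_cross_entropy({"Reconnaissance": 0.5}, "Reconnaissance", w)
    theft = weighted_cross_entropy({"Theft": 0.5}, "Theft", w)
    print("Reconnaissance error costs", round(recon / theft, 3), "x a Theft error")
```

After ADASYN, Theft is among the largest classes in the training set, which is why it ends up with the smallest weight while Reconnaissance, never oversampled, gets the largest.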
Block | Layer Type | Layer Size | Activation Function | Parameters |
---|---|---|---|---|
Input block | Input layer | Number of Features | - | - |
Encoder block | Dense layer | 64 | ReLU | - |
Decoder block | Dense layer | Input Size | Linear | - |
Input block | Input layer | Autoencoder Output | - | - |
Dense block | Dense layer | 256 | ReLU | - |
Dense block | Dropout | 0.0000001 | - | - |
Dense block | Dense layer | 128 | ReLU | - |
Dense block | Dropout | 0.0000001 | - | - |
Transformer block (Encoder block) | Multi-head attention | - | - | num_heads = 8, key_dim = 64 |
Transformer block (Encoder block) | Layer Normalization | - | - | epsilon = 1 × 10⁻⁶ |
Transformer block (Encoder block) | Add (Residual Connection) | - | - | - |
Feed-Forward block (Encoder block) | Dense layer | 128 | ReLU | units = 128, activation = ‘relu’ |
Feed-Forward block (Encoder block) | Dense layer | 128 | - | units = 128 |
Feed-Forward block (Encoder block) | Add (Residual Connection) | - | - | - |
Feed-Forward block (Encoder block) | Layer Normalization | - | - | epsilon = 1 × 10⁻⁶ |
Output block | Output layer | 1 (Binary) | Sigmoid | - |
Output block | Output layer | Number of Classes (Multi-Class) | Softmax | - |

Parameter | Binary Classifier | Multi-Class Classifier |
---|---|---|
Batch size | 64 | 64 |
Learning rate | 0.001 | 0.001 |
Optimizer | Adam | Adam |
Loss function | Mean_squared_error | Mean_squared_error |

Parameter | Binary Classifier | Multi-Class Classifier |
---|---|---|
Batch size | 128 | 128 |
Learning rate | Scheduled: Initial = 0.001, Factor = 0.5, Min = 1 × 10⁻⁵ (ReduceLROnPlateau) | Scheduled: Initial = 0.001, Factor = 0.5, Min = 1 × 10⁻⁵ (ReduceLROnPlateau) |
Optimizer | Adam | Adam |
Loss function | Binary cross-entropy | Categorical cross-entropy |
Metric | Accuracy | Accuracy |

Dataset | Model | Accuracy | Precision | Recall | F-Score |
---|---|---|---|---|---|
NF-BoT-IoT-v2 | CNN | 99.97% | 99.97% | 99.97% | 99.97% |
NF-BoT-IoT-v2 | Autoencoder | 99.97% | 99.97% | 99.97% | 99.97% |
NF-BoT-IoT-v2 | DNN | 99.87% | 99.87% | 99.87% | 99.87% |
NF-BoT-IoT-v2 | Transformer | 99.96% | 99.96% | 99.96% | 99.96% |
NF-BoT-IoT-v2 | AE-DTNN (proposed) | 99.98% | 99.98% | 99.98% | 99.98% |
NSL-KDD | CNN | 97.34% | 97.40% | 97.34% | 97.34% |
NSL-KDD | Autoencoder | 98.54% | 98.55% | 98.54% | 98.54% |
NSL-KDD | DNN | 98.46% | 98.46% | 98.46% | 98.46% |
NSL-KDD | Transformer | 97.33% | 97.34% | 97.33% | 97.33% |
NSL-KDD | AE-DTNN (proposed) | 98.57% | 98.57% | 98.57% | 98.57% |
CSE-CIC-IDS2018 | CNN | 99.88% | 99.88% | 99.88% | 99.88% |
CSE-CIC-IDS2018 | Autoencoder | 99.89% | 99.88% | 99.89% | 99.88% |
CSE-CIC-IDS2018 | DNN | 99.86% | 99.86% | 99.86% | 99.86% |
CSE-CIC-IDS2018 | Transformer | 99.90% | 99.90% | 99.90% | 99.90% |
CSE-CIC-IDS2018 | AE-DTNN (proposed) | 99.92% | 99.92% | 99.92% | 99.92% |

Dataset | Model | Accuracy | Precision | Recall | F-Score |
---|---|---|---|---|---|
NF-BoT-IoT-v2 | CNN | 98.07% | 98.08% | 98.07% | 98.07% |
NF-BoT-IoT-v2 | Autoencoder | 98.08% | 98.12% | 98.08% | 98.07% |
NF-BoT-IoT-v2 | DNN | 98.14% | 98.19% | 98.14% | 98.14% |
NF-BoT-IoT-v2 | Transformer | 97.91% | 97.96% | 97.91% | 97.91% |
NF-BoT-IoT-v2 | AE-DTNN (proposed) | 98.30% | 98.32% | 98.30% | 98.30% |
NSL-KDD | CNN | 97.38% | 97.68% | 97.38% | 97.46% |
NSL-KDD | Autoencoder | 97.33% | 97.78% | 97.33% | 97.47% |
NSL-KDD | DNN | 97.47% | 98.20% | 97.47% | 97.76% |
NSL-KDD | Transformer | 97.48% | 97.76% | 97.48% | 97.56% |
NSL-KDD | AE-DTNN (proposed) | 97.50% | 98.25% | 97.50% | 97.82% |
CSE-CIC-IDS2018 | CNN | 99.76% | 99.76% | 99.76% | 99.75% |
CSE-CIC-IDS2018 | Autoencoder | 99.73% | 99.73% | 99.73% | 99.72% |
CSE-CIC-IDS2018 | DNN | 99.70% | 99.67% | 99.70% | 99.67% |
CSE-CIC-IDS2018 | Transformer | 99.76% | 99.77% | 99.76% | 99.76% |
CSE-CIC-IDS2018 | AE-DTNN (proposed) | 99.78% | 99.78% | 99.78% | 99.78% |

Classification Type | Dataset | Model | Accuracy | Precision | Recall | F-Score |
---|---|---|---|---|---|---|
Binary Classification | NF-BoT-IoT-v2 | AE | 95.82% | 96.14% | 95.82% | 95.94% |
Binary Classification | NF-BoT-IoT-v2 | AE + Dense | 99.79% | 99.80% | 99.79% | 99.79% |
Binary Classification | NF-BoT-IoT-v2 | AE + Dense + Transformer | 99.98% | 99.98% | 99.98% | 99.98% |
Binary Classification | NSL-KDD | AE | 96.55% | 96.56% | 96.55% | 96.55% |
Binary Classification | NSL-KDD | AE + Dense | 98.01% | 98.04% | 98.01% | 98.01% |
Binary Classification | NSL-KDD | AE + Dense + Transformer | 98.57% | 98.57% | 98.57% | 98.57% |
Binary Classification | CSE-CIC-IDS2018 | AE | 98.12% | 98.16% | 98.12% | 97.22% |
Binary Classification | CSE-CIC-IDS2018 | AE + Dense | 99.77% | 99.76% | 99.77% | 99.76% |
Binary Classification | CSE-CIC-IDS2018 | AE + Dense + Transformer | 99.92% | 99.92% | 99.92% | 99.92% |
Multi-Class Classification | NF-BoT-IoT-v2 | AE | 93.88% | 94.58% | 93.88% | 94.20% |
Multi-Class Classification | NF-BoT-IoT-v2 | AE + Dense | 97.97% | 98.02% | 97.97% | 97.97% |
Multi-Class Classification | NF-BoT-IoT-v2 | AE + Dense + Transformer | 98.30% | 98.32% | 98.30% | 98.30% |
Multi-Class Classification | NSL-KDD | AE | 93.78% | 95.92% | 93.78% | 94.72% |
Multi-Class Classification | NSL-KDD | AE + Dense | 96.64% | 97.63% | 96.64% | 97.07% |
Multi-Class Classification | NSL-KDD | AE + Dense + Transformer | 97.50% | 98.25% | 97.50% | 97.82% |
Multi-Class Classification | CSE-CIC-IDS2018 | AE | 94.04% | 94.26% | 94.04% | 94.02% |
Multi-Class Classification | CSE-CIC-IDS2018 | AE + Dense | 99.51% | 99.49% | 99.51% | 99.48% |
Multi-Class Classification | CSE-CIC-IDS2018 | AE + Dense + Transformer | 99.78% | 99.78% | 99.78% | 99.78% |

Classification Type | Experimental Setup | Accuracy | Precision | Recall | F-score |
---|---|---|---|---|---|
Binary | Preprocessing (Z-Score) | 81.24% | 90.59% | 81.24% | 84.26% |
Binary | Preprocessing (Z-Score + LOF) | 83.23% | 93.48% | 83.23% | 86.08% |
Binary | Preprocessing (Z-Score + LOF + Feature Selection) | 84.15% | 93.62% | 84.15% | 86.78% |
Binary | Preprocessing (Z-Score + LOF + Feature Selection + Normalization) | 99.49% | 99.48% | 99.49% | 99.48% |
Binary | Preprocessing (Z-Score + LOF + Feature Selection + Normalization + PCA) | 99.77% | 99.77% | 99.77% | 99.77% |
Binary | Preprocessing + Resampling (ADASYN) | 99.88% | 99.88% | 99.88% | 99.88% |
Binary | Preprocessing + Resampling (ADASYN + ENN) | 99.94% | 99.94% | 99.94% | 99.94% |
Binary | Preprocessing + Resampling (ADASYN + ENN) + Class Weights | 99.98% | 99.98% | 99.98% | 99.98% |
Multi-Class | Preprocessing (Z-Score) | 77.36% | 85.65% | 77.36% | 78.07% |
Multi-Class | Preprocessing (Z-Score + LOF) | 78.36% | 86.82% | 78.36% | 78.97% |
Multi-Class | Preprocessing (Z-Score + LOF + Feature Selection) | 81.67% | 88.03% | 81.67% | 82.23% |
Multi-Class | Preprocessing (Z-Score + LOF + Feature Selection + Normalization) | 97.26% | 97.27% | 97.26% | 97.26% |
Multi-Class | Preprocessing (Z-Score + LOF + Feature Selection + Normalization + PCA) | 97.51% | 97.55% | 97.51% | 97.51% |
Multi-Class | Preprocessing + Resampling (ADASYN) | 97.85% | 97.90% | 97.85% | 97.85% |
Multi-Class | Preprocessing + Resampling (ADASYN + ENN) | 97.97% | 98.03% | 97.97% | 97.97% |
Multi-Class | Preprocessing + Resampling (ADASYN + ENN) + Class Weights | 98.30% | 98.32% | 98.30% | 98.30% |

Dataset | Model | Inference Time per Batch (128 Samples) (Milliseconds) | Inference Time per Sample (Milliseconds) |
---|---|---|---|
Binary classification | CNN | 86.834 | 0.6784 |
Binary classification | Autoencoder | 92.095 | 0.7195 |
Binary classification | DNN | 92.820 | 0.7252 |
Binary classification | Transformer | 93.182 | 0.7280 |
Binary classification | AE-DTNN (proposed) | 121.253 | 0.9473 |
Multi-class classification | CNN | 87.197 | 0.6812 |
Multi-class classification | Autoencoder | 95.903 | 0.7492 |
Multi-class classification | DNN | 95.414 | 0.7454 |
Multi-class classification | Transformer | 96.531 | 0.7541 |
Multi-class classification | AE-DTNN (proposed) | 123.055 | 0.9614 |

Dataset | Model | Training Time per Batch (128 Samples) (Milliseconds) | Training Time per Sample (Milliseconds) |
---|---|---|---|
Binary classification | CNN | 95.433 | 0.7456 |
Binary classification | Autoencoder | 100.651 | 0.7863 |
Binary classification | DNN | 94.919 | 0.7416 |
Binary classification | Transformer | 100.279 | 0.7834 |
Binary classification | AE-DTNN (proposed) | 125.496 | 0.9804 |
Multi-class classification | CNN | 96.809 | 0.7563 |
Multi-class classification | Autoencoder | 118.780 | 0.9280 |
Multi-class classification | DNN | 98.565 | 0.7700 |
Multi-class classification | Transformer | 100.612 | 0.7860 |
Multi-class classification | AE-DTNN (proposed) | 126.334 | 0.9870 |
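
Dataset | Model | Memory Consumption (MB) per Batch (128 Samples) |
---|---|---|
Binary classification | CNN | 3.02 |
Binary classification | Autoencoder | 0.16 |
Binary classification | DNN | 0.07 |
Binary classification | Transformer | 0.21 |
Binary classification | AE-DTNN (proposed) | 1.63 |
Multi-class classification | CNN | 3.06 |
Multi-class classification | Autoencoder | 0.16 |
Multi-class classification | DNN | 0.07 |
Multi-class classification | Transformer | 0.25 |
Multi-class classification | AE-DTNN (proposed) | 1.67 |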

Dataset | Class | Accuracy | Precision | Recall | F-score |
---|---|---|---|---|---|
NF-BoT-IoT-v2 | Normal | 100% | 99.84% | 100% | 99.92% |
NF-BoT-IoT-v2 | Attack | 99.98% | 100% | 99.98% | 99.99% |
NSL-KDD | Normal | 98.57% | 98.33% | 98.57% | 98.45% |
NSL-KDD | Attack | 98.57% | 98.78% | 98.57% | 98.67% |
CSE-CIC-IDS2018 | Normal | 96.98% | 98.91% | 96.98% | 97.94% |
CSE-CIC-IDS2018 | Attack | 99.98% | 99.94% | 99.98% | 99.96% |

Dataset | Class | Accuracy | Precision | Recall | F-Score |
---|---|---|---|---|---|
NF-BoT-IoT-v2 | Benign | 100% | 99.85% | 100% | 99.92% |
NF-BoT-IoT-v2 | Reconnaissance | 96.13% | 98.66% | 96.13% | 97.38% |
NF-BoT-IoT-v2 | DDoS | 99.25% | 99.39% | 99.25% | 99.32% |
NF-BoT-IoT-v2 | DoS | 98.25% | 96.20% | 98.25% | 97.22% |
NF-BoT-IoT-v2 | Theft | 100% | 100% | 100% | 100% |
NSL-KDD | Normal | 97.89% | 99.49% | 97.89% | 98.68% |
NSL-KDD | DoS | 98.71% | 99.95% | 98.71% | 99.33% |
NSL-KDD | Probe | 99.64% | 93.95% | 99.64% | 96.71% |
NSL-KDD | U2R | 78.38% | 15.68% | 78.38% | 26.13% |
NSL-KDD | L2R | 92.18% | 92.98% | 92.18% | 92.58% |

Label | Accuracy | Precision | Recall | F-Score |
---|---|---|---|---|
Benign | 95.25% | 96.59% | 95.25% | 95.91% |
DDoS attacks-LOIC-HTTP | 100% | 100% | 100% | 100% |
DDOS attack-HOIC | 100% | 100% | 100% | 100% |
DoS attacks-Hulk | 100% | 99.96% | 100% | 99.98% |
Bot | 99.98% | 99.95% | 99.98% | 99.96% |
Infiltration | 98.14% | 97.50% | 98.14% | 97.82% |
SSH-Bruteforce | 99.97% | 100% | 99.97% | 99.98% |
DoS attacks-GoldenEye | 99.96% | 99.96% | 99.96% | 99.96% |
DoS attacks-Slowloris | 99.92% | 99.92% | 99.92% | 99.92% |
DDOS attack-LOIC-UDP | 100% | 100% | 100% | 100% |
Brute Force-Web | 100% | 97.30% | 100% | 98.63% |
Brute Force-XSS | 96.97% | 96.97% | 96.97% | 96.97% |
SQL Injection | 50% | 100% | 50% | 66.67% |
DoS attacks-SlowHTTPTest | 25% | 10% | 25% | 14.29% |
FTP-BruteForce | 10% | 25% | 10% | 14.29% |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Kamal, H.; Mashaly, M. AE-DTNN: Autoencoder–Dense–Transformer Neural Network Model for Efficient Anomaly-Based Intrusion Detection Systems. Mach. Learn. Knowl. Extr. 2025, 7, 78. https://doi.org/10.3390/make7030078