Search Results (206)

Search Parameters:
Keywords = CICIDS2018

28 pages, 4585 KB  
Article
Uncertainty-Aware Adaptive Intrusion Detection Using Hybrid CNN-LSTM with cWGAN-GP Augmentation and Human-in-the-Loop Feedback
by Clinton Manuel de Nascimento and Jin Hou
Safety 2025, 11(4), 120; https://doi.org/10.3390/safety11040120 - 5 Dec 2025
Abstract
Intrusion detection systems (IDSs) must operate under severe class imbalance, evolving attack behavior, and the need for calibrated decisions that integrate smoothly with security operations. We propose a human-in-the-loop IDS that combines a convolutional neural network and a long short-term memory network (CNN–LSTM) classifier with a variational autoencoder (VAE)-seeded conditional Wasserstein generative adversarial network with gradient penalty (cWGAN-GP) augmentation and entropy-based abstention. Minority classes are reinforced offline via conditional generative adversarial (GAN) sampling, whereas high-entropy predictions are escalated for analysts and are incorporated into a curated retraining set. On CIC-IDS2017, the resulting framework delivered well-calibrated binary performance (ACC = 98.0%, DR = 96.6%, precision = 92.1%, F1 = 94.3%; baseline ECE ≈ 0.04, Brier ≈ 0.11) and substantially improved minority recall (e.g., Infiltration from 0% to >80%, Web Attack–XSS +25 pp, and DoS Slowhttptest +15 pp, for an overall +11 pp macro-recall gain). The deployed model remained lightweight (~42 MB, <10 ms per batch; ≈32 k flows/s on RTX-3050 Ti), and only approximately 1% of the flows were routed for human review. Extensive evaluation, including ROC/PR sweeps, reliability diagrams, cross-domain tests on CIC-IoT2023, and FGSM/PGD adversarial stress, highlights both the strengths and remaining limitations, notably residual errors on rare web attacks and limited IoT transfer. Overall, the framework provides a practical, calibrated, and extensible machine learning (ML) tier for modern IDS deployment and motivates future research on domain alignment and adversarial defense.

24 pages, 2288 KB  
Article
Anomaly Detection in Imbalanced Network Traffic Using a ResCAE-BiGRU Framework
by Xiaofeng Nong, Kuangyu Qin and Xingliu Xie
Symmetry 2025, 17(12), 2087; https://doi.org/10.3390/sym17122087 - 5 Dec 2025
Abstract
To address the critical challenge of low detection rates for rare anomaly classes in network traffic, a problem exacerbated by severe data imbalance, this paper proposes a deep learning framework for anomaly detection in imbalanced network traffic. Initially, the framework employs the Isolation Forest (iForest) and SMOTE-Tomek techniques for outlier removal and data balancing, respectively, to enhance data quality. The model first undergoes unsupervised pre-training using a symmetrically designed Residual Convolutional Autoencoder (ResCAE) to learn robust feature representations. Subsequently, the pre-trained encoder is integrated with a Bidirectional Gated Recurrent Unit (BiGRU) to capture temporal dependencies within the traffic features. During the fine-tuning phase, a Sharpness-Aware Minimization (SAM) optimizer is employed to enhance the model’s generalization capability. The experimental results on the public CICIDS2017 and UNSW-NB15 datasets reveal the model’s outstanding performance, achieving an accuracy, precision, recall, and F1-score of 99.33%, 99.53%, 99.33%, and 99.41%, respectively. Comparative analysis against baseline models confirms that the proposed method not only surpasses traditional machine learning algorithms but also holds a significant advantage over contemporary deep learning models. The results validate that this framework effectively resolves the issue of low detection rates for rare anomaly classes caused by data imbalance, offering a powerful and robust solution for building high-performance anomaly detection frameworks.
(This article belongs to the Section Computer)

23 pages, 2510 KB  
Article
MCH-Ensemble: Minority Class Highlighting Ensemble Method for Class Imbalance in Network Intrusion Detection
by Sumin Oh, Seoyoung Sohn, Chaewon Kim and Minseo Park
Appl. Sci. 2025, 15(23), 12647; https://doi.org/10.3390/app152312647 - 28 Nov 2025
Abstract
As cyber threats such as denial-of-service (DoS) attacks continue to rise, network intrusion detection systems (NIDS) have become essential components of cybersecurity defense. Although machine learning is widely applied to network intrusion detection, its performance often deteriorates due to the extreme class imbalance present in real-world data. This imbalance causes models to become biased and unable to detect critical attack instances. To address this issue, we propose MCH-Ensemble (Minority Class Highlighting Ensemble), an ensemble framework designed to improve the detection of minority attack classes. The method constructs multiple balanced subsets through random under-sampling and trains base learners, including decision tree, XGBoost, and LightGBM models. Features of correctly predicted attack samples are then amplified by adding a constant value, producing a boosting-like effect that enhances minority class representation. The highlighted subsets are subsequently combined to train a random forest meta-model, which leverages bagging to capture diverse and fine-grained decision boundaries. Experimental evaluations on the UNSW-NB15, CIC-IDS2017, and WSN-DS datasets demonstrate that MCH-Ensemble effectively mitigates class imbalance and achieves superior recognition of DoS attacks. The proposed method achieves enhanced performance compared with those reported previously. On the UNSW-NB15 and CIC-IDS2017 datasets, it achieves improvements in accuracy, precision, recall, F1-score, and area under the receiver operating characteristic curve (AUC-ROC) by ~1.2% and ~0.61%, ~9.8% and 0.77%, ~0.7% and ~0.56%, ~5.3% and 0.66%, and ~0.1% and ~0.06%, respectively. In addition, it achieves these improvements by ~0.17%, ~1.66%, ~0.11%, ~0.88%, and ~0.06%, respectively, on the WSN-DS dataset.
These findings indicate that the proposed framework offers a robust and accurate approach to intrusion detection, contributing to the development of reliable cybersecurity systems in highly imbalanced network environments.

19 pages, 359 KB  
Article
A Deterministic Comparison of Classical Machine Learning and Hybrid Deep Representation Models for Intrusion Detection on NSL-KDD and CICIDS2017
by Miguel Arcos-Argudo, Rodolfo Bojorque and Andrés Torres
Algorithms 2025, 18(12), 749; https://doi.org/10.3390/a18120749 - 28 Nov 2025
Abstract
Intrusion detection systems (IDSs) must balance detection quality with operational transparency. We present a deterministic, leakage-free comparison of three classical classifiers: Naïve Bayes (NB), Logistic Regression (LR), and Linear Discriminant Analysis (LDA). We also propose a hybrid pipeline that trains LR on Autoencoder embeddings (AE). Experiments use NSL-KDD and CICIDS2017 under two regimes (with/without SMOTE (Synthetic Minority Oversampling Technique) applied only on training data). All preprocessing (one-hot encoding, scaling, and imputation) is fitted on the training split; fixed seeds and deterministic TensorFlow settings ensure exact reproducibility. We report a complete metric set—Accuracy, Precision, Recall, F1, Area Under the Curve (AUC), and False Alarm Rate (FAR)—and release a replication package (code, preprocessing artifacts, and saved prediction scores) to regenerate all reported tables and metrics. On NSL-KDD, AE+LR yields the highest AUC (≈0.904) and the strongest F1 among the evaluated models (e.g., 0.7583 with SMOTE), while LDA slightly edges LR on Accuracy/F1. NB attains very high Precision (≈0.98) but low Recall (≈0.24), resulting in the weakest F1, yet a low FAR due to conservative decisions. On CICIDS2017, LR delivers the best Accuracy/F1 (0.9878/0.9752 without SMOTE), with AE+LR close behind; both approach ceiling AUC (≈0.996). SMOTE provides modest gains on NSL-KDD and limited benefits on CICIDS2017. Overall, LR/LDA remain strong, interpretable baselines, while AE+LR improves separability (AUC) without sacrificing a simple, auditable decision layer for practical IDS deployment.

21 pages, 481 KB  
Article
Transformer-Based Intrusion Detection for Post-5G and 6G Telecommunication Networks Using Dynamic Semantic Embedding
by Haonan Yan, Xin Pang, Shaopeng Zhou and Honghui Fan
Future Internet 2025, 17(12), 544; https://doi.org/10.3390/fi17120544 - 27 Nov 2025
Abstract
Post-5G and 6G telecommunication infrastructures face critical information security challenges due to increasing network complexity and sophisticated cyberattacks. Traditional intrusion detection systems based on statistical traffic analysis struggle to identify advanced threats that exploit semantic-level vulnerabilities in modern communication protocols. This paper proposes a Transformer-based intrusion detection system specifically designed for post-5G and 6G networks. Our approach integrates three key innovations: First, a comprehensive feature extraction method capturing both semantic content characteristics and communication behavior patterns. Second, a dynamic semantic embedding mechanism that adaptively adjusts positional encoding based on semantic context changes. Third, a Transformer-based classifier with multi-head attention mechanisms to model long-range dependencies in attack sequences. Extensive experiments on CICIDS2017 and UNSW-NB15 datasets demonstrate superior performance compared to LSTM, GRU, and CNN baselines across multiple evaluation metrics. Robustness testing and cross-dataset validation confirm strong generalization capability, making the system suitable for deployment in heterogeneous post-5G and 6G telecommunication environments.
(This article belongs to the Special Issue Information Security in Telecommunication Systems)

37 pages, 1575 KB  
Article
UAV Cybersecurity with Mamba-KAN-Liquid Hybrid Model: Deep Learning-Based Real-Time Anomaly Detection
by Özlem Batur Dinler
Drones 2025, 9(11), 806; https://doi.org/10.3390/drones9110806 - 18 Nov 2025
Abstract
Unmanned Aerial Vehicles (UAVs) are increasingly being used in critical infrastructure, defense, and civilian applications, and face new cybersecurity threats. In this work, we present a novel hybrid deep learning architecture that combines Mamba, Kolmogorov-Arnold Networks (KAN), and Liquid Neural Networks for real-time cyberattack detection in UAV systems. The proposed Mamba-KAN-Liquid (MKL) model integrates Mamba’s selective state-space mechanism for temporal dependency modeling, KAN’s learnable activation functions for feature representation, and Liquid networks’ dynamic adaptation capabilities for real-time anomaly detection. Extensive evaluations on CIC-IDS2017, CSE-CIC-IDS2018, and synthetic UAV telemetry datasets demonstrate that our model achieves detection rates exceeding 95% across six different attack scenarios, including GPS spoofing (97.3%), network jamming (95.8%), man-in-the-middle attacks (96.2%), sensor manipulation (94.7%), DDoS (98.1%), and zero-day attacks (89.4%). The model meets real-time processing requirements with an average inference time of 47.3 ms for a sample batch size of 32, making it suitable for practical deployment on resource-constrained UAV platforms.
(This article belongs to the Section Drone Communications)

32 pages, 1057 KB  
Article
ZT-IoTrust: A Quantum-Resistant Zero Trust Framework for Secure IoT Access Control
by Jun Wang, Ning Huang, Bo Wang, Rigele Ao, Qiang Fu and Xiwang Guo
Electronics 2025, 14(22), 4469; https://doi.org/10.3390/electronics14224469 - 16 Nov 2025
Abstract
Zero-trust security and federated learning have emerged as promising paradigms for edge computing, yet existing solutions struggle to balance security, privacy, and performance requirements effectively. This paper presents ZT-IoTrust, a zero-trust framework that integrates device-specific trust evaluation with quantum-resistant security mechanisms for secure IoT access control. The framework incorporates several key innovations: quantum-resistant cryptographic protocols based on lattice problems for long-term security, a dynamic federated trust evaluation system that continuously assesses individual IoT device behaviors, and an adaptive access control architecture that implements continuous verification principles while maintaining efficiency for resource-constrained environments. Experimental evaluation on CICIDS2017 and KDD Cup 1999 datasets demonstrates effectiveness across network-layer security metrics, achieving a 92.5% attack detection rate with 1.2% false positives and 0.5% privacy leakage. The device-specific trust evaluation mechanism achieves 93.0% accuracy within 12 federation rounds while maintaining 98.8% reliability under high concurrent loads. Performance analysis shows robust scalability, with response times remaining under 125 ms and throughput reaching 1250 requests per second as the system scales from 5 to 20 nodes. These results establish ZT-IoTrust as a practical solution for implementing zero-trust security in IoT environments, effectively balancing continuous verification with system performance requirements.

26 pages, 5213 KB  
Article
Design of Network Anomaly Detection Model Based on Graph Representation Learning
by Bo Qu, Simin Zheng, Junming Zeng and Liwei Tian
Symmetry 2025, 17(11), 1976; https://doi.org/10.3390/sym17111976 - 15 Nov 2025
Abstract
Network attacks are becoming increasingly diverse and sophisticated, resulting in complex cybersecurity challenges, which can be fundamentally viewed as a disruption of the symmetry or balanced state in normal network behavior. To address these challenges, graph representation learning methods have gained prominence in network anomaly detection. These methods effectively represent complex network traffic data as graphs and capture data relationships. By integrating deep learning, graph neural networks, and other techniques, graph representation learning enhances the accuracy and efficiency of network anomaly detection in complex network environments. This paper proposes a novel network anomaly detection model based on graph representation learning called ETG-EESAGE. The model constructs an event key time subgraph (ETG) to group similar data and enhance structural features. Then, it introduces an edge enhancement sampling aggregation algorithm (EESAGE) to capture node relations and differentiate edge information accurately. The model generates richer node feature representations during aggregation and detects abnormal nodes using a threshold. Experimental evaluations on the CIC-IDS2017 dataset demonstrate the strong performance of the proposed model across multiple daily subsets. Under optimal configuration settings, ETG-EESAGE achieves an average accuracy of 95.5%, precision of 97.9%, recall of 97.3%, and F1-score of 97.7%, outperforming other baseline algorithms. The model also exhibits strong interpretability and applicability in real-world network anomaly detection scenarios.
(This article belongs to the Special Issue Applications Based on Symmetry in Adversarial Machine Learning)

46 pages, 5755 KB  
Article
ZeroDay-LLM: A Large Language Model Framework for Zero-Day Threat Detection in Cybersecurity
by Mohammed Abdullah Alsuwaiket
Information 2025, 16(11), 939; https://doi.org/10.3390/info16110939 - 28 Oct 2025
Abstract
Zero-day attacks pose unprecedented challenges to modern cybersecurity frameworks, exploiting unknown vulnerabilities that evade traditional signature-based detection systems. This paper presents ZeroDay-LLM, a novel large language model framework specifically designed for real-time zero-day threat detection in IoT and cloud networks. The proposed system integrates lightweight edge encoders with centralized transformer-based reasoning engines, enabling contextual understanding of network traffic patterns and behavioral anomalies. Through comprehensive evaluation on benchmark cybersecurity datasets including CICIDS2017, NSL-KDD, and UNSW-NB15, ZeroDay-LLM demonstrates superior performance, with a 97.8% accuracy in detecting novel attack signatures, a 23% reduction in false positives compared to traditional intrusion detection systems, and enhanced resilience against adversarial evasion techniques. The framework achieves real-time processing capabilities with an average latency of 12.3 ms per packet analysis while maintaining scalability across heterogeneous network infrastructures. Experimental results across urban, rural, and mixed deployment scenarios validate the practical applicability and robustness of the proposed approach.
(This article belongs to the Special Issue Cyber Security in IoT)

28 pages, 990 KB  
Article
Cross-Domain Adversarial Alignment for Network Anomaly Detection Through Behavioral Embedding Enrichment
by Cristian Salvador-Najar and Luis Julián Domínguez Pérez
Computers 2025, 14(11), 450; https://doi.org/10.3390/computers14110450 - 22 Oct 2025
Abstract
Detecting anomalies in network traffic is a central task in cybersecurity and digital infrastructure management. Traditional approaches rely on statistical models, rule-based systems, or machine learning techniques to identify deviations from expected patterns, but often face limitations in generalization across domains. This study proposes a cross-domain data enrichment framework that integrates behavioral embeddings with network traffic features through adversarial autoencoders. Each network traffic record is paired with the most similar behavioral profile embedding from user web activity data (Charles dataset) using cosine similarity, thereby providing contextual enrichment for anomaly detection. The proposed system comprises (i) behavioral profile clustering via autoencoder embeddings and (ii) cross-domain latent alignment through adversarial autoencoders, with a discriminator to enable feature fusion. A Deep Feedforward Neural Network trained on the enriched feature space achieves 97.17% accuracy, 96.95% precision, 97.34% recall, and 97.14% F1-score, with stable cross-validation performance (99.79% average accuracy across folds). Behavioral clustering quality is supported by a silhouette score of 0.86 and a Davies–Bouldin index of 0.57. To assess robustness and transferability, the framework was evaluated on the UNSW-NB15 and the CIC-IDS2017 datasets, where results confirmed consistent performance and reliability when compared to traffic-only baselines. This supports the feasibility of cross-domain alignment and shows that adversarial training enables stable feature integration without evidence of overfitting or memorization.
(This article belongs to the Section ICT Infrastructures for Cybersecurity)

22 pages, 376 KB  
Article
CSCVAE-NID: A Conditionally Symmetric Two-Stage CVAE Framework with Cost-Sensitive Learning for Imbalanced Network Intrusion Detection
by Zhenyu Wang and Xuejun Yu
Entropy 2025, 27(11), 1086; https://doi.org/10.3390/e27111086 - 22 Oct 2025
Abstract
With the increasing complexity and diversity of network threats, developing high-performance Network Intrusion Detection Systems (NIDSs) has become a critical challenge. A primary obstacle in this domain is the pervasive issue of class imbalance, where the scarcity of minority attack samples and the varying costs of misclassification severely limit the effectiveness of traditional models, often leading to a difficult trade-off between high False Positive Rates (FPRs) and low Recall. To address this challenge, this paper proposes a novel, conditionally symmetric two-stage framework, termed CSCVAE-NID (Conditionally Symmetric Two-Stage CVAE for Network Intrusion Detection). The framework operates in two synergistic stages: Firstly, a Data Augmentation Conditional Variational Autoencoder (DA-CVAE) is introduced to tackle the data imbalance problem at the data level. By conditioning on attack categories, the DA-CVAE generates high-quality and diverse synthetic samples for underrepresented classes, providing a more balanced training dataset. Secondly, the core of our framework, a Cost-Sensitive Multi-Class Classification CVAE (CSMC-CVAE), is proposed. This model innovatively reframes the classification task as a probabilistic distribution matching problem and integrates a cost-sensitive learning strategy at the algorithm level. By incorporating a predefined cost matrix into its loss function, the CSMC-CVAE is compelled to prioritize the correct classification of high-cost, minority attack classes. Comprehensive experiments conducted on the public CICIDS-2017 and UNSW-NB15 datasets demonstrate the superiority of the proposed CSCVAE-NID framework. Compared to several state-of-the-art methods, our approach achieves exceptional performance in both binary and multi-class classification tasks. Notably, the DA-CVAE module is designed to be independent and extensible, allowing the effective data that it generates to support any advanced intrusion detection methodology.

22 pages, 1940 KB  
Article
A Comparative Study of Lightweight, Sparse Autoencoder-Based Classifiers for Edge Network Devices: An Efficiency Analysis of Feed-Forward and Deep Neural Networks
by Mi Young Jo and Hyun Jung Kim
Sensors 2025, 25(20), 6439; https://doi.org/10.3390/s25206439 - 17 Oct 2025
Abstract
This study proposes a lightweight classification framework for anomaly traffic detection in edge computing environments. Thirteen packet- and flow-level features extracted from the CIC-IDS2017 dataset were compressed into 4-dimensional latent vectors using a Sparse Autoencoder (SAE). Two classifiers were compared under the same pipeline: a Feed-Forward network (SAE-FF) and a Deep Neural Network (SAE-DNN). To ensure generalization, all experiments were conducted with 5-fold cross-validation. Performance evaluation revealed that SAE-DNN achieved superior classification performance, with an average accuracy of 99.33% and an AUC of 0.9993. The SAE-FF model, although exhibiting lower performance (average accuracy of 93.66% and AUC of 0.9758), maintained stable outcomes and offered significantly lower computational complexity (~40 FLOPs) compared with SAE-DNN (~8960 FLOPs). Device-level analysis confirmed that SAE-FF was the most efficient option for resource-constrained platforms such as Raspberry Pi 4, whereas SAE-DNN achieved real-time inference capability on the Coral Dev Board by leveraging Edge TPU acceleration. To quantify this trade-off between accuracy and efficiency, we introduce the Edge Performance Efficiency Score (EPES), a composite metric that integrates accuracy, latency, memory usage, FLOPs, and CPU performance into a single score. The proposed EPES provides a practical and comprehensive benchmark for balancing accuracy and efficiency and supporting device-specific model selection in practical edge deployments. These findings highlight the importance of system-aware evaluation and demonstrate that EPES can serve as a valuable guideline for efficient anomaly traffic classification in resource-limited environments.
(This article belongs to the Section Sensor Networks)

20 pages, 719 KB  
Article
Quantum-Driven Chaos-Informed Deep Learning Framework for Efficient Feature Selection and Intrusion Detection in IoT Networks
by Padmasri Turaka and Saroj Kumar Panigrahy
Technologies 2025, 13(10), 470; https://doi.org/10.3390/technologies13100470 - 17 Oct 2025
Abstract
The rapid development of the Internet of Things (IoT) poses significant problems in securing heterogeneous, massive, and high-volume network traffic against cyber threats. Traditional intrusion detection systems (IDSs) are often found to be poorly scalable, or are ineffective computationally, because of the presence of redundant or irrelevant features, and they suffer from high false positive rates. Addressing these limitations, this study proposes a hybrid intelligent model that combines quantum computing, chaos theory, and deep learning to achieve efficient feature selection and effective intrusion classification. The proposed system offers four novel modules for feature optimization: chaotic swarm intelligence, quantum diffusion modeling, transformer-guided ranking, and multi-agent reinforcement learning, all of which work with a graph-based classifier enhanced with quantum attention mechanisms. This architecture allows as much as 75% feature reduction, while achieving 4% better classification accuracy and reducing computational overhead by 40% compared to the best-performing models. When evaluated on benchmark datasets (NSL-KDD, CICIDS2017, and UNSW-NB15), it shows superior performance in intrusion detection tasks, thereby marking it as a viable candidate for scalable and real-time IoT security analytics.

18 pages, 1828 KB  
Article
A Hybrid Global-Split WGAN-GP Framework for Addressing Class Imbalance in IDS Datasets
by Jisoo Jang, Taesu Kim, Hyoseng Park and Dongkyoo Shin
Electronics 2025, 14(20), 4068; https://doi.org/10.3390/electronics14204068 - 16 Oct 2025
Abstract
The continuously evolving cyber threat landscape necessitates not only resilient defense mechanisms but also the sustained capacity development of security personnel. However, conventional training pipelines are predominantly dependent on static real-world datasets, which fail to adequately reflect the diversity and dynamics of emerging attack tactics. To address these limitations, this study employs a Wasserstein GAN with Gradient Penalty (WGAN-GP) to synthesize realistic network traffic that preserves both temporal and statistical characteristics. Using the CIC-IDS-2017 dataset, which encompasses diverse attack scenarios including brute-force, Heartbleed, botnet, DoS/DDoS, web, and infiltration attacks, two training methodologies are proposed. The first trains a single conditional WGAN-GP on the entire dataset to capture the global distribution. The second employs multiple generators tailored to individual attack types, while sharing a discriminator pretrained on the complete traffic set, thereby ensuring consistent decision boundaries across classes. The quality of the generated traffic was evaluated using a Train on Synthetic, Test on Real (TSTR) protocol with LSTM and Random Forest classifiers, along with distribution similarity measures in the embedding space. The proposed approach achieved a classification accuracy of 97.88% and a Fréchet Inception Distance (FID) score of 3.05, surpassing baseline methods by more than one percentage point. These results demonstrate that the proposed synthetic traffic generation strategy provides advantages in scalability, diversity, and privacy, thereby enriching cyber range training scenarios and supporting the development of adaptive intrusion detection systems that generalize more effectively to evolving threats.

29 pages, 632 KB  
Article
ML-PSDFA: A Machine Learning Framework for Synthetic Log Pattern Synthesis in Digital Forensics
by Wafa Alorainy
Electronics 2025, 14(19), 3947; https://doi.org/10.3390/electronics14193947 - 6 Oct 2025
Abstract
This study introduces the Machine Learning (ML)-Driven Pattern Synthesis for Digital Forensics in Synthetic Log Analysis (ML-PSDFA) framework to address critical gaps in digital forensics, including the reliance on real-world data, limited pattern diversity, and forensic integration challenges. A key innovation is the introduction of a novel temporal forensics loss LTFL in the Synthetic Attack Pattern Generator (SAPG), which enhances the preservation of temporal sequences in synthetic logs that are crucial for forensic analysis. The framework employs the SAPG with hybrid seed data (UNSW-NB15 and CICIDS2017) to create 500,000 synthetic log entries using Google Colab, achieving a realism score of 0.96, a temporal consistency score of 0.90, and an entropy of 4.0. The methodology employs a three-layer architecture that integrates data generation, pattern analysis, and forensic training, utilizing TimeGAN, XGBoost classification with hyperparameter tuning via Optuna, and reinforcement learning (RL) to optimize the extraction of evidence. Due to enhanced synthetic data quality and advanced modeling, the results exhibit an average classification precision of 98.5% (best fold 98.7%), outperforming previously reported approaches. Feature importance analysis highlights timestamps (0.40) and event types (0.30), while the RL workflow reduces false positives by 17% over 1000 episodes, aligning with RL benchmarks. The temporal forensics loss improves the realism score from 0.92 to 0.96 and introduces a temporal consistency score of 0.90, demonstrating enhanced forensic relevance. This work presents a scalable and accessible training platform for legally constrained environments, as well as a novel RL-based evidence extraction method. Limitations include a lack of real-system validation and resource constraints. Future work will explore dynamic reward tuning and simulated benchmarks to enhance precision and generalizability.
(This article belongs to the Special Issue AI and Cybersecurity: Emerging Trends and Key Challenges)
