Search Results (6)

Search Parameters:
Keywords = NF-UNSW-NB15 dataset

28 pages, 2920 KB  
Article
NIDS-Mamba: Lightweight Network Intrusion Detection for IoT Sensor Networks via State Space Models
by Zixiang Ding, Jiahao Zheng and Xianyun Wu
Sensors 2026, 26(9), 2766; https://doi.org/10.3390/s26092766 - 29 Apr 2026
Viewed by 754
Abstract
The ubiquity of resource-constrained Internet-of-Things (IoT) nodes creates an urgent demand for network intrusion detection systems (NIDSs) optimized for edge devices with limited computing power. In this paper, we propose a new NIDS system based on Mamba. NIDS-Mamba uses a dynamic sparse attention and a lightweight state space to jointly learn from short-term anomaly and long-term attack patterns. We use standardized NF-UNSW-NB15 and NF-CSE-CIC-IDS2018 datasets to verify the effectiveness of this NIDS-Mamba model. We find that this NIDS-Mamba model is very effective in dealing with extreme class imbalance problems. In the NF-CSE-CIC-IDS2018 dataset, the model achieves 98.32% accuracy, 96.98% F1-score, and an AUC of 0.9996. Most notably, the model is very robust in handling extreme class imbalance problems in the NF-UNSW-NB15 dataset. It achieves 97.03% G-Mean, 0.7915 MCC, and 0.9983 AUC, far exceeding other baseline models. Compared to Transformer-based baselines, NIDS-Mamba achieves nearly an order-of-magnitude improvement in throughput while maintaining a parameter footprint compatible with edge deployment constraints. The proposed architecture effectively mitigates the quadratic complexity and memory wall inherent in standard Transformers, ensuring compatibility with limited RAM and strict energy constraints. The proposed model achieves a compact design with 1.12 million parameters and a peak inference memory of 5.4 MB, ensuring its feasibility for edge-based IoT nodes. These properties make NIDS-Mamba a strong candidate for deployment on IoT gateways and edge sensor nodes in smart home, industrial IoT, and critical infrastructure scenarios. Full article
(This article belongs to the Section Intelligent Sensors)

37 pages, 1717 KB  
Article
DFedForest++: A Novel Privacy-Enhanced Framework for Integrating Cyber Threat Intelligence in IDS Using Federated Learning
by Md. Moradul Siddique, Syed Md. Galib, Md. Nasim Adnan and Mohammad Nowsin Amin Sheikh
Future Internet 2026, 18(3), 173; https://doi.org/10.3390/fi18030173 - 23 Mar 2026
Cited by 1 | Viewed by 862
Abstract
The sophistication of cyber attacks and privacy issues related to data sharing is improving and requires a decentralized approach. Conventional centralized approaches to IDS pose a threat to the privacy of data and data sovereignty. Contrarily, federated learning enables several clients to learn simultaneously without sharing their sensitive information, which is one of the most promising solutions to studying cyber threats in real time. This framework also adds value to IDS by using CTI, which is incorporated into the training process to make it more accurate in its detection while still maintaining privacy. Each client uses the local model, which is a random forest model that is trained on local datasets without sharing the raw data. Multiple aggregation methods, such as FedAvg, FedOPT, FedProx, and FedXGBoost, are then used to combine the local models into a global model. These techniques are judged with regard to accuracy and Cohen’s Kappa Score. The performance of various models in the NF-UNSW-NB15-v2 dataset experiments was tested. The local model took a value of 0.9941–0.9934 with Kappa scores of 0.8336–0.8088, showing strong performance in different configurations. The FedXGBoost aggregated global model was best in terms of its highest accuracy of 99.22 (Kappa score of 0.8417). More experiments were done on the DFedForest and DFedForest++ models. DFedForest++, incorporating diversity in local models alongside validation accuracy, achieved 99.76% accuracy, surpassing DFedForest (with 71% accuracy in local models). This framework operationalizes CTI through feature augmentation—appending three CTI-derived features (is_known_malicious_ip, is_suspicious_port, and ttp_match_score from MITRE ATT&CK v14 and AlienVault OTX) to each NetFlow record locally at each client before federated training begins. 
These results highlight the advantages of federated learning in providing collaborative, privacy-preserving solutions for cyber threat detection and emphasize the potential of CTI integration for improving the accuracy and robustness of IDS models across decentralized environments. Full article
(This article belongs to the Section Cybersecurity)

26 pages, 4037 KB  
Article
TE-G-SAGE: Explainable Edge-Aware Graph Neural Networks for Network Intrusion Detection
by Riko Luša, Damir Pintar and Mihaela Vranić
Modelling 2025, 6(4), 165; https://doi.org/10.3390/modelling6040165 - 12 Dec 2025
Cited by 6 | Viewed by 2298
Abstract
Graph learning is well suited to modeling relationships among communicating entities in network intrusion detection. However, the resulting models are frequently difficult to interpret, in contrast to many classical approaches that offer more transparent reasoning. This work integrates SHapley Additive exPlanations with temporal, edge-aware GNN based on GraphSAGE architecture to deliver an explainable, inductive intrusion detection model for NetFlow data named TE-G-SAGE. Using the NF-UNSW-NB15-v3 dataset, flow data are transformed into temporal communication graphs where flows are directed edges and endpoints are nodes. The model learns relational patterns across two-hop neighborhoods and achieves strong recall under chronological evaluation, outperforming a GCN baseline and recovering more attacks than a tuned XGBoost model. SHAP is adapted to graph inputs through a feature attribution on the two-hop computational subgraph, producing global and local explanations that align with analyst reasoning. The resulting attributions identify key discriminative features while revealing shared indicators that explain cross-class confusion. The research shows that temporal validation, inductive graph modeling, and Shapley-based attribution can be combined into a transparent, reproducible intrusion detection framework suited for operational use. Full article
(This article belongs to the Special Issue Machine Learning and Artificial Intelligence in Modelling)

20 pages, 1910 KB  
Article
MFedBN: Tackling Data Heterogeneity with Gradient-Based Aggregation and Advanced Distribution Skew Modeling
by Kinda Mreish, Evgenia Novikova, Mikhail Chaplygin, Ivan Kholod and Tarek Alnajar
Sensors 2025, 25(23), 7314; https://doi.org/10.3390/s25237314 - 1 Dec 2025
Viewed by 815
Abstract
Federated Learning (FL) enables collaborative model training on smart edge devices while preserving data privacy, but it suffers from decreased performance when faced with non-Independent and Identically Distributed (non-IID) data. This paper addresses the problem of the evaluation of aggregation strategies in non-IID FL environments, and it proposes an approach to generation of the skewed datasets with different types of non-IIDness from one dataset: with Feature Distribution Skew; with Label Distribution Skew; with Same Label, Different Features skew; and with Same Features, Different Label skew. The authors also introduce a Modified Federated via Local Batch Normalization (MFedBN), which improves model convergence and robustness across various non-IID data skews by implementing a server-side gradient-style update with several Learning Rate values tested within the aggregated function. Experimental evaluation of the MFedBN strategy was conducted on two heterogeneous datasets, namely, the Commercial Vehicles Sensor dataset designed for monitoring vehicle behavior and the NF-UNSW-NB15 dataset for cybersecurity threat detection. In the majority of cases, the MFedBN algorithm outperformed the baseline FedBN, with test accuracies of up to 85% on the Commercial Vehicles Sensor dataset and 99.98% on the NF-UNSW-NB15 dataset. The model trained with MFedBN showed convergence stability and improved generalization in highly heterogeneous federated environments. The proposed algorithm and data generation methods establish a viable platform for privacy-preserving applications in IoT-based monitoring and network intrusion detection, advancing the validity of Federated Learning in real-world, non-IID conditions. Full article

18 pages, 1553 KB  
Article
GAN-AHR: A GAN-Based Adaptive Hybrid Resampling Algorithm for Imbalanced Intrusion Detection
by Monirah Al-Ajlan and Mourad Ykhlef
Electronics 2025, 14(17), 3476; https://doi.org/10.3390/electronics14173476 - 29 Aug 2025
Cited by 2 | Viewed by 2081
Abstract
With the recent proliferation of the Internet and the ever-evolving threat landscape, developing a reliable and effective intrusion detection system (IDS) has become an urgent need. However, one of the key challenges hindering the success of IDS development is class imbalance, which often leads to biased models and poor detection rates. To address this challenge, this paper proposes a GAN-AHR algorithm which adaptively balances the dataset by augmenting minority classes using CGAN or BSMOTE, based on class-specific characteristics such as compactness and density. By leveraging BSMOTE to oversample classes with high compactness and high density, we can exploit its simplicity and effectiveness. However, the quality of BSMOTE-generated data is significantly lower when the classes are sparse and lacking clear boundaries. In such cases, CGAN is better suited in this scenario given its ability to capture complex data distributions. We present empirical results on the NF-UNSW-NB15 dataset using a Random Forest (RF) classifier, reporting a significant improvement in the precision, recall, and F1-score of several minority classes. Specifically, a remarkable increase in the F1-score for the Shellcode and DoS classes was reported, reaching 0.90 and 0.51, respectively. Full article
(This article belongs to the Special Issue New Trends in Cryptography, Authentication and Information Security)

74 pages, 2233 KB  
Article
Advanced Hybrid Transformer-CNN Deep Learning Model for Effective Intrusion Detection Systems with Class Imbalance Mitigation Using Resampling Techniques
by Hesham Kamal and Maggie Mashaly
Future Internet 2024, 16(12), 481; https://doi.org/10.3390/fi16120481 - 23 Dec 2024
Cited by 42 | Viewed by 8284
Abstract
Network and cloud environments must be fortified against a dynamic array of threats, and intrusion detection systems (IDSs) are critical tools for identifying and thwarting hostile activities. IDSs, classified as anomaly-based or signature-based, have increasingly incorporated deep learning models into their framework. Recently, significant advancements have been made in anomaly-based IDSs, particularly those using machine learning, where attack detection accuracy has been notably high. Our proposed method demonstrates that deep learning models can achieve unprecedented success in identifying both known and unknown threats within cloud environments. However, existing benchmark datasets for intrusion detection typically contain more normal traffic samples than attack samples to reflect real-world network traffic. This imbalance in the training data makes it more challenging for IDSs to accurately detect specific types of attacks. Thus, our challenges arise from two key factors, unbalanced training data and the emergence of new, unidentified threats. To address these issues, we present a hybrid transformer-convolutional neural network (Transformer-CNN) deep learning model, which leverages data resampling techniques such as adaptive synthetic (ADASYN), synthetic minority oversampling technique (SMOTE), edited nearest neighbors (ENN), and class weights to overcome class imbalance. The transformer component of our model is employed for contextual feature extraction, enabling the system to analyze relationships and patterns in the data effectively. In contrast, the CNN is responsible for final classification, processing the extracted features to accurately identify specific attack types. The Transformer-CNN model focuses on three primary objectives to enhance detection accuracy and performance: (1) reducing false positives and false negatives, (2) enabling real-time intrusion detection in high-speed networks, and (3) detecting zero-day attacks. 
We evaluate our proposed model, Transformer-CNN, using the NF-UNSW-NB15-v2 and CICIDS2017 benchmark datasets, and assess its performance with metrics such as accuracy, precision, recall, and F1-score. The results demonstrate that our method achieves an impressive 99.71% accuracy in binary classification and 99.02% in multi-class classification on the NF-UNSW-NB15-v2 dataset, while for the CICIDS2017 dataset, it reaches 99.93% in binary classification and 99.13% in multi-class classification, significantly outperforming existing models. This proves the enhanced capability of our IDS in defending cloud environments against intrusions, including zero-day attacks. Full article
(This article belongs to the Section Cybersecurity)