Search Results (210)

Search Parameters:
Keywords = NSLKDD

52 pages, 4614 KB  
Article
A Tri-Axis Systematic Literature Review of AI-Powered Cyber Defense: ATT&CK-Aligned Analysis of Cyberattacks, Machine Learning Methods, and Datasets
by Mohammad Chizari, Abu Alam, Qublai Khan Ali Mirza and Hassan Chizari
Electronics 2026, 15(13), 2804; https://doi.org/10.3390/electronics15132804 - 25 Jun 2026
Abstract
The increasing complexity and sophistication of cyberattacks have made machine learning (ML) and artificial intelligence (AI) central to modern cyber defense. However, existing surveys typically examine attacks, ML methods, or datasets separately, limiting understanding of how methodological choices align with adversarial behaviours and benchmark availability. This paper presents a systematic literature review (SLR) of AI- and ML-based cyber defense studies published between 2019 and 2025, framed as an ATT&CK-aligned tri-axis synthesis of cyberattacks, machine learning methods, and datasets. Across 99 primary studies, the review maps 312 attack labels to MITRE ATT&CK tactics and techniques, categorises the ML methods applied, and organizes 96 datasets into a refined taxonomy spanning NIDD, IoT-NIDD, malware, Spam and Phishing, ICS, Insider Threat, custom-collected, and other datasets. Rather than treating attacks, ML methods, and datasets as separate descriptive dimensions, the review analyses them jointly through a tri-axis cross-reference framework, enabling the identification of benchmark dependence, methodological concentration, and underexplored attack–method–dataset intersections that are not visible in single-axis or model-centred surveys. The synthesis shows that the literature is strongly concentrated on externally visible attacks associated with Impact, Initial Access, and Execution, that ensemble and deep learning models dominate high-frequency detection settings, and that dataset usage remains heavily skewed toward a small set of public benchmarks, particularly CSE-CIC-IDS2017, UNSW-NB15, and NSL-KDD. This review further identifies persistent blind spots, including limited coverage of post-compromise ATT&CK behaviours, sparse use of ICS and insider-threat datasets, and weak support for multi-stage or multi-dataset evaluation. These findings provide a more focused and actionable evidence base for future ML-based cyber defense research. Full article

29 pages, 4175 KB  
Article
Cognitive Network Intrusion Detection Systems: Anomaly and Malware Detection for Zero-Day Attack Resilience
by Jimmy Agung Gunawan, Moses Laksono Singgih and Raden Venantius Hari Ginardi
Network 2026, 6(2), 41; https://doi.org/10.3390/network6020041 - 18 Jun 2026
Abstract
Traditional Network Intrusion Detection Systems (NIDSs) face persistent challenges in detecting zero-day attacks due to concept drift, high false-positive rates, and limited adaptability. This research introduces a Cognitive Network Intrusion Detection System (CNIDS) whose central novelty is that effective zero-day handling does not arise from any single mechanism but from the interaction between continual representation learning, persistent vector memory, and human-aligned feedback. By reframing zero-day resilience as a continuous learning process rather than a static detection task, CNIDS emphasizes adaptive operational behavior over raw automated accuracy. The proposed framework integrates Continual Pre-Training (CPT) to align representations with evolving traffic, Supervised Fine-Tuning (SFT) to preserve precision on known attacks, and a Human-in-the-Loop Reinforcement Signal (HRS) that converts low-confidence alerts into structured learning updates. These components are unified through a vector database that functions as long-term episodic memory, enabling similarity-based reasoning and cross-dataset generalization. Ablation results show that disabling any component degrades zero-day adaptation: removing CPT increases drift sensitivity, removing vector memory prevents knowledge retention, and removing human feedback collapses learning to static inference. Using a class-exclusion zero-day protocol on NSL-KDD, UNSW-NB15, and CICIDS2017, CNIDS raises zero-day detection from 0% to 18.2% while maintaining precision above 80% and stabilizing false positives. Full article

53 pages, 3701 KB  
Article
Closed-Set Heterogeneous Domain Adaptation for IoT Intrusion Detection: An Anchor-Based Benchmark Across Single- and Multi-Source Transfer
by Mohammad Chizari, Qublai Khan Ali Mirza, Abu Alam and Hassan Chizari
Sensors 2026, 26(11), 3610; https://doi.org/10.3390/s26113610 - 5 Jun 2026
Abstract
Closed-set heterogeneous domain adaptation (HDA) for Internet of Things (IoT) intrusion detection aims to transfer detection capabilities across environments that differ in devices, telemetry, feature schemas, attack implementations, label taxonomies, and target supervision availability. Although recent HDA methods report strong performance, their deployment meaning is often unclear because improvements over a weak source-only baseline do not show how much target supervision headroom has been recovered or whether adaptation is preferable to direct target-side labelling under the same budget. This paper presents a controlled, anchor-based benchmark for closed-set HDA in IoT intrusion detection. Edge-IIoTset is used as the main fixed target dataset, with transfer from CICIDS2017, UNSW-NB15, CICIDS2017 + UNSW-NB15, and CICIDS2017 + NSL-KDD under single-source and multi-source settings. The benchmark defines fixed resolved contexts, Intersection and Union representation contracts, a five-class closed-set label contract, leakage-safe preprocessing, and an anchor ladder consisting of source-only, correlation alignment (CORAL), matched-budget target-only, and oracle target-only references. Geometric Graph Alignment (GGA) and the Joint Semantic Transfer Network (JSTN) are evaluated as the primary selected native single-source semi-supervised HDA (SS-HDA) and multi-source semi-supervised HDA (MS-HDA) exemplars, while the Prototype-Matching Graph Network (PMGN) and Conditional Weighting Adversarial Network (CWAN) provide 1:10 method coverage checks. Each method–context–ratio configuration is evaluated across twenty fixed seeds, and DA-versus-target-only differences are tested using paired seed-level statistical evidence. A compact second-target confirmatory experiment using ToN-IoT assesses whether the qualitative headroom recovery and same-budget deployment patterns remain visible under a different IoT/IIoT target. 
The results show that primary native HDA can recover substantial source-only-to-oracle headroom, but not uniformly. At the 1:10 labelled target ratio, GGA recovers 0.633–0.835 of the available headroom across C1–C4, while JSTN recovers 0.776–0.897 in the contemporary-source MS-HDA family and 0.872–0.926 in the mixed-vintage family. Same-budget comparisons show that DA is deployment-competitive only in some contexts; in others, direct target-side supervised learning is stronger. The benchmark therefore shows that closed-set HDA should be evaluated as target-conditioned, context-resolved evidence rather than as a pooled method leaderboard. Full article
(This article belongs to the Special Issue Recent Advances in IoT Multi Sensors)

33 pages, 4102 KB  
Article
Real-Time Explanation Intrusion Detection: An XAI-Enriched Hybrid CNN-LSTM Architecture for Operational Cybersecurity
by Ayman Alnsour, Jamal Zarqou and Ahmad Shalaldeh
Mathematics 2026, 14(11), 1977; https://doi.org/10.3390/math14111977 - 3 Jun 2026
Abstract
Deep learning-based intrusion detection systems offer world-class accuracy in threat classification. They are also generally not easily explainable to security analysts, which represents a major hurdle in their use in real-world Security Operations Centers (SOCs) where explainability and trust are critical. This operational challenge is tackled with a systems-engineered approach combining the CNN-LSTM architecture with the computationally optimized SHAP and LIME approaches for enabling real-time, interpretable threat detection. Unlike novel mathematical formulations, we concentrate on practical innovations in systems engineering that we believe are required to generate explanations in real-time: quantization of the numbers to INT8, execution of explanation algorithms in parallel, asynchronously, and caching of similar traffic patterns. CNN-LSTM combines the convolutional function to capture spatial dependencies and the recurrent function to capture temporal dynamics of network traffic, and SHAP and LIME capture global and local feature attributions, respectively. One of the major innovations is the parallel execution which brings the latency of explanation down from 117 ms (sequential SHAP + LIME) to 46 ms (parallel, cache-miss) and 39 ms (average with caching) and 46 ms (without caching), which is sufficient for operational “real-time” requirements. The framework is evaluated on CICIDS2017 and NSL-KDD benchmark datasets, and results show that it can achieve 98.7% accuracy with 98.6% F1-score and sub-50 ms explanation latency. The results here show that explainability and operational efficiency can be attained with the same level of accuracy in the detection of abnormal events, through careful systems engineering. 
This paper presents a systems-engineered framework demonstrating the feasibility of real-time, interpretable IDS for deployment in Security Operations Centers (SOCs) and addresses the challenges of combining high-performance deep learning with operational transparency in cybersecurity. Full article

15 pages, 374 KB  
Article
Supervised Machine Learning-Based Intrusion Detection for 5G Networks: Evaluation on the 5G-NIDD Dataset
by Narjes Lassoued, Imen Filali and Ridha Ejbali
Computers 2026, 15(6), 362; https://doi.org/10.3390/computers15060362 - 3 Jun 2026
Abstract
The evolution of 5G networks has introduced new challenges in securing mobile infrastructures against increasingly sophisticated cyber threats. Intrusion detection in such environments has been widely studied using traditional datasets such as the Canadian Institute for Cybersecurity Intrusion Detection Systems CICIDS2017, the University of New South Wales-Network Behavior UNSW-NB15, and The Network Security Laboratory-Knowledge Discovery in Databases NSL-KDD; however, these benchmarks lack the architectural complexity and protocol diversity inherent to 5G networks. More recent research has adopted the 5G-NIDD dataset (5G Network Intrusion Detection Dataset), which provides realistic traffic generated from a live 5G testbed, including various attack scenarios targeting MEC servers and core network components. Nevertheless, existing works using 5G-NIDD often focus on limited subsets of attacks, rely on unsupervised or federated learning approaches, and lack comprehensive evaluations of supervised learning models. In contrast, this study leverages the entire 5G-NIDD dataset, encompassing all available attack scenarios, and conducts a systematic comparison of multiple supervised learning algorithms. A systematic evaluation of supervised learning algorithms is conducted using key performance metrics such as accuracy, precision, recall and F1-score to identify the most effective model for intrusion detection in 5G environments. Specifically, this study focuses on four supervised learning algorithms, K-Nearest Neighbors (KNNs), Support Vector Machines (SVMs), Logistic Regression (LR), and Naive Bayes (NB), to determine not only which achieves the highest detection accuracy but also which offers the best balance between predictive performance and computational efficiency in realistic 5G environments. 
To assess robustness and adaptability, the proposed models are further validated on two widely used benchmark datasets, namely CICIDS2017 and UNSW-NB15, as part of an extended analysis. This cross-dataset evaluation highlights each algorithm’s strengths and limitations under diverse network traffic conditions and attack scenarios. The results aim to validate the applicability of supervised learning approaches to intrusion detection in next-generation network infrastructures, while also emphasizing the importance of balancing predictive accuracy with computational efficiency for real-world deployment. Full article

24 pages, 1009 KB  
Article
An Improved Method for Anomalous Traffic Detection in SDN Based on Gated Feature Fusion
by Ruize Gu, Xiaoying Wang, Fangfang Cui, Guoqing Yang, Shuai Liu and Panpan Qi
Future Internet 2026, 18(5), 270; https://doi.org/10.3390/fi18050270 - 20 May 2026
Abstract
Existing anomalous traffic detection methods based on feature fusion in Software-Defined Networking (SDN) lack adaptability in weight allocation mechanisms. Consequently, their detection accuracy and model generalization capabilities fail to meet practical security requirements. To solve these limitations, this paper proposes a refined detection method based on hybrid feature selection and gated fusion. First, the framework employs XGBoost combined with the Recursive Feature Elimination (RFE) algorithm. This process identifies shallow statistical features with high discriminative power. Simultaneously, the method utilizes a 1D Convolutional Neural Network (1D-CNN) integrated with a Squeeze-and-Excitation (SE) block to extract deep temporal semantic features. Subsequently, a tailored gated fusion mechanism incorporating linear projection layers for feature alignment adaptively integrates these two categories of features. The fused features are then input into a Multilayer Perceptron (MLP) to execute anomalous traffic detection. Experimental results demonstrate that the proposed method achieves superior performance. Specifically, on the InSDN Dataset, the binary and multi-classification accuracy rates reach 99.91% and 99.88%. Similarly, the accuracy rates on the NSL-KDD dataset are 99.78% and 99.76%. Finally, we established a local simulation environment. Experimental results demonstrate that our method attains an average precision exceeding 93% for anomalous traffic detection in simulated real scenarios. Full article
(This article belongs to the Section Cybersecurity)

19 pages, 7841 KB  
Article
A Network Intrusion Detection System Based on VAE-CWGAN and Feature Selection
by Shiwen Li and Ruifeng Shi
Information 2026, 17(5), 486; https://doi.org/10.3390/info17050486 - 15 May 2026
Abstract
In network intrusion detection, class imbalance, the scarcity of minority-class attack samples, high feature dimensionality, and substantial feature redundancy are prevalent issues that limit the detection capability of intrusion detection models. To address these issues, this paper proposes a network traffic anomaly detection method based on a Variational Autoencoder and a Conditional Wasserstein Generative Adversarial Network (VAE-CWGAN). First, a feature selection strategy that combines ANOVA and mutual information is employed to select informative network traffic features, thereby improving the discriminative capability of the input features. Second, a minority-class sample generation model that integrates VAE and CWGAN is constructed. The VAE is used to learn the latent distribution characteristics of minority-class attack samples, while class-conditional constraints and the Wasserstein distance are introduced to generate high-quality synthetic minority-class samples, thereby alleviating class imbalance in the training dataset. Finally, Random Forest (RF), a representative machine learning classifier, is adopted for the classification experiments. Experimental results on the NSL-KDD dataset demonstrate that the proposed method performs well in minority-class attack detection, achieving Precision, Recall, and F1-score values of 95.89%, 75.18%, and 84.28% for the R2L class and 77.08%, 55.22%, and 64.35% for the U2R class, respectively. Full article
(This article belongs to the Section Information Security and Privacy)

29 pages, 2417 KB  
Article
Edge-Prioritize IDS: Zero-Retraining Class Prioritization for Real-Time Edge Intrusion Detection
by Pruthviraj Pawar and Gregory Epiphaniou
Information 2026, 17(5), 451; https://doi.org/10.3390/info17050451 - 7 May 2026
Abstract
Deploying deep neural networks-based intrusion detection systems on resource-constrained edge devices demands inference strategies that balance latency, energy, and accuracy under shifting threat landscapes. This paper presents Edge-Prioritize IDS, a class-prioritized early-exit framework that accelerates inference for high-risk attack classes without post-deployment retraining. A lightweight K-dimensional control vector encodes per-class runtime priorities and steers samples toward earlier exits via adaptive normalization and cost-sensitive training. Evaluation across five benchmarks NSL-KDD, CIC-IDS2017, UNSW-NB15, WISDM, and CIFAR-10 on an NVIDIA Jetson TX2 shows that Edge-Prioritize IDS preserves baseline accuracy (up to 99.6%) while reducing latency by up to 55% and energy by up to 50% for prioritized classes. Ablation studies isolate each component’s contribution, and a controlled distribution-shift experiment demonstrates the sliding-window heuristic’s ability to recover near-baseline latency within 500 samples under synthetic class-frequency drift. Once trained under the proposed framework, the model requires no additional retraining, firmware updates, or additional memory beyond the priority vector itself when runtime priorities change. Full article
(This article belongs to the Section Information Security and Privacy)

35 pages, 14306 KB  
Article
Enhancing SDN Intrusion Detection via Multi-Hybrid Deep Learning Fusion and Explainable AI
by Usman Ahmed and Muhammad Tariq Sadiq
Mathematics 2026, 14(9), 1498; https://doi.org/10.3390/math14091498 - 29 Apr 2026
Abstract
Software-defined networking (SDN) represents a paradigm shift in network management, but its centralized control plane introduces new and severe security vulnerabilities. Conventional intrusion detection systems, including signature- and rule-based methods, lack adaptability and interpretability in the face of evolving threats. This paper proposes a multi-hybrid deep learning fusion ensemble (MHDLFE) to enhance intrusion detection in SDN environments. The framework integrates Deep Neural Networks (DNNs), Convolutional Neural Networks (CNNs), Recurrent Neural Networks (RNNs), and Long Short-Term Memory (LSTM) models via feature fusion and a meta-classifier, thereby improving both detection performance and robustness. To address the critical need for transparency in security systems, the proposed approach incorporates Explainable AI techniques, specifically Shapley Additive Explanations (SHAP) and Local Interpretable Model-agnostic Explanations (LIME), providing interpretable insights into model decisions. The proposed model achieves strong performance on the NSL-KDD and CIC-IDS2017 datasets, attaining near-perfect binary classification scores of 97.91% and 93.30%, and multiclass accuracies of 98.61% and 97.91%, respectively. These results demonstrate that the proposed framework delivers an effective and trustworthy SDN intrusion detection system by combining deep learning, ensemble fusion, and explainable AI to support accurate, transparent, and reliable cybersecurity decision-making. Full article

14 pages, 1565 KB  
Article
Enhancing Intrusion Detection Systems Using Machine Learning and Advanced Feature Selection Methods
by Ahmed Abu-Khadrah, Shaima AlKhudair, Mohammad R. Hassan, Ali Mohd Ali, Tareq A. Alawneh, Emad Alnawafa and Ahmed A. M. Sharadqh
Electronics 2026, 15(9), 1860; https://doi.org/10.3390/electronics15091860 - 28 Apr 2026
Abstract
Machine learning helps intrusion detection systems learn new assaults quickly. These systems train on a dataset with several threats and may identify odd behavior. This research detects intrusion using Random Forest, KNN, and Gaussian Naive Bayes. We run the model on a comprehensive dataset. Dynamics Feature Selector (DFS) improves performance. This technique eliminates unnecessary inputs and improves predictions using statistical analysis and feature significance. DFS effectiveness is tested using the NSL-KDD dataset. The recommended hybrid approach, Gaussian NB, Random Forest, and KNN are compared in meta-learning. Getting excellent accuracy with fewer characteristics is the aim. In order to demonstrate how the model may function in actual cybersecurity scenarios, the final test makes use of common performance metrics such as accuracy, precision, recall, and F1-score. The proposed method outperforms previously reported results with around 96.09% accuracy, 93.21% precision, 92.53% recall, 92.79% F1-score, and 93.65% average performance. Full article
(This article belongs to the Section Artificial Intelligence)

14 pages, 1608 KB  
Proceeding Paper
Explainable Intrusion Detection System Using Prototypical Network and Recursive Feature Elimination
by Wessam F. Abouzaid, Ebrahim A. Ramadan and Nermeen G. Rezk
Comput. Sci. Math. Forum 2026, 13(1), 12; https://doi.org/10.3390/cmsf2026013012 - 22 Apr 2026
Abstract
This study explores the use of traditional machine learning and deep learning algorithms to develop efficient Intrusion Detection Systems (IDSs). It evaluates data using the NSL-KDD dataset, which contains both normal and attack traffic. The research compares the performance of various classifiers, including Random Forest, Extreme Gradient Boosting, LightGBM, and Prototypical Networks. Recursive Feature Elimination is used for feature selection to enhance decision-making and model performance. The models are assessed using multiple metrics, such as accuracy, precision, recall, F-score, ROC curves, and confusion matrices. In addition, Explainable AI techniques like SHAP and LIME are employed to interpret predictions, making the IDS more transparent and reliable. Results indicate that few-shot learning models, particularly Prototypical Networks, combined with Recursive Feature Elimination techniques, outperform traditional models, achieving up to 98% accuracy. This approach enhances IDS applications in IoT by enabling more accurate threat detection, improving decision-making, and identifying key intrusion parameters. Full article
(This article belongs to the Proceedings of The 1st International Conference on Emerging Tech & Innovation (ICETI))

14 pages, 730 KB  
Proceeding Paper
Lightweight and Transparent Intrusion Detection in the Internet of Medical Things: The Role of Explainable AI
by Rawan Abdulaziz AlRumaih, Tarek Moulahi and Dina M. Ibrahim
Comput. Sci. Math. Forum 2026, 13(1), 5; https://doi.org/10.3390/cmsf2026013005 - 16 Apr 2026
Abstract
The rise of the Internet of Medical Things (IoMT) has transformed healthcare through real-time monitoring and improved outcomes but also introduced critical security and privacy challenges. This paper presents a focused survey of Explainable AI (XAI) approaches for intrusion detection in IoMT, emphasizing methods that are lightweight, transparent, and deployable under resource constraints. We first clarify XAI terminology and taxonomy (global vs. local scope; ante hoc vs. post hoc; model-agnostic vs. model-specific) and then systematize recent works from the past five years across cybersecurity sub-domains relevant to eHealth. Representative pipelines span classical ML (e.g., LR, RF, SVM, and XGBoost) and deep models (e.g., DNNs and SRU/LSTM), with post hoc explainers, especially SHAP and LIME, dominating practice on benchmark datasets such as CICIDS2017, NSL-KDD, ToN-IoT, WUSTL-EHMS, and CICIoMT2024. Our comparative analysis highlights consistent gains from model ensembling and interpretable feature selection while uncovering key gaps: limited real-world validation, inconsistent explainability metrics, adversarial brittleness, and the computing cost of explanations at the edge. Full article
(This article belongs to the Proceedings of The 1st International Conference on Emerging Tech & Innovation (ICETI))

27 pages, 4209 KB  
Article
ViTWGAN: An Improved WGAN and Vision Transformer-Based Model for Intrusion Detection
by Xu Lin, Yanhui Liu, Cuihua Wu, Xiaodan Liang and Menghao Fang
Electronics 2026, 15(8), 1617; https://doi.org/10.3390/electronics15081617 - 13 Apr 2026
Abstract
This study proposes ViTWGAN, a novel and effective intrusion detection model designed to enhance data privacy protection by detecting malicious traffic within network flows. By improving the discriminator’s loss function, our approach reduces blind spots in the discriminator by explicitly reinforcing the learning of hard negative samples, thereby mitigating the forgetting of negative samples in the generative adversarial network. A Vision Transformer is employed as the backbone architecture for both the generator and the discriminator, while the Wasserstein distance is introduced to prevent mode collapse, enabling the generator to produce diverse normal traffic and consequently improving the discriminator’s detection capability. Extensive experiments on the NSL-KDD and CIC-DDoS2019 datasets demonstrate the superior performance of the proposed model, achieving accuracy rates of 96.45% and 99.37%, respectively. These results highlight the effectiveness of ViTWGAN as a high-performance solution for general intrusion detection systems. Full article
(This article belongs to the Special Issue Recent Advances in Cybersecurity)

21 pages, 1059 KB  
Article
Lightweight MLP-Based Feature Extraction with Linear Classifier for Intrusion Detection System in Internet of Things
by Jisi Chandroth and Jehad Ali
Electronics 2026, 15(8), 1604; https://doi.org/10.3390/electronics15081604 - 12 Apr 2026
Abstract
The Internet of Things (IoT) comprises diverse devices connected through heterogeneous communication protocols to deliver a wide range of services. However, the complexity and scale of IoT networks make them difficult to secure. Network intrusion detection systems (NIDSs) have therefore become essential for identifying malicious activities and protecting IoT environments across many applications. Although recent deep learning (DL)-based IDS approaches achieve strong detection performance, they often require substantial computation and storage, which limits their practicality on resource-constrained IoT devices. To balance detection accuracy with computational efficiency, we propose a lightweight deep learning model for IoT intrusion detection. Specifically, our method learns compact, intrusion-relevant representations from traffic features using a two-layer multi-layer perceptron (MLP) embedding backbone, followed by a linear SoftMax classification head for multi-class attack detection. We evaluate the proposed approach on three benchmark datasets, CICIDS2017, NSL-KDD, and CICIoT2023, and the results show strong performance, achieving 99.85%, 99.21%, and 98.45% accuracy, respectively, while significantly reducing model size and computational overhead. The experimental results demonstrate that the proposed method achieves excellent classification performance while maintaining a lightweight design, with fewer parameters and lower FLOPs than existing approaches. Full article

41 pages, 1130 KB  
Article
A Weighted Average-Based Heterogeneous Datasets Integration Framework for Intrusion Detection Using a Hybrid Transformer–MLP Model
by Hesham Kamal and Maggie Mashaly
Technologies 2026, 14(3), 180; https://doi.org/10.3390/technologies14030180 - 16 Mar 2026
Viewed by 1008
Abstract
In today’s digital era, cyberattacks pose a critical threat to networks of all scales, from local systems to global infrastructures. Intrusion detection systems (IDSs) are essential for identifying and mitigating such threats. However, existing machine learning-based IDS often suffer from low detection accuracy, heavy reliance on manual feature extraction, and limited coverage of attack categories. To address these limitations, we propose a modular, deployment-ready intrusion detection framework that integrates multiple heterogeneous datasets through a hybrid transformer–multilayer perceptron (Transformer–MLP) architecture. The system employs three parallel Transformer–MLP models, each specialized for a distinct dataset, whose probabilistic outputs are fused using a weighted decision-level strategy. Unlike traditional feature-level fusion, this strategy ensures module independence, eliminates the need for global retraining when adding new components, and provides seamless modular scalability. The framework accurately identifies twenty-one traffic categories, including one benign and twenty attack classes, derived from a unified mapping across multiple heterogeneous sources to ensure a consistent cross-dataset taxonomy. By combining advanced contextual representation learning with ensemble-based probabilistic fusion, the framework demonstrates high detection accuracy and practical applicability in real-world network environments. The Transformer module captures complex contextual dependencies, while the MLP performs final classification. Class imbalance is mitigated via adaptive synthetic sampling (ADASYN), synthetic minority over-sampling technique (SMOTE), edited nearest neighbor (ENN), and class weight adjustments.
Empirical evaluation demonstrates the framework’s high effectiveness: for binary classification, it achieves 99.98% on CICIDS2017, 99.19% on NSL-KDD, and 99.98% on NF-BoT-IoT-v2; for two-stage multi-class classification, 99.56%, 99.55%, and 97.75%; and for one-phase multi-class classification, 99.73%, 99.07%, and 98.23%, respectively. Moreover, the framework enables real-time deployment with 4.8–6.9 ms latency, 9800–14,200 fps throughput, and 412–458 MB memory. These results outperform existing multi-dataset IDS approaches, highlighting the architectural effectiveness, robustness, and practical applicability of the proposed framework.