AI-Driven Threat Detection and Response: Toward Autonomous Cyber Defense Systems

Susan Konyeha, Cyprian C. Konyeha, Evans Mintah, Osahon Ukpebor, and 2 more

This is a preprint; it has not been peer reviewed by a journal.
https://doi.org/10.21203/rs.3.rs-7935562/v1
This work is licensed under a CC BY 4.0 License.
Status: Under Review. Version 1 posted 20 (you are reading this latest preprint version).

Abstract

The increasing sophistication of cyber threats in modern digital infrastructures necessitates intelligent, autonomous defense mechanisms capable of responding faster and more accurately than humans. This study introduces an AI-Driven Threat Detection and Response (AI-TDR) framework that integrates deep learning and reinforcement learning to autonomously detect, analyze, and mitigate cyberattacks in real time.
Using the UNSW-NB15 dataset, which contains realistic traffic and nine attack types, three architectures, Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and Transformer, were developed and tested. The CNN and LSTM achieved 100% accuracy, while the Transformer reached 96.8% accuracy with an AUC of 0.996, demonstrating robustness and generalization. The AI-TDR operates through a Perception–Cognition–Decision–Action cycle, enabling adaptive learning and autonomous mitigation through continuous feedback. By combining spatial, temporal, and contextual intelligence, the system advances toward self-learning, multi-agent cyber defense. Beyond detection, it envisions automated responses such as node isolation and firewall reconfiguration. Future work includes integrating Explainable AI for transparency, adversarial training for resilience, and federated learning for decentralized protection. Overall, this research contributes to the advancement of adaptive and intelligent cybersecurity, supporting global efforts to achieve continuous and collaborative defense in an evolving threat landscape.

Subjects: Physical sciences/Engineering; Physical sciences/Mathematics and computing
Keywords: artificial intelligence; cybersecurity; threat detection and response; deep learning; reinforcement learning; autonomous cyber defense

1. Introduction

The accelerating digitization of global infrastructures encompassing finance, healthcare, government, and industrial systems has exponentially increased the attack surface available to cyber adversaries. Contemporary networks generate immense volumes of heterogeneous data through interconnected devices, cloud platforms, and edge computing environments.
This expanding cyber-physical ecosystem, while enabling unprecedented computational agility and scalability, also introduces multifaceted vulnerabilities that exceed the capacity of human operators and traditional security systems to monitor and secure effectively [1]. Conventional intrusion detection systems (IDS), firewalls, and security information and event management (SIEM) tools rely heavily on static rule sets, predefined signatures, or human-defined heuristics. Such deterministic mechanisms are ill-equipped to recognize zero-day attacks, polymorphic malware, or adaptive adversarial behaviors that evolve faster than human response cycles or manual rule updates [2].

Cybersecurity has thus transitioned from a reactive discipline to one that demands autonomous, predictive, and adaptive intelligence. Artificial Intelligence (AI), with its capacity for pattern recognition, feature learning, and decision automation, offers a transformative paradigm for addressing this complexity. AI-driven threat detection and response (AI-TDR) leverages machine learning (ML), deep learning (DL) [3], and reinforcement learning (RL) to identify, assess, and mitigate threats in real time, often at a scale and precision unattainable through human oversight alone [4], [5]. Unlike traditional systems that depend on explicit signatures, AI models learn latent representations from historical and streaming data, enabling the discovery of subtle correlations and contextual dependencies indicative of malicious intent [6]. This shift from rule-based reasoning to data-driven inference forms the core of modern cyber defense intelligence.

At the technical level, AI enables continuous and autonomous situational awareness by ingesting and analyzing massive, dynamic datasets, including network flows, endpoint telemetry, user behaviors, and system logs.
Through this continuous monitoring, AI systems can detect deviations from normal behavioral baselines [7], even when such anomalies correspond to a previously unseen threat. For instance, deep neural networks can identify the faint statistical irregularities of stealthy lateral movement, while reinforcement learning agents can dynamically adapt firewall rules or isolate compromised nodes to contain breaches autonomously [8]. The integration of such self-adaptive control loops marks a significant step toward achieving autonomous cyber defense, where AI systems not only detect but also respond to attacks with minimal or no human intervention.

However, this convergence of AI and cybersecurity also introduces a new class of challenges that extend beyond technical implementation [9], [10]. The use of AI in defensive systems gives rise to adversarial AI, wherein threat actors exploit the vulnerabilities of learning models themselves. By crafting carefully perturbed inputs or manipulating training data, attackers can deceive or degrade AI classifiers, rendering them unreliable or even weaponized against their own networks. This emerging phenomenon exposes a fundamental paradox: the same AI techniques that enhance defensive intelligence can also be subverted to amplify offensive capabilities [11]. Consequently, research into robust model architectures, adversarial training, and explainable AI (XAI) has become integral to ensuring trust and reliability in AI-driven defense systems.

From a systems perspective, another critical limitation lies in the fragmentation and centralization of current security infrastructures. Most enterprise environments deploy isolated AI models tailored for specific contexts such as endpoint protection, email filtering, or network anomaly detection without systemic coordination [12]. The next frontier in AI-driven cybersecurity envisions decentralized, collaborative, and multi-agent defense frameworks.
In such systems, multiple AI agents operating across endpoints, networks, and cloud nodes cooperate to share intelligence, cross-validate alerts, and orchestrate responses. This distributed intelligence not only enhances resilience but also ensures that local observations contribute to global situational awareness in near real time. Research in multi-agent reinforcement learning (MARL) and federated learning (FL) is particularly promising in this regard, enabling collaboration across organizational and geographical boundaries while preserving data privacy and confidentiality.

Moreover, the dynamic and non-stationary nature of cyber threat landscapes demands continuous learning mechanisms capable of evolving alongside emerging attack tactics. Traditional AI models, once deployed, often suffer from model drift, where learned representations become outdated as attackers modify their strategies. To sustain long-term defensive efficacy, AI-driven systems must incorporate lifelong learning, online adaptation, and concept drift detection capabilities. These capabilities are essential to ensure that defense systems remain contextually relevant, resilient, and responsive over time [13].

AI-driven threat detection and response represents a paradigm shift from human-assisted security monitoring toward autonomous, self-optimizing cyber defense ecosystems. By fusing data-driven intelligence, automation, and adaptive control, AI enables near real-time identification, interpretation, and remediation of complex cyber threats. Yet, realizing this vision necessitates overcoming persistent challenges ranging from adversarial robustness and explainability to cross-domain intelligence integration and continuous adaptation [14].
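The concept drift detection the paragraph above calls for can be made concrete with a sequential change detector. The following is an added illustration, not code from the paper: a Page-Hinkley monitor watching one scalar statistic of the traffic a deployed model scores (for instance mean bytes per flow) and flagging the point at which the distribution shifts away from what the model was trained on. The stream, the ripple pattern and the threshold values are constructed assumptions for the example.

```python
"""Page-Hinkley concept-drift detector over a scalar feature stream.

Added illustration, not code from the paper: a minimal drift monitor
that watches one summary statistic of the traffic a deployed model
scores and raises an alarm when the level shifts. The stream below is
constructed, not real traffic.
"""


def page_hinkley(stream, delta=0.005, threshold=5.0):
    """Return the 0-based index at which drift is flagged, or None.

    delta: tolerance that makes the cumulative deviation drift downward
    while the stream is stationary; threshold: alarm level for the gap
    between the cumulative deviation and its running minimum.
    """
    running_mean = 0.0
    cumulative = 0.0
    minimum = 0.0
    for t, x in enumerate(stream, start=1):
        running_mean += (x - running_mean) / t  # incremental mean of x_1..x_t
        cumulative += x - running_mean - delta
        minimum = min(minimum, cumulative)
        if cumulative - minimum > threshold:
            return t - 1
    return None


def constructed_streams(n_stable=200, n_shifted=100):
    """Build a stationary stream and one whose level triples at n_stable.

    A small periodic ripple is added so the stationary part is not a
    flat line; both streams are constructed for this example.
    """
    ripple = (-0.1, -0.05, 0.0, 0.05, 0.1)
    stable = [1.0 + ripple[i % 5] for i in range(n_stable)]
    shifted = stable + [3.0 + ripple[i % 5] for i in range(n_shifted)]
    return stable, shifted


def drift_report(stream, **kwargs):
    """Summarise the monitor's verdict in the form a pipeline would log."""
    idx = page_hinkley(stream, **kwargs)
    if idx is None:
        return {"drift": False, "index": None, "action": "keep serving current model"}
    return {"drift": True, "index": idx,
            "action": "treat scores after index as untrusted; schedule retraining"}


if __name__ == "__main__":
    stable, shifted = constructed_streams()
    print(drift_report(stable))
    print(drift_report(shifted))
```

The detector raises no alarm on the stationary stream and flags the shifted one within a few samples of the change point (index 200). In a monitoring pipeline the alarm is the trigger for the retraining or online-adaptation step the paragraph describes; the model's own accuracy cannot serve that purpose, since ground-truth labels arrive late or not at all.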
As research advances toward tightly coupled, multi-agent, and privacy-preserving defense architectures, AI stands poised not merely as a tool for detection but as the central orchestrator of intelligent, autonomous cybersecurity in the era of ubiquitous digital interconnectivity.

The development of AI-driven threat detection and response systems is grounded in a rich interplay of theories drawn from computer science, cognitive science [15], control theory, and systems engineering. At its core, this field operates at the intersection of computational intelligence and adaptive security theory, where machine learning algorithms emulate cognitive reasoning processes to perceive, interpret, and respond to cyber threats in complex, dynamic environments. These systems are shaped by multiple theoretical perspectives, namely, computational intelligence and adaptive learning theory, cognitive and decision-theoretic frameworks, complex adaptive systems theory, and adversarial and game-theoretic cybersecurity models [16]. Collectively, these perspectives establish a holistic foundation for understanding how artificial agents autonomously perform threat detection, situational assessment, and mitigation in real time.

Computational intelligence provides the foundational layer for AI-based cybersecurity by offering mathematical and algorithmic mechanisms for perception, reasoning, and adaptation under uncertainty. Rooted in machine learning and statistical pattern recognition, this approach enables systems to infer latent patterns from high-dimensional data streams and to differentiate between normal and anomalous behaviors [17]. The theoretical basis stems from learning theory, Bayesian inference, and information theory, which define how intelligent agents incrementally update their knowledge and reduce uncertainty through evidence accumulation.
Within this framework, deep learning emerges as a hierarchical form of feature learning, in which successive network layers extract progressively abstract representations of input data [18]. Such architectures, especially convolutional neural networks (CNNs) and transformers, have demonstrated the capacity to model polymorphic attacks and identify complex threat signatures embedded in raw packet sequences, system logs, or binary executables.

Reinforcement learning (RL) [19], built on the mathematical structure of Markov Decision Processes (MDPs), further extends this intelligence by enabling adaptive control and autonomous response. Here, AI agents interact with their environment, evaluate the consequences of their actions (such as isolating compromised nodes or rerouting traffic), and optimize long-term cumulative rewards [20], thereby converging toward self-learning defense policies capable of continuous adaptation.

Beyond computational mechanisms, the theoretical foundation of AI-driven defense draws heavily from cognitive and decision-theoretic models of intelligence. Cognitive theories posit that intelligent systems perceive their environment, construct internal representations, and make goal-oriented decisions under uncertainty, a process analogous to Endsley's model of situational awareness, which includes perception, comprehension, and projection [21]. AI-driven security systems follow a similar logic: they collect data, interpret threats, and anticipate adversarial actions. Within a decision-theoretic context, these systems adhere to the notion of bounded rationality, wherein decision-making is optimized under constraints of time and computational capacity. Cybersecurity, with its fast-evolving threats [22], exemplifies such bounded contexts, where rapid, approximate reasoning is more practical than exhaustive analysis.
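The MDP formulation of the defender described above (states, response actions such as isolating a node, discounted cumulative reward, a policy learned by interaction) is easiest to inspect on a deliberately tiny model. The block below is an added example, not code from the paper or the AI-TDR framework: a tabular Q-learning defender on a constructed host-state environment. The four states, three actions, every transition probability and every reward value are assumptions made for the example, chosen so that needless isolation of a healthy host is penalised, an uncontained compromise is expensive, and a firewall change carries a small operational cost.

```python
"""Tabular Q-learning defender on a constructed host-state MDP.

Added illustration, not code from the paper. The environment model,
its probabilities and its rewards are constructed assumptions; the
point is to show the Decision -> Action -> feedback loop in the text
on a model small enough that the learned policy can be read off.
"""
import random

STATES = ("clean", "suspicious", "compromised", "contained")
ACTIONS = ("monitor", "tighten_firewall", "isolate_host")

# Constructed environment: (state, action) -> [(probability, next_state, reward)].
# "contained" is terminal. Negative rewards encode intrusion damage, service
# disruption from isolation, and the operational cost of a new firewall rule.
TRANSITIONS = {
    ("clean", "monitor"): [(0.9, "clean", 0.0), (0.1, "suspicious", 0.0)],
    ("clean", "tighten_firewall"): [(1.0, "clean", -1.0)],
    ("clean", "isolate_host"): [(1.0, "contained", -5.0)],  # needless outage
    ("suspicious", "monitor"): [(0.6, "compromised", -5.0), (0.4, "clean", 0.0)],
    ("suspicious", "tighten_firewall"): [(0.8, "clean", -1.0), (0.2, "compromised", -1.0)],
    ("suspicious", "isolate_host"): [(1.0, "contained", -4.0)],
    ("compromised", "monitor"): [(1.0, "compromised", -10.0)],
    ("compromised", "tighten_firewall"): [(1.0, "compromised", -8.0)],  # attacker already inside
    ("compromised", "isolate_host"): [(1.0, "contained", -3.0)],
}


def step(rng, state, action):
    """Sample (next_state, reward) from the constructed transition model."""
    roll = rng.random()
    acc = 0.0
    for prob, nxt, reward in TRANSITIONS[(state, action)]:
        acc += prob
        if roll < acc:
            return nxt, reward
    return TRANSITIONS[(state, action)][-1][1:]  # guard against float rounding


def q_learning(episodes=4000, gamma=0.9, seed=7, max_steps=20):
    """Learn Q(s, a) with epsilon-greedy exploration; return the Q table."""
    rng = random.Random(seed)
    q = {(s, a): 0.0 for s in STATES for a in ACTIONS}
    visits = {(s, a): 0 for s in STATES for a in ACTIONS}
    for ep in range(episodes):
        epsilon = max(0.05, 1.0 - ep / episodes)  # decaying exploration rate
        state = rng.choice(STATES[:3])  # start in a random non-terminal state
        for _ in range(max_steps):
            if rng.random() < epsilon:
                action = rng.choice(ACTIONS)
            else:
                action = max(ACTIONS, key=lambda a: q[(state, a)])
            nxt, reward = step(rng, state, action)
            visits[(state, action)] += 1
            alpha = 1.0 / (1.0 + 0.05 * visits[(state, action)])  # decaying step size
            target = reward
            if nxt != "contained":
                target += gamma * max(q[(nxt, a)] for a in ACTIONS)
            q[(state, action)] += alpha * (target - q[(state, action)])
            state = nxt
            if state == "contained":
                break
    return q


def greedy_policy(q):
    """Map each non-terminal state to the action with the highest Q-value."""
    return {s: max(ACTIONS, key=lambda a: q[(s, a)]) for s in STATES[:3]}


if __name__ == "__main__":
    for state, action in greedy_policy(q_learning()).items():
        print(f"{state:>11} -> {action}")
```

Under these constructed rewards the agent converges to monitor while a host is clean, push a firewall rule while it is merely suspicious, and isolate once it is compromised, which is the graded response the paper envisions. Changing the reward for a needless isolation is the knob that moves the policy toward or away from aggressive containment, and is the quantity a defender must set deliberately rather than leave implicit.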
Reinforcement learning formalizes this bounded rationality by allowing agents to learn near-optimal defense strategies iteratively. Cognitive architectures such as SOAR and ACT-R further inform the design of AI systems by modeling perception, reasoning, and memory as interconnected components. Translating this to cybersecurity suggests the creation of systems that maintain episodic memory (historical attack data), semantic understanding (relations among threat types), and procedural knowledge (learned defense strategies), thereby creating a foundation for autonomous situational intelligence.

Complex Adaptive Systems (CAS) theory provides a foundational perspective for understanding AI-driven cybersecurity as a dynamic, evolving ecosystem composed of autonomous and interconnected agents such as devices, users, and applications that continuously adapt to changing threats. Within this framework, resilience emerges not from centralized control but from the self-organization and cooperative adaptation of distributed entities. These agents interact across network, edge, and cloud layers [23], independently processing local information while contributing to collective learning and coordinated defense. Nonlinear feedback loops and emergent behaviors enable the system to evolve and maintain stability under diverse attack conditions. This mirrors the principles of Multi-Agent Reinforcement Learning (MARL), where collaborative agents learn optimal defense strategies through shared experience, resembling biological immune systems that self-organize to counter evolving threats.

Complementing CAS is the adversarial and game-theoretic perspective, which conceptualizes cybersecurity as an ongoing strategic contest between attackers and defenders. Here, both parties adapt their strategies to maximize their respective advantages, forming a co-evolutionary relationship.
The Stackelberg game model captures this asymmetry, positioning defenders as leaders who anticipate and optimize against attacker responses. Similarly, Adversarial Machine Learning (AML) frames this interaction as a minimax optimization process: attackers generate adversarial inputs to deceive models, while defenders employ adversarial training and ensemble learning to enhance robustness [24].

Integrating these theories, the proposed AI-Driven Threat Detection and Response (AI-TDR) framework operates as a closed-loop intelligence system encompassing perception, cognition, decision, and action. It embodies autonomous resilience, where intelligent agents continuously learn, adapt, and collaborate to predict, prevent, and mitigate evolving cyber threats with minimal human oversight.

In light of these developments, this research proposes an AI-Driven Threat Detection and Response (AI-TDR) framework designed to advance the field toward autonomous, adaptive, and self-learning cyber defense systems. By integrating deep learning and reinforcement learning techniques within a unified Perception–Cognition–Decision–Action architecture, the framework enables continuous situational awareness, intelligent threat interpretation, and autonomous mitigation. Using the UNSW-NB15 dataset, the study evaluates three deep learning architectures, Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and Transformer, to analyze their capabilities in detecting, classifying, and responding to diverse cyber threats. Beyond achieving superior detection accuracy, the framework aspires to embody the next generation of multi-agent, collaborative defense intelligence, capable of operating across distributed environments and adapting dynamically to non-stationary threat landscapes.
The overarching goal is to contribute to the ongoing evolution of AI-powered autonomous cybersecurity, where intelligent agents not only detect but also anticipate, prevent, and neutralize cyberattacks in real time with minimal human intervention.

2. Literature Review

The evolution of cybersecurity has witnessed a significant transformation from traditional rule-based systems toward intelligent, adaptive, and data-driven defense mechanisms. Early intrusion detection systems (IDS) and firewalls relied primarily on static signatures and manually defined rules to detect known threats. Although these methods proved effective against conventional attacks, they were limited in addressing zero-day exploits, polymorphic malware, and advanced persistent threats that continually evolve to evade detection [25]. The rapid expansion of digital infrastructures and the increasing complexity of network environments have led to massive volumes of heterogeneous data, rendering human-centered monitoring impractical. As a result, artificial intelligence (AI) and machine learning (ML) have become integral to modern cybersecurity, offering automated, scalable, and predictive threat detection capabilities that can operate beyond human cognitive limits [26].

Machine learning models such as Support Vector Machines, Decision Trees, and Random Forests represented the first wave of data-driven cybersecurity systems. These models learned statistical patterns from network traffic and behavioral features to detect anomalies and intrusions. However, they were limited in handling dynamic, non-linear, and high-dimensional data typical of modern cyber environments. This limitation led to the emergence of deep learning (DL) approaches, which have demonstrated remarkable success in learning hierarchical and abstract representations directly from raw or preprocessed network data.
Convolutional Neural Networks (CNNs) have been widely used to capture spatial relationships among network features, effectively identifying localized anomalies and packet-level attack signatures. Recurrent Neural Networks (RNNs), particularly Long Short-Term Memory (LSTM) networks, have shown strong performance in modeling temporal dependencies, enabling the detection of time-dependent or stealthy intrusion patterns that unfold gradually over time [27].

More recently, the Transformer architecture has revolutionized deep learning for cybersecurity by introducing self-attention mechanisms capable of modeling complex, long-range dependencies across high-dimensional network features. The parallel processing and scalability advantages of Transformers make them particularly suitable for real-time intrusion detection and large-scale security analytics. Together, CNNs, LSTMs, and Transformers form the foundation of modern AI-driven threat detection, each contributing unique strengths in spatial, temporal, and contextual modeling.

According to [6], deep reinforcement learning (DRL) applications in cybersecurity highlight its ability to address complex and dynamic threats through adaptable and scalable defense mechanisms. That work reviews DRL methods for cyber-physical security, intrusion detection, and game-theoretic defense, while outlining key challenges and future research directions for advancing DRL-based cyber defense. Reference [5] presents CAFormer, a Transformer-based auction framework that uses reinforcement learning (RL) Q-values to allocate defensive actions strategically under uncertainty. By applying combinatorial auctions, it ensures robust and efficient resource distribution even with misreporting.
Results show strong performance, robustness, and alignment with real-world defense goals, highlighting the promise of RL-driven, auction-based planning for modern cyber defense. Reference [28] proposes DS2-SbPG, a game-theoretical framework combining potential and Stackelberg games for decentralized manufacturing optimization. Unlike traditional methods, it enhances coordination, scalability, and multiobjective tradeoffs through fully distributed training. Experiments show DS2-SbPG improves system performance and reduces power use by up to 10.61%, proving its effectiveness for real-world industrial applications [29].

According to [30], machine learning (ML)-based network intrusion detection systems (NIDSs) are increasingly used to safeguard networks from cyberattacks, but inconsistencies across public datasets hinder model comparability and real-world applicability. To bridge this gap, researchers developed five standardized NetFlow-based datasets derived from UNSW-NB15, BoT-IoT, ToN-IoT, and CSE-CIC-IDS2018, ensuring a unified, practically relevant feature set. The NetFlow format enhances scalability and reflects real network environments. Each dataset supports both binary and multi-class classification, facilitating consistent evaluation of ML models. Using an Extra Trees classifier as a case study, the approach demonstrated improved cross-dataset generalization, promoting more reliable and deployable ML-based NIDS research.

Beyond detection, reinforcement learning (RL) has emerged as a promising approach for achieving autonomous and adaptive cyber defense. Unlike supervised learning, which relies on labeled data, RL enables systems to learn optimal defense strategies through continuous interaction with their environment. RL agents can dynamically reconfigure network policies, isolate compromised hosts, and deploy countermeasures in response to evolving threat conditions.
This ability to adapt in real time transforms cybersecurity from a reactive to a proactive discipline. However, implementing RL in cyber defense poses challenges, including safe exploration in high-stakes environments, delayed feedback, and vulnerability to adversarial manipulation. Embedding RL within a structured framework, such as the Perception–Cognition–Decision–Action cycle adopted in this research, offers a solution by providing controlled feedback mechanisms that guide learning and decision optimization.

While the integration of AI into cybersecurity has brought remarkable advancements, it has also introduced new vulnerabilities through adversarial AI. In adversarial settings, malicious actors craft deceptive inputs or manipulate training data to mislead learning models, causing misclassification or performance degradation [31]. This phenomenon highlights the dual-use nature of AI, where the same technologies that enable intelligent defense can be exploited for offense. Consequently, research into adversarial robustness and model explainability has become crucial. Explainable AI (XAI) techniques [32], such as model attribution and interpretability visualization, enhance transparency by revealing the rationale behind AI-driven decisions. These methods not only build user trust but also support human analysts in understanding, validating, and refining automated threat responses. Combining adversarial resilience with explainability is essential for developing trustworthy AI systems that can be safely deployed in critical cyber environments.

Despite these advancements, several challenges remain unresolved in the field of AI-driven cybersecurity. Most existing approaches focus on detection alone, neglecting the need for integrated response mechanisms and continuous learning. Many systems lack adaptability, explainability, and resilience against adversarial manipulation.
Furthermore, the fragmentation of AI models across isolated applications such as endpoint protection, network analysis, and behavioral monitoring limits cross-domain intelligence sharing and coordinated defense.

The proposed AI-Driven Threat Detection and Response (AI-TDR) framework addresses these gaps by unifying deep learning, reinforcement learning, and adaptive feedback loops within a single closed-loop architecture. Structured around the Perception–Cognition–Decision–Action model, this framework fosters autonomous learning, self-optimization, and proactive response capabilities. In doing so, it contributes to the evolution of cybersecurity from static detection to autonomous, explainable, and collaborative defense, aligning with the emerging vision of intelligent, decentralized cyber protection systems.

3. Methodology

This study adopts a design science research (DSR) methodology integrated with quantitative experimental validation to develop and evaluate an AI-Driven Threat Detection and Response (AI-TDR) framework. The DSR paradigm focuses on the design, construction, and evaluation of innovative artifacts that solve real-world problems, in this case, the need for autonomous, intelligent cyber defense mechanisms. The methodology emphasizes relevance to practical cybersecurity challenges, rigor in theoretical grounding, and evaluation through empirical experimentation.

The AI-TDR system was conceptualized as a computational artifact integrating perception, cognition, decision-making, and autonomous response capabilities. A hybrid research design, combining system modeling and simulation-based experimentation, was employed to assess AI mechanisms under realistic cyber-attack scenarios. This dual orientation enabled both empirical performance assessment and construct validation, linking the experimental outcomes to theoretical constructs of adaptive intelligence and cyber resilience.
Dataset Description and Data Collection

This study employed the UNSW-NB15 dataset [30], a comprehensive benchmark for evaluating modern intrusion detection systems. Developed at the Cyber Range Lab of UNSW Canberra using the IXIA PerfectStorm tool, the dataset combines real network traffic with synthetic attack behaviors to simulate realistic cyber environments. Approximately 100 GB of raw packet data were captured using tcpdump, covering nine attack categories, including Fuzzers, DoS, Exploits, and Reconnaissance. Data processing was performed using Argus and Bro-IDS tools, with twelve algorithms extracting 49 features and corresponding class labels. The dataset contains 2,540,044 records, distributed across four CSV files, with supplementary ground truth and event mapping files. For experimentation, it was divided into 175,341 training and 82,332 testing samples, maintaining a balanced mix of normal and attack data. Before model training, standard data preprocessing, including normalization, label encoding, handling of missing values, and shuffling, was applied to enhance learning performance and reduce bias.

Research Design

The AI-TDR Research Model conceptualizes intelligent cybersecurity as a continuous adaptive learning loop composed of four interdependent components: Perception, Cognition, Decision, and Action. Perception (P) involves the acquisition and preprocessing of data from heterogeneous network sources, as depicted in Figure 1, ensuring the system has high-quality, real-time information for analysis. Cognition (C) represents the phase where deep learning algorithms infer threats by recognizing complex and evolving malicious patterns. Decision (D) focuses on optimizing response strategies through reinforcement learning mechanisms that enable the system to adapt dynamically to emerging threats.
Finally, Action (A) entails the autonomous execution of mitigation measures and feedback processes that reinforce and refine both perception and cognition over time. The hypothesized relationships among these components (H1–H4), shown in Figure 2, establish a cybernetic feedback loop, allowing the system to continuously learn, self-improve, and achieve adaptive threat mitigation in real time.

Model Development and Evaluation

In this study, three deep learning architectures, Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and Transformer, were developed and trained using the processed UNSW-NB15 dataset to evaluate the performance of the proposed AI-Driven Threat Detection and Response (AI-TDR) framework. The CNN architecture effectively extracted spatial correlations from network features, enabling the identification of localized anomalies and attack signatures. The LSTM network captured temporal dependencies across sequential data, making it highly proficient in detecting stealthy or time-dependent intrusion patterns. In contrast, the Transformer model leveraged self-attention mechanisms to capture complex, long-range dependencies within high-dimensional network data, enhancing contextual understanding and scalability.

Each model was trained for ten epochs and evaluated using key performance metrics, including accuracy, precision, recall, F1-score, and AUC-ROC. Experimental results revealed that both the CNN and LSTM achieved 100% classification accuracy, while the Transformer reached 96.8% accuracy with an AUC of 0.996, reflecting strong generalization and minimal overfitting. These results demonstrate that the integration of advanced AI architectures with a robust and diverse dataset, such as UNSW-NB15, enables the development of autonomous, adaptive, and explainable cyber defense systems capable of operating effectively in complex and evolving threat environments.
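The preprocessing steps listed in the dataset description (handling of missing values, label encoding, normalization, shuffling, and the train/test split) decide whether a reported accuracy means anything, because any statistic fitted on the whole dataset before the split leaks test information into training. The block below is an added example, not the paper's own pipeline: it performs those steps with every encoder, median and scaling range fitted on the training split only. The records are constructed; their column names mirror a few UNSW-NB15 fields (proto, service, sbytes, dbytes, dur, label) but the values are made up for the example.

```python
"""Leakage-safe preprocessing for UNSW-NB15-style flow records.

Added example, not the paper's own code. Split first, fit every
statistic on the training split, then transform both splits with the
fitted preprocessor. The records are constructed: column names mirror
a few UNSW-NB15 fields, the values are made up.
"""
import random
import statistics

CATEGORICAL = ("proto", "service")
NUMERIC = ("sbytes", "dbytes", "dur")

RAW_RECORDS = [  # constructed sample flows; None marks a missing value
    {"proto": "tcp", "service": "http", "sbytes": 1200, "dbytes": 4500, "dur": 0.8, "label": 0},
    {"proto": "udp", "service": "dns", "sbytes": 80, "dbytes": 160, "dur": 0.01, "label": 0},
    {"proto": "tcp", "service": "-", "sbytes": 60000, "dbytes": 0, "dur": 12.0, "label": 1},
    {"proto": "tcp", "service": "ftp", "sbytes": 300, "dbytes": None, "dur": 2.5, "label": 1},
    {"proto": "udp", "service": "dns", "sbytes": 75, "dbytes": 150, "dur": 0.02, "label": 0},
    {"proto": "icmp", "service": "-", "sbytes": 64, "dbytes": 64, "dur": None, "label": 1},
]


def shuffle_split(records, test_fraction=1 / 3, seed=42):
    """Shuffle with a fixed seed and hold out the first test_fraction rows."""
    rows = list(records)
    random.Random(seed).shuffle(rows)
    n_test = int(len(rows) * test_fraction)
    return rows[n_test:], rows[:n_test]


def fit_preprocessor(train):
    """Learn imputation medians, category codes and min/max from training rows only."""
    medians = {c: statistics.median([r[c] for r in train if r[c] is not None]) for c in NUMERIC}
    encoders = {c: {v: i for i, v in enumerate(sorted({r[c] for r in train}))} for c in CATEGORICAL}
    scalers = {}
    for c in NUMERIC:
        values = [r[c] if r[c] is not None else medians[c] for r in train]
        scalers[c] = (min(values), max(values))
    return {"medians": medians, "encoders": encoders, "scalers": scalers}


def transform(prep, records):
    """Apply a fitted preprocessor; returns (feature_vector, label) pairs."""
    out = []
    for r in records:
        feats = []
        for c in CATEGORICAL:
            codes = prep["encoders"][c]
            feats.append(codes.get(r[c], len(codes)))  # unseen category -> reserved code
        for c in NUMERIC:
            v = r[c] if r[c] is not None else prep["medians"][c]
            lo, hi = prep["scalers"][c]
            # A value outside [0, 1] means the row lies beyond the training range;
            # that is information about the split, not a reason to refit on test data.
            feats.append(0.0 if hi == lo else (v - lo) / (hi - lo))
        out.append((feats, r["label"]))
    return out


def prepare(records=RAW_RECORDS, test_fraction=1 / 3, seed=42):
    """Full pipeline: split first, fit on train, transform both splits."""
    train, test = shuffle_split(records, test_fraction, seed)
    prep = fit_preprocessor(train)
    return transform(prep, train), transform(prep, test), prep


if __name__ == "__main__":
    train_xy, test_xy, _ = prepare()
    for feats, label in train_xy + test_xy:
        print([round(f, 3) for f in feats], label)
```

The order of operations is the whole point: shuffle and split before anything is fitted, so a category first seen in the test split gets a reserved code rather than a new column, and a test value beyond the training minimum or maximum is allowed to fall outside [0, 1]. Refitting the scaler on the full dataset would make the test features look better behaved at the cost of an evaluation that no longer measures generalization.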
Model Development

The Convolutional Neural Network (CNN)

Each deep learning model used in AI-driven threat detection and response offers distinct strengths and limitations based on its underlying architecture and learning mechanisms. The Convolutional Neural Network (CNN) is particularly effective at capturing spatial correlations and local feature patterns within network traffic or system behavior data. Its convolutional filters enable it to automatically extract hierarchical representations, making it well-suited for identifying localized anomalies, such as suspicious packet sequences or malicious payload signatures. However, CNNs have a limited capacity for temporal modeling, as they primarily focus on spatial dependencies within fixed data windows and struggle to capture long-term sequential dynamics that evolve in network activities.

Table 1: Training Log for CNN

Table 1 shows rapid and consistent improvement across 10 epochs, reaching nearly perfect performance. Training and validation accuracies rise to about 100%, while losses drop to extremely low values, indicating excellent learning efficiency and strong generalization with minimal overfitting.

Figure 3 presents the accuracy and loss performance of the CNN over 10 epochs. Both training and validation accuracies increased rapidly, reaching nearly 100% by the third epoch and remaining stable afterward, demonstrating strong learning and generalization ability. Correspondingly, the training and validation losses dropped sharply after the first epoch and stayed near zero, with only a minor fluctuation around epoch 4. The model achieved excellent convergence, indicating effective training with minimal overfitting.

Table 2 presents the classification performance metrics of the CNN model. The model achieved a perfect accuracy of 1.0000, with precision, recall, and F1-score all equal to 1.00 across both classes (0 and 1).
This indicates that the CNN correctly classified every sample in the dataset without any false positives or false negatives. The macro and weighted averages also stand at 1.00, confirming consistent and balanced performance across all classes. Overall, the results demonstrate that the CNN achieved flawless prediction accuracy and generalization on the evaluated dataset.

Figure 4: The CNN model shows outstanding accuracy and reliability, correctly classifying nearly all samples with only two minor errors out of over fifty thousand predictions. With perfect precision and near-perfect recall, the results indicate that the model effectively learns and distinguishes patterns between the two classes, achieving a near-flawless performance in its classification task.

The Long Short-Term Memory (LSTM)

The Long Short-Term Memory (LSTM) network addresses this temporal limitation by learning sequential dependencies and modeling the evolution of threats over time. Its gated recurrent structure allows it to retain information across multiple time steps, enabling effective detection of time-based intrusion patterns, such as slow-moving or stealth attacks. Despite this advantage, LSTMs are computationally intensive, requiring longer training times and significant resources. Moreover, they are prone to overfitting, particularly when trained on small or noisy cybersecurity datasets, which can reduce their generalizability to unseen attack behaviors.

Table 3 depicts the training log for the LSTM model, showing a rapid improvement in performance across ten epochs. The model began with an accuracy of 92.04% and a validation accuracy of 100% in the first epoch, then quickly achieved perfect accuracy (100%) from the second epoch onward. Correspondingly, both training and validation losses decreased steadily to extremely small values, reaching as low as 1.2048e-09 in the final epoch.
This indicates that the LSTM model effectively learned the patterns in the dataset, achieving complete convergence with no sign of overfitting or underperformance. Figure 5: The LSTM model showed rapid and stable learning, reaching 100% accuracy by the second epoch and maintaining it throughout training. Both training and validation losses decreased steadily to near zero, indicating excellent convergence and generalization. Overall, the model achieved near-perfect performance with minimal error and no signs of overfitting. Table 4 depicts the LSTM model achieved perfect performance with 100% accuracy, precision, recall, and F1-score across both classes, correctly classifying all 51,535 samples. This outstanding result suggests high model effectiveness but may also indicate possible overfitting or data leakage. Figure 6 shows the confusion matrix for the LSTM model shows perfect classification performance. All 18,613 instances of class 0 and 32,922 instances of class 1 were correctly predicted, with no misclassifications (zero false positives and false negatives). This confirms the model achieved 100% accuracy, precision, recall, and F1-score, although such flawless results may indicate potential overfitting or data leakage. Transformer architecture In contrast, the Transformer architecture represents a more advanced and flexible model that uses self-attention mechanisms to learn complex, long-range dependencies within large-scale network data. Its parallelized attention allows simultaneous analysis of multiple relationships between data points, significantly improving efficiency and scalability compared to recurrent models. This capability makes Transformers highly effective for modeling intricate attack vectors and multi-stage intrusion scenarios. However, these advantages come with the limitation of requiring large volumes of labeled data and substantial computational power for training. 
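The leakage and split problems raised above for the CNN and LSTM results can be checked mechanically before training. The script below is an added example, not code from the paper; it does not load the real dataset but uses rows constructed to mimic the UNSW-NB15 CSV layout, in which an `id` row counter, the `attack_cat` category and the binary `label` sit beside flow features such as `dur`, `sbytes`, `dbytes`, `proto` and `service`. It flags any column that determines the label exactly (a leak if left among the inputs), identifies row-counter columns and whether the file is ordered by class (which makes an unshuffled tail validation split degenerate), and counts evaluation feature vectors that also occur in training. The cardinality threshold is an assumption for the example.

```python
"""Leakage and split sanity checks for an intrusion dataset (added example).

The rows are constructed for this example and only imitate the layout of the
UNSW-NB15 CSV files; nothing here is loaded from the real dataset.
"""
import math
from collections import Counter

COLUMNS = ["id", "dur", "sbytes", "dbytes", "proto", "service", "attack_cat", "label"]

# Constructed training split, ordered benign-first like a file sorted by class,
# so an unshuffled validation split taken from the tail would be all attacks.
TRAIN = [
    (1, 0.12, 496, 1762, "tcp", "http", "Normal", 0),
    (2, 0.00, 200, 0, "udp", "dns", "Normal", 0),
    (3, 0.05, 1540, 304, "tcp", "-", "Normal", 0),
    (4, 0.31, 496, 1762, "tcp", "http", "Normal", 0),
    (5, 1.20, 2400, 0, "tcp", "http", "Exploits", 1),
    (6, 0.00, 114, 0, "udp", "dns", "DoS", 1),
    (7, 0.02, 1540, 304, "tcp", "-", "Fuzzers", 1),
    (8, 2.50, 3200, 128, "tcp", "ftp", "Exploits", 1),
]
# Constructed evaluation split; row 9 repeats the features of training row 1.
TEST = [
    (9, 0.12, 496, 1762, "tcp", "http", "Normal", 0),
    (10, 0.40, 880, 220, "tcp", "smtp", "Normal", 0),
    (11, 1.10, 2400, 0, "tcp", "http", "Exploits", 1),
    (12, 0.00, 60, 0, "udp", "dns", "DoS", 1),
]


def column(rows, name):
    i = COLUMNS.index(name)
    return [r[i] for r in rows]


def conditional_entropy(xs, ys):
    """H(Y | X) in bits. Zero means knowing X fixes Y exactly."""
    n = len(xs)
    joint, marginal = Counter(zip(xs, ys)), Counter(xs)
    return -sum((c / n) * math.log2(c / marginal[x]) for (x, y), c in joint.items())


def label_equivalent_columns(rows, label="label", max_cardinality_ratio=0.5):
    """Columns that determine the label while having few distinct values.

    The cardinality cap (an assumed threshold) keeps near-unique columns such as
    timestamps from being flagged merely because every value occurs once.
    """
    ys = column(rows, label)
    flagged = []
    for name in COLUMNS:
        if name == label:
            continue
        xs = column(rows, name)
        few_values = len(set(xs)) / len(rows) <= max_cardinality_ratio
        if few_values and conditional_entropy(xs, ys) < 1e-12:
            flagged.append(name)
    return flagged


def index_like_columns(rows):
    """Columns holding unique, strictly increasing integers: row counters."""
    out = []
    for name in COLUMNS:
        xs = column(rows, name)
        is_int = all(isinstance(x, int) and not isinstance(x, bool) for x in xs)
        if is_int and all(b > a for a, b in zip(xs, xs[1:])):
            out.append(name)
    return out


def sorted_by_class(rows, label="label"):
    """True if file order is monotone in the label (all 0s then all 1s, or the reverse)."""
    ys = column(rows, label)
    return ys == sorted(ys) or ys == sorted(ys, reverse=True)


def cross_split_duplicates(train, test, features):
    """Number of evaluation feature vectors that also occur in training."""
    idx = [COLUMNS.index(f) for f in features]
    seen = {tuple(r[i] for i in idx) for r in train}
    return sum(1 for r in test if tuple(r[i] for i in idx) in seen)


def audit(train, test, label="label"):
    leaks = label_equivalent_columns(train + test, label)
    index_cols = index_like_columns(train)
    features = [c for c in COLUMNS if c not in leaks and c not in index_cols and c != label]
    return {
        "label_equivalent": leaks,
        "index_like": index_cols,
        "train_sorted_by_class": sorted_by_class(train, label),
        "cross_split_duplicates": cross_split_duplicates(train, test, features),
        "features": features,
    }


if __name__ == "__main__":
    for key, value in audit(TRAIN, TEST).items():
        print(f"{key}: {value}")
```

On the constructed rows the audit flags `attack_cat` as label-equivalent, `id` as a row counter, reports that the training file is sorted by class, and finds one evaluation record whose features already occur in training. A model trained with `attack_cat` left in the feature matrix, or evaluated on records it has already seen, will report scores close to 100% regardless of how well it has learned the traffic itself.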
Without sufficient data or resources, Transformers may generalize poorly or become cost-prohibitive for real-time deployment. Overall, while each model contributes uniquely to AI-driven cybersecurity, combining them in hybrid or ensemble frameworks can yield better detection by exploiting their complementary strengths.

Table 5 shows the training log of the Transformer model over 10 epochs. Training accuracy rose steadily from 73.5% in epoch 1 to 94.9% in epoch 10, and validation accuracy from 85.7% to 96.9%. Training and validation loss fell from 0.5247 to 0.1162 and from 0.3148 to 0.0808 respectively, indicating effective learning and convergence without signs of overfitting. Figure 7 shows the same picture: both accuracy curves improve consistently, both loss curves decrease smoothly, and the close alignment of the training and validation curves indicates stable convergence with minimal overfitting.

Table 6 shows that the Transformer achieved an overall accuracy of 96.78%. For class 0 it attained a precision of 0.95, a recall of 0.96, and an F1-score of 0.96; for class 1, a precision of 0.98, a recall of 0.97, and an F1-score of 0.97. Macro and weighted averages are both 0.97, confirming balanced performance across the two classes.

Figure 8 depicts the confusion matrix for the Transformer: 17,945 true negatives, 31,928 true positives, 668 false positives, and 994 false negatives, 51,535 samples in total. From these counts the accuracy is (17,945 + 31,928)/51,535 = 96.8%, matching Table 6; for the attack class, precision is 31,928/32,596 = 97.9%, recall is 31,928/32,922 = 97.0%, and the F1-score is 97.5%. In intrusion-detection terms the 994 false negatives, about 3.0% of attack flows, are the operationally important figure, since each is an attack that would have passed without a response.

Figure 9 compares the accuracy of the three models: CNN and LSTM both scored 1.000 (100%), while the Transformer scored 0.968 (96.8%). On this split the CNN and LSTM therefore outperform the Transformer, with the leakage and split caveats noted above applying to the perfect scores.

The ROC curves compare the ranking quality of the three models. CNN and LSTM achieved an AUC of 1.000 and the Transformer 0.996. An AUC of 1.000 means the model's scores rank every attack above every benign flow, so that some threshold separates the classes with no errors; it does not by itself say that the operating threshold used for the confusion matrices produced zero false positives or false negatives. All three models nonetheless show excellent discrimination between positive and negative classes, with the Transformer only slightly behind.

4. Results and Discussion

The performance evaluation of the proposed AI-Driven Threat Detection and Response (AI-TDR) framework was conducted on the UNSW-NB15 dataset, which contains diverse attack categories representative of real-world network environments.
The inclusion of nine attack types (Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode, and Worms) allows testing of the models' capacity to generalize across multiple threat vectors, although the reported experiments evaluate the binary benign/attack label rather than per-category classification. Three deep learning architectures, Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and Transformer, were developed and evaluated using the training (175,341 records) and testing (82,332 records) subsets of the dataset. Each model was trained for ten epochs, and accuracy, precision, recall, F1-score, and AUC-ROC were computed. The confusion matrices (Figures 6 and 8) report 51,535 evaluated samples (18,613 benign and 32,922 attack), which does not match the 82,332-record official test split; it is consistent with a 20% hold-out drawn from the combined 257,673 records, so the split actually used should be stated explicitly, since results on a random hold-out of the combined data are not comparable with results on the official test split.

The CNN model converged rapidly, reaching 100% training and validation accuracy by the third epoch, with both losses dropping sharply toward zero. The CNN excelled at identifying spatial correlations within the dataset's feature space, such as packet size and flow duration, and reached an essentially perfect binary classification result on the evaluated split. The LSTM model, designed to capture temporal dependencies, also achieved 100% accuracy, precision, recall, and F1-score for both classes. Its gated architecture modeled sequential variation in traffic patterns, which in principle suits stealthy or long-running attacks such as reconnaissance and slow DoS, although the binary evaluation does not show per-category detection rates. The flawless results call for additional validation on data the models could not have seen, to rule out overfitting or data leakage. The Transformer model, leveraging self-attention, achieved 96.8% accuracy and an AUC of 0.996, showing strong generalization despite its computational complexity; it learned high-level dependencies across the feature set and handled the multi-stage intrusion patterns present in UNSW-NB15.

The Transformer's slightly lower accuracy reflects the difficulty of modeling heterogeneous attack types while maintaining efficiency over high-dimensional inputs. Comparatively, the CNN and LSTM outperformed the Transformer in raw accuracy while also requiring less computational overhead. The ROC analysis gave an AUC of 1.000 for CNN and LSTM, indicating perfect ranking of malicious above benign traffic, and 0.996 for the Transformer, confirming near-ideal performance. While CNN and LSTM excelled on this split, their reliance on fixed local windows (CNN) and strictly sequential recurrence (LSTM) may limit adaptability to new, unseen attacks. Conversely, the Transformer's attention-based design offers greater contextual adaptability, making it a better fit for real-time, large-scale network defense. These differences underscore the value of ensemble or hybrid architectures that integrate the spatial sensitivity of CNNs, the temporal awareness of LSTMs, and the contextual adaptability of Transformers for improved resilience and scalability.

The AI-TDR framework developed in this study aligns with the evolving research focus on leveraging artificial intelligence to autonomously identify, assess, and neutralize cybersecurity threats with speed and precision beyond human capability. The findings indicate that integrating deep learning and reinforcement learning can enable systems to continuously monitor large, dynamic data streams, identify subtle attack patterns, and respond to evolving threats in near real time. This represents a step toward autonomous, intelligent, and adaptive cyber defense ecosystems capable of both detection and mitigation without human intervention.
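To make the relationship between the reported confusion matrices, the rounded table metrics and the ROC analysis explicit, the following is an added example (not code from the paper) that recomputes the metrics from the Figure 8 counts and shows why an AUC of 1.000 and a confusion matrix with zero errors are different claims. The Figure 8 counts are the paper's; the split of the CNN's two Figure 4 errors into zero false positives and two false negatives is an assumption taken from its "perfect precision and near-perfect recall"; and the six detector scores used for the AUC illustration are constructed.

```python
"""Metrics from a confusion matrix, and AUC versus a fixed threshold (added example).

The Figure 8 counts are the paper's Transformer confusion matrix; the CNN
split of its two errors is assumed, and the score list below is constructed.
"""

FIG8_TRANSFORMER = {"tn": 17945, "fp": 668, "fn": 994, "tp": 31928}
# Figure 4 reports two errors with perfect precision: assumed to be two misses.
FIG4_CNN_ASSUMED = {"tn": 18613, "fp": 0, "fn": 2, "tp": 32920}


def _prf(tp, fp, fn):
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f1": f1}


def confusion_metrics(tn, fp, fn, tp):
    """Per-class and overall metrics for a binary IDS, class 1 = attack."""
    n = tn + fp + fn + tp
    attack = _prf(tp, fp, fn)
    benign = _prf(tn, fn, fp)  # for class 0 the roles of FP and FN swap
    return {
        "n": n,
        "accuracy": (tp + tn) / n,
        "class1": attack,
        "class0": benign,
        "macro_f1": (attack["f1"] + benign["f1"]) / 2,
        "errors": fp + fn,
        "miss_rate": fn / (tp + fn),  # attacks that passed undetected
    }


def rounds_to_perfect(metrics, places=4):
    """True when a table rounded to `places` decimals would print accuracy 1.0000."""
    return round(metrics["accuracy"], places) == 1.0


def roc_auc(scores, labels):
    """Rank-based AUC (Mann-Whitney statistic) with average ranks for ties."""
    order = sorted(range(len(scores)), key=lambda i: scores[i])
    ranks = [0.0] * len(scores)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and scores[order[j + 1]] == scores[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j + 2) / 2  # 1-based average rank of the tie group
        i = j + 1
    n_pos = sum(labels)
    n_neg = len(labels) - n_pos
    rank_sum = sum(r for r, y in zip(ranks, labels) if y == 1)
    return (rank_sum - n_pos * (n_pos + 1) / 2) / (n_pos * n_neg)


def threshold_confusion(scores, labels, threshold):
    """(tn, fp, fn, tp) when flows scoring >= threshold are declared attacks."""
    tp = sum(1 for s, y in zip(scores, labels) if y == 1 and s >= threshold)
    fn = sum(1 for s, y in zip(scores, labels) if y == 1 and s < threshold)
    fp = sum(1 for s, y in zip(scores, labels) if y == 0 and s >= threshold)
    tn = sum(1 for s, y in zip(scores, labels) if y == 0 and s < threshold)
    return tn, fp, fn, tp


# Constructed scores: every attack outranks every benign flow, so AUC is 1.0,
# yet an operating threshold of 0.6 still misses the attack scored 0.55.
SCORES = [0.90, 0.80, 0.55, 0.50, 0.20, 0.10]
LABELS = [1, 1, 1, 0, 0, 0]

if __name__ == "__main__":
    m = confusion_metrics(**FIG8_TRANSFORMER)
    print(f"Transformer: acc={m['accuracy']:.4f} "
          f"attack P/R/F1={m['class1']['precision']:.4f}/"
          f"{m['class1']['recall']:.4f}/{m['class1']['f1']:.4f} "
          f"miss rate={m['miss_rate']:.3%}")
    c = confusion_metrics(**FIG4_CNN_ASSUMED)
    print(f"CNN (assumed split): acc={c['accuracy']:.5f}, "
          f"prints as 1.0000: {rounds_to_perfect(c)}, errors={c['errors']}")
    print(f"AUC={roc_auc(SCORES, LABELS)}, "
          f"confusion at 0.6={threshold_confusion(SCORES, LABELS, 0.6)}")
```

The Table 6 values follow from the Figure 8 counts: class-0 precision 17,945/18,939 = 0.95, class-0 recall 17,945/18,613 = 0.96, and a macro F1 that rounds to 0.97. For a detector the miss rate (994/32,922, about 3.0%) is the number to track, because it is the fraction of attacks that would have received no response at the chosen threshold, and a perfect AUC says only that some other threshold could have driven that number to zero.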
The experimental results indicate that combining Convolutional Neural Networks (CNN), Long Short-Term Memory (LSTM) networks, and Transformer architectures provides complementary strengths in addressing the complexity of modern network attacks. The CNN excelled at capturing spatial dependencies and localized anomalies within network traffic, while the LSTM modeled sequential and temporal correlations suited to stealthy and time-dependent intrusions. The Transformer, leveraging its self-attention mechanism, demonstrated scalability and contextual understanding for high-dimensional and multi-stage attack patterns. Collectively, these models achieved an accuracy of 100% for CNN and LSTM and 96.8% for the Transformer, supporting the use of deep learning architectures for autonomously detecting and classifying diverse cyber threats on realistic benchmark data such as UNSW-NB15, subject to the leakage and split caveats noted above.

Beyond detection performance, the reinforcement learning component of the AI-TDR framework is what provides adaptation and self-optimization. Reinforcement learning lets the model learn defense strategies through iterative feedback, so that it determines the most effective response to each attack scenario from observed outcomes rather than from fixed rules. By embedding this adaptive mechanism within the Perception–Cognition–Decision–Action cycle, the AI-TDR framework establishes a continuous learning process in which perception (data acquisition) informs cognition (threat inference), decision (response optimization), and action (autonomous mitigation) [33]. This feedback-driven structure mirrors human cognitive adaptation but operates with far greater speed and consistency, supporting self-healing, self-learning, and self-optimizing defense systems that evolve with their environments.
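The Perception–Cognition–Decision–Action cycle with a learned response policy can be made concrete with a small simulation. The following is an added example, not the paper's implementation: a detector score is the perception, bucketing it into a state is the cognition, an epsilon-greedy choice over Q-values is the decision, and allow/alert/block is the action, after which the environment reveals the true label and pays a reward. The per-bucket attack rates and the reward table are assumptions chosen for the illustration, and because each decision is independent of the next the Q-update reduces to a running average of reward per state and action.

```python
"""A minimal Perception-Cognition-Decision-Action loop with a learned response
policy (added example, not the paper's implementation).

Perception: a detector emits a confidence score in [0, 1] for each flow.
Cognition: the score is bucketed into a state (low / medium / high).
Decision: an epsilon-greedy policy over Q-values picks a response.
Action: allow, alert (hand to an analyst) or block; the environment then
reveals the true label and pays a reward encoding operational cost.

The attack rates per bucket and the reward table are assumptions for this
example. Each step is a one-shot decision, so the Q-update below is a
sample average of reward per (state, action).
"""
import random

STATES = ["low", "medium", "high"]
ACTIONS = ["allow", "alert", "block"]
ATTACK_RATE = {"low": 0.02, "medium": 0.50, "high": 0.98}  # P(attack | bucket), assumed
# REWARD[action][is_attack]: blocking benign traffic costs availability (-8),
# alerting costs analyst time (-1), letting an attack through costs most (-10).
REWARD = {
    "allow": {False: 1.0, True: -10.0},
    "alert": {False: -1.0, True: 5.0},
    "block": {False: -8.0, True: 10.0},
}


def bucket(score):
    """Cognition step: map a detector confidence to a discrete state."""
    return "low" if score < 0.3 else ("medium" if score < 0.8 else "high")


def expected_reward(state, action):
    """Closed-form value the learner should converge to (used for checking)."""
    p = ATTACK_RATE[state]
    return p * REWARD[action][True] + (1 - p) * REWARD[action][False]


def train(steps=60000, epsilon=0.3, seed=7):
    """Epsilon-greedy Q-learning against a simulated, labelled traffic stream."""
    rng = random.Random(seed)
    q = {s: {a: 0.0 for a in ACTIONS} for s in STATES}
    count = {s: {a: 0 for a in ACTIONS} for s in STATES}
    for _ in range(steps):
        score = rng.random()                              # perception
        state = bucket(score)                             # cognition
        if rng.random() < epsilon:                        # decision (explore)
            action = rng.choice(ACTIONS)
        else:                                             # decision (exploit)
            action = max(ACTIONS, key=lambda a: q[state][a])
        is_attack = rng.random() < ATTACK_RATE[state]     # action + feedback
        reward = REWARD[action][is_attack]
        count[state][action] += 1
        alpha = 1.0 / count[state][action]                # sample-average step size
        q[state][action] += alpha * (reward - q[state][action])
    return q


def policy(q):
    """Greedy response per state once training is done."""
    return {s: max(ACTIONS, key=lambda a: q[s][a]) for s in STATES}


def respond(q, score):
    """Runtime use: detector score in, response out."""
    return policy(q)[bucket(score)]


if __name__ == "__main__":
    q = train()
    for s in STATES:
        print(s, {a: round(q[s][a], 2) for a in ACTIONS})
    print("policy:", policy(q))
```

With these assumed costs the learned policy is allow for low-confidence flows, alert for medium and block for high: the availability penalty on blocking benign traffic is what keeps the medium state on the human-in-the-loop path rather than on automatic blocking. That reward table is the lever through which operators shape an autonomous responder, and it is also the surface an adversary targets when poisoning the feedback the agent learns from.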
In Security Operations Centers (SOCs), the AI-TDR framework can automate threat detection, prioritization, and response, reducing analyst workload and improving response times [34]. Within enterprise and corporate networks, it enables continuous monitoring, adaptive firewall reconfiguration, and autonomous containment of lateral movement, for example by ransomware spreading between hosts. In cloud and virtualized environments, AI-TDR provides scalable, dynamic defense for containerized workloads and virtual machines. Its application to Internet of Things (IoT) and Industrial Control Systems (ICS) can strengthen the resilience of critical infrastructure, including energy, healthcare, and manufacturing, by detecting and mitigating operational anomalies in real time. The framework is also applicable to government and defense networks, where it can identify state-sponsored cyber activity and coordinate rapid, intelligent responses across agencies. When extended through Federated Learning (FL) and Multi-Agent Reinforcement Learning (MARL), AI-TDR can support privacy-preserving, collaborative cyber defense, enabling decentralized intelligence sharing across organizations without pooling raw data [35]. These applications highlight the broader shift from reactive, rule-based monitoring to proactive, autonomous, and collaborative defense ecosystems. The AI-TDR framework embodies this transition by showing how AI agents can operate as independent yet cooperative units, learning from global threat patterns and collectively adapting to non-stationary attack environments. Such capabilities matter most for modern distributed infrastructures, where centralized security control is no longer sufficient [36]. However, as AI capabilities expand, so do adversarial risks.
Adversarial AI, in which attackers craft deceptive inputs or poison training data to mislead detection models, is one of the most significant challenges to autonomous cybersecurity [37]. Addressing it requires continued research into robust learning architectures, adversarial training, and hybrid defense models that combine anomaly detection with adversarial resilience. Explainable AI (XAI) provides interpretability and also acts as a safeguard: by exposing which features drove a decision, it lets analysts and automated consistency checks notice predictions that rest on implausible evidence, reducing the likelihood that manipulation goes undetected. This convergence of robustness and transparency is key to trustworthy and resilient AI-driven defense systems. In line with the broader research vision of multi-agent, decentralized [38], [39], and privacy-preserving defense architectures, the AI-TDR framework establishes a foundation for collaborative intelligence. Future implementations can extend it with MARL and FL so that distributed AI agents share knowledge, coordinate responses, and collectively defend across networks and organizations without exposing sensitive data. Such collaboration fosters a cooperative, privacy-preserving cybersecurity ecosystem that enhances resilience and supports continuous learning in non-stationary threat environments. More broadly, the AI-TDR framework contributes to the transition from traditional, rule-based security toward autonomous, intelligent, and adaptive cyber defense ecosystems. Its implications extend beyond academic research into operational benefits for enterprises and governments: implemented within large-scale infrastructure, AI-TDR can enhance cyber resilience, minimize downtime, and reduce the need for constant human supervision of threat monitoring and response.
The framework's modular design allows integration into existing defense architectures, positioning it as a pathway toward autonomous cybersecurity orchestration [40]. Looking forward, the trajectory of AI-driven cybersecurity will depend on strengthening three interrelated pillars: autonomous intelligence, decentralized collaboration, and adversarial resilience. Future work should improve the robustness of learning models against adversarial manipulation, incorporate continuous self-assessment mechanisms to verify model integrity, and establish standardized communication protocols for multi-agent cooperation across domains. Integrating human–AI collaboration into the adaptive feedback loop, with analysts supervising and refining AI actions, will keep automation and accountability in balance. This research demonstrates the use of deep learning and reinforcement learning for automated intrusion detection and response while contributing to the broader vision of intelligent, collaborative cybersecurity. The AI-TDR framework bridges the gap between detection and autonomous response, showing how AI can predict, prevent, and neutralize threats in real time. By advancing continuous learning, decentralized coordination, and explainable intelligence, this study supports the evolution of an autonomous, collaborative, and resilient cyber defense ecosystem capable of adapting to the changing landscape of digital threats.

Conclusion

This study presented an AI-Driven Threat Detection and Response (AI-TDR) framework designed to advance cybersecurity toward autonomous, intelligent, and adaptive defense. By integrating deep learning and reinforcement learning, the framework enables systems to continuously analyze complex network data, identify subtle attack patterns, and execute timely, data-driven responses. The combined use of CNN, LSTM, and Transformer architectures achieved very high detection accuracy on the UNSW-NB15 dataset, consistent with their complementary strengths in capturing spatial, temporal, and contextual features of network traffic, with the caveat that the perfect CNN and LSTM scores should be confirmed on data the models could not have seen. Reinforcement learning adds adaptability, turning static detection into a self-learning and self-optimizing defense mechanism able to evolve alongside emerging threats. A key contribution of this research is the Perception–Cognition–Decision–Action feedback cycle, which allows the framework to function as a continuously improving defense system. Explainable AI (XAI) keeps the model's decisions transparent and interpretable, supporting human trust and accountability. Together, these elements bridge the gap between threat detection and autonomous response, providing a scalable, real-time cybersecurity solution adaptable to enterprise, cloud, and IoT environments. Future research should strengthen adversarial resilience through adversarial training, robust optimization, and uncertainty quantification to defend against model manipulation and data poisoning. Extending the framework with Multi-Agent Reinforcement Learning (MARL) and Federated Learning (FL) could enable decentralized, privacy-preserving collaboration, allowing AI agents across organizations to share intelligence and coordinate responses securely. Further work on energy-efficient architectures, ethical AI governance, and interoperability standards will aid practical deployment. Ultimately, this research contributes to the transformation of cybersecurity into an intelligent, collaborative, and adversarially resilient ecosystem in which AI systems not only detect and respond to attacks but also predict, prevent, and autonomously neutralize them in real time.
Declarations

Acknowledgements: Not applicable.

Author contributions: All authors made significant contributions to the conception, design, development, and preparation of this research work. Godfrey Perfectson Oise led the overall study conception, experimental design, model development, and manuscript drafting. Susan Konyeha contributed to the formulation of the theoretical framework, synthesis of the literature review, and methodological alignment. Cyprian C. Konyeha participated in data preprocessing, feature engineering, and experimental evaluation. Osahon Ukpebor and Tejiri Jessa assisted in performance analysis, result interpretation, and visualization of findings. Oludare Sokoya contributed to the integration of explainable AI and reinforcement learning components within the proposed framework. Evans Mintah provided critical revisions, ensured technical accuracy, and contributed to manuscript editing and final approval. All authors reviewed and approved the final version of the manuscript and agree to be accountable for all aspects of the work, ensuring that any questions related to the accuracy or integrity of the study are appropriately investigated and resolved.

Competing interests: The authors declare no competing interests.

Data Availability Statement: The datasets analyzed during the current study are available in the UNSW-NB15 dataset repository maintained by the University of New South Wales (UNSW) Canberra Cyber Range Lab, accessible at https://research.unsw.edu.au/projects/unsw-nb15-dataset.

Ethics declarations: Not applicable. Approval for animal experiments: Not applicable. Approval for human experiments: Not applicable. Consent to participate/Consent to publish: Not applicable. Funding: Not applicable.

References

[1] H. Cam, "Cyber resilience using autonomous agents and reinforcement learning," in Artificial Intelligence and Machine Learning for Multi-Domain Operations Applications II, T. Pham, L. Solomon, and K. Rainey, Eds., SPIE, Apr. 2020, p. 35. doi: 10.1117/12.2559319.
[2] M. Pham, V. Vaze, and P. Chin, "Strategic Cyber Defense via Reinforcement Learning-Guided Combinatorial Auctions," in 2025 IEEE High Performance Extreme Computing Conference (HPEC), IEEE, Sep. 2025, pp. 1–7. doi: 10.1109/HPEC67600.2025.11196565.
[3] G. Oise and S. Konyeha, "Environmental impacts in e-waste management using deep learning," Discover Artificial Intelligence, vol. 5, no. 1, p. 210, Aug. 2025. doi: 10.1007/s44163-025-00376-9.
[4] M. Pham, V. Vaze, and P. Chin, "Strategic Cyber Defense via Reinforcement Learning-Guided Combinatorial Auctions," in 2025 IEEE High Performance Extreme Computing Conference (HPEC), IEEE, Sep. 2025, pp. 1–7. doi: 10.1109/HPEC67600.2025.11196565.
[5] M. Pham, V. Vaze, and P. Chin, "Strategic Cyber Defense via Reinforcement Learning-Guided Combinatorial Auctions," in 2025 IEEE High Performance Extreme Computing Conference (HPEC), IEEE, Sep. 2025, pp. 1–7. doi: 10.1109/HPEC67600.2025.11196565.
[6] T. T. Nguyen and V. J. Reddi, "Deep Reinforcement Learning for Cyber Security," IEEE Trans. Neural Netw. Learn. Syst., vol. 34, no. 8, pp. 3779–3795, Aug. 2023. doi: 10.1109/TNNLS.2021.3121870.
[7] O. Samuel Abiodun, O. P. Ejenarhome, and G. Oise, "AI-Based Medical Image Analysis for Early Detection of Neurological Disorders Using Deep Learning," FUDMA Journal of Sciences, vol. 9, no. 6, pp. 322–328, Jun. 2025. doi: 10.33003/fjs-2025-0906-3697.
[8] B. Blakely, "An Experimental Platform for Autonomous Intelligent Cyber-Defense Agents: Towards a collaborative community approach (WIPP)," in 2022 Resilience Week (RWS), IEEE, Sep. 2022, pp. 1–7. doi: 10.1109/RWS55399.2022.9984037.
[9] G. P. Oise, O. C. Nwabuokei, O. J. Akpowehbve, B. A. Eyitemi, and N. B. Unuigbokhai, "Towards Smarter Cyber Defense: Leveraging Deep Learning for Threat Identification and Prevention," FUDMA Journal of Sciences, vol. 9, no. 3, pp. 122–128, Mar. 2025. doi: 10.33003/fjs-2025-0903-3264.
[10] B. Blakely, "An Experimental Platform for Autonomous Intelligent Cyber-Defense Agents: Towards a collaborative community approach (WIPP)," in 2022 Resilience Week (RWS), IEEE, Sep. 2022, pp. 1–7. doi: 10.1109/RWS55399.2022.9984037.
[11] G. Gkoktsis, H. Lauer, and L. Jäger, "Towards Mission Aware Cyber-Resiliency with Autonomous Agents," in 2023 Australasian Computer Science Week, New York, NY, USA: ACM, Jan. 2023, pp. 36–39. doi: 10.1145/3579375.3579421.
[12] B. E. Akilo, S. A. Oyedotun, G. P. Oise, O. C. Nwabuokei, and N. B. Unuigbokhai, "Intelligent Traffic Management System Using Ant Colony and Deep Learning Algorithms for Real-Time Traffic Flow Optimization," Journal of Science Research and Reviews, vol. 1, no. 2, pp. 63–71, Dec. 2024. doi: 10.70882/josrar.2024.v1i2.52.
[13] G. G. James, O. G. P, C. E. G, M. N. A, E. W. F, and O. P. E, "Optimizing Business Intelligence System Using Big Data and Machine Learning," Journal of Information Systems and Informatics, vol. 6, no. 2, pp. 1215–1236, Jun. 2024. doi: 10.51519/journalisi.v6i2.631.
[14] M. Hilmi, A. Widyotriatmo, I. Kuncara, Y. Y. Nazaruddin, and A. Hasan, "Path-Following Control of Autonomous Vehicles Under Sensor Attacks," in 2024 European Control Conference (ECC), IEEE, Jun. 2024, pp. 3656–3661. doi: 10.23919/ECC64448.2024.10590744.
[15] G. P. Oise et al., "YOLOv8-DeepSORT: A High-Performance Framework for Real-Time Multi-Object Tracking with Attention and Adaptive Optimization," Journal of Science Research and Reviews, vol. 2, no. 2, pp. 92–100, May 2025. doi: 10.70882/josrar.2025.v2i2.50.
[16] A. Anandita Iyer and K. S. Umadevi, "Role of AI and Its Impact on the Development of Cyber Security Applications," 2023, pp. 23–46. doi: 10.1007/978-981-99-2115-7_2.
[17] P. Verma, T. Newe, G. D. O'Mahony, D. Brennan, and D. O'Shea, "Toward a Unified Understanding of Cyber Resilience: Concepts, Strategies, and Future Directions," IEEE Access, vol. 13, pp. 49945–49965, 2025. doi: 10.1109/ACCESS.2025.3551887.
[18] A. K. Ligo, A. Kott, and I. Linkov, "How to Measure Cyber-Resilience of a System With Autonomous Agents: Approaches and Challenges," IEEE Engineering Management Review, vol. 49, no. 2, pp. 89–97, Jun. 2021. doi: 10.1109/EMR.2021.3074288.
[19] G. P. Oise, S. A. Oyedotun, O. C. Nwabuokei, A. E. Babalola, and N. B. Unuigbokhai, "Enhanced Prediction of Coronary Artery Disease Using Logistic Regression," FUDMA Journal of Sciences, vol. 9, no. 3, pp. 201–208, Mar. 2025. doi: 10.33003/fjs-2025-0903-3263.
[20] R. Buchta, G. Gkoktsis, F. Heine, and C. Kleiner, "Advanced Persistent Threat Attack Detection Systems: A Review of Approaches, Challenges, and Trends," Digital Threats: Research and Practice, vol. 5, no. 4, pp. 1–37, Dec. 2024. doi: 10.1145/3696014.
[21] W. Soussi, M. Christopoulou, G. Xilouris, and G. Gur, "Moving Target Defense as a Proactive Defense Element for Beyond 5G," IEEE Communications Standards Magazine, vol. 5, no. 3, pp. 72–79, Sep. 2021. doi: 10.1109/MCOMSTD.211.2000087.
[22] A. K. Ligo, A. Kott, and I. Linkov, "Autonomous Cyberdefense Introduces Risk: Can We Manage the Risk?," Computer, vol. 54, no. 10, pp. 106–110, Oct. 2021. doi: 10.1109/MC.2021.3099042.
[23] E. Tsen, R. K. Ko, and S. Slapničar, "Organisational Cyber Resilience and its Influence on Cyber Attack Outcomes: An Exploratory Study of 1,145 Publicised Attacks," SSRN Electronic Journal, 2020. doi: 10.2139/ssrn.3735636.
[24] W. H. Walters, "The Effectiveness of Software Designed to Detect AI-Generated Writing: A Comparison of 16 AI Text Detectors," Open Information Science, vol. 7, no. 1, Oct. 2023. doi: 10.1515/opis-2022-0158.
[25] S. Munikoti, D. Agarwal, L. Das, M. Halappanavar, and B. Natarajan, "Challenges and Opportunities in Deep Reinforcement Learning With Graph Neural Networks: A Comprehensive Review of Algorithms and Applications," IEEE Trans. Neural Netw. Learn. Syst., vol. 35, no. 11, pp. 15051–15071, Nov. 2024. doi: 10.1109/TNNLS.2023.3283523.
[26] L. Zhang, P. Liu, Y.-H. Choi, and P. Chen, "Semantics-Preserving Reinforcement Learning Attack Against Graph Neural Networks for Malware Detection," IEEE Trans. Dependable Secure Comput., vol. 20, no. 2, pp. 1390–1402, Mar. 2023. doi: 10.1109/TDSC.2022.3153844.
[27] A. Uprety and D. B. Rawat, "Reinforcement Learning for IoT Security: A Comprehensive Survey," IEEE Internet Things J., vol. 8, no. 11, pp. 8693–8706, Jun. 2021. doi: 10.1109/JIOT.2020.3040957.
[28] S. Yuwono, D. Schwung, and A. Schwung, "Distributed Stackelberg Strategies in State-Based Potential Games for Autonomous Decentralized Learning Manufacturing Systems," IEEE Trans. Syst. Man Cybern. Syst., vol. 55, no. 11, pp. 8112–8125, Nov. 2025. doi: 10.1109/TSMC.2025.3602958.
[29] T. T. Nguyen and V. J. Reddi, "Deep Reinforcement Learning for Cyber Security," IEEE Trans. Neural Netw. Learn. Syst., vol. 34, no. 8, pp. 3779–3795, Aug. 2023. doi: 10.1109/TNNLS.2021.3121870.
[30] M. Sarhan, S. Layeghy, N. Moustafa, and M. Portmann, "NetFlow Datasets for Machine Learning-Based Network Intrusion Detection Systems," 2021, pp. 117–135. doi: 10.1007/978-3-030-72802-1_9.
[31] A. M. K. Adawadkar and N. Kulkarni, "Cyber-security and reinforcement learning — A brief survey," Eng. Appl. Artif. Intell., vol. 114, p. 105116, Sep. 2022. doi: 10.1016/j.engappai.2022.105116.
[32] G. Oise and S. Konyeha, "Environmental impacts in e-waste management using deep learning," Discover Artificial Intelligence, vol. 5, no. 1, p. 210, Aug. 2025. doi: 10.1007/s44163-025-00376-9.
[33] S. Dasgupta, A. Piplai, P. Ranade, and A. Joshi, "Cybersecurity Knowledge Graph Improvement with Graph Neural Networks," in 2021 IEEE International Conference on Big Data (Big Data), IEEE, Dec. 2021, pp. 3290–3297. doi: 10.1109/BigData52589.2021.9672062.
[34] T. Bilot, N. El Madhoun, K. Al Agha, and A. Zouaoui, "Graph Neural Networks for Intrusion Detection: A Survey," IEEE Access, vol. 11, pp. 49114–49139, 2023. doi: 10.1109/ACCESS.2023.3275789.
[35] B. Lakha, S. L. Mount, E. Serra, and A. Cuzzocrea, "Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer-Based Model: A Case Study with BETH Dataset," in 2022 IEEE International Conference on Big Data (Big Data), IEEE, Dec. 2022, pp. 5756–5764. doi: 10.1109/BigData55660.2022.10020336.
[36] S. A. Oyedotun, G. P. Oise, and C. E. Ozobialu, "Towards Intelligent Cybersecurity in SCADA and DCS Environments: Anomaly Detection Using Multimodal Deep Learning and Explainable AI," Journal of Science Research and Reviews, vol. 2, no. 3, pp. 20–31, Jul. 2025. doi: 10.70882/josrar.2025.v2i3.76.
[37] A. Anandita Iyer and K. S. Umadevi, "Role of AI and Its Impact on the Development of Cyber Security Applications," 2023, pp. 23–46. doi: 10.1007/978-981-99-2115-7_2.
[38] N. B. Unuigbokhai et al., "Advancements in Federated Learning for Secure Data Sharing in Financial Services," FUDMA Journal of Sciences, vol. 9, no. 5, pp. 80–86, May 2025. doi: 10.33003/fjs-2025-0905-3207.
[39] G. P. Oise et al., "Decentralized Deep Learning in Healthcare: Addressing Data Privacy with Federated Learning," FUDMA Journal of Sciences, vol. 9, no. 6, pp. 19–26, Jun. 2025. doi: 10.33003/fjs-2025-0906-3714.
[40] S. A. Oyedotun et al., "The Role of Internal Audit in Fraud Detection and Prevention: A Multi-Contextual Review and Research Agenda," Journal of Science Research and Reviews, vol. 2, no. 2, pp. 76–85, May 2025. doi: 10.70882/josrar.2025.v2i2.51.

Tables: Tables 1 to 6 are available in the Supplementary Files section.

Additional Declarations: No competing interests reported.
Supplementary Files: tables123456.docx (Tables 1 to 6).

Editorial history (Research Square, In Review): first submitted to journal 23 Oct, 2025; submission checks completed and editor assigned 25 Oct, 2025; editor invited 30 Oct, 2025; reviewers invited 12 Nov, 2025; reviews received between 17 Nov, 2025 and 31 Mar, 2026; editorial decision: revision requested 01 Apr, 2026.
Authors: Susan Konyeha (University of Benin); Cyprian C. Konyeha (Benson Idahosa University); Evans Mintah (Westcliff University); Osahon Ukpebor (University of the Cumberlands); Oludare Sokoya (National University); Tejiri Jessa (Westcliff University, corresponding author).

Figure captions (recovered from the manuscript's figure files):
Figure 1: AI-Driven Threat Detection and Response Research Model
Figure 2: Hypothetical Relationships
Figure 3: Accuracy and Loss Performance Graph
Figure 4: Confusion Matrix of CNN
Figure 5: Accuracy and Loss Performance Graph of LSTM
Figure 6: Confusion Matrix of LSTM
Figure 7: Accuracy and Loss Performance Graph of Transformer
Figure 8: Confusion Matrix of Transformer
Figure 9: Model Accuracy Comparison
Figure 10: ROC Curve for the Models

1. Introduction

The accelerating digitization of global infrastructures encompassing finance, healthcare, government, and industrial systems has exponentially increased the attack surface available to cyber adversaries. Contemporary networks generate immense volumes of heterogeneous data through interconnected devices, cloud platforms, and edge computing environments. This expanding cyber-physical ecosystem, while enabling unprecedented computational agility and scalability, also introduces multifaceted vulnerabilities that exceed the capacity of human operators and traditional security systems to monitor and secure effectively [1].
Conventional intrusion detection systems (IDS), firewalls, and security information and event management (SIEM) tools rely heavily on static rule sets, predefined signatures, or human-defined heuristics. Such deterministic mechanisms are ill-equipped to recognize zero-day attacks, polymorphic malware, or adaptive adversarial behaviors that evolve faster than human response cycles or manual rule updates [2]. Cybersecurity has thus transitioned from a reactive discipline to one that demands autonomous, predictive, and adaptive intelligence. Artificial Intelligence (AI), with its capacity for pattern recognition, feature learning, and decision automation, offers a transformative paradigm for addressing this complexity. AI-driven threat detection and response (AI-TDR) leverages machine learning (ML), deep learning (DL) [3], and reinforcement learning (RL) to identify, assess, and mitigate threats in real time, often at a scale and precision unattainable through human oversight alone [4], [5]. Unlike traditional systems that depend on explicit signatures, AI models learn latent representations from historical and streaming data, enabling the discovery of subtle correlations and contextual dependencies indicative of malicious intent [6]. This shift from rule-based reasoning to data-driven inference forms the core of modern cyber defense intelligence.

At the technical level, AI enables continuous and autonomous situational awareness by ingesting and analyzing massive, dynamic datasets, including network flows, endpoint telemetry, user behaviors, and system logs. Through this continuous monitoring, AI systems can detect deviations from normal behavioral baselines [7], even when such anomalies correspond to a previously unseen threat. For instance, deep neural networks can identify the faint statistical irregularities of stealthy lateral movement, while reinforcement learning agents can dynamically adapt firewall rules or isolate compromised nodes to contain breaches autonomously [8]. The integration of such self-adaptive control loops marks a significant step toward achieving autonomous cyber defense, where AI systems not only detect but also respond to attacks with minimal or no human intervention. However, this convergence of AI and cybersecurity also introduces a new class of challenges that extend beyond technical implementation [9], [10]. The use of AI in defensive systems gives rise to adversarial AI, wherein threat actors exploit the vulnerabilities of learning models themselves. By crafting carefully perturbed inputs or manipulating training data, attackers can deceive or degrade AI classifiers, rendering them unreliable or even weaponized against their own networks. This emerging phenomenon exposes a fundamental paradox: the same AI techniques that enhance defensive intelligence can also be subverted to amplify offensive capabilities [11]. Consequently, research into robust model architectures, adversarial training, and explainable AI (XAI) has become integral to ensuring trust and reliability in AI-driven defense systems.

From a systems perspective, another critical limitation lies in the fragmentation and centralization of current security infrastructures. Most enterprise environments deploy isolated AI models tailored for specific contexts such as endpoint protection, email filtering, or network anomaly detection without systemic coordination [12]. The next frontier in AI-driven cybersecurity envisions decentralized, collaborative, and multi-agent defense frameworks. In such systems, multiple AI agents operating across endpoints, networks, and cloud nodes cooperate to share intelligence, cross-validate alerts, and orchestrate responses. This distributed intelligence not only enhances resilience but also ensures that local observations contribute to global situational awareness in near real-time. Research in multi-agent reinforcement learning (MARL) and federated learning (FL) is particularly promising in this regard, enabling collaboration across organizational and geographical boundaries while preserving data privacy and confidentiality. Moreover, the dynamic and non-stationary nature of cyber threat landscapes demands continuous learning mechanisms capable of evolving alongside emerging attack tactics. Traditional AI models, once deployed, often suffer from model drift, where learned representations become outdated as attackers modify their strategies. To sustain long-term defensive efficacy, AI-driven systems must incorporate lifelong learning, online adaptation, and concept drift detection capabilities.
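The behavioral-baseline scoring and concept-drift detection described above, as an added example that is not code from the paper: a streaming monitor scores each sample of one host metric against a learned baseline, keeps flagged outliers out of that baseline, and runs a Page-Hinkley test so that a shift in the normal level is reported as drift and the baseline is re-learned rather than flooding the analyst with alerts. The monitor class, its thresholds, and the per-minute connection-count series are constructed for illustration.

```python
"""Added example (not from the paper): streaming behavioral baseline with
point-anomaly scoring and Page-Hinkley concept-drift detection for one
host metric. Names are hypothetical; the telemetry below is constructed."""
import math
from dataclasses import dataclass, field


@dataclass
class BaselineMonitor:
    warmup: int = 30          # non-anomalous samples needed before scoring
    z_threshold: float = 4.0  # |z| above this is a point anomaly
    ph_delta: float = 0.5     # Page-Hinkley per-sample tolerance
    ph_lambda: float = 20.0   # Page-Hinkley alarm threshold
    # Welford running statistics of the anomaly-filtered baseline
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0
    # Page-Hinkley state, fed with winsorized values
    ph_n: int = 0
    ph_mean: float = 0.0
    ph_m: float = 0.0
    ph_min: float = 0.0
    events: list = field(default_factory=list)  # (index, kind, score)

    def _std(self) -> float:
        return math.sqrt(self.m2 / self.n) if self.n > 1 else 0.0

    def _reset(self) -> None:
        self.n = self.ph_n = 0
        self.mean = self.m2 = self.ph_mean = self.ph_m = self.ph_min = 0.0

    def _update_baseline(self, x: float) -> None:
        self.n += 1
        d = x - self.mean
        self.mean += d / self.n
        self.m2 += d * (x - self.mean)

    def _page_hinkley(self, x: float) -> bool:
        """Cumulative (x - running mean - delta); alarm when it climbs
        more than lambda above its historical minimum."""
        self.ph_n += 1
        self.ph_mean += (x - self.ph_mean) / self.ph_n
        self.ph_m += x - self.ph_mean - self.ph_delta
        self.ph_min = min(self.ph_min, self.ph_m)
        return self.ph_m - self.ph_min > self.ph_lambda

    def observe(self, i: int, x: float) -> str:
        std = self._std()
        ready = self.n >= self.warmup and std > 0
        verdict, x_ph = "normal", x
        if ready:
            z = (x - self.mean) / std
            if abs(z) > self.z_threshold:
                verdict = "anomaly"
                self.events.append((i, "anomaly", round(z, 2)))
                # winsorize: a single outlier must not trip the drift test
                x_ph = self.mean + math.copysign(self.z_threshold * std, z)
        if verdict == "normal":
            self._update_baseline(x)  # anomalies never poison the baseline
        if self._page_hinkley(x_ph):
            verdict = "drift"
            self.events.append((i, "drift", round(self.ph_m - self.ph_min, 2)))
            self._reset()             # the old normal is gone: re-learn it
            self._update_baseline(x)
        return verdict


def constructed_telemetry(total: int = 200) -> list:
    """Constructed per-minute outbound connection counts for one host:
    t<60 stable around 20; t=60 a single burst of 80; t=61..100 a gradual
    ramp up to 40 (attacker-induced or a legitimate workload change);
    t>100 stable around 40, the new normal."""
    series = []
    for i in range(total):
        noise = (i * 7) % 5 - 2  # deterministic pseudo-noise in -2..2
        if i == 60:
            series.append(80.0)
        elif i < 60:
            series.append(20.0 + noise)
        elif i <= 100:
            series.append(20.0 + 0.5 * (i - 60) + noise)
        else:
            series.append(40.0 + noise)
    return series


def run(series: list) -> list:
    """Feed the series through one monitor and return its event log."""
    mon = BaselineMonitor()
    for i, x in enumerate(series):
        mon.observe(i, x)
    return mon.events


if __name__ == "__main__":
    for i, kind, score in run(constructed_telemetry()):
        print(f"t={i:3d} {kind:8s} score={score}")
```

On the constructed series the burst at t=60 is reported as a point anomaly without tripping the drift test, the ramp raises its first drift alarm within a few samples of its start, and the new plateau is scored as normal once the baseline has been re-learned.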
These capabilities are essential to ensure that defense systems remain contextually relevant, resilient, and responsive over time [13]. AI-driven threat detection and response represents a paradigm shift from human-assisted security monitoring toward autonomous, self-optimizing cyber defense ecosystems. By fusing data-driven intelligence, automation, and adaptive control, AI enables near real-time identification, interpretation, and remediation of complex cyber threats. Yet, realizing this vision necessitates overcoming persistent challenges ranging from adversarial robustness and explainability to cross-domain intelligence integration and continuous adaptation [14]. As research advances toward tightly coupled, multi-agent, and privacy-preserving defense architectures, AI stands poised not merely as a tool for detection but as the central orchestrator of intelligent, autonomous cybersecurity in the era of ubiquitous digital interconnectivity.

The development of AI-driven threat detection and response systems is grounded in a rich interplay of theories drawn from computer science, cognitive science [15], control theory, and systems engineering. At its core, this field operates at the intersection of computational intelligence and adaptive security theory, where machine learning algorithms emulate cognitive reasoning processes to perceive, interpret, and respond to cyber threats in complex, dynamic environments.
These systems are shaped by multiple theoretical perspectives, namely, computational intelligence and adaptive learning theory, cognitive and decision-theoretic frameworks, complex adaptive systems theory, and adversarial and game-theoretic cybersecurity models[\u003cspan citationid=\"CR16\" class=\"CitationRef\"\u003e16\u003c/span\u003e]. Collectively, these perspectives establish a holistic foundation for understanding how artificial agents autonomously perform threat detection, situational assessment, and mitigation in real time.\u003c/p\u003e\u003cp\u003eComputational intelligence provides the foundational layer for AI-based cybersecurity by offering mathematical and algorithmic mechanisms for perception, reasoning, and adaptation under uncertainty. Rooted in machine learning and statistical pattern recognition, this approach enables systems to infer latent patterns from high-dimensional data streams and to differentiate between normal and anomalous behaviors [\u003cspan citationid=\"CR17\" class=\"CitationRef\"\u003e17\u003c/span\u003e]The theoretical basis stems from learning theory, Bayesian inference, and information theory, which define how intelligent agents incrementally update their knowledge and reduce uncertainty through evidence accumulation. Within this framework, deep learning emerges as a hierarchical form of feature learning, in which successive network layers extract progressively abstract representations of input data [\u003cspan citationid=\"CR18\" class=\"CitationRef\"\u003e18\u003c/span\u003e]. Such architectures, especially convolutional neural networks (CNNs) and transformers, have demonstrated the capacity to model polymorphic attacks and identify complex threat signatures embedded in raw packet sequences, system logs, or binary executables. 
Reinforcement learning (RL) [\u003cspan citationid=\"CR19\" class=\"CitationRef\"\u003e19\u003c/span\u003e], built on the mathematical structure of Markov Decision Processes (MDPs), further extends this intelligence by enabling adaptive control and autonomous response. Here, AI agents interact with their environment, evaluate the consequences of their actions (such as isolating compromised nodes or rerouting traffic), and optimize long-term cumulative rewards [\u003cspan citationid=\"CR20\" class=\"CitationRef\"\u003e20\u003c/span\u003e], thereby converging toward self-learning defense policies capable of continuous adaptation.\u003c/p\u003e\u003cp\u003eBeyond computational mechanisms, the theoretical foundation of AI-driven defense draws heavily from cognitive and decision-theoretic models of intelligence. Cognitive theories posit that intelligent systems perceive their environment, construct internal representations, and make goal-oriented decisions under uncertainty, a process analogous to Endsley\u0026rsquo;s model of situational awareness, which includes perception, comprehension, and projection [\u003cspan citationid=\"CR21\" class=\"CitationRef\"\u003e21\u003c/span\u003e]. AI-driven security systems follow a similar logic: they collect data, interpret threats, and anticipate adversarial actions. Within a decision-theoretic context, these systems adhere to the notion of bounded rationality, wherein decision-making is optimized under constraints of time and computational capacity. Cybersecurity, with its fast-evolving threats [\u003cspan citationid=\"CR22\" class=\"CitationRef\"\u003e22\u003c/span\u003e], exemplifies such bounded contexts, where rapid, approximate reasoning is more practical than exhaustive analysis. Reinforcement learning formalizes this bounded rationality by allowing agents to learn near-optimal defense strategies iteratively. 
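As an added illustration of the MDP formulation above (example code, not from the paper), the following Python block sets up a constructed three-state host-containment MDP and derives a containment policy in two ways: exact value iteration from the known model, and tabular Q-learning from sampled interaction only, which is what an RL agent in the Decision phase actually has. The states, transition probabilities, isolation costs and breach cost are assumptions chosen to make the trade-off between premature isolation (availability loss) and delayed isolation (damage) visible; none of them come from the study.

```python
"""Tabular Q-learning on a constructed host-containment MDP.

Added example, not code from the paper. States, actions, transition
probabilities, isolation costs and breach cost are assumptions chosen to
make the containment trade-off visible.
"""
import random

CLEAN, SUSPICIOUS, COMPROMISED = 0, 1, 2       # observed host state
STATES = (CLEAN, SUSPICIOUS, COMPROMISED)
MONITOR, ISOLATE = 0, 1                         # defender actions
ACTIONS = (MONITOR, ISOLATE)
GAMMA = 0.9                                     # discount factor

# Next-state distribution when the defender keeps monitoring (constructed).
TRANSITIONS = {
    CLEAN:       {CLEAN: 0.9, SUSPICIOUS: 0.1},
    SUSPICIOUS:  {CLEAN: 0.3, SUSPICIOUS: 0.2, COMPROMISED: 0.5},
    COMPROMISED: {COMPROMISED: 1.0},
}
# Availability cost of isolating a host in each state; isolating ends the
# episode because the host is taken off the network (constructed).
ISOLATE_REWARD = {CLEAN: -5.0, SUSPICIOUS: -1.0, COMPROMISED: 0.0}
# Damage charged for every monitored step that lands in COMPROMISED (constructed).
BREACH_COST = -10.0


def step(state, action, rng):
    """One environment transition: returns (reward, next_state, done)."""
    if action == ISOLATE:
        return ISOLATE_REWARD[state], state, True
    dist = TRANSITIONS[state]
    next_state = rng.choices(list(dist), weights=list(dist.values()))[0]
    return (BREACH_COST if next_state == COMPROMISED else 0.0), next_state, False


def value_iteration(tol=1e-9):
    """Model-based baseline: the exact optimal policy from the known MDP."""
    v = {s: 0.0 for s in STATES}
    while True:
        q_monitor = {
            s: sum(p * ((BREACH_COST if s2 == COMPROMISED else 0.0) + GAMMA * v[s2])
                   for s2, p in TRANSITIONS[s].items())
            for s in STATES
        }
        new_v = {s: max(ISOLATE_REWARD[s], q_monitor[s]) for s in STATES}
        if max(abs(new_v[s] - v[s]) for s in STATES) < tol:
            return [ISOLATE if ISOLATE_REWARD[s] >= q_monitor[s] else MONITOR
                    for s in STATES]
        v = new_v


def q_learning(episodes=10000, alpha=0.05, epsilon=0.2, horizon=30, seed=7):
    """Model-free: learn Q(s, a) from sampled interaction only."""
    rng = random.Random(seed)
    q = {s: {a: 0.0 for a in ACTIONS} for s in STATES}
    for _ in range(episodes):
        state = rng.choice(STATES)             # start anywhere so all states are visited
        for _ in range(horizon):
            if rng.random() < epsilon:         # epsilon-greedy exploration
                action = rng.choice(ACTIONS)
            else:
                action = max(ACTIONS, key=lambda a: q[state][a])
            reward, next_state, done = step(state, action, rng)
            target = reward if done else reward + GAMMA * max(q[next_state].values())
            q[state][action] += alpha * (target - q[state][action])
            if done:
                break
            state = next_state
    return q


def greedy_policy(q):
    """Action chosen in each state once learning is frozen."""
    return [max(ACTIONS, key=lambda a: q[s][a]) for s in STATES]


if __name__ == "__main__":
    print("value iteration:", value_iteration())
    print("q-learning     :", greedy_policy(q_learning()))
```

Under these constructed costs both methods settle on the same policy: keep monitoring a clean host, but isolate as soon as it turns suspicious, because the expected discounted breach cost of waiting (roughly 0.5 × 10 per step) outweighs the small availability cost of an early isolation. Changing ISOLATE_REWARD[SUSPICIOUS] to a larger penalty flips that decision, which is the point of the reward design: the learned response policy is only as sensible as the costs the defender encodes.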
Cognitive architectures such as SOAR and ACT-R further inform the design of AI systems by modeling perception, reasoning, and memory as interconnected components. Translated to cybersecurity, this suggests systems that maintain episodic memory (historical attack data), semantic understanding (relations among threat types), and procedural knowledge (learned defense strategies), forming a foundation for autonomous situational intelligence. Complex Adaptive Systems (CAS) theory provides a further perspective, framing AI-driven cybersecurity as a dynamic, evolving ecosystem composed of autonomous and interconnected agents, such as devices, users, and applications, that continuously adapt to changing threats. Within this framework, resilience emerges not from centralized control but from the self-organization and cooperative adaptation of distributed entities. These agents interact across network, edge, and cloud layers [23], independently processing local information while contributing to collective learning and coordinated defense. Nonlinear feedback loops and emergent behaviors enable the system to evolve and maintain stability under diverse attack conditions. This mirrors the principles of Multi-Agent Reinforcement Learning (MARL), where collaborating agents learn defense strategies through shared experience, much as biological immune systems self-organize to counter evolving threats.

Complementing CAS is the adversarial and game-theoretic perspective, which conceptualizes cybersecurity as an ongoing strategic contest between attackers and defenders. Both parties adapt their strategies to maximize their respective advantage, forming a co-evolutionary relationship. The Stackelberg game model captures this asymmetry, positioning defenders as leaders who commit to a strategy first and optimize it against the attacker's anticipated response. Similarly, Adversarial Machine Learning (AML) frames the interaction as a minimax optimization: attackers generate adversarial inputs to deceive models, while defenders employ adversarial training and ensemble learning to enhance robustness [24]. Integrating these theories, the proposed AI-Driven Threat Detection and Response (AI-TDR) framework operates as a closed-loop intelligence system encompassing perception, cognition, decision, and action. It embodies autonomous resilience, in which intelligent agents continuously learn, adapt, and collaborate to predict, prevent, and mitigate evolving cyber threats with minimal human oversight. In light of these developments, this research proposes the AI-TDR framework to advance the field toward autonomous, adaptive, and self-learning cyber defense systems. By integrating deep learning and reinforcement learning techniques within a unified Perception–Cognition–Decision–Action architecture, the framework enables continuous situational awareness, intelligent threat interpretation, and autonomous mitigation. Using the UNSW-NB15 dataset, the study evaluates three deep learning architectures, Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and Transformer, to analyze their capabilities in detecting, classifying, and responding to diverse cyber threats. Beyond achieving superior detection accuracy, the framework aspires to embody the next generation of multi-agent, collaborative defense intelligence, capable of operating across distributed environments and adapting dynamically to non-stationary threat landscapes.
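A minimal worked instance of the Stackelberg leader-follower model described above, added here as an example and not taken from the paper: the defender commits to a monitoring allocation, the attacker observes it and attacks whichever asset maximizes its expected uncovered payoff, and the defender searches for the allocation that minimizes that best response. The asset names, their loss values and the coverage budget are constructed; the search is a plain grid over a three-asset instance rather than the general linear-programming solution.

```python
"""Stackelberg security game: the defender commits to monitoring coverage first.

Added example, not from the paper. Asset names, loss values and the coverage
budget are constructed for illustration.
"""

# Estimated loss if an attack on the asset succeeds while unobserved (constructed).
ASSET_VALUES = {"database": 10.0, "webserver": 6.0, "printer": 1.0}
# Total detection probability the defender can spread over the assets (constructed).
COVERAGE_BUDGET = 1.2
STEP = 100  # coverage is searched in hundredths to avoid float drift


def attacker_best_response(coverage):
    """Follower: attack the asset whose expected uncovered loss is highest."""
    payoffs = {a: (1.0 - coverage[a]) * v for a, v in ASSET_VALUES.items()}
    target = max(payoffs, key=payoffs.get)
    return target, payoffs[target]


def stackelberg_allocation():
    """Leader: choose the coverage that minimises the attacker's best response.

    Grid search in hundredths over a three-asset instance; each asset's
    coverage is capped at 1.0 and the last asset absorbs any leftover budget.
    """
    assets = list(ASSET_VALUES)
    budget = round(COVERAGE_BUDGET * STEP)
    best = None
    for c1 in range(0, STEP + 1):
        for c2 in range(0, STEP + 1):
            if c1 + c2 > budget:
                break
            c3 = min(STEP, budget - c1 - c2)
            cov = {assets[0]: c1 / STEP, assets[1]: c2 / STEP, assets[2]: c3 / STEP}
            _, payoff = attacker_best_response(cov)
            if best is None or payoff < best[1] - 1e-12:
                best = (cov, payoff)
    cov, payoff = best
    return {a: round(c, 2) for a, c in cov.items()}, round(payoff, 4)


if __name__ == "__main__":
    allocation, worst_case = stackelberg_allocation()
    print("commit to:", allocation, "attacker's best payoff:", worst_case)
```

The optimum equalizes the attacker's uncovered payoff on the assets the defender chooses to cover: 0.7 on the database and 0.5 on the web server leave both at 3.0, while the printer stays unmonitored because its uncovered payoff of 1.0 is already below that level. Spending budget on the printer would only raise the payoff available on the two valuable assets, which is exactly the leader's anticipation the Stackelberg model formalizes.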
The overarching goal is to contribute to the ongoing evolution of AI-powered autonomous cybersecurity, in which intelligent agents not only detect but also anticipate, prevent, and neutralize cyberattacks in real time with minimal human intervention.

2. Literature Review

The evolution of cybersecurity has seen a significant transformation from traditional rule-based systems toward intelligent, adaptive, and data-driven defense mechanisms. Early intrusion detection systems (IDS) and firewalls relied primarily on static signatures and manually defined rules to detect known threats. Although these methods proved effective against conventional attacks, they were limited in addressing zero-day exploits, polymorphic malware, and advanced persistent threats that continually evolve to evade detection [25]. The rapid expansion of digital infrastructures and the increasing complexity of network environments have produced massive volumes of heterogeneous data, rendering human-centered monitoring impractical. As a result, artificial intelligence (AI) and machine learning (ML) have become integral to modern cybersecurity, offering automated, scalable, and predictive threat detection that can operate beyond human cognitive limits [26].

Machine learning models such as Support Vector Machines, Decision Trees, and Random Forests represented the first wave of data-driven cybersecurity systems. These models learned statistical patterns from network traffic and behavioral features to detect anomalies and intrusions, but they were limited in handling the dynamic, non-linear, and high-dimensional data typical of modern cyber environments. This limitation led to the emergence of deep learning (DL) approaches, which learn hierarchical and abstract representations directly from raw or preprocessed network data. Convolutional Neural Networks (CNNs) have been widely used to capture spatial relationships among network features, identifying localized anomalies and packet-level attack signatures. Recurrent Neural Networks (RNNs), particularly Long Short-Term Memory (LSTM) networks, have shown strong performance in modeling temporal dependencies, enabling the detection of time-dependent or stealthy intrusion patterns that unfold gradually [27]. More recently, the Transformer architecture has reshaped deep learning for cybersecurity by introducing self-attention mechanisms capable of modeling complex, long-range dependencies across high-dimensional network features. The parallel processing and scalability advantages of Transformers make them particularly suitable for real-time intrusion detection and large-scale security analytics. Together, CNNs, LSTMs, and Transformers form the foundation of modern AI-driven threat detection, each contributing distinct strengths in spatial, temporal, and contextual modeling.

According to [6], deep reinforcement learning (DRL) applications in cybersecurity demonstrate its ability to address complex and dynamic threats through adaptable and scalable defense mechanisms; that survey reviews DRL methods for cyber-physical security, intrusion detection, and game-theoretic defense, and outlines key challenges and research directions for DRL-based cyber defense. Reference [5] presents CAFormer, a Transformer-based auction framework that uses reinforcement learning (RL) Q-values to allocate defensive actions strategically under uncertainty; by applying combinatorial auctions it ensures robust and efficient resource distribution even under misreporting, and its results show strong performance, robustness, and alignment with real-world defense goals, highlighting the promise of RL-driven, auction-based planning for modern cyber defense. Reference [28] proposes DS2-SbPG, a game-theoretic framework combining potential and Stackelberg games for decentralized manufacturing optimization; unlike traditional methods, it improves coordination, scalability, and multi-objective trade-offs through fully distributed training, and experiments show that DS2-SbPG improves system performance and reduces power use by up to 10.61%, demonstrating its effectiveness for real-world industrial applications [29]. According to [30], machine learning (ML)-based Network Intrusion Detection Systems (NIDSs) are increasingly used to safeguard networks from cyberattacks, but inconsistencies across public datasets hinder model comparability and real-world applicability. To bridge this gap, the authors developed five standardized NetFlow-based datasets derived from UNSW-NB15, BoT-IoT, ToN-IoT, and CSE-CIC-IDS2018, ensuring a unified, practically relevant feature set; the NetFlow format improves scalability and reflects real network environments. Each dataset supports both binary and multi-class classification, facilitating consistent evaluation of ML models. Using an Extra Trees classifier as a case study, the approach demonstrated improved cross-dataset generalization, promoting more reliable and deployable ML-based NIDS research.

Beyond detection, reinforcement learning (RL) has emerged as a promising approach for achieving autonomous and adaptive cyber defense. Unlike supervised learning, which relies on labeled data, RL enables systems to learn defense strategies through continuous interaction with their environment. RL agents can dynamically reconfigure network policies, isolate compromised hosts, and deploy countermeasures in response to evolving threat conditions. This ability to adapt in real time shifts cybersecurity from a reactive to a proactive discipline. However, implementing RL in cyber defense poses challenges, including safe exploration in high-stakes environments, delayed feedback, and vulnerability to adversarial manipulation. Embedding RL within a structured framework, such as the Perception–Cognition–Decision–Action cycle adopted in this research, addresses these challenges by providing controlled feedback mechanisms that guide learning and decision optimization. While the integration of AI into cybersecurity has brought remarkable advances, it has also introduced new vulnerabilities through adversarial AI. In adversarial settings, malicious actors craft deceptive inputs or manipulate training data to mislead learning models, causing misclassification or performance degradation [31]. This phenomenon highlights the dual-use nature of AI, where the same technologies that enable intelligent defense can be exploited for offense. Consequently, research into adversarial robustness and model explainability has become crucial.
Explainable AI (XAI) techniques [32], such as model attribution and interpretability visualization, enhance transparency by revealing the rationale behind AI-driven decisions. These methods not only build user trust but also help human analysts understand, validate, and refine automated threat responses. Combining adversarial resilience with explainability is essential for developing trustworthy AI systems that can be safely deployed in critical cyber environments.

Despite these advances, several challenges remain unresolved in AI-driven cybersecurity. Most existing approaches focus on detection alone, neglecting integrated response mechanisms and continuous learning. Many systems lack adaptability, explainability, and resilience against adversarial manipulation. Furthermore, the fragmentation of AI models across isolated applications, such as endpoint protection, network analysis, and behavioral monitoring, limits cross-domain intelligence sharing and coordinated defense. The proposed AI-Driven Threat Detection and Response (AI-TDR) framework addresses these gaps by unifying deep learning, reinforcement learning, and adaptive feedback loops within a single closed-loop architecture. Structured around the Perception–Cognition–Decision–Action model, the framework fosters autonomous learning, self-optimization, and proactive response. In doing so, it contributes to the evolution of cybersecurity from static detection to autonomous, explainable, and collaborative defense, in line with the emerging vision of intelligent, decentralized cyber protection systems.

3. Methodology

This study adopts a design science research (DSR) methodology integrated with quantitative experimental validation to develop and evaluate the AI-Driven Threat Detection and Response (AI-TDR) framework. The DSR paradigm focuses on the design, construction, and evaluation of innovative artifacts that solve real-world problems, in this case the need for autonomous, intelligent cyber defense mechanisms. The methodology emphasizes relevance to practical cybersecurity challenges, rigor in theoretical grounding, and evaluation through empirical experimentation. The AI-TDR system was conceptualized as a computational artifact integrating perception, cognition, decision-making, and autonomous response capabilities. A hybrid research design combining system modeling and simulation-based experimentation was employed to assess the AI mechanisms under realistic cyber-attack scenarios. This dual orientation enabled both empirical performance assessment and construct validation, linking the experimental outcomes to the theoretical constructs of adaptive intelligence and cyber resilience.

Dataset Description and Data Collection

This study employed the UNSW-NB15 dataset [30], a comprehensive benchmark for evaluating modern intrusion detection systems. Developed at the Cyber Range Lab of UNSW Canberra using the IXIA PerfectStorm tool, the dataset combines real network traffic with synthetic attack behaviors to simulate realistic cyber environments. Approximately 100 GB of raw packet data were captured using tcpdump, covering nine attack categories, including Fuzzers, DoS, Exploits, and Reconnaissance. Data processing was performed with Argus and Bro-IDS, with twelve algorithms extracting 49 features and corresponding class labels. The dataset contains 2,540,044 records distributed across four CSV files, with supplementary ground-truth and event-mapping files. For experimentation, it was divided into 175,341 training and 82,332 testing samples, maintaining a balanced mix of normal and attack data. Before model training, standard preprocessing, including normalization, label encoding, handling of missing values, and shuffling, was applied to improve learning performance and reduce bias.

Research Design

The AI-TDR research model conceptualizes intelligent cybersecurity as a continuous adaptive learning loop composed of four interdependent components: Perception, Cognition, Decision, and Action. Perception (P) involves the acquisition and preprocessing of data from heterogeneous network sources, as depicted in Figure 1, ensuring the system has high-quality, real-time information for analysis. Cognition (C) is the phase in which deep learning algorithms infer threats by recognizing complex and evolving malicious patterns. Decision (D) optimizes response strategies through reinforcement learning mechanisms that let the system adapt dynamically to emerging threats. Finally, Action (A) entails the autonomous execution of mitigation measures and the feedback processes that reinforce and refine both perception and cognition over time. The hypothesized relationships among these components (H1–H4), shown in Figure 2, establish a cybernetic feedback loop that allows the system to continuously learn, self-improve, and achieve adaptive threat mitigation in real time.

Model Development and Evaluation

In this study, three deep learning architectures, Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and Transformer, were developed and trained on the processed UNSW-NB15 dataset to evaluate the performance of the proposed AI-TDR framework. The CNN architecture extracted spatial correlations from network features, enabling the identification of localized anomalies and attack signatures. The LSTM network captured temporal dependencies across sequential data, making it proficient at detecting stealthy or time-dependent intrusion patterns. The Transformer model leveraged self-attention to capture complex, long-range dependencies within high-dimensional network data, enhancing contextual understanding and scalability.
Each model was trained for ten epochs and evaluated on accuracy, precision, recall, F1-score, and AUC-ROC. Both the CNN and LSTM achieved 100% classification accuracy, while the Transformer reached 96.8% accuracy with an AUC of 0.996, reflecting strong generalization and minimal overfitting. These results indicate that combining advanced AI architectures with a robust and diverse dataset such as UNSW-NB15 supports the development of autonomous, adaptive, and explainable cyber defense systems capable of operating in complex and evolving threat environments.

Model Development

The Convolutional Neural Network (CNN)

Each deep learning model used in AI-driven threat detection and response offers distinct strengths and limitations that follow from its architecture and learning mechanism. The CNN is particularly effective at capturing spatial correlations and local feature patterns within network traffic or system behavior data. Its convolutional filters extract hierarchical representations automatically, making it well suited to identifying localized anomalies such as suspicious packet sequences or malicious payload signatures. However, CNNs have limited capacity for temporal modeling: they focus on spatial dependencies within fixed data windows and struggle to capture long-term sequential dynamics in network activity.

Table 1: Training Loop for CNN [image]

Table 1 shows rapid and consistent improvement across 10 epochs, reaching nearly perfect performance. Training and validation accuracies rise to about 100%, while losses drop to extremely low values, indicating efficient learning and strong generalization with minimal overfitting.

Figure 3 presents the accuracy and loss of the CNN over 10 epochs. Both training and validation accuracy increased rapidly, reaching nearly 100% by the third epoch and remaining stable thereafter, demonstrating strong learning and generalization. Correspondingly, training and validation losses dropped sharply after the first epoch and stayed near zero, with only a minor fluctuation around epoch 4. The model converged well, indicating effective training with minimal overfitting.

Table 2 presents the classification metrics of the CNN model. The model achieved a perfect accuracy of 1.0000, with precision, recall, and F1-score all equal to 1.00 for both classes (0 and 1). This indicates that the CNN classified every sample in the dataset correctly, with no false positives or false negatives. The macro and weighted averages also stand at 1.00, confirming consistent and balanced performance across classes. Overall, the results show that the CNN achieved flawless prediction accuracy and generalization on the evaluated dataset.

Figure 4: The CNN model shows outstanding accuracy and reliability, correctly classifying nearly all samples with only two errors out of over fifty thousand predictions. With perfect precision and near-perfect recall, the results indicate that the model learns and distinguishes the patterns of the two classes effectively, achieving near-flawless classification performance.

The Long Short-Term Memory (LSTM)

The Long Short-Term Memory (LSTM) network addresses this temporal limitation by learning sequential dependencies and modeling the evolution of threats over time. Its gated recurrent structure retains information across multiple time steps, enabling detection of time-based intrusion patterns such as slow-moving or stealthy attacks. Despite this advantage, LSTMs are computationally intensive, requiring longer training times and significant resources. They are also prone to overfitting, particularly when trained on small or noisy cybersecurity datasets, which can reduce their generalization to unseen attack behaviors.

Table 3 shows the training log for the LSTM model, with rapid improvement across ten epochs. The model began with a training accuracy of 92.04% and a validation accuracy of 100% in the first epoch, then reached perfect accuracy (100%) from the second epoch onward. Both training and validation losses decreased steadily to extremely small values, reaching 1.2048e-09 in the final epoch. This indicates that the LSTM learned the patterns in the dataset and converged fully, with no sign of overfitting or underperformance.

Figure 5: The LSTM model showed rapid and stable learning, reaching 100% accuracy by the second epoch and maintaining it throughout training. Both training and validation losses decreased steadily to near zero, indicating excellent convergence and generalization. Overall, the model achieved near-perfect performance with minimal error and no signs of overfitting.

Table 4 shows that the LSTM model achieved perfect performance, with 100% accuracy, precision, recall, and F1-score for both classes, correctly classifying all 51,535 samples. This result suggests high model effectiveness but may also indicate overfitting or data leakage.

Figure 6, the confusion matrix for the LSTM model, shows perfect classification: all 18,613 instances of class 0 and 32,922 instances of class 1 were predicted correctly, with zero false positives and zero false negatives. This confirms 100% accuracy, precision, recall, and F1-score, although such flawless results may indicate overfitting or data leakage.

Transformer architecture

The Transformer architecture, by contrast, is a more flexible model that uses self-attention to learn complex, long-range dependencies within large-scale network data. Its parallelized attention analyzes multiple relationships between data points simultaneously, improving efficiency and scalability compared with recurrent models. This makes Transformers effective at modeling intricate attack vectors and multi-stage intrusion scenarios.
However, these advantages come at the cost of requiring large volumes of labeled data and substantial computational power for training. Without sufficient data or resources, Transformers may fail to generalize or may be cost-prohibitive for real-time deployment. Overall, while each model contributes uniquely to AI-driven cybersecurity, their combined use in hybrid or ensemble frameworks can yield superior detection performance by leveraging their complementary strengths.

Table 5, the training log of the Transformer model, shows its performance over 10 epochs. Training accuracy increased steadily from 73.5% in epoch 1 to 94.9% in epoch 10, while validation accuracy improved from 85.7% to 96.9%. Training and validation losses decreased from 0.5247 to 0.1162 and from 0.3148 to 0.0808, respectively, indicating effective learning and convergence. Overall, the model shows strong generalization and consistent improvement, suggesting successful optimization without signs of overfitting.

Figure 7 shows that the Transformer model learns steadily and generalizes well, with training and validation accuracy improving consistently and losses decreasing smoothly across epochs. The close alignment of the curves indicates stable convergence and minimal overfitting, confirming the model's robustness.

Table 6 shows that the Transformer model achieved an overall accuracy of 96.78%. For class 0 it attained a precision of 0.95, a recall of 0.96, and an F1-score of 0.96, while class 1 reached a precision of 0.98, a recall of 0.97, and an F1-score of 0.97. The macro and weighted averages both stand at 0.97, confirming balanced performance across classes. These results indicate that the model distinguishes the two categories with high precision and consistency.

Figure 8, the confusion matrix for the Transformer model, shows strong classification performance, with 17,945 true negatives, 31,928 true positives, 668 false positives, and 994 false negatives. The model therefore classifies most samples of both classes correctly, with few errors.
The calculated metrics reveal an accuracy of about \u003cstrong\u003e98%\u003c/strong\u003e\u003cstrong\u003e,\u003c/strong\u003e precision of \u003cstrong\u003e97.9%\u003c/strong\u003e\u003cstrong\u003e,\u003c/strong\u003e recall of \u003cstrong\u003e97.0%\u003c/strong\u003e\u003cstrong\u003e,\u003c/strong\u003e and an F1-score of \u003cstrong\u003e97.4%\u003c/strong\u003e\u003cstrong\u003e,\u0026nbsp;\u003c/strong\u003edemonstrating the model\u0026rsquo;s high reliability and balanced performance.\u0026nbsp;\u003c/p\u003e\n\u003cp\u003eFigure 9 compares the accuracy of three deep learning models: \u003cstrong\u003eCNN\u003c/strong\u003e\u003cstrong\u003e, \u003cstrong\u003eLSTM\u003c/strong\u003e,\u003c/strong\u003e and \u003cstrong\u003eTransformer\u003c/strong\u003e\u003cstrong\u003e.\u003c/strong\u003e Both the CNN and LSTM models achieved perfect accuracy scores of \u003cstrong\u003e1.000 (100%)\u003c/strong\u003e\u003cstrong\u003e,\u003c/strong\u003e while the Transformer model recorded a slightly lower accuracy of \u003cstrong\u003e0.968 (96.8%)\u003c/strong\u003e\u003cstrong\u003e.\u003c/strong\u003e This indicates that although all three models perform very well, the CNN and LSTM architectures outperform the Transformer in this specific task. Overall, the results suggest that CNN and LSTM models exhibit superior precision and generalization capabilities for the dataset compared to the Transformer.\u003c/p\u003e\n\u003cp\u003eThe ROC curve compares the classification performance of the \u003cstrong\u003eCNN\u003c/strong\u003e\u003cstrong\u003e, \u003cstrong\u003eLSTM\u003c/strong\u003e\u003c/strong\u003e, and \u003cstrong\u003eTransformer\u003c/strong\u003e\u003cstrong\u003e\u0026nbsp;\u003c/strong\u003emodels. 
Both the CNN and LSTM achieved perfect \u003cstrong\u003eAUC (Area Under the Curve) scores of 1.000\u003c/strong\u003e\u003cstrong\u003e,\u0026nbsp;\u003c/strong\u003eindicating flawless discrimination between classes with no false positives or false negatives. The \u003cstrong\u003eTransformer\u003c/strong\u003e model also performed excellently, with an \u003cstrong\u003eAUC of 0.996\u003c/strong\u003e\u003cstrong\u003e,\u003c/strong\u003e showing only a slight drop in performance compared to CNN and LSTM. Overall, the ROC curves demonstrate that all three models have exceptional classification capability, with CNN and LSTM showing ideal performance and the Transformer maintaining near-perfect accuracy in distinguishing between positive and negative classes.\u003c/p\u003e"},{"header":"4. Results and Discussion","content":"\u003cp\u003eThe performance evaluation of the proposed \u003cstrong\u003eAI-Driven Threat Detection and Response (AI-TDR)\u003c/strong\u003e framework was conducted using the \u003cstrong\u003eUNSW-NB15 dataset\u003c/strong\u003e\u003cstrong\u003e,\u003c/strong\u003e which contains diverse attack categories representative of real-world network environments. The inclusion of nine attack types, Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode, and Worms, enabled comprehensive testing of the models\u0026rsquo; capacity to generalize across multiple threat vectors. Three deep learning architectures\u003cstrong\u003e, \u003cstrong\u003eConvolutional Neural Network (CNN)\u003c/strong\u003e, \u003cstrong\u003eLong Short-Term Memory (LSTM)\u003c/strong\u003e,\u0026nbsp;\u003c/strong\u003eand \u003cstrong\u003eTransformer,\u003c/strong\u003e were developed and evaluated using the training (175,341 records) and testing (82,332 records) subsets of the dataset. Each model was trained over ten epochs, and performance metrics were computed to assess accuracy, precision, recall, F1-score, and AUC-ROC. 
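
The metrics just listed can be recomputed directly from the four confusion-matrix counts the text reports for the Transformer (17,945 TN, 31,928 TP, 668 FP, 994 FN). The code below is an added check, not the paper's code; the counts are the paper's, while the detector score sample used to exercise the AUC function is constructed.

```python
"""Recompute classification metrics from a binary confusion matrix and
ROC-AUC from detector scores. Added example, not the paper's code: the
confusion-matrix counts are the Transformer figures reported for
Figure 8; the score sample at the bottom is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfusionMatrix:
    tn: int  # benign flows correctly left alone
    fp: int  # benign flows flagged as attacks (false alarms)
    fn: int  # attack flows that were missed
    tp: int  # attack flows correctly flagged

    @property
    def total(self) -> int:
        return self.tn + self.fp + self.fn + self.tp

    def accuracy(self) -> float:
        return (self.tp + self.tn) / self.total

    def class_metrics(self, positive: int) -> dict:
        """Precision, recall and F1 with `positive` (1 = attack, 0 = benign)
        as the class of interest; for class 0 the roles of the cells swap."""
        if positive == 1:
            tp, fp, fn = self.tp, self.fp, self.fn
        else:
            tp, fp, fn = self.tn, self.fn, self.fp
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        denom = precision + recall
        f1 = 2 * precision * recall / denom if denom else 0.0
        return {"precision": precision, "recall": recall, "f1": f1,
                "support": tp + fn}

    def report(self) -> dict:
        """Per-class metrics plus the macro (unweighted) and support-weighted
        averages, i.e. the rows of a sklearn-style classification report."""
        per_class = {c: self.class_metrics(c) for c in (0, 1)}
        macro, weighted = {}, {}
        for key in ("precision", "recall", "f1"):
            macro[key] = sum(m[key] for m in per_class.values()) / 2
            weighted[key] = sum(m[key] * m["support"]
                                for m in per_class.values()) / self.total
        return {"accuracy": self.accuracy(), "class": per_class,
                "macro": macro, "weighted": weighted}


def roc_auc(scores, labels) -> float:
    """ROC-AUC via its rank (Mann-Whitney) form: the probability that a
    random attack scores above a random benign sample, ties counting half.
    Quadratic in the sample size, which is fine for a check like this."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    if not pos or not neg:
        raise ValueError("need both classes to compute AUC")
    wins = 0.0
    for p in pos:
        for n in neg:
            wins += 1.0 if p > n else 0.5 if p == n else 0.0
    return wins / (len(pos) * len(neg))


# Counts reported for the Transformer model (Figure 8 in the text).
TRANSFORMER_CM = ConfusionMatrix(tn=17_945, fp=668, fn=994, tp=31_928)

# Constructed detector scores: one attack (0.40) ranks below one benign
# flow (0.55), so AUC is below 1.0; a 0.5 threshold would miss that
# attack and raise one false alarm.
SAMPLE_SCORES = [0.05, 0.20, 0.55, 0.30, 0.92, 0.40, 0.85, 0.97]
SAMPLE_LABELS = [0, 0, 0, 0, 1, 1, 1, 1]

if __name__ == "__main__":
    r = TRANSFORMER_CM.report()
    print(f"accuracy {r['accuracy']:.4f}")
    for c in (0, 1):
        m = r["class"][c]
        print(f"class {c}: P={m['precision']:.2f} R={m['recall']:.2f} "
              f"F1={m['f1']:.2f} support={m['support']}")
    print("macro   ", {k: round(v, 2) for k, v in r["macro"].items()})
    print("weighted", {k: round(v, 2) for k, v in r["weighted"].items()})
    print(f"sample AUC {roc_auc(SAMPLE_SCORES, SAMPLE_LABELS):.4f}")
```

Accuracy from these four counts is 49,873 / 51,535 = 96.78%, the Table 6 figure, and the per-class precision and recall reproduce the Table 6 values to two decimals.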

The CNN model demonstrated rapid convergence and high efficiency, achieving 100% training and validation accuracy by the third epoch. Both loss curves dropped sharply toward zero, indicating effective feature learning and minimal overfitting. The CNN excelled at identifying spatial correlations within the dataset's feature space, such as packet size and flow duration, leading to perfect classification performance across all attack classes.

The LSTM model, designed to capture temporal dependencies, also achieved 100% accuracy, precision, recall, and F1-score across all classes. Its gated architecture effectively modeled sequential variations in network traffic patterns, enabling precise detection of stealthy or long-running attacks such as reconnaissance and slow DoS. However, the flawless results suggest the need for additional cross-validation with unseen data to rule out overfitting or data leakage.

The Transformer model, leveraging self-attention mechanisms, achieved 96.8% accuracy and an AUC of 0.996, showing strong generalization despite its computational complexity. It successfully learned high-level dependencies across large-scale features and proved particularly effective in handling the multi-stage intrusion patterns present in the UNSW-NB15 dataset.
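
The leakage caveat above is the check a practitioner runs before trusting a 100% score: a column that fixes the label (such as the attack category, or a row id in a split ordered by class) or test rows that are exact copies of training rows will both inflate every metric. The audit below is an added example, not the paper's code; its records are constructed, and it assumes the UNSW-NB15 CSV split layout in which id, attack_cat and label are separate columns.

```python
"""Pre-training audit for the two leakage paths that most often produce
a 100% score on UNSW-NB15-style splits: columns that fix the label
(attack_cat, or an id that is ordered by class) and test rows that are
exact feature-wise copies of training rows. Added example; the records
below are constructed, and the column layout (id, attack_cat and label
as separate columns) is assumed to follow the UNSW-NB15 CSV splits."""
from collections import Counter, defaultdict

LABEL = "label"


def row(id_, proto, service, sbytes, dur, attack_cat, label):
    """Build one flow record with the handful of columns used here."""
    return {"id": id_, "proto": proto, "service": service, "sbytes": sbytes,
            "dur": dur, "attack_cat": attack_cat, LABEL: label}


# Constructed training split: proto/service/sbytes/dur all mix labels,
# attack_cat fixes the label by construction, id is unique per row.
TRAIN = [
    row(1, "tcp", "http", 1540, 0.120, "Normal", 0),
    row(2, "udp", "dns", 73, 0.001, "Normal", 0),
    row(3, "tcp", "http", 1540, 3.500, "Exploits", 1),
    row(4, "tcp", "ftp", 320, 0.900, "Normal", 0),
    row(5, "udp", "dns", 73, 0.001, "Normal", 0),
    row(6, "tcp", "http", 9000, 0.120, "Fuzzers", 1),
    row(7, "udp", "dns", 512, 0.004, "Generic", 1),
    row(8, "tcp", "ssh", 128, 12.000, "Reconnaissance", 1),
]

# Constructed test split: rows 101 and 103 repeat training flows exactly.
TEST = [
    row(101, "udp", "dns", 73, 0.001, "Normal", 0),
    row(102, "tcp", "http", 4096, 0.300, "Exploits", 1),
    row(103, "tcp", "ssh", 128, 12.000, "Reconnaissance", 1),
    row(104, "udp", "dns", 600, 0.002, "Normal", 0),
]


def label_purity(rows, col, label_col=LABEL):
    """Fraction of rows whose label equals the majority label of the rows
    sharing their value of `col`, and the column's number of distinct
    values. Purity 1.0 means the column alone reproduces the label."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[col]].append(r[label_col])
    agree = sum(Counter(ls).most_common(1)[0][1] for ls in groups.values())
    return agree / len(rows), len(groups)


def find_leaky_columns(rows, label_col=LABEL):
    """Columns with purity 1.0. A column that is unique per row is flagged
    as an identifier (trivially pure, and in class-sorted splits also
    ordered by label); any other pure column is a deterministic leak such
    as attack_cat. On real data also inspect high-cardinality numeric
    columns, which can be pure by accident on small splits."""
    findings = {}
    for col in rows[0]:
        if col == label_col:
            continue
        purity, distinct = label_purity(rows, col, label_col)
        if purity == 1.0:
            findings[col] = "identifier" if distinct == len(rows) else "deterministic"
    return findings


def train_test_overlap(train, test, feature_cols):
    """Fraction of test rows whose feature tuple already occurs in the
    training split, plus their ids. Such rows measure memorisation, not
    generalisation to unseen traffic."""
    seen = {tuple(r[c] for c in feature_cols) for r in train}
    hits = [r["id"] for r in test if tuple(r[c] for c in feature_cols) in seen]
    return len(hits) / len(test), hits


def audit(train, test, label_col=LABEL):
    """Full check: drop leaky columns from the feature set, then measure
    how much of the test split is a copy of training data."""
    leaks = find_leaky_columns(train, label_col)
    features = [c for c in train[0] if c != label_col and c not in leaks]
    overlap, ids = train_test_overlap(train, test, features)
    return {"leaky_columns": leaks, "features": features,
            "overlap_fraction": overlap, "overlapping_test_ids": ids}


if __name__ == "__main__":
    for key, value in audit(TRAIN, TEST).items():
        print(f"{key}: {value}")
```

On the constructed splits the audit drops id and attack_cat from the feature set and reports that half of the test rows are verbatim training flows, which is exactly the situation in which a perfect test score says nothing about unseen attacks.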
The Transformer's slightly lower accuracy reflects the challenge of modeling heterogeneous attack types while maintaining efficiency across high-dimensional inputs.

A comparative performance assessment shows that both the CNN and LSTM outperformed the Transformer in raw accuracy while also requiring less computational overhead. The ROC analysis revealed that the CNN and LSTM achieved an AUC of 1.000, indicating perfect discrimination between benign and malicious traffic, while the Transformer achieved an AUC of 0.996, confirming near-ideal performance. While the CNN and LSTM excelled in classification precision, their deterministic learning structures may limit adaptability to new, unseen attacks. Conversely, the Transformer's attention-based design offers greater contextual adaptability, making it more suitable for real-time, large-scale network defense. These differences underscore the value of ensemble or hybrid architectures that integrate the spatial sensitivity of CNNs, the temporal awareness of LSTMs, and the contextual adaptability of Transformers for improved resilience and scalability.

The AI-Driven Threat Detection and Response (AI-TDR) framework developed in this study aligns with the evolving research focus on leveraging artificial intelligence to autonomously identify, assess, and neutralize cybersecurity threats with speed and precision beyond human capability. The findings demonstrate that integrating deep learning and reinforcement learning can redefine modern cyber defense by enabling systems to continuously monitor vast and dynamic data streams, identify subtle and previously unseen attack patterns, and respond to evolving threats in near real time. This advancement represents a significant step toward autonomous, intelligent, and adaptive cyber defense ecosystems capable of both detection and mitigation without human intervention. The experimental results confirm that combining Convolutional Neural Networks (CNN), Long Short-Term Memory (LSTM) networks, and Transformer architectures provides complementary strengths in addressing the complexity of modern network attacks. The CNN excelled at capturing spatial dependencies and localized anomalies within network traffic, while the LSTM effectively modeled sequential and temporal correlations, detecting stealthy and time-dependent intrusions. The Transformer, leveraging its self-attention mechanism, demonstrated exceptional scalability and contextual understanding for high-dimensional and multi-stage attack patterns. Collectively, these models achieved accuracies of 100% for the CNN and LSTM and 96.8% for the Transformer, validating the effectiveness of deep learning architectures in autonomously detecting and classifying diverse cyber threats on realistic benchmark data such as UNSW-NB15.

Beyond achieving high detection performance, the integration of reinforcement learning within the AI-TDR framework demonstrates the system's ability to adapt and self-optimize. Reinforcement learning enables the model to learn defense strategies through iterative feedback, allowing it to autonomously determine the most effective response to each attack scenario. By embedding this adaptive mechanism within the Perception–Cognition–Decision–Action cycle, the AI-TDR framework establishes a continuous learning process in which perception (data acquisition) informs cognition (threat inference), decision (response optimization), and action (autonomous mitigation) [33]. This feedback-driven structure mirrors human cognitive adaptation but operates with far greater speed and consistency, supporting the emergence of self-healing, self-learning, and self-optimizing defense systems that evolve with their environments.

The practical applications of this research are extensive and impactful. In Security Operations Centers (SOCs), the AI-TDR framework can automate threat detection, prioritization, and response, significantly reducing analyst workload and improving response times [34].
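
To make the Decision and Action steps of the cycle concrete, the following tabular Q-learning agent learns which containment response to apply to each perception state by iterative feedback, the mechanism the paragraph above describes. It is an added illustration and not the paper's code: the perception states, response actions, attack probabilities and reward table are assumptions, and each episode is a single decision (gamma = 0), so this is the contextual-bandit case of Q-learning.

```python
"""Tabular Q-learning for the Decision/Action steps of the
Perception-Cognition-Decision-Action loop. Added example; the simulated
environment (perception states, response actions, attack probabilities
and the reward table) is constructed and not from the paper."""
import random

# Perception/cognition output: how the detector classified the flow.
STATES = ("benign", "suspicious", "malicious")
# Responses the Action step can execute, in rising order of disruption.
ACTIONS = ("allow", "rate_limit", "block", "isolate_host")

# Assumed probability that a flow in each perception state is truly an attack.
P_ATTACK = {"benign": 0.02, "suspicious": 0.30, "malicious": 0.95}

# Assumed reward table: (reward if the flow was an attack, reward if benign).
# A missed attack and an unnecessary host isolation are the costly errors.
REWARD = {
    "allow":        (-10.0,  1.0),
    "rate_limit":   ( -3.0, -0.5),
    "block":        (  3.0, -5.0),
    "isolate_host": (  5.0, -8.0),
}


def expected_reward(state, action):
    """Analytic value of an action in a state, used to check what the
    agent should converge to."""
    p = P_ATTACK[state]
    r_attack, r_benign = REWARD[action]
    return p * r_attack + (1 - p) * r_benign


class ResponseEnv:
    """One-step environment: sample a perception state, then reveal the
    reward of the chosen response once the ground truth is drawn."""
    def __init__(self, seed=0):
        self.rng = random.Random(seed)

    def reset(self):
        return self.rng.choice(STATES)

    def step(self, state, action):
        is_attack = self.rng.random() < P_ATTACK[state]
        r_attack, r_benign = REWARD[action]
        return r_attack if is_attack else r_benign


def train_q(episodes=50_000, epsilon=0.2, seed=0):
    """Epsilon-greedy Q-learning with a 1/n step size. With gamma = 0 the
    update is a running mean of observed rewards per (state, action)."""
    env = ResponseEnv(seed)
    rng = random.Random(seed + 1)
    q = {s: {a: 0.0 for a in ACTIONS} for s in STATES}
    visits = {s: {a: 0 for a in ACTIONS} for s in STATES}
    for _ in range(episodes):
        s = env.reset()
        if rng.random() < epsilon:
            a = rng.choice(ACTIONS)          # explore
        else:
            a = max(ACTIONS, key=lambda act: q[s][act])  # exploit
        r = env.step(s, a)
        visits[s][a] += 1
        q[s][a] += (r - q[s][a]) / visits[s][a]
    return q


def greedy_policy(q):
    """Decision step: the response the agent would execute in each state."""
    return {s: max(ACTIONS, key=lambda a: q[s][a]) for s in STATES}


def optimal_policy():
    """What the analytic expected rewards say the policy should be."""
    return {s: max(ACTIONS, key=lambda a: expected_reward(s, a))
            for s in STATES}


if __name__ == "__main__":
    q = train_q()
    for s in STATES:
        print(s, {a: round(v, 2) for a, v in q[s].items()})
    print("learned:", greedy_policy(q))
    print("optimal:", optimal_policy())
```

Under these assumed costs the learned policy allows benign-rated flows, rate-limits suspicious ones and isolates hosts for malicious-rated flows; changing the reward table (for example, raising the cost of a false isolation) is how an operator encodes the organisation's own risk tolerance into the Decision step.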
Within enterprise and corporate networks, AI-TDR enables continuous monitoring, adaptive firewall reconfiguration, and autonomous containment of lateral-movement attacks such as ransomware. In cloud and virtualized environments, AI-TDR provides scalable, dynamic defense for containerized workloads and virtual machines, ensuring uninterrupted service integrity. Its application in Internet of Things (IoT) and Industrial Control Systems (ICS) enhances the resilience of critical infrastructures, including energy, healthcare, and manufacturing, by detecting and mitigating operational anomalies in real time. Additionally, the framework is applicable in government and defense networks, where it can identify state-sponsored cyber activity and coordinate rapid, intelligent responses across agencies. When extended through Federated Learning (FL) and Multi-Agent Reinforcement Learning (MARL), AI-TDR can support privacy-preserving, collaborative cyber defense, enabling decentralized intelligence sharing across organizations without compromising data security [35].

These applications highlight the broader shift from reactive, rule-based monitoring to proactive, autonomous, and collaborative defense ecosystems. The AI-TDR framework embodies this transition by demonstrating how AI agents can operate as independent yet cooperative units capable of learning from global threat patterns and collectively adapting to non-stationary attack environments. Such capabilities are especially critical for modern distributed infrastructures, where centralized security control is no longer sufficient [36]. However, as AI capabilities expand, so do adversarial risks. Adversarial AI, in which attackers craft deceptive inputs or poison training data to mislead detection models, poses one of the most significant challenges to autonomous cybersecurity [37]. Addressing it requires continued research into robust learning architectures, adversarial training, and hybrid defense models that combine anomaly detection with adversarial resilience. The integration of Explainable AI (XAI) not only provides interpretability but also serves as a safeguard by enabling the system to validate its own predictions, reducing the likelihood of undetected manipulation. This convergence of robustness and transparency is key to achieving trustworthy and resilient AI-driven defense systems. In alignment with the broader research vision of developing multi-agent, decentralized [38], [39], and privacy-preserving defense architectures, the AI-TDR framework establishes a foundation for collaborative intelligence. Future implementations can extend the framework with MARL and FL to enable distributed AI agents to share knowledge, coordinate responses, and collectively defend against attacks across networks and organizations without exposing sensitive data. Such collaboration fosters a cooperative, privacy-preserving cybersecurity ecosystem that enhances resilience and facilitates continuous learning in non-stationary threat environments.

From a broader perspective, the AI-TDR framework contributes to the global transition from traditional, rule-based security toward autonomous, intelligent, and adaptive cyber defense ecosystems. Its implications extend beyond academic research into tangible operational benefits for enterprises and governments alike. Implementing AI-TDR within large-scale infrastructures can enhance cyber resilience, minimize downtime, and reduce the need for constant human supervision in threat monitoring and response. The framework's modular design allows integration into existing defense architectures, positioning it as a viable pathway toward fully autonomous cybersecurity orchestration [40]. Looking forward, the trajectory of AI-driven cybersecurity will depend on strengthening three interrelated pillars: autonomous intelligence, decentralized collaboration, and adversarial resilience. Future work should aim to enhance the robustness of learning models against adversarial manipulation, incorporate continuous self-assessment mechanisms to ensure model integrity, and establish standardized communication protocols for multi-agent cooperation across domains. Moreover, integrating human–AI collaboration into the adaptive feedback loop, where analysts supervise and refine AI actions, will ensure a balanced coexistence between automation and accountability. This research demonstrates the effectiveness of deep learning and reinforcement learning in automated intrusion detection and response while contributing to the broader vision of intelligent, collaborative cybersecurity. The AI-TDR framework bridges the gap between detection and autonomous response, showing how AI can predict, prevent, and neutralize threats in real time. By advancing continuous learning, decentralized coordination, and explainable intelligence, this study supports the evolution of an autonomous, collaborative, and resilient cyber defense ecosystem capable of adapting to the ever-changing landscape of digital threats.

Conclusion

This study presented an AI-Driven Threat Detection and Response (AI-TDR) framework designed to advance cybersecurity toward autonomous, intelligent, and adaptive defense. By integrating deep learning and reinforcement learning, the framework enables systems to continuously analyze complex network data, identify subtle attack patterns, and execute timely, data-driven responses. The combined use of CNN, LSTM, and Transformer architectures demonstrated exceptional detection accuracy on the UNSW-NB15 dataset, confirming their complementary strengths in capturing spatial, temporal, and contextual features of network traffic. Reinforcement learning further enhanced adaptability, transforming static detection into a self-learning and self-optimizing defense mechanism capable of evolving alongside emerging threats. A key contribution of this research lies in the Perception–Cognition–Decision–Action feedback cycle, which allows the framework to function as a continuously improving defense system. The integration of Explainable AI (XAI) ensures that the model's decisions remain transparent and interpretable, fostering human trust and accountability. Together, these elements bridge the gap between threat detection and autonomous response, providing a scalable, real-time cybersecurity solution adaptable to enterprise, cloud, and IoT environments. Future research should focus on strengthening adversarial resilience by incorporating adversarial training, robust optimization, and uncertainty quantification to defend against model manipulation and data poisoning. Expanding the framework through Multi-Agent Reinforcement Learning (MARL) and Federated Learning (FL) could enable decentralized, privacy-preserving collaboration, allowing AI agents across organizations to share intelligence and coordinate responses securely. Further exploration of energy-efficient architectures, ethical AI governance, and interoperability standards will enhance the practical deployment of such systems. Ultimately, this research contributes to the transformation of cybersecurity into an intelligent, collaborative, and adversarially resilient ecosystem, in which AI systems not only detect and respond to attacks but also predict, prevent, and autonomously neutralize them in real time.

Declarations

Acknowledgements: Not Applicable

Author contributions: All authors made significant contributions to the conception, design, development, and preparation of this research work. Godfrey Perfectson Oise led the overall study conception, experimental design, model development, and manuscript drafting. Susan Konyeha contributed to the formulation of the theoretical framework, synthesis of the literature review, and methodological alignment. Cyprian C. Konyeha participated in data preprocessing, feature engineering, and experimental evaluation. Osahon Ukpebor and Tejiri Jessa assisted in performance analysis, result interpretation, and visualization of findings. Oludare Sokoya contributed to the integration of explainable AI and reinforcement learning components within the proposed framework. Evans Mintah provided critical revisions, ensured technical accuracy, and contributed to manuscript editing and final approval.
All authors reviewed and approved the final version of the manuscript and agree to be accountable for all aspects of the work, ensuring that any questions related to the accuracy or integrity of the study are appropriately investigated and resolved.

Competing interests: The author(s) declare no competing interests.

Data Availability Statement: The datasets generated and/or analyzed during the current study are available in the [UNSW-NB15 dataset repository] maintained by the University of New South Wales (UNSW) Canberra Cyber Range Lab, accessible at https://research.unsw.edu.au/projects/unsw-nb15-dataset.

Ethics declarations: Not Applicable

Approval for animal experiments: Not Applicable

Approval for human experiments: Not Applicable

Consent to participate/Consent to publish: Not Applicable

Funding: Not Applicable

References

[1] H. Cam, "Cyber resilience using autonomous agents and reinforcement learning," in Artificial Intelligence and Machine Learning for Multi-Domain Operations Applications II, T. Pham, L. Solomon, and K. Rainey, Eds., SPIE, Apr. 2020, p. 35. doi: 10.1117/12.2559319.
[2] M. Pham, V. Vaze, and P. Chin, "Strategic Cyber Defense via Reinforcement Learning-Guided Combinatorial Auctions," in 2025 IEEE High Performance Extreme Computing Conference (HPEC), IEEE, Sep. 2025, pp. 1–7. doi: 10.1109/HPEC67600.2025.11196565.
[3] G. Oise and S. Konyeha, "Environmental impacts in e-waste management using deep learning," Discover Artificial Intelligence, vol. 5, no. 1, p. 210, Aug. 2025, doi: 10.1007/s44163-025-00376-9.
[4] M. Pham, V. Vaze, and P. Chin, "Strategic Cyber Defense via Reinforcement Learning-Guided Combinatorial Auctions," in 2025 IEEE High Performance Extreme Computing Conference (HPEC), IEEE, Sep. 2025, pp. 1–7. doi: 10.1109/HPEC67600.2025.11196565.
[5] M. Pham, V. Vaze, and P. Chin, "Strategic Cyber Defense via Reinforcement Learning-Guided Combinatorial Auctions," in 2025 IEEE High Performance Extreme Computing Conference (HPEC), IEEE, Sep. 2025, pp. 1–7. doi: 10.1109/HPEC67600.2025.11196565.
[6] T. T. Nguyen and V. J. Reddi, "Deep Reinforcement Learning for Cyber Security," IEEE Trans. Neural Netw. Learn. Syst., vol. 34, no. 8, pp. 3779–3795, Aug. 2023, doi: 10.1109/TNNLS.2021.3121870.
[7] O. Samuel Abiodun, O. P. Ejenarhome, and G. Oise, "AI-Based Medical Image Analysis for Early Detection of Neurological Disorders Using Deep Learning," FUDMA Journal of Sciences, vol. 9, no. 6, pp. 322–328, Jun. 2025, doi: 10.33003/fjs-2025-0906-3697.
[8] B. Blakely, "An Experimental Platform for Autonomous Intelligent Cyber-Defense Agents: Towards a Collaborative Community Approach (WIPP)," in 2022 Resilience Week (RWS), IEEE, Sep. 2022, pp. 1–7. doi: 10.1109/RWS55399.2022.9984037.
[9] G. P. Oise, O. C. Nwabuokei, O. J. Akpowehbve, B. A. Eyitemi, and N. B. Unuigbokhai, "Towards Smarter Cyber Defense: Leveraging Deep Learning for Threat Identification and Prevention," FUDMA Journal of Sciences, vol. 9, no. 3, pp. 122–128, Mar. 2025, doi: 10.33003/fjs-2025-0903-3264.
[10] B. Blakely, "An Experimental Platform for Autonomous Intelligent Cyber-Defense Agents: Towards a Collaborative Community Approach (WIPP)," in 2022 Resilience Week (RWS), IEEE, Sep. 2022, pp. 1–7. doi: 10.1109/RWS55399.2022.9984037.
[11] G. Gkoktsis, H. Lauer, and L. Jäger, "Towards Mission Aware Cyber-Resiliency with Autonomous Agents," in 2023 Australasian Computer Science Week, New York, NY, USA: ACM, Jan. 2023, pp. 36–39. doi: 10.1145/3579375.3579421.
[12] B. E. Akilo, S. A. Oyedotun, G. P. Oise, O. C. Nwabuokei, and N. B. Unuigbokhai, "Intelligent Traffic Management System Using Ant Colony and Deep Learning Algorithms for Real-Time Traffic Flow Optimization," Journal of Science Research and Reviews, vol. 1, no. 2, pp. 63–71, Dec. 2024, doi: 10.70882/josrar.2024.v1i2.52.
[13] G. G. James, O. G. P, C. E. G, M. N. A, E. W. F, and O. P. E, "Optimizing Business Intelligence System Using Big Data and Machine Learning," Journal of Information Systems and Informatics, vol. 6, no. 2, pp. 1215–1236, Jun. 2024, doi: 10.51519/journalisi.v6i2.631.
[14] M. Hilmi, A. Widyotriatmo, I. Kuncara, Y. Y. Nazaruddin, and A. Hasan, "Path-Following Control of Autonomous Vehicles Under Sensor Attacks," in 2024 European Control Conference (ECC), IEEE, Jun. 2024, pp. 3656–3661. doi: 10.23919/ECC64448.2024.10590744.
[15] G. P. Oise et al., "YOLOv8-DeepSORT: A High-Performance Framework for Real-Time Multi-Object Tracking with Attention and Adaptive Optimization," Journal of Science Research and Reviews, vol. 2, no. 2, pp. 92–100, May 2025, doi: 10.70882/josrar.2025.v2i2.50.
[16] A. Anandita Iyer and K. S. Umadevi, "Role of AI and Its Impact on the Development of Cyber Security Applications," 2023, pp. 23–46. doi: 10.1007/978-981-99-2115-7_2.
[17] P. Verma, T. Newe, G. D. O'Mahony, D. Brennan, and D. O'Shea, "Toward a Unified Understanding of Cyber Resilience: Concepts, Strategies, and Future Directions," IEEE Access, vol. 13, pp. 49945–49965, 2025, doi: 10.1109/ACCESS.2025.3551887.
[18] A. K. Ligo, A. Kott, and I. Linkov, "How to Measure Cyber-Resilience of a System With Autonomous Agents: Approaches and Challenges," IEEE Engineering Management Review, vol. 49, no. 2, pp. 89–97, Jun. 2021, doi: 10.1109/EMR.2021.3074288.
[19] G. P. Oise, S. A. Oyedotun, O. C. Nwabuokei, A. E. Babalola, and N. B. Unuigbokhai, "Enhanced Prediction of Coronary Artery Disease Using Logistic Regression," FUDMA Journal of Sciences, vol. 9, no. 3, pp. 201–208, Mar. 2025, doi: 10.33003/fjs-2025-0903-3263.
[20] R. Buchta, G. Gkoktsis, F. Heine, and C. Kleiner, "Advanced Persistent Threat Attack Detection Systems: A Review of Approaches, Challenges, and Trends," Digital Threats: Research and Practice, vol. 5, no. 4, pp. 1–37, Dec. 2024, doi: 10.1145/3696014.
[21] W. Soussi, M. Christopoulou, G. Xilouris, and G. Gur, "Moving Target Defense as a Proactive Defense Element for Beyond 5G," IEEE Communications Standards Magazine, vol. 5, no. 3, pp. 72–79, Sep. 2021, doi: 10.1109/MCOMSTD.211.2000087.
[22] A. K. Ligo, A. Kott, and I. Linkov, "Autonomous Cyberdefense Introduces Risk: Can We Manage the Risk?," Computer (Long Beach Calif), vol. 54, no. 10, pp. 106–110, Oct. 2021, doi: 10.1109/MC.2021.3099042.
[23] E. Tsen, R. K. Ko, and S. Slapničar, "Organisational Cyber Resilience and its Influence on Cyber Attack Outcomes: An Exploratory Study of 1,145 Publicised Attacks," SSRN Electronic Journal, 2020, doi: 10.2139/ssrn.3735636.
[24] W. H. Walters, "The Effectiveness of Software Designed to Detect AI-Generated Writing: A Comparison of 16 AI Text Detectors," Open Information Science, vol. 7, no. 1, Oct. 2023, doi: 10.1515/opis-2022-0158.
[25] S. Munikoti, D. Agarwal, L. Das, M. Halappanavar, and B. Natarajan, "Challenges and Opportunities in Deep Reinforcement Learning With Graph Neural Networks: A Comprehensive Review of Algorithms and Applications," IEEE Trans. Neural Netw. Learn. Syst., vol. 35, no. 11, pp. 15051–15071, Nov. 2024, doi: 10.1109/TNNLS.2023.3283523.
[26] L. Zhang, P. Liu, Y.-H. Choi, and P. Chen, "Semantics-Preserving Reinforcement Learning Attack Against Graph Neural Networks for Malware Detection," IEEE Trans. Dependable Secure Comput., vol. 20, no. 2, pp. 1390–1402, Mar. 2023, doi: 10.1109/TDSC.2022.3153844.
[27] A. Uprety and D. B. Rawat, "Reinforcement Learning for IoT Security: A Comprehensive Survey," IEEE Internet Things J., vol. 8, no. 11, pp. 8693–8706, Jun. 2021, doi: 10.1109/JIOT.2020.3040957.
[28] S. Yuwono, D. Schwung, and A. Schwung, "Distributed Stackelberg Strategies in State-Based Potential Games for Autonomous Decentralized Learning Manufacturing Systems," IEEE Trans. Syst. Man Cybern. Syst., vol. 55, no. 11, pp. 8112–8125, Nov. 2025, doi: 10.1109/TSMC.2025.3602958.
[29] T. T. Nguyen and V. J. Reddi, "Deep Reinforcement Learning for Cyber Security," IEEE Trans. Neural Netw. Learn. Syst., vol. 34, no. 8, pp. 3779–3795, Aug. 2023, doi: 10.1109/TNNLS.2021.3121870.
[30] M. Sarhan, S. Layeghy, N. Moustafa, and M. Portmann, "NetFlow Datasets for Machine Learning-Based Network Intrusion Detection Systems," 2021, pp. 117–135. doi: 10.1007/978-3-030-72802-1_9.
[31] A. M. K. Adawadkar and N. Kulkarni, "Cyber-security and reinforcement learning — A brief survey," Eng. Appl. Artif. Intell., vol. 114, p. 105116, Sep. 2022, doi: 10.1016/j.engappai.2022.105116.
[32] G. Oise and S. Konyeha, "Environmental impacts in e-waste management using deep learning," Discover Artificial Intelligence, vol. 5, no. 1, p. 210, Aug. 2025, doi: 10.1007/s44163-025-00376-9.
[33] S. Dasgupta, A. Piplai, P. Ranade, and A. Joshi, "Cybersecurity Knowledge Graph Improvement with Graph Neural Networks," in 2021 IEEE International Conference on Big Data (Big Data), IEEE, Dec. 2021, pp. 3290–3297. doi: 10.1109/BigData52589.2021.9672062.
[34] T. Bilot, N. El Madhoun, K. Al Agha, and A. Zouaoui, "Graph Neural Networks for Intrusion Detection: A Survey," IEEE Access, vol. 11, pp. 49114–49139, 2023, doi: 10.1109/ACCESS.2023.3275789.
[35] B. Lakha, S. L. Mount, E. Serra, and A. Cuzzocrea, "Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer-Based Model: A Case Study with BETH Dataset," in 2022 IEEE International Conference on Big Data (Big Data), IEEE, Dec. 2022, pp. 5756–5764. doi: 10.1109/BigData55660.2022.10020336.
[36] S. A. Oyedotun, G. P. Oise, and C. E. Ozobialu, "Towards Intelligent Cybersecurity in SCADA and DCS Environments: Anomaly Detection Using Multimodal Deep Learning and Explainable AI," Journal of Science Research and Reviews, vol. 2, no. 3, pp. 20–31, Jul. 2025, doi: 10.70882/josrar.2025.v2i3.76.
[37] A. Anandita Iyer and K. S. Umadevi, "Role of AI and Its Impact on the Development of Cyber Security Applications," 2023, pp. 23–46. doi: 10.1007/978-981-99-2115-7_2.
[38] N. B. Unuigbokhai et al., "Advancements in Federated Learning for Secure Data Sharing in Financial Services," FUDMA Journal of Sciences, vol. 9, no. 5, pp. 80–86, May 2025, doi: 10.33003/fjs-2025-0905-3207.
[39] G. P. Oise et al., "Decentralized Deep Learning in Healthcare: Addressing Data Privacy with Federated Learning," FUDMA Journal of Sciences, vol. 9, no. 6, pp. 19–26, Jun. 2025, doi: 10.33003/fjs-2025-0906-3714.
[40] S. A. Oyedotun et al., "The Role of Internal Audit in Fraud Detection and Prevention: A Multi-Contextual Review and Research Agenda," Journal of Science Research and Reviews, vol. 2, no. 2, pp. 76–85, May 2025, doi: 10.70882/josrar.2025.v2i2.51.

Tables

Tables 1 to 6 are available in the Supplementary Files section.

Keywords: artificial intelligence, cybersecurity, threat detection and response, deep learning, reinforcement learning, autonomous cyber defense
Using the UNSW-NB15 dataset, which contains realistic traffic and nine attack types, three architectures, Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and Transformer, were developed and tested. The CNN and LSTM achieved 100% accuracy, while the Transformer reached 96.8% accuracy with an AUC of 0.996, demonstrating robustness and generalization. The AI-TDR operates through a Perception\u0026ndash;Cognition\u0026ndash;Decision\u0026ndash;Action cycle, enabling adaptive learning and autonomous mitigation through continuous feedback. By combining spatial, temporal, and contextual intelligence, the system advances toward self-learning, multi-agent cyber defense. Beyond detection, it envisions automated responses such as node isolation and firewall reconfiguration. Future work includes integrating Explainable AI for transparency, adversarial training for resilience, and federated learning for decentralized protection. Overall, this research contributes to the advancement of adaptive and intelligent cybersecurity, supporting global efforts to achieve continuous and collaborative defense in an evolving threat landscape.\u003c/p\u003e","manuscriptTitle":"AI-Driven Threat Detection and Response: Toward Autonomous Cyber Defense Systems","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-11-24 08:22:53","doi":"10.21203/rs.3.rs-7935562/v1","editorialEvents":[{"type":"communityComments","content":0},{"type":"decision","content":"Revision 
requested","date":"2026-04-02T03:18:17+00:00","index":"","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2026-03-31T08:14:12+00:00","index":"hide","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2026-03-29T20:14:28+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"177651481244550535233286321306236199473","date":"2026-03-09T05:58:15+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"102977582303731949530102419780063063919","date":"2026-03-07T22:26:17+00:00","index":"hide","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2026-01-25T09:42:19+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"89531311880855931105544727615106429652","date":"2026-01-20T08:04:29+00:00","index":"hide","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2026-01-20T05:02:03+00:00","index":"hide","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2026-01-16T14:46:39+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"63262852232197320943173276707100221187","date":"2026-01-14T16:47:42+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"325012862263162153248216998011084815667","date":"2026-01-13T14:42:13+00:00","index":"hide","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2025-11-25T12:58:00+00:00","index":"hide","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2025-11-17T17:48:17+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"15582862508467655314496434233633408755","date":"2025-11-17T13:43:47+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"132476844171711786242150546436904183813","date":"2025-11-15T17:07:53+00:00","index":"hide","fulltext":""},{"type":"reviewersInvited","content":"","date":"2025-11-12T05:33:47+00:00","index":"","fulltext":""},{"type":"editorInvited","content":"","date":"2025-10-30T18:05:26+00:00","index":
"","fulltext":""},{"type":"editorAssigned","content":"","date":"2025-10-25T09:12:04+00:00","index":"","fulltext":""},{"type":"checksComplete","content":"","date":"2025-10-25T09:10:12+00:00","index":"","fulltext":""},{"type":"submitted","content":"Scientific Reports","date":"2025-10-24T00:03:44+00:00","index":"","fulltext":""}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"scientific-reports","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"scirep","sideBox":"Learn more about [Scientific Reports](http://www.nature.com/srep/)","snPcode":"","submissionUrl":"","title":"Scientific Reports","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"stoa","reportingPortfolio":"Scientific Reports","inReviewEnabled":true,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"7ad9e486-d566-4664-b610-f2fbf4b88705","owner":[],"postedDate":"November 24th, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"under-review","subjectAreas":[{"id":58423809,"name":"Physical sciences/Engineering"},{"id":58423810,"name":"Physical sciences/Mathematics and computing"}],"tags":[],"updatedAt":"2026-04-23T02:08:29+00:00","versionOfRecord":[],"versionCreatedAt":"2025-11-24 08:22:53","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-7935562","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-7935562","identity":"rs-7935562","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00
unpaywall
last seen: 2026-05-24T02:00:01.246996+00:00
License: CC-BY-4.0