AI-Powered Intrusion Detection Using CNN-LSTM for Cloud and Edge Networks: A Hybrid Deep Learning Approach

Niki Modi

Research Article. This is a preprint; it has not been peer reviewed by a journal.
DOI: https://doi.org/10.21203/rs.3.rs-6928225/v1
This work is licensed under a CC BY 4.0 License. Status: Posted, Version 1 (latest preprint version).

Abstract

Intrusion Detection Systems (IDS) play a vital role in safeguarding cloud and edge computing environments from cyber threats. Traditional IDS models, primarily signature-based approaches, are ineffective against evolving attack patterns and suffer from high false positive rates. To address these limitations, this research presents an AI-based anomaly detection framework leveraging deep learning models, including Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks. The proposed system is trained using the NSL-KDD and CICIDS2017 datasets, ensuring robustness against a diverse range of network intrusions. Our methodology incorporates feature extraction, data normalization, and advanced deep learning architectures to enhance detection accuracy and minimize false alarms. Experimental results demonstrate significant improvements over conventional IDS solutions, with higher precision, recall, and overall detection efficiency. Additionally, a comparative analysis highlights the effectiveness of AI-driven IDS in handling large-scale, real-time network traffic. Deployment strategies in cloud and edge environments are discussed, along with the computational challenges associated with deep learning-based IDS. Future research will explore federated learning for decentralized IDS and reinforcement learning for automated threat response, ensuring a more adaptive and scalable cybersecurity framework.

Keywords: Software Engineering; AI-driven Security; Anomaly Detection; Cloud Computing; Cybersecurity; CNN; Edge Computing; Federated Learning; Intrusion Detection Systems; LSTM; Reinforcement Learning

Figures: Figure 1 (model architecture, referenced in Section III; the image is not reproduced in this text)

I. Introduction

An Intrusion Detection System (IDS) is a network security mechanism designed to detect and analyze potential threats targeting applications, end devices, and network infrastructure. Operating as a passive monitoring tool, an IDS listens to network traffic, identifies anomalies, and alerts administrators about suspicious activities. However, an IDS alone cannot take preventive measures to mitigate an attack, making it insufficient as a standalone security solution. In cloud environments, an IDS can be deployed as Software as a Service (SaaS) or integrated into security solutions such as Next-Generation Firewall as a Service (FWaaS) or Secure Access Service Edge (SASE).
These cloud-based security architectures provide scalable, real-time threat detection across Infrastructure-as-a-Service (IaaS) environments. On the other hand, edge networks shift computing resources closer to the data source, reducing the load on central cloud data centers. Edge computing enables low-latency processing by handling data at or near IoT devices, ensuring faster threat detection and response. IDS in edge networks plays a crucial role in real-time security monitoring, improving network performance, bandwidth efficiency, and overall cybersecurity resilience by detecting attacks at the periphery of the network before they reach critical cloud infrastructure.

Intrusion Detection Systems (IDS) play a critical role in network security [1]; however, they face several challenges that affect their efficiency and reliability. One of the primary issues is the false alarm rate, where legitimate network activities are mistakenly flagged as malicious, leading to unnecessary alerts and increased workload for security analysts. Another major challenge is a low detection rate, which occurs when the IDS fails to identify actual threats, leaving networks vulnerable to attacks. Additionally, the unbalanced dataset problem arises from the significant disparity between attack and normal traffic in the training data, which can lead to biased detection results. Lastly, response time is a crucial factor, as delays in identifying and mitigating threats can allow attackers to exploit vulnerabilities before preventive measures are taken. Addressing these challenges is essential to improving IDS effectiveness and ensuring robust cybersecurity defenses.

The integration of Artificial Intelligence (AI) and Deep Learning (DL) has significantly improved the efficiency and adaptability of Intrusion Detection Systems (IDS). By leveraging deep networks (DN), an IDS can gradually enhance its capacity through the addition of layers and nodes, enabling better feature extraction and pattern recognition in complex network traffic. The tuning process of these models is largely empirical, requiring extensive hyperparameter optimization, including learning rate adjustments and layer configurations, to achieve optimal detection accuracy. Additionally, changes to model and dataset design play a crucial role in improving IDS performance. The collection, cleanup, and augmentation of datasets help mitigate the unbalanced data issue, ensuring that the IDS can detect both common and rare cyber threats effectively. The incorporation of semi-supervised learning enables the system to learn from both labeled and unlabeled data, making it more adaptive to emerging threats. By continuously refining the training process, hyperparameters, and dataset quality, an AI-driven IDS can achieve higher detection rates, lower false alarms, and real-time threat mitigation, making network security more robust and proactive.

The goal of this research is to build a deep learning-driven anomaly detection system designed specifically for cloud and edge networks [2]. As cyber threats become more sophisticated, traditional security measures struggle to keep up. A deep learning-based approach can help by identifying complex attack patterns, adapting to new threats, and minimizing false alarms in real time. To enhance the system's accuracy, we will gradually increase the depth of the neural network by adding more layers and nodes, allowing it to better recognize suspicious activity. However, fine-tuning the model is not just a theoretical process: it requires experimenting with different hyperparameters, adjusting the learning rate, and optimizing the network architecture to find the best balance between performance and efficiency.

Another key challenge is dealing with imbalanced datasets, where normal network traffic far outweighs attack data. To address this, we will focus on curating high-quality datasets, cleaning up inconsistencies, and applying data augmentation techniques to ensure that the model learns effectively from a diverse range of attack scenarios. Additionally, by incorporating semi-supervised learning, the system will be able to detect previously unseen attacks using both labeled and unlabeled data. By continuously refining the model and improving how it processes network traffic, this research aims to develop an intelligent, real-time intrusion detection system that can secure cloud and edge environments more effectively, reducing false alarms and responding to threats before they cause damage.

II. Literature Review

Intrusion Detection Systems (IDS) play a crucial role in cybersecurity, evolving from traditional signature-based methods to advanced AI-driven approaches. Signature-based IDS rely on predefined attack patterns, making them effective for known threats but inadequate against novel attacks. Anomaly-based IDS, leveraging machine learning (ML) and statistical models, address this limitation by detecting deviations from normal behavior. However, high false positive rates pose a significant challenge, necessitating more sophisticated AI solutions that can adapt to evolving cyber threats.

Artificial Intelligence (AI)-based approaches in IDS [3] have gained significant attention due to their ability to analyze vast amounts of network traffic data and detect sophisticated cyber threats. AI models, particularly those based on machine learning (ML) and deep learning (DL), enhance IDS by enabling automated detection, adaptive learning, and predictive analytics. These techniques allow IDS to recognize subtle attack patterns that traditional methods may miss.
ML-based IDS leverage algorithms such as Decision Trees, Support Vector Machines (SVM), and Random Forests, which classify network traffic by learning from past attack data. However, these models often require extensive feature engineering and may struggle to detect evolving threats. To address this, DL techniques, including Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks, provide superior feature extraction capabilities and improved accuracy in detecting zero-day attacks and advanced persistent threats (APTs).

Machine learning techniques such as Support Vector Machines (SVM), Random Forest (RF), Decision Trees (DT), and K-Nearest Neighbors (KNN) have been widely applied in IDS, improving detection accuracy by identifying patterns in network traffic. These models, however, often require extensive feature engineering and struggle with scalability when dealing with high-volume, real-time network data. Deep learning (DL) models, including Convolutional Neural Networks (CNNs), Long Short-Term Memory (LSTM), and Artificial Neural Networks (ANNs), have shown promise in overcoming these limitations by automatically extracting features and identifying complex attack patterns. CNNs effectively analyze structured network traffic data, while LSTMs excel at detecting sequential anomalies in time-series data. Despite their advantages, DL models require substantial labeled datasets and remain vulnerable to adversarial attacks that manipulate input data to evade detection.

AI-driven IDS face multiple challenges, including high false positive rates, computational overhead [8], and adversarial vulnerabilities. Anomaly-based detection systems often misclassify benign activities as threats, leading to unnecessary alerts that burden security teams. Additionally, processing high-dimensional network data demands significant computational resources, making real-time detection difficult. Adversarial attacks can further undermine IDS reliability by subtly altering malicious traffic to resemble normal behavior. Another major concern is the lack of explainability in AI-based IDS, as most deep learning models function as black boxes, making it difficult for security analysts to interpret and trust automated decisions. Efforts in Explainable AI (XAI) aim to address this by improving transparency and the justifications given for threat classifications.

The emergence of cloud and edge computing introduces further complexities for IDS deployment. Cloud-based IDS provide centralized security monitoring but may struggle with latency in large-scale environments. Conversely, edge-based IDS must operate with minimal computational resources while maintaining high detection accuracy. Hybrid approaches combining ML, DL, and federated learning (FL) are increasingly being explored to enhance IDS efficiency. Federated learning enables IDS models to be trained collaboratively across distributed nodes without data sharing, preserving privacy while improving detection capabilities. This is particularly valuable for organizations handling sensitive data, as it allows models to learn from diverse threat landscapes without compromising security policies.

Despite significant advancements, existing IDS solutions face notable gaps. One of the primary challenges is real-time scalability, as many AI-based IDS struggle to process and analyze large-scale network traffic efficiently. Many current models exhibit high computational overhead, making them impractical for deployment in resource-constrained environments such as edge computing. Additionally, high false positive rates remain a critical issue, leading to frequent misclassification of benign traffic as threats and overwhelming security teams with unnecessary alerts. There is also a lack of comprehensive solutions that integrate adaptive learning mechanisms to ensure continuous model updates against evolving cyber threats.
Addressing these gaps requires further research into lightweight, real-time AI models, improved anomaly detection techniques, and enhanced explainability to reduce false positives and improve the trustworthiness of AI-driven IDS [10]. Future research directions focus on optimizing detection accuracy, reducing false positives, and mitigating computational constraints. Federated learning is expected to play a crucial role in training IDS models across distributed environments while ensuring data privacy. Adaptive security models with self-learning mechanisms are being developed to dynamically update IDS rules based on evolving threats, ensuring resilience against emerging cyber-attacks. As AI and DL continue to advance, their integration into IDS solutions will significantly enhance cybersecurity in cloud and edge networks, offering a proactive and adaptive approach to threat detection and prevention. However, for AI-driven IDS to be fully effective, continued efforts are needed to refine model accuracy, improve interpretability, and minimize computational overhead, ensuring scalable and reliable security solutions for modern digital infrastructures.

III. Proposed Methodology

1) Data Collection & Processing

This paper utilizes two widely used intrusion detection datasets: NSL-KDD and CICIDS2017. The NSL-KDD dataset improves upon the original KDD99 dataset by removing redundant and duplicate records, making it more balanced for training and testing IDS models. CICIDS2017 is a modern dataset containing realistic attack scenarios and diverse network traffic, making it highly suitable for training deep learning-based intrusion detection systems.

Data Preprocessing Steps:
1. Feature Selection and Extraction: Reducing dimensionality using techniques like PCA (Principal Component Analysis) or autoencoders.
2. Data Normalization: Standardizing features to a common scale for better deep learning model performance.
3. Handling Imbalanced Data: Applying techniques such as SMOTE (Synthetic Minority Over-sampling Technique) to ensure a balanced class distribution.
4. Splitting Data: Dividing the dataset into training (70%), validation (15%), and testing (15%) sets for model evaluation.

2) Deep Learning Model Architecture

1. Input Layer: The model begins with an input layer that receives preprocessed network traffic features, as shown in Fig. 1. These features include essential attributes such as packet size, protocol type, and connection duration, which help in distinguishing normal and malicious traffic. Standardization and normalization techniques are applied at this stage to ensure a consistent data distribution, improving the model's learning efficiency.
2. Feature Extraction Layer: At this stage, Convolutional Neural Networks (CNNs) or Long Short-Term Memory (LSTM) networks are employed to learn hierarchical and sequential patterns in the network traffic. CNNs excel at capturing spatial dependencies within traffic features, while LSTMs are effective at recognizing temporal patterns and sequential anomalies in time-series data. This layer reduces manual feature engineering effort by automatically extracting relevant patterns from the input data.
3. Fully Connected Layers: The extracted features are then passed through multiple fully connected (Dense) layers. These layers use Rectified Linear Unit (ReLU) activation functions to introduce non-linearity, allowing the model to learn complex attack patterns. Dropout regularization is also applied in these layers to prevent overfitting and improve generalization across different network traffic scenarios.
4. Output Layer: The final layer is a Softmax layer responsible for multi-class classification of network traffic. It assigns probability scores to different categories, such as normal traffic or various types of attacks, enabling precise and reliable threat detection.
The Softmax activation ensures that the output probabilities sum to one, making it suitable for classifying network traffic into distinct attack types.

The deep learning architecture leverages transfer learning to improve model performance, particularly in scenarios where labeled data is limited. Initially, a source model is trained on a large dataset with abundant labels, allowing it to learn complex feature representations. This model, trained on source data, captures hierarchical patterns essential for classification tasks. Once trained, the learned knowledge from the source model is transferred to a target model, which operates on a smaller dataset with fewer labels. By fine-tuning the pre-trained model on the target dataset, the architecture enhances its adaptability to new domains while reducing training time and computational resources. This approach significantly improves deep learning performance, particularly in intrusion detection and cybersecurity applications where labeled data is scarce.

3) Model Training & Evaluation

The deep learning-based Intrusion Detection System (IDS) undergoes a comprehensive training and evaluation process to ensure its effectiveness in identifying cyber threats. This process includes multiple stages, ranging from training strategies to performance assessment using various evaluation metrics.

1. Training Strategy
To optimize learning, the model is trained using the Adam optimizer, which provides an adaptive learning rate for efficient weight updates. Initially, a high learning rate is used to allow faster convergence, and it is gradually reduced using learning rate scheduling to refine model performance. The training phase involves backpropagation and gradient descent, ensuring that the model minimizes classification errors. The training dataset is fed in mini-batches to improve computational efficiency and prevent memory overload. Batch sizes are fine-tuned based on the dataset characteristics, balancing computational cost and convergence speed. Batch normalization is also applied to stabilize and accelerate training by normalizing activations within the network.

2. Loss Function
The Categorical Cross-Entropy loss function is employed for multi-class classification. It computes the difference between predicted probabilities and actual labels, guiding the network in adjusting its parameters. This loss function is well suited to IDS since it effectively handles multiple attack categories.

3. Hyperparameter Tuning
To optimize model performance, hyperparameters such as learning rate, batch size, dropout rate, number of layers, and number of neurons are tuned using techniques like:
● Grid Search: A systematic approach testing different hyperparameter combinations.
● Bayesian Optimization: An advanced method that intelligently searches for optimal parameters, reducing computational costs compared to brute-force approaches [17].
● Random Search: A less exhaustive yet effective strategy that randomly selects hyperparameters and evaluates their performance.

4. Validation Strategy
A k-fold cross-validation technique is used to ensure robustness. The dataset is divided into k subsets, with each subset serving in turn as the validation set while the remaining subsets are used for training. This prevents model overfitting and ensures generalizability to unseen network traffic patterns.

5. Evaluation Metrics
To assess the IDS model's effectiveness, the following key evaluation metrics are employed:
● Accuracy: Measures the overall percentage of correctly classified network traffic instances.
● Precision: Evaluates the proportion of actual attack cases correctly identified among all predicted attacks.
● Recall (Sensitivity): Determines the proportion of correctly detected attacks among all actual attacks, ensuring that no threats are missed.
● F1-Score: Provides a balance between precision and recall, crucial for IDS where both false positives and false negatives must be minimized.
● False Positive Rate (FPR): Indicates the frequency of normal traffic being misclassified as malicious, which is critical to reducing unnecessary security alerts.
● False Negative Rate (FNR): Assesses how often actual attacks are misclassified as normal traffic, which can lead to undetected security breaches.
● ROC-AUC Curve: Measures the model's ability to distinguish between attack and normal traffic classes, with a higher Area Under the Curve (AUC) indicating better classification performance.

6. Model Deployment and Real-Time Evaluation
Once the model is trained and validated, it is deployed in a real-time network environment where its performance is monitored. The system continuously evaluates incoming network traffic and updates its predictions accordingly. To enhance scalability and adaptability, a continuous learning mechanism is integrated, allowing the model to retrain periodically on newly observed attack patterns. This ensures that the IDS remains effective against emerging cyber threats.

By following this rigorous training and evaluation methodology, the proposed deep learning model achieves high accuracy and low false positive rates, making it a reliable tool for real-time intrusion detection in modern network security environments.

IV. Experimental Setup & Results

To rigorously evaluate the performance of the proposed deep learning-based Intrusion Detection System (IDS), experiments were conducted using the NSL-KDD and CICIDS2017 datasets. These datasets provide a diverse range of attack scenarios, ensuring a robust assessment of the model's effectiveness.
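The preprocessing steps listed in Section III.1 (Min-Max normalization, the stratified 70/15/15 split and SMOTE oversampling) carried through end to end, as an added example that is not part of the paper and not the author's code. It uses only the Python standard library rather than the scikit-learn and imbalanced-learn routines a real pipeline would call; the thirteen flow records are constructed for the illustration, the three feature columns are merely named after NSL-KDD attributes (duration, src_bytes, dst_bytes), and the neighbour count k=2 is an assumption chosen for the tiny sample (the conventional SMOTE default is 5). Two details the paper leaves implicit are enforced here: the scaler is fitted on the training split only, and SMOTE is applied to the training split only, so the validation and test sets contain no synthetic records and the reported metrics stay honest.

```python
"""Min-Max scaling, stratified 70/15/15 split and SMOTE for IDS flow records.
Added example (standard library only); the sample data below is constructed."""
import math
import random

# Constructed records: [duration, src_bytes, dst_bytes], label 0 = normal, 1 = attack.
# The attack class is deliberately the minority to exercise the balancing step.
SAMPLE = [
    ([0.0, 181.0, 5450.0], 0), ([0.0, 239.0, 486.0], 0), ([0.0, 235.0, 1337.0], 0),
    ([0.0, 219.0, 1337.0], 0), ([0.0, 217.0, 2032.0], 0), ([0.0, 212.0, 1940.0], 0),
    ([0.0, 159.0, 4087.0], 0), ([0.0, 210.0, 151.0], 0), ([0.0, 212.0, 786.0], 0),
    ([0.0, 220.0, 1690.0], 0),
    ([0.0, 0.0, 0.0], 1), ([0.0, 1032.0, 0.0], 1), ([0.0, 520.0, 0.0], 1),
]


def fit_minmax(rows):
    """Per-feature (min, max) learned from the training rows only."""
    cols = range(len(rows[0]))
    return ([min(r[i] for r in rows) for i in cols],
            [max(r[i] for r in rows) for i in cols])


def apply_minmax(rows, lo, hi):
    """Scale every feature into [0, 1]; a constant feature maps to 0."""
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(r, lo, hi)] for r in rows]


def stratified_split(data, fractions=(0.70, 0.15, 0.15), seed=0):
    """Train/validation/test split that keeps each class's proportion in every part."""
    rng = random.Random(seed)
    by_class = {}
    for x, y in data:
        by_class.setdefault(y, []).append((x, y))
    parts = [[], [], []]
    for items in by_class.values():
        rng.shuffle(items)
        n_train = round(len(items) * fractions[0])
        n_val = round(len(items) * fractions[1])
        parts[0] += items[:n_train]
        parts[1] += items[n_train:n_train + n_val]
        parts[2] += items[n_train + n_val:]          # remainder goes to test
    return parts


def smote(minority, n_new, k=2, seed=0):
    """Create n_new synthetic rows: pick a minority row, pick one of its k nearest
    minority neighbours, and interpolate a random fraction of the way towards it."""
    rng = random.Random(seed)
    dist = lambda a, b: math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))
    synthetic = []
    for _ in range(n_new):
        x = rng.choice(minority)
        others = sorted((r for r in minority if r is not x), key=lambda r: dist(x, r))
        nb = rng.choice(others[:k]) if others else x   # lone sample: duplicate it
        gap = rng.random()
        synthetic.append([xi + gap * (ni - xi) for xi, ni in zip(x, nb)])
    return synthetic


def balance_training_set(train, seed=0):
    """Oversample every minority class up to the majority count (training split only)."""
    counts = {}
    for _, y in train:
        counts[y] = counts.get(y, 0) + 1
    majority = max(counts, key=counts.get)
    balanced = list(train)
    for label, count in counts.items():
        if label != majority:
            minority = [x for x, y in train if y == label]
            balanced += [(x, label) for x in
                         smote(minority, counts[majority] - count, seed=seed)]
    return balanced


def preprocess(data=SAMPLE, seed=0):
    """Split, then scale with a scaler fitted on the training split, then balance."""
    train, val, test = stratified_split(data, seed=seed)
    lo, hi = fit_minmax([x for x, _ in train])

    def scale(part):
        return list(zip(apply_minmax([x for x, _ in part], lo, hi),
                        [y for _, y in part]))

    return balance_training_set(scale(train), seed=seed), scale(val), scale(test)


if __name__ == "__main__":
    tr, va, te = preprocess()
    print("train:", len(tr), "val:", len(va), "test:", len(te))
    print("train class counts:",
          {y: sum(1 for _, lab in tr if lab == y) for y in (0, 1)})
```

With the constructed sample, the 10 normal and 3 attack records split into 7+2 training, 2+0 validation and 1+1 test rows; SMOTE then adds five synthetic attack rows so the training split is 7 versus 7. Because the scaler was fitted on the training split, a validation or test value can legitimately fall outside [0, 1]; clipping it or refitting on the full dataset would leak test information into training.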
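The seven evaluation metrics of Section III.3 computed from a confusion matrix, together with a consistency check that can be run against reported result tables, as an added example that is not part of the paper. The labels and scores are constructed; the attack-versus-normal decision is a single threshold on the model's attack probability (an assumption, since the paper's Softmax output is multi-class); and ROC-AUC is computed by the rank (Mann-Whitney) method rather than by tracing the curve. The consistency check uses two identities the paper's own metric definitions imply, F1 = 2PR/(P+R) and Recall + FNR = 100%, so a reported row that violates either cannot have come from a single confusion matrix.

```python
"""IDS evaluation metrics from a binary confusion matrix, with a check for the
internal consistency of reported results. Added example; sample data constructed."""

# Constructed ground truth (1 = attack, 0 = normal) and model attack probabilities.
Y_TRUE = [1, 1, 1, 1, 1, 0, 0, 0, 0, 0]
Y_SCORE = [0.95, 0.85, 0.70, 0.40, 0.60, 0.10, 0.30, 0.55, 0.20, 0.05]


def confusion(y_true, y_score, threshold=0.5):
    """Return (tp, fp, tn, fn) after thresholding the attack score."""
    tp = fp = tn = fn = 0
    for y, s in zip(y_true, y_score):
        pred = 1 if s >= threshold else 0
        if pred == 1 and y == 1:
            tp += 1
        elif pred == 1 and y == 0:
            fp += 1
        elif pred == 0 and y == 0:
            tn += 1
        else:
            fn += 1
    return tp, fp, tn, fn


def roc_auc(y_true, y_score):
    """Probability that a random attack outscores a random normal flow (ties count
    one half); this rank statistic equals the area under the ROC curve."""
    pos = [s for y, s in zip(y_true, y_score) if y == 1]
    neg = [s for y, s in zip(y_true, y_score) if y == 0]
    if not pos or not neg:
        return 0.0
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def metrics(y_true, y_score, threshold=0.5):
    """All seven metrics from Section III.3 as fractions in [0, 1]."""
    tp, fp, tn, fn = confusion(y_true, y_score, threshold)
    ratio = lambda a, b: a / b if b else 0.0
    precision = ratio(tp, tp + fp)
    recall = ratio(tp, tp + fn)
    return {
        "accuracy": ratio(tp + tn, tp + fp + tn + fn),
        "precision": precision,
        "recall": recall,
        "f1": ratio(2 * precision * recall, precision + recall),
        "fpr": ratio(fp, fp + tn),   # normal flows raised as alerts
        "fnr": ratio(fn, fn + tp),   # attacks that slipped through
        "roc_auc": roc_auc(y_true, y_score),
    }


def fpr_fnr_tradeoff(y_true, y_score, thresholds):
    """(threshold, FPR, FNR) per threshold: raising it trades alert noise for misses."""
    out = []
    for t in thresholds:
        m = metrics(y_true, y_score, t)
        out.append((t, m["fpr"], m["fnr"]))
    return out


def f1_from_percent(precision_pct, recall_pct):
    """F1 implied by reported precision and recall (all in percent)."""
    return 2 * precision_pct * recall_pct / (precision_pct + recall_pct)


def reported_row_consistent(precision_pct, recall_pct, f1_pct, fnr_pct, tol=0.1):
    """True if a reported (Precision, Recall, F1, FNR) row could come from one
    confusion matrix: F1 must match 2PR/(P+R) and Recall + FNR must equal 100."""
    return (abs(f1_from_percent(precision_pct, recall_pct) - f1_pct) <= tol
            and abs(recall_pct + fnr_pct - 100.0) <= tol)


if __name__ == "__main__":
    for name, value in metrics(Y_TRUE, Y_SCORE).items():
        print(f"{name:9s} {value:.3f}")
    print(fpr_fnr_tradeoff(Y_TRUE, Y_SCORE, [0.3, 0.5, 0.7]))
```

On the constructed sample the default threshold gives accuracy, precision, recall and F1 of 0.8, FPR and FNR of 0.2, and ROC-AUC of 0.96. The trade-off helper makes the operational point behind the FPR and FNR metrics concrete: moving the threshold from 0.3 to 0.7 drives FPR from 0.4 to 0 while FNR rises from 0 to 0.4, so a tuned threshold, not only the model, decides how many alerts an analyst sees. Feeding the Table 1 rows of this paper into reported_row_consistent (for example precision 95.1, recall 93.4, F1 94.2, FNR 6.6) returns True for every row.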
1.1 Hardware & Software Environment

Hardware Configuration:
· On-Premise Testing:
  o Processor: Intel Core i7-12700K (12 cores, 20 threads)
  o RAM: 32GB DDR5
  o GPU: NVIDIA RTX 3090 (24GB VRAM)
  o Storage: 1TB NVMe SSD
· Cloud Deployment (AWS):
  o Instance Type: AWS EC2 p3.2xlarge (NVIDIA V100 GPU)
  o RAM: 16GB
  o Storage: 500GB SSD
  o Network Bandwidth: 10 Gbps

Software Stack:
· Deep Learning Framework: TensorFlow 2.0 / PyTorch
· Programming Language: Python 3.9
· Data Processing: Pandas, NumPy, Scikit-learn
· Deployment Environment: Docker, Kubernetes, Flask API

1.2 Dataset Preprocessing & Feature Engineering
· Feature Selection & Reduction: Used PCA (Principal Component Analysis) and mutual information-based selection.
· Data Normalization: Min-Max scaling to ensure uniform data distribution.
· Handling Imbalanced Data: Applied SMOTE (Synthetic Minority Over-Sampling Technique).
· Data Splitting:
  o Training Set: 70%
  o Validation Set: 15%
  o Testing Set: 15%

2. Deployment Environment

To ensure real-world applicability, the IDS model was tested in different deployment environments:

2.1 On-Premise Deployment
· Mode: Standalone execution on a high-performance workstation.
· Use Case: Small-scale organizations that prefer local network monitoring.
· Inference Speed: 1.8 milliseconds per packet
· Limitations: Hardware resource constraints for scaling.

2.2 Cloud-Based Deployment
· Mode: Deployed on AWS EC2 with Kubernetes for auto-scaling.
· Use Case: Large-scale enterprises needing dynamic scalability.
· Inference Speed: 2.1 milliseconds per packet
· Advantages: Better scalability, automated model updates, and global accessibility.

2.3 Edge-Based Deployment
· Mode: Deployed on an NVIDIA Jetson Xavier NX (8GB RAM) for real-time IoT threat detection.
· Use Case: Low-latency detection for IoT and embedded systems.
· Inference Speed: 3.5 milliseconds per packet
· Limitations: Limited computational power for complex deep learning models.

3. Performance Benchmarking & Comparative Analysis

The proposed IDS model was compared against existing state-of-the-art methods, including Random Forest (RF), Support Vector Machine (SVM), and traditional CNN and LSTM architectures.

Table 1: Classification Performance Metrics

Model               Accuracy (%)  Precision (%)  Recall (%)  F1-Score (%)  FPR (%)  FNR (%)  ROC-AUC (%)
Random Forest (RF)      88.7          85.3          82.6         83.9        11.3     17.4       90.2
SVM                     90.2          87.1          85.4         86.2         9.8     14.6       92.5
CNN                     92.4          91.2          88.6         89.8         7.4     11.4       95.2
LSTM                    94.1          92.8          90.2         91.5         5.9      9.8       96.8
Proposed CNN-LSTM       96.3          95.1          93.4         94.2         3.7      6.6       98.5

Key Observations:
· The CNN-LSTM hybrid model outperformed all other models in accuracy (96.3%), false positive rate (3.7%) and false negative rate (6.6%), as shown in Table 1.
· Traditional ML models (RF, SVM) struggled to detect zero-day attacks, leading to lower recall values.
· Standalone CNN and LSTM models performed well, but combining spatial and sequential learning (CNN-LSTM) significantly improved detection rates.

Table 2: Real-Time Scalability & Processing Speed

Deployment Mode     Inference Speed (ms/packet)  Latency (ms)  Scalability
On-Premise                     1.8                    10         Limited
Cloud-Based (AWS)              2.1                    12         High
Edge-Based (IoT)               3.5                    15         Moderate

Findings:
· Cloud deployment had the best scalability [11], allowing real-time attack detection with minimal latency.
· On-premise deployment was faster, but limited in scalability.
· Edge-based IDS was slower but ideal for IoT applications, where security needs are growing, as shown in Table 2.

Table 3: Comparative Performance Against Existing Research

Approach          Model Type  Dataset               Accuracy (%)  False Positive Rate (%)
He et al. (2022)  CNN         NSL-KDD                   91.8               9.2
Li et al. (2023)  LSTM        CICIDS2017                93.2               7.8
Proposed Model    CNN-LSTM    NSL-KDD & CICIDS2017      96.3               3.7

Key Takeaways:
· The proposed CNN-LSTM model outperforms the existing state-of-the-art models in accuracy and false positive rate, as the comparison in Table 3 shows.
· Hybrid architectures (CNN + LSTM) yield better results than standalone deep learning models.

V. Discussion & Limitations

1. Strengths of the Proposed Approach

The proposed hybrid CNN-LSTM-based IDS offers multiple advantages over traditional intrusion detection systems [12]:
1) Improved Attack Detection Accuracy:
· By leveraging both CNN and LSTM, the model effectively identifies spatial and sequential attack patterns, resulting in higher detection rates compared to standalone ML models.
2) Reduced False Positives:
· Through advanced feature selection (PCA) and data balancing techniques (SMOTE), the model significantly reduces false alarms, improving its practical usability in cybersecurity operations.
3) Scalability Across Different Deployment Environments:
· The model is tested on cloud, edge, and on-premise environments, making it adaptable for real-world applications with varying computational constraints.
4) Robust Multi-Dataset Training:
· Unlike existing studies that focus on a single dataset, this research integrates NSL-KDD and CICIDS2017, ensuring better generalization to diverse attack types.
5) Automated Feature Learning with Deep Learning:
· Unlike traditional ML-based IDS models that require manual feature engineering, the proposed deep learning approach automates feature extraction, reducing human effort while improving model performance.

2. Challenges and Limitations

a) Computational Complexity and Resource Requirements:
· The deep learning-based IDS [5][6] demands high computational power, making it difficult to deploy in resource-constrained environments (e.g., edge devices, IoT networks).
· Future work should explore lightweight deep learning models optimized for low-power environments.
b) High Training Time and Data Dependency:
· The model requires extensive training on labeled datasets, which is a limiting factor for real-time adaptability.
· Implementing semi-supervised or self-learning models could reduce the dependency on labeled datasets.
c) Adversarial Vulnerabilities:
· Attackers can manipulate network traffic to bypass the IDS detection mechanism, leading to evasion attacks.
· Further research is required to improve adversarial defense techniques in AI-driven cybersecurity.
d) Lack of Explainability in Deep Learning Models:
· Since deep learning models operate as black boxes, security analysts may struggle to interpret why an attack was flagged.
· Explainable AI (XAI) techniques should be integrated to improve transparency and trust in IDS decisions.
e) Scalability in Real-Time Environments:
· Although the model performs well in controlled environments, handling large-scale, real-time network traffic remains a challenge.
· Research into federated learning-based IDS solutions could enhance scalability across distributed networks.

Future Work: Federated Learning for Decentralized IDS with RL-Based Response Automation

As cyber threats become increasingly sophisticated, future research will focus on developing a Federated Learning (FL)-based decentralized IDS integrated with Reinforcement Learning (RL) for automated response mechanisms.
1) Federated Learning for Privacy-Preserving IDS:
· Traditional IDS models rely on centralized data collection, posing privacy risks and scalability challenges.
· FL will enable distributed training of IDS models across multiple network nodes (e.g., cloud, edge, IoT devices) without data sharing, ensuring privacy and compliance with regulations such as GDPR.
2) Decentralized Detection for Large-Scale Networks:
· By leveraging FL, the IDS will learn from diverse threat environments across different network locations, improving adaptability to new attack patterns without centralized data storage.
3) Integration of RL for Automated Response Mechanisms:
· The proposed system will incorporate Reinforcement Learning (RL) to enable IDS models not only to detect threats but also to take autonomous response actions based on attack severity.
· RL will optimize attack mitigation strategies, reducing reliance on human intervention while minimizing downtime and system disruption.
4) Self-Learning and Adaptive Threat Mitigation:
· Unlike static rule-based IDS, the integration of FL + RL will allow continuous adaptation to emerging cyber threats.
· The model will dynamically adjust its detection and response strategies without requiring frequent manual updates.

Conclusion

This research has explored the development of an AI-driven anomaly detection system for intrusion detection in cloud and edge environments. By leveraging deep learning models, particularly CNNs and LSTMs, we have demonstrated the potential of AI to enhance the accuracy and efficiency of IDS solutions. The integration of real-time detection capabilities ensures that our approach can effectively identify and mitigate cyber threats in dynamic and distributed network environments. The study highlights the significance of feature extraction, model training, and hyperparameter optimization in improving detection performance while addressing challenges such as high false positive rates and scalability constraints.

Future Scope

The research can be extended by incorporating federated learning to enable decentralized intrusion detection across multiple cloud and edge nodes while preserving data privacy. Additionally, integrating reinforcement learning (RL) can further automate response mechanisms, allowing IDS to adapt dynamically to emerging threats. Exploring lightweight deep learning architectures and edge-native AI models will also enhance the system's efficiency for deployment in resource-constrained environments.
References
[1] Merve Ozkan-Okay et al., "A Comprehensive Systematic Literature Review on Intrusion Detection Systems," IEEE Access, 2021.
[2] Usama Ahmed et al., "Signature-based intrusion detection using machine learning and deep learning approaches empowered with fuzzy clustering," Scientific Reports, 2025.
[3] Salman Muneer et al., "A Critical Review of Artificial Intelligence-Based Approaches in Intrusion Detection: A Comprehensive Analysis," Journal of Engineering, 2024.
[4] Muneer et al., "AI Approaches in IDS: A Systematic Review," Journal of Engineering, 2024.
[5] Ahmed et al., "Deep Learning for Intrusion Detection," Scientific Reports, 2025.
[6] Muneer et al., "Challenges in AI-Based IDS," Journal of Engineering, 2024.
[7] Ozkan-Okay et al., "IDS Challenges in Cloud Computing," IEEE Access, 2021.
[8] Ahmed et al., "Computational Constraints in DL-Based IDS," Scientific Reports, 2025.
[9] Muneer et al., "Adversarial Attacks on IDS," Journal of Engineering, 2024.
[10] Ozkan-Okay et al., "Explainability in AI-Driven IDS," IEEE Access, 2021.
[11] Ahmed et al., "Cloud and Edge Computing Security Challenges," Scientific Reports, 2025.
[12] Muneer et al., "Hybrid Approaches in IDS," Journal of Engineering, 2024.
[13] Ozkan-Okay et al., "Federated Learning for IDS," IEEE Access, 2021.
[14] Ahmed et al., "Enhancing IDS with Explainable AI," Scientific Reports, 2025.
[15] Muneer et al., "Adaptive IDS Models for Future Threats," Journal of Engineering, 2024.
[16] Han, D. et al., "Evaluating and improving adversarial robustness of machine learning-based network intrusion detectors," IEEE Journal on Selected Areas in Communications, vol. 39, pp. 2632–2647, 2021.
[17] El-Kenawy, E.-S. M. et al., "Greylag goose optimization: nature-inspired optimization algorithm," Expert Systems with Applications, vol. 238, 122147, 2024.

Additional Declarations
The authors declare no competing interests.
Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-6928225","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":473437291,"identity":"b40892e6-db1b-4f6f-b598-dcff54d2a5c4","order_by":0,"name":"Niki Modi","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAA5ElEQVRIiWNgGAWjYDACZjaGA0CSh42ZsfHBB6AAGzuxWvjZmQ8bzgBpYSZoDRtYI4NkP1uaNA+EjR+Ys7MlHrpRYS1jcJjHQNrm1zZ5PmYGxg8fc3BrsWxmO3A450w6D0iLcW7fbcM2ZgZmyZnbcGsxOMzecDi37TBYS3Juz21GoBY2Zl5itRy27LltT4QWoMNAWiSb2RKbGX7cTiRGSwLYL/zMzIcZextuJ7cxMzbj98v5Y8afcyqs7dn4D7b/+PHntu389uaDHz7i0YIKGNvAZAOx6kHgDymKR8EoGAWjYKQAALjsTlnvz8XeAAAAAElFTkSuQmCC","orcid":"","institution":"","correspondingAuthor":true,"prefix":"","firstName":"Niki","middleName":"","lastName":"Modi","suffix":""}],"badges":[],"createdAt":"2025-06-19 
06:54:28","currentVersionCode":1,"declarations":{"humanSubjects":true,"vertebrateSubjects":false,"conflictsOfInterestStatement":false,"humanSubjectEthicalGuidelines":true,"humanSubjectConsent":true,"humanSubjectClinicalTrial":false,"humanSubjectCaseReport":false,"vertebrateSubjectEthicalGuidelines":false},"doi":"10.21203/rs.3.rs-6928225/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-6928225/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":85028368,"identity":"8f394f3a-1dcf-435b-8765-ff48a2933faf","added_by":"auto","created_at":"2025-06-20 06:48:04","extension":"png","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":69160,"visible":true,"origin":"","legend":"\u003cp\u003eThe proposed deep learning model\u003c/p\u003e","description":"","filename":"1.png","url":"https://assets-eu.researchsquare.com/files/rs-6928225/v1/3960be5b7389c8735d2d7f0c.png"},{"id":85029513,"identity":"ebf1f332-6e70-41f0-8241-4c8fff0e7be6","added_by":"auto","created_at":"2025-06-20 07:04:06","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":2649295,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-6928225/v1/148b4161-67a8-4b79-bd77-1b0e04de504e.pdf"}],"financialInterests":"The authors declare no competing interests.","formattedTitle":"\u003cp\u003eAI-Powered Intrusion Detection Using CNN-LSTM for Cloud and Edge Networks: A Hybrid Deep Learning Approach\u003c/p\u003e","fulltext":[{"header":"I. Introduction","content":"\u003cp\u003eAn Intrusion Detection System (IDS) is a network security mechanism designed to detect and analyze potential threats targeting applications, end devices, and network infrastructure. Operating as a passive monitoring tool, IDS listens to network traffic, identifies anomalies, and alerts administrators about suspicious activities. 
However, IDS alone cannot take preventive measures to mitigate an attack, making it insufficient as a standalone security solution.In cloud environments, IDS can be deployed as a Software as a Service (SaaS) or integrated into security solutions like Next-Generation Firewall as a Service (FWaaS) or Secure Access Service Edge (SASE). These cloud-based security architectures provide scalable, real-time threat detection across Infrastructure-as-a-Service (IaaS) environments.On the other hand, edge networks shift computing resources closer to the data source, reducing the load on central cloud data centers. Edge computing enables low-latency processing by handling data at or near IoT devices, ensuring faster threat detection and response. IDS in edge networks plays a crucial role in real-time security monitoring, improving network performance, bandwidth efficiency, and overall cybersecurity resilience by detecting attacks at the periphery of the network before they reach critical cloud infrastructure.\u003c/p\u003e \u003cp\u003eIntrusion Detection Systems (IDS) play a critical role in network security[\u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e1\u003c/span\u003e]; however, they face several challenges that affect their efficiency and reliability. One of the primary issues is the False Alarm Rate, where legitimate network activities are mistakenly flagged as malicious, leading to unnecessary alerts and increased workload for security analysts. Another major challenge is the Low Detection Rate, which occurs when IDS fails to identify actual threats, leaving networks vulnerable to attacks. Additionally, the Unbalanced Dataset problem arises due to the significant disparity between attack and normal traffic data in training models, which can lead to biased detection results. Lastly, Response Time is a crucial factor, as delays in identifying and mitigating threats can allow attackers to exploit vulnerabilities before preventive measures are taken. 
Addressing these challenges is essential to improving IDS effectiveness and ensuring robust cybersecurity defenses.\u003c/p\u003e \u003cp\u003eThe integration of Artificial Intelligence (AI) and Deep Learning (DL) has significantly improved the efficiency and adaptability of Intrusion Detection Systems (IDS). By leveraging deep networks (DN), IDS can gradually enhance its capacity through the addition of layers and nodes, enabling better feature extraction and pattern recognition in complex network traffic. The tuning process of these models is largely empirical, requiring extensive hyperparameter optimization, including learning rate adjustments and layer configurations, to achieve optimal detection accuracy. Additionally, model and dataset design changes play a crucial role in improving IDS performance. The collection, cleanup, and augmentation of datasets help in mitigating the unbalanced data issue, ensuring that the IDS can detect both common and rare cyber threats effectively. The incorporation of semi-supervised learning enables the system to learn from both labeled and unlabeled data, making it more adaptive to emerging threats. By continuously refining the training process, hyperparameters, and dataset quality, AI-driven IDS can achieve higher detection rates, lower false alarms, and real-time threat mitigation, making network security more robust and proactive.\u003c/p\u003e \u003cp\u003eThe goal of this research is to build a deep learning-driven anomaly detection system designed specifically for cloud and edge networks[\u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2\u003c/span\u003e]. As cyber threats become more sophisticated, traditional security measures struggle to keep up. A deep learning-based approach can help by identifying complex attack patterns, adapting to new threats, and minimizing false alarms in real time. 
To enhance the system\u0026rsquo;s accuracy, we will gradually increase the depth of the neural network by adding more layers and nodes, allowing it to better recognize suspicious activity. However, fine-tuning the model is not just a theoretical process\u0026mdash;it requires experimenting with different hyperparameters, adjusting the learning rate, and optimizing network architecture to find the best balance between performance and efficiency. Another key challenge is dealing with imbalanced datasets, where normal network traffic far outweighs attack data. To address this, we will focus on curating high-quality datasets, cleaning up inconsistencies, and applying data augmentation techniques to ensure that the model learns effectively from a diverse range of attack scenarios. Additionally, by incorporating semi-supervised learning, the system will be able to detect previously unseen attacks using both labeled and unlabeled data.By continuously refining the model and improving how it processes network traffic, this research aims to develop an intelligent, real-time intrusion detection system that can secure cloud and edge environments more effectively, reducing false alarms and responding to threats before they cause damage.\u003c/p\u003e"},{"header":"II. Literature Review","content":"\u003cp\u003eIntrusion Detection Systems (IDS) play a crucial role in cybersecurity, evolving from traditional signature-based methods to advanced AI-driven approaches. Signature-based IDS rely on predefined attack patterns, making them effective for known threats but inadequate against novel attacks. Anomaly-based IDS, leveraging machine learning (ML) and statistical models, address this limitation by detecting deviations from normal behavior. 
However, high false positive rates pose a significant challenge, necessitating more sophisticated AI solutions that can adapt to evolving cyber threats.\u003c/p\u003e \u003cp\u003eArtificial Intelligence (AI)-based approaches in IDS [\u003cspan citationid=\"CR3\" class=\"CitationRef\"\u003e3\u003c/span\u003e] have gained significant attention due to their ability to analyze vast amounts of network traffic data and detect sophisticated cyber threats. AI models, particularly those based on machine learning (ML) and deep learning (DL), enhance IDS by enabling automated detection, adaptive learning, and predictive analytics. These techniques allow IDS to recognize subtle attack patterns that traditional methods may miss. ML-based IDS leverage algorithms such as Decision Trees, Support Vector Machines (SVM), and Random Forests, which classify network traffic by learning from past attack data. However, these models often require extensive feature engineering and may struggle with detecting evolving threats. To address this, DL techniques, including Convolutional Neural Networks (CNNs) and Long Short-Term Memory (LSTM) networks, provide superior feature extraction capabilities and improved accuracy in detecting zero-day attacks and advanced persistent threats (APTs).\u003c/p\u003e \u003cp\u003eMachine learning techniques such as Support Vector Machines (SVM), Random Forest (RF), Decision Trees (DT), and K-Nearest Neighbors (KNN) have been widely applied in IDS, improving detection accuracy by identifying patterns in network traffic. These models, however, often require extensive feature engineering and struggle with scalability when dealing with high-volume, real-time network data. Deep learning (DL) models, including Convolutional Neural Networks (CNNs), Long Short-Term Memory (LSTM), and Artificial Neural Networks (ANNs), have shown promise in overcoming these limitations by automatically extracting features and identifying complex attack patterns. 
CNNs effectively analyze structured network traffic data, while LSTMs excel in detecting sequential anomalies in time-series data. Despite their advantages, DL models require substantial labeled datasets and remain vulnerable to adversarial attacks that manipulate input data to evade detection.\u003c/p\u003e \u003cp\u003eAI-driven IDS face multiple challenges, including high false positive rates, computational overhead[\u003cspan citationid=\"CR8\" class=\"CitationRef\"\u003e8\u003c/span\u003e], and adversarial vulnerabilities. Anomaly-based detection systems often misclassify benign activities as threats, leading to unnecessary alerts that burden security teams. Additionally, processing high-dimensional network data demands significant computational resources, making real-time detection difficult. Adversarial attacks can further undermine IDS reliability by subtly altering malicious traffic to resemble normal behavior. Another major concern is the lack of explainability in AI-based IDS, as most deep learning models function as black boxes, making it difficult for security analysts to interpret and trust automated decisions. Efforts in Explainable AI (XAI) aim to address this by improving transparency and justifications for threat classifications.\u003c/p\u003e \u003cp\u003eThe emergence of cloud and edge computing introduces further complexities for IDS deployment. Cloud-based IDS provide centralized security monitoring but may struggle with latency in large-scale environments. Conversely, edge-based IDS must operate with minimal computational resources while maintaining high detection accuracy. Hybrid approaches combining ML, DL, and federated learning (FL) are increasingly being explored to enhance IDS efficiency. Federated learning enables IDS models to be trained collaboratively across distributed nodes without data sharing, preserving privacy while improving detection capabilities. 
This is particularly valuable for organizations handling sensitive data, as it allows models to learn from diverse threat landscapes without compromising security policies.\u003c/p\u003e \u003cp\u003eDespite significant advancements, existing IDS solutions face notable gaps. One of the primary challenges is real-time scalability, as many AI-based IDS struggle to process and analyze large-scale network traffic efficiently. Many current models exhibit high computational overhead, making them impractical for deployment in resource-constrained environments such as edge computing. Additionally, high false positive rates remain a critical issue, leading to frequent misclassification of benign traffic as threats, overwhelming security teams with unnecessary alerts. There is also a lack of comprehensive solutions that integrate adaptive learning mechanisms to ensure continuous model updates against evolving cyber threats. Addressing these gaps requires further research into lightweight, real-time AI models, improved anomaly detection techniques, and enhanced explainability to reduce false positives and improve the trustworthiness of AI-driven IDS[\u003cspan citationid=\"CR10\" class=\"CitationRef\"\u003e10\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eFuture research directions focus on optimizing detection accuracy, reducing false positives, and mitigating computational constraints. Federated learning is expected to play a crucial role in training IDS models across distributed environments while ensuring data privacy. Adaptive security models with self-learning mechanisms are being developed to dynamically update IDS rules based on evolving threats, ensuring resilience against emerging cyber-attacks. As AI and DL continue to advance, their integration into IDS solutions will significantly enhance cybersecurity in cloud and edge networks, offering a proactive and adaptive approach to threat detection and prevention. 
However, for AI-driven IDS to be fully effective, continued efforts are needed to refine model accuracy, improve interpretability, and minimize computational overhead, ensuring scalable and reliable security solutions for modern digital infrastructures\u003c/p\u003e "},{"header":"III. Proposed Methodology","content":"\u003cp\u003e1) \u0026nbsp; \u0026nbsp;Data Collection \u0026amp; Processing\u003c/p\u003e\n\u003cp\u003eThis paper utilizes two widely used intrusion detection datasets: \u003cstrong\u003eNSL-KDD\u003c/strong\u003e and \u003cstrong\u003eCICIDS2017\u003c/strong\u003e. The NSL-KDD dataset improves upon the original KDD99 dataset by removing redundant and duplicate records, making it more balanced for training and testing IDS models. CICIDS2017 is a modern dataset containing realistic attack scenarios and diverse network traffic, making it highly suitable for training deep learning-based intrusion detection systems.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eData Preprocessing Steps:\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003e1. \u003cstrong\u003eFeature Selection and Extraction:\u003c/strong\u003e Reducing dimensionality using techniques like PCA (Principal Component Analysis) or autoencoders.\u003c/p\u003e\n\u003cp\u003e2. \u003cstrong\u003eData Normalization:\u003c/strong\u003e Standardizing features to a common scale for better deep learning model performance.\u003c/p\u003e\n\u003cp\u003e3. \u003cstrong\u003eHandling Imbalanced Data:\u003c/strong\u003e Applying techniques such as \u003cstrong\u003eSMOTE (Synthetic Minority Over-sampling Technique)\u003c/strong\u003e to ensure balanced class distribution.\u003c/p\u003e\n\u003cp\u003e4. \u003cstrong\u003eSplitting Data:\u003c/strong\u003e Dividing the dataset into \u003cstrong\u003etraining (70%), validation (15%), and testing (15%)\u003c/strong\u003e sets for model evaluation.\u003c/p\u003e\n\u003cp\u003e2) \u0026nbsp; \u0026nbsp;Deep Learning Model Architecture\u003c/p\u003e\n\u003cp\u003e1. 
\u003cstrong\u003eInput Layer:\u003c/strong\u003e The model begins with an input layer that receives preprocessed network traffic features as shown in Fig[1].These features include essential attributes such as packet size, protocol type, and connection duration, which help in distinguishing normal and malicious traffic. Standardization and normalization techniques are applied at this stage to ensure consistent data distribution, improving the model\u0026apos;s learning efficiency.\u003c/p\u003e\n\u003cp\u003e2. \u003cstrong\u003eFeature Extraction Layer:\u003c/strong\u003e At this stage, Convolutional Neural Networks (CNNs) or Long Short-Term Memory (LSTM) networks are employed to learn hierarchical and sequential patterns in the network traffic. CNNs excel at capturing spatial dependencies within traffic features, while LSTMs are effective in recognizing temporal patterns and sequential anomalies in time-series data. This layer helps in reducing manual feature engineering efforts by automatically extracting relevant patterns from the input data.\u003c/p\u003e\n\u003cp\u003e3.\u0026nbsp;\u003cstrong\u003eFully Connected Layers:\u003c/strong\u003e The extracted features are then passed through multiple fully connected (Dense) layers. These layers utilize Rectified Linear Unit (ReLU) activation functions to introduce non-linearity, allowing the model to learn complex attack patterns. Dropout regularization is also applied in these layers to prevent overfitting and improve generalization across different network traffic scenarios.\u003cbr\u003e\u0026nbsp;\u003c/p\u003e\n\u003cp\u003e4. \u003cstrong\u003eOutput Layer:\u003c/strong\u003e The final layer is a Softmax layer responsible for multi-class classification of network traffic. It assigns probability scores to different categories, such as normal traffic or various types of attacks, enabling precise and reliable threat detection. 
The Softmax activation ensures that the output probabilities sum up to one, making it suitable for classifying network traffic into distinct attack types.\u003c/p\u003e\n\u003cp\u003eThe deep learning architecture leverages transfer learning to improve model performance, particularly in scenarios where labeled data is limited. Initially, a source model is trained on a large dataset with abundant labels, allowing it to learn complex feature representations. This model, trained on source data, captures hierarchical patterns essential for classification tasks. Once trained, the learned knowledge from the source model is transferred to a target model, which operates on a smaller dataset with fewer labels. By fine-tuning the pre-trained model on the target dataset, the architecture enhances its adaptability to new domains while reducing training time and computational resources. This approach significantly improves deep learning performance, particularly in intrusion detection and cybersecurity applications where labeled data is scarce.\u003c/p\u003e\n\u003cp\u003e3) \u0026nbsp; \u0026nbsp;Model Training \u0026amp; Evaluation\u0026nbsp;\u003c/p\u003e\n\u003cp\u003eThe deep learning-based Intrusion Detection System (IDS) undergoes a comprehensive training and evaluation process to ensure its effectiveness in identifying cyber threats. This process includes multiple stages, ranging from training strategies to performance assessment using various evaluation metrics.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e1. Training Strategy\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eTo optimize learning, the model is trained using the \u003cstrong\u003eAdam optimizer\u003c/strong\u003e, which provides an adaptive learning rate for efficient weight updates. Initially, a high learning rate is used to allow faster convergence, and it is gradually reduced using \u003cstrong\u003elearning rate scheduling\u003c/strong\u003e to refine model performance. 
The training phase involves \u003cstrong\u003ebackpropagation and gradient descent\u003c/strong\u003e, ensuring that the model minimizes classification errors.\u003c/p\u003e\n\u003cp\u003eThe training dataset is fed in \u003cstrong\u003emini-batches\u003c/strong\u003e to improve computational efficiency and prevent memory overload. Batch sizes are fine-tuned based on the dataset characteristics, balancing computational cost and convergence speed. \u003cstrong\u003eBatch normalization\u003c/strong\u003e is also applied to stabilize and accelerate training by normalizing activations within the network.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e2. Loss Function\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eThe \u003cstrong\u003eCategorical Cross-Entropy\u003c/strong\u003e loss function is employed for multi-class classification. It computes the difference between predicted probabilities and actual labels, guiding the network in adjusting its parameters. This loss function is ideal for IDS since it effectively handles multiple attack categories.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e3. 
Hyperparameter Tuning\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eTo optimize model performance, hyperparameters such as \u003cstrong\u003elearning rate, batch size, dropout rate, number of layers, and number of neurons\u003c/strong\u003e are tuned using techniques like:\u003c/p\u003e\n\u003cp\u003e●\u0026nbsp;\u003cstrong\u003eGrid Search:\u003c/strong\u003e A systematic approach testing different hyperparameter combinations.\u003c/p\u003e\n\u003cp\u003e● \u003cstrong\u003eBayesian Optimization:\u003c/strong\u003e An advanced method that intelligently searches for optimal parameters, reducing computational costs compared to brute-force approaches.[17]\u003c/p\u003e\n\u003cp\u003e● \u003cstrong\u003eRandom Search:\u003c/strong\u003e A less exhaustive yet effective strategy that randomly selects hyperparameters and evaluates their performance.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e4. Validation Strategy\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eA \u003cstrong\u003ek-fold cross-validation\u003c/strong\u003e technique is used to ensure robustness. The dataset is divided into \u003cstrong\u003ek subsets\u003c/strong\u003e, with each subset serving as a validation set while the remaining are used for training. This prevents model overfitting and ensures its generalizability to unseen network traffic patterns.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e5. 
Evaluation Metrics\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eTo assess the IDS model\u0026rsquo;s effectiveness, the following key evaluation metrics are employed:\u003c/p\u003e\n\u003cp\u003e●\u0026nbsp;\u003cstrong\u003eAccuracy:\u003c/strong\u003e Measures the overall percentage of correctly classified network traffic instances.\u003c/p\u003e\n\u003cp\u003e●\u0026nbsp;\u003cstrong\u003ePrecision:\u003c/strong\u003e Evaluates the proportion of actual attack cases correctly identified among all predicted attacks.\u003c/p\u003e\n\u003cp\u003e●\u0026nbsp;\u003cstrong\u003eRecall (Sensitivity):\u003c/strong\u003e Determines the proportion of correctly detected attacks among all actual attacks, ensuring that no threats are missed.\u003c/p\u003e\n\u003cp\u003e●\u0026nbsp;\u003cstrong\u003eF1-Score:\u003c/strong\u003e Provides a balance between precision and recall, crucial for IDS where both false positives and false negatives must be minimized.\u003c/p\u003e\n\u003cp\u003e●\u0026nbsp;\u003cstrong\u003eFalse Positive Rate (FPR):\u003c/strong\u003e Indicates the frequency of normal traffic being misclassified as malicious, which is critical to reducing unnecessary security alerts.\u003c/p\u003e\n\u003cp\u003e● \u003cstrong\u003eFalse Negative Rate (FNR):\u003c/strong\u003e Assesses how often actual attacks are misclassified as normal traffic, which can lead to undetected security breaches.\u003c/p\u003e\n\u003cp\u003e● \u003cstrong\u003eROC-AUC Curve:\u003c/strong\u003e Measures the model\u0026rsquo;s ability to distinguish between attack and normal traffic classes, with a higher Area Under the Curve (AUC) indicating better classification performance.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e6. Model Deployment and Real-Time Evaluation\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eOnce the model is trained and validated, it is deployed in a real-time network environment where its performance is monitored. 
The system continuously evaluates incoming network traffic and updates its predictions accordingly. To enhance scalability and adaptability, a \u003cstrong\u003econtinuous learning mechanism\u003c/strong\u003e is integrated, allowing the model to retrain periodically on newly observed attack patterns. This ensures that the IDS remains effective against emerging cyber threats.\u003c/p\u003e\n\u003cp\u003eBy following this rigorous training and evaluation methodology, the proposed deep learning model achieves high accuracy and low false positive rates, making it a reliable tool for real-time intrusion detection in modern network security environments.\u003c/p\u003e"},{"header":"IV. Experimental Setup \u0026 Results","content":"\u003cp\u003eTo rigorously evaluate the performance of the proposed deep learning-based Intrusion Detection System (IDS), experiments were conducted using the \u003cstrong\u003eNSL-KDD\u003c/strong\u003e and \u003cstrong\u003eCICIDS2017\u003c/strong\u003e datasets. These datasets provide a diverse range of attack scenarios, ensuring a robust assessment of the model\u0026rsquo;s effectiveness.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e1.1 Hardware \u0026amp; Software Environment\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eHardware Configuration:\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003e\u0026middot; \u003cstrong\u003eOn-Premise Testing:\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eo Processor: Intel Core i7-12700K (12 cores, 20 threads)\u003c/p\u003e\n\u003cp\u003eo RAM: 32GB DDR5\u003c/p\u003e\n\u003cp\u003eo GPU: NVIDIA RTX 3090 (24GB VRAM)\u003c/p\u003e\n\u003cp\u003eo Storage: 1TB NVMe SSD\u003c/p\u003e\n\u003cp\u003e\u0026middot; \u003cstrong\u003eCloud Deployment (AWS)\u003c/strong\u003e:\u003c/p\u003e\n\u003cp\u003eo Instance Type: AWS EC2 \u003cstrong\u003ep3.2xlarge\u003c/strong\u003e (NVIDIA V100 GPU)\u003c/p\u003e\n\u003cp\u003eo RAM: 16GB\u003c/p\u003e\n\u003cp\u003eo Storage: 500GB 
SSD\u003c/p\u003e\n\u003cp\u003eo Network Bandwidth: 10 Gbps\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSoftware Stack:\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003e\u0026middot; \u003cstrong\u003eDeep Learning Framework:\u003c/strong\u003e TensorFlow 2.0 / PyTorch\u003c/p\u003e\n\u003cp\u003e\u0026middot; \u003cstrong\u003eProgramming Language:\u003c/strong\u003e Python 3.9\u003c/p\u003e\n\u003cp\u003e\u0026middot; \u003cstrong\u003eData Processing:\u003c/strong\u003e Pandas, NumPy, Scikit-learn\u003c/p\u003e\n\u003cp\u003e\u0026middot; \u003cstrong\u003eDeployment Environment:\u003c/strong\u003e Docker, Kubernetes, Flask API\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e1.2 Dataset Preprocessing \u0026amp; Feature Engineering\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003e\u0026middot; \u003cstrong\u003eFeature Selection \u0026amp; Reduction:\u003c/strong\u003e Used \u003cstrong\u003ePCA (Principal Component Analysis)\u003c/strong\u003e and \u003cstrong\u003emutual information-based selection\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003e\u0026middot; \u003cstrong\u003eData Normalization:\u003c/strong\u003e Min-Max scaling to ensure uniform data distribution.\u003c/p\u003e\n\u003cp\u003e\u0026middot; \u003cstrong\u003eHandling Imbalanced Data:\u003c/strong\u003e Applied \u003cstrong\u003eSMOTE (Synthetic Minority Over-Sampling Technique)\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003e\u0026middot; \u003cstrong\u003eData Splitting:\u003c/strong\u003e\u003c/p\u003e\n\u003cp\u003eo \u003cstrong\u003eTraining Set:\u003c/strong\u003e 70%\u003c/p\u003e\n\u003cp\u003eo \u003cstrong\u003eValidation Set:\u003c/strong\u003e 15%\u003c/p\u003e\n\u003cp\u003eo \u003cstrong\u003eTesting Set:\u003c/strong\u003e 15%\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003e2. 
2. Deployment Environment
To ensure real-world applicability, the IDS model was tested in different deployment environments:

2.1 On-Premise Deployment
· Mode: Standalone execution on a high-performance workstation.
· Use Case: Small-scale organizations that prefer local network monitoring.
· Inference Speed: 1.8 milliseconds per packet
· Limitations: Hardware resource constraints for scaling.

2.2 Cloud-Based Deployment
· Mode: Deployed on AWS EC2 with Kubernetes for auto-scaling.
· Use Case: Large-scale enterprises needing dynamic scalability.
· Inference Speed: 2.1 milliseconds per packet
· Advantages: Better scalability, automated model updates, and global accessibility.

2.3 Edge-Based Deployment
· Mode: Deployed on an NVIDIA Jetson Xavier NX (8GB RAM) for real-time IoT threat detection.
· Use Case: Low-latency detection for IoT and embedded systems.
· Inference Speed: 3.5 milliseconds per packet
· Limitations: Limited computational power for complex deep learning models.

3. Performance Benchmarking & Comparative Analysis
The proposed IDS model was compared against existing state-of-the-art methods, including Random Forest (RF), Support Vector Machine (SVM), and traditional CNN and LSTM architectures.

Table 1: Classification Performance Metrics
Model | Accuracy (%) | Precision (%) | Recall (%) | F1-Score (%) | FPR (%) | FNR (%) | ROC-AUC (%)
Random Forest (RF) | 88.7 | 85.3 | 82.6 | 83.9 | 11.3 | 17.4 | 90.2
SVM | 90.2 | 87.1 | 85.4 | 86.2 | 9.8 | 14.6 | 92.5
CNN | 92.4 | 91.2 | 88.6 | 89.8 | 7.4 | 11.4 | 95.2
LSTM | 94.1 | 92.8 | 90.2 | 91.5 | 5.9 | 9.8 | 96.8
Proposed CNN-LSTM | 96.3 | 95.1 | 93.4 | 94.2 | 3.7 | 6.6 | 98.5

Key Observations:
· The CNN-LSTM hybrid model outperformed all other models in terms of accuracy (96.3%), false positive rate (3.7%) and false negative rate (6.6%), as shown in Table 1.
· Traditional ML models (RF, SVM) struggled to detect zero-day attacks, leading to lower recall values.
· Standalone CNN and LSTM models performed well, but combining spatial and sequential learning (CNN-LSTM) significantly improved detection rates.

Table 2: Real-Time Scalability & Processing Speed
Deployment Mode | Inference Speed (ms/packet) | Latency (ms) | Scalability
On-Premise | 1.8 | 10 | Limited
Cloud-Based (AWS) | 2.1 | 12 | High
Edge-Based (IoT) | 3.5 | 15 | Moderate

Findings:
· Cloud deployment had the best scalability [11], allowing real-time attack detection with minimal latency.
· On-premise deployment was faster, but limited in scalability.
· Edge-based IDS was slower but ideal for IoT applications, where security needs are growing, as shown in Table 2.

Table 3: Comparative Performance Against Existing Research
Approach | Model Type | Dataset | Accuracy (%) | False Positive Rate (%)
He et al. (2022) | CNN | NSL-KDD | 91.8 | 9.2
Li et al. (2023) | LSTM | CICIDS2017 | 93.2 | 7.8
Proposed Model | CNN-LSTM | NSL-KDD & CICIDS2017 | 96.3 | 3.7

Key Takeaways:
· The proposed CNN-LSTM model outperforms the existing state-of-the-art models in both accuracy and false positive rate, as the comparison in Table 3 shows.
· Hybrid architectures (CNN + LSTM) yield better results than standalone deep learning models.
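Tables 1 and 3 report accuracy, precision, recall, F1, FPR, FNR and ROC-AUC without showing the confusion matrices behind them. The block below is an added example, not the paper's code, that computes every one of those columns from a constructed 20-record evaluation set (8 attacks, 12 benign flows, with made-up model scores) and adds the two identities a reader can apply to any reported IDS row: FNR must equal 1 - recall, and accuracy must lie between recall (TPR) and 1 - FPR (TNR), because it is their class-prior-weighted mean; solving that relation also recovers the attack share of the evaluation set that three reported figures imply. ROC-AUC is computed by the rank (Mann-Whitney) formulation rather than by integrating a curve. Function names and the sample data are this example's own.

```python
import math

# Constructed evaluation set: 8 attack records (label 1) and 12 benign
# records (label 0) with the model's attack-probability score for each.
SAMPLE_TRUE = [1] * 8 + [0] * 12
SAMPLE_SCORES = [0.9, 0.8, 0.85, 0.7, 0.6, 0.95, 0.55, 0.3,
                 0.1, 0.2, 0.15, 0.05, 0.3, 0.25, 0.4, 0.35, 0.6, 0.7, 0.45, 0.2]
SAMPLE_PRED = [1 if s >= 0.5 else 0 for s in SAMPLE_SCORES]   # alert threshold


def confusion(y_true, y_pred, positive=1):
    """Binary confusion matrix with 'attack' as the positive class."""
    cm = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for t, p in zip(y_true, y_pred):
        if p == positive:
            cm["tp" if t == positive else "fp"] += 1
        else:
            cm["fn" if t == positive else "tn"] += 1
    return cm


def _ratio(num, den):
    return num / den if den else 0.0


def metrics(cm):
    """The Table 1 columns as fractions in [0, 1] (multiply by 100 for %)."""
    tp, fp, tn, fn = cm["tp"], cm["fp"], cm["tn"], cm["fn"]
    precision = _ratio(tp, tp + fp)
    recall = _ratio(tp, tp + fn)               # = TPR = 1 - FNR
    return {
        "accuracy": _ratio(tp + tn, tp + fp + tn + fn),
        "precision": precision,
        "recall": recall,
        "f1": _ratio(2 * precision * recall, precision + recall),
        "fpr": _ratio(fp, fp + tn),            # benign flows raised as alerts
        "fnr": _ratio(fn, fn + tp),            # attacks that slipped through
    }


def roc_auc(y_true, scores, positive=1):
    """ROC-AUC via its rank interpretation: the probability that a randomly
    chosen attack scores higher than a randomly chosen benign record (ties
    count one half). Equivalent to the area under the ROC curve."""
    pos = [s for t, s in zip(y_true, scores) if t == positive]
    neg = [s for t, s in zip(y_true, scores) if t != positive]
    if not pos or not neg:
        return math.nan
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def consistency_checks(m, tol=1e-9):
    """Identities every reported row must satisfy, whoever produced it:
    FNR = 1 - recall, and accuracy lies between TPR (= recall) and
    TNR (= 1 - FPR) because it is their class-prior-weighted mean."""
    tnr = 1.0 - m["fpr"]
    lo, hi = min(m["recall"], tnr), max(m["recall"], tnr)
    return {
        "fnr_is_one_minus_recall": abs(m["fnr"] - (1.0 - m["recall"])) <= tol,
        "accuracy_between_tpr_and_tnr": lo - tol <= m["accuracy"] <= hi + tol,
    }


def implied_positive_share(accuracy, recall, fpr):
    """Solve accuracy = pi*TPR + (1 - pi)*TNR for pi, the attack share of the
    evaluation set that the three reported numbers imply. None if TPR == TNR
    (then any pi fits)."""
    tnr = 1.0 - fpr
    if abs(recall - tnr) < 1e-12:
        return None
    return (accuracy - tnr) / (recall - tnr)


def alerts_per_second(packets_per_s, attack_share, recall, fpr):
    """Operational load behind an FPR figure: true and false alerts per second
    at a given packet rate and attack share of the traffic."""
    attacks = packets_per_s * attack_share
    benign = packets_per_s - attacks
    return {"true_alerts": attacks * recall, "false_alerts": benign * fpr}


if __name__ == "__main__":
    m = metrics(confusion(SAMPLE_TRUE, SAMPLE_PRED))
    print({k: round(v * 100, 1) for k, v in m.items()})
    print("ROC-AUC:", round(roc_auc(SAMPLE_TRUE, SAMPLE_SCORES), 4))
    print(consistency_checks(m))
```

The consistency checks are worth running over any comparison table before trusting it, since accuracy, recall and FPR are not independent; and alerts_per_second is the number an operations team actually cares about, because a low percentage FPR still produces a steady stream of false alerts when almost all packets on a link are benign.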
V. Discussion & Limitation

1. Strengths of the Proposed Approach
The proposed hybrid CNN-LSTM-based IDS offers multiple advantages over traditional intrusion detection systems [12]:
1) Improved Attack Detection Accuracy:
· By leveraging both CNN and LSTM, the model effectively identifies spatial and sequential attack patterns, resulting in higher detection rates compared to standalone ML models.
2) Reduced False Positives:
· Through advanced feature selection (PCA) and data balancing techniques (SMOTE), the model significantly reduces false alarms, improving its practical usability in cybersecurity operations.
3) Scalability Across Different Deployment Environments:
· The model is tested on cloud, edge, and on-premise environments, making it adaptable for real-world applications with varying computational constraints.
4) Robust Multi-Dataset Training:
· Unlike existing studies that focus on a single dataset, this research integrates NSL-KDD and CICIDS2017, ensuring better generalization to diverse attack types.
5) Automated Feature Learning with Deep Learning:
· Unlike traditional ML-based IDS models that require manual feature engineering, the proposed deep learning approach automates feature extraction, reducing human effort while improving model performance.

2. Challenges and Limitations
a) Computational Complexity and Resource Requirements:
· The deep learning-based IDS [5][6] demands high computational power, making it difficult to deploy in resource-constrained environments (e.g., edge devices, IoT networks).
· Future work should explore lightweight deep learning models optimized for low-power environments.
b) High Training Time and Data Dependency:
· The model requires extensive training on labeled datasets, which is a limiting factor for real-time adaptability.
· Implementing semi-supervised or self-learning models could reduce the dependency on labeled datasets.
c) Adversarial Vulnerabilities:
· Attackers can manipulate network traffic to bypass the IDS detection mechanism, leading to evasion attacks.
· Further research is required to improve adversarial defense techniques in AI-driven cybersecurity.
d) Lack of Explainability in Deep Learning Models:
· Since deep learning models operate as black boxes, security analysts may struggle to interpret why an attack was flagged.
· Explainable AI (XAI) techniques should be integrated to improve transparency and trust in IDS decisions.
e) Scalability in Real-Time Environments:
· Although the model performs well in controlled environments, handling large-scale, real-time network traffic remains a challenge.
· Research into federated learning-based IDS solutions could enhance scalability across distributed networks.

Future Work: Federated Learning for Decentralized IDS with RL-Based Response Automation
As cyber threats become increasingly sophisticated, future research will focus on developing a Federated Learning (FL)-based decentralized IDS integrated with Reinforcement Learning (RL) for automated response mechanisms.
1) Federated Learning for Privacy-Preserving IDS:
· Traditional IDS models rely on centralized data collection, posing privacy risks and scalability challenges.
· FL will enable distributed training of IDS models across multiple network nodes (e.g., cloud, edge, IoT devices) without data sharing, ensuring privacy and compliance with regulations such as GDPR.
2) Decentralized Detection for Large-Scale Networks:
· By leveraging FL, the IDS will learn from diverse threat environments across different network locations, improving adaptability to new attack patterns without centralized data storage.
3) Integration of RL for Automated Response Mechanisms:
· The proposed system will incorporate Reinforcement Learning (RL) to enable IDS models to not only detect threats but also take autonomous response actions based on attack severity.
· RL will optimize attack mitigation strategies, reducing reliance on human intervention while minimizing downtime and system disruption.
4) Self-Learning and Adaptive Threat Mitigation:
· Unlike static rule-based IDS, the integration of FL + RL will allow continuous adaptation to emerging cyber threats.
· The model will dynamically adjust its detection and response strategies without requiring frequent manual updates.

Conclusion
This research has explored the development of an AI-driven anomaly detection system for intrusion detection in cloud and edge environments. By leveraging deep learning models, particularly CNNs and LSTMs, we have demonstrated the potential of AI to enhance the accuracy and efficiency of IDS solutions. The integration of real-time detection capabilities ensures that our approach can effectively identify and mitigate cyber threats in dynamic and distributed network environments. The study highlights the significance of feature extraction, model training, and hyperparameter optimization in improving detection performance while addressing challenges such as high false positive rates and scalability constraints.

Future Scope
The research can be extended by incorporating federated learning to enable decentralized intrusion detection across multiple cloud and edge nodes while preserving data privacy. Additionally, integrating reinforcement learning (RL) can further automate response mechanisms, allowing IDS to adapt dynamically to emerging threats. Exploring lightweight deep learning architectures and edge-native AI models will also enhance the system's efficiency for deployment in resource-constrained environments.

References
1. Merve Ozkan-Okay et al., "A Comprehensive Systematic Literature Review on Intrusion Detection Systems," IEEE Access, 2021.
2. Usama Ahmed et al., "Signature-based intrusion detection using machine learning and deep learning approaches empowered with fuzzy clustering," Scientific Reports, 2025.
3. Salman Muneer et al., "A Critical Review of Artificial Intelligence-Based Approaches in Intrusion Detection: A Comprehensive Analysis," Journal of Engineering, 2024.
4. Muneer et al., "AI Approaches in IDS: A Systematic Review," Journal of Engineering, 2024.
5. Ahmed et al., "Deep Learning for Intrusion Detection," Scientific Reports, 2025.
6. Muneer et al., "Challenges in AI-Based IDS," Journal of Engineering, 2024.
7. Ozkan-Okay et al., "IDS Challenges in Cloud Computing," IEEE Access, 2021.
8. Ahmed et al., "Computational Constraints in DL-Based IDS," Scientific Reports, 2025.
9. Muneer et al., "Adversarial Attacks on IDS," Journal of Engineering, 2024.
10. Ozkan-Okay et al., "Explainability in AI-Driven IDS," IEEE Access, 2021.
11. Ahmed et al., "Cloud and Edge Computing Security Challenges," Scientific Reports, 2025.
12. Muneer et al., "Hybrid Approaches in IDS," Journal of Engineering, 2024.
13. Ozkan-Okay et al., "Federated Learning for IDS," IEEE Access, 2021.
14. Ahmed et al., "Enhancing IDS with Explainable AI," Scientific Reports, 2025.
15. Muneer et al., "Adaptive IDS Models for Future Threats," Journal of Engineering, 2024.
16. D. Han et al., "Evaluating and improving adversarial robustness of machine learning-based network intrusion detectors," IEEE Journal on Selected Areas in Communications, vol. 39, pp. 2632–2647, 2021.
17. E.-S. M. El-Kenawy et al., "Greylag goose optimization: nature-inspired optimization algorithm," Expert Systems with Applications, vol. 238, 122147, 2024.

Keywords: AI-driven Security, Anomaly Detection, Cloud Computing, Cybersecurity, CNN, Edge Computing, Federated Learning, Intrusion Detection Systems, LSTM, Reinforcement Learning
Institution: Thakur College of Engineering & Technology
Subject area: Software Engineering
DOI: https://doi.org/10.21203/rs.3.rs-6928225/v1 (version 1, posted June 20th, 2025 on Research Square; license CC BY 4.0)
