An improved long short term memory network for intrusion detection
PLOS ONE
RESEARCH ARTICLE
Asmaa Ahmed Awad 2, Ahmed Fouad Ali 2,3 ☯, Tarek Gaber 1,2 ☯ *
1 School of Science, Engineering and Environment University Salford, Manchester, United Kingdom,
2 Department of Computer Science, Faculty of Computers and Informatics, Suez Canal University, Ismailia,
Egypt, 3 Faculty of Information Technology, Misr University for Science and Technology, Egypt
☯ These authors contributed equally to this work.
OPEN ACCESS
Citation: Awad AA, Ali AF, Gaber T (2023) An
improved long short term memory network for
intrusion detection. PLoS ONE 18(8): e0284795.
https://doi.org/10.1371/journal.pone.0284795
Editor: Nebojsa Bacanin, Univerzitet Singidunum,
SERBIA
Received: December 16, 2022
Accepted: April 7, 2023
Published: August 1, 2023
Peer Review History: PLOS recognizes the
benefits of transparency in the peer review
process; therefore, we enable the publication of
all of the content of peer review and author
responses alongside final, published articles. The
editorial history of this article is available here:
https://doi.org/10.1371/journal.pone.0284795
Copyright: © 2023 Awad et al. This is an open
access article distributed under the terms of the
Creative Commons Attribution License, which
permits unrestricted use, distribution, and
reproduction in any medium, provided the original
author and source are credited.
Data Availability Statement: The data underlying
the results presented in the study are available
from (http://nsl.cs.unb.ca/NSL-KDD/). The
standard dataset, NSL-KDD 2009 (Network
Security Laboratory- Knowledge Discovery and
Data Mining) was used and it is available at
https://www.unb.ca/cic/datasets/nsl.html. A second
dataset was also used and it is available here:
https://dataset.litnet.lt/data.php.
Funding: The authors received no specific funding
for this work.
Competing interests: The authors have declared
that no competing interests exist.
Abstract
Over the years, intrusion detection systems have played a crucial role in network security by
discovering attacks from network traffic and generating an alarm signal to be sent to the
security team. Machine learning methods, e.g., Support Vector Machine, K Nearest Neighbour, have been used in building intrusion detection systems, but such systems still suffer
from low accuracy and high false alarm rate. Deep learning models (e.g., Long Short-Term
Memory, LSTM) have been employed in designing intrusion detection systems to address
this issue. However, LSTM needs a high number of iterations to achieve high performance.
In this paper, a novel and improved version of the Long Short-Term Memory (ILSTM) algorithm was proposed. The ILSTM is based on the novel integration of the chaotic butterfly
optimization algorithm (CBOA) and particle swarm optimization (PSO) to improve the accuracy of the LSTM algorithm. The ILSTM was then used to build an efficient intrusion detection system for binary and multi-class classification cases. The proposed algorithm has two
phases: phase one involves training a conventional LSTM network to get initial weights, and
phase two involves using the hybrid swarm algorithms, CBOA and PSO, to optimize the
weights of LSTM to improve the accuracy. The performance of ILSTM and the intrusion
detection system were evaluated using two public datasets (NSL-KDD dataset and LITNET2020) under nine performance metrics. The results showed that the proposed ILSTM algorithm outperformed the original LSTM and other related deep-learning algorithms regarding
accuracy and precision. The ILSTM achieved an accuracy of 93.09% and a precision of
96.86% while LSTM gave an accuracy of 82.74% and a precision of 76.49%. Also, the
ILSTM performed better than LSTM in both datasets. In addition, the statistical analysis
showed that ILSTM is more statistically significant than LSTM. Further, the proposed ILSTM
gave better results of multiclassification of intrusion types such as DoS, Prob, and U2R
attacks.
1 Introduction
With the growth of the internet and the increasing use of technology in our daily lives, cybercrime has become a major concern for individuals, businesses, and governments alike.
Cybercrime refers to criminal activities that are carried out using computers or the internet,
such as hacking, phishing, identity theft, and malware attacks [1]. Many of the applications
(like online banking, e-commerce, and healthcare services) which we use in our daily lives contain confidential and personal information that needs to be protected. To protect these applications, it is important to take a proactive approach to cybersecurity [2]. Furthermore, with
the increasing number of connected smart devices in the IoT environment, there are also
increasing security threats and vulnerabilities. Therefore, additional security considerations
are necessary to safeguard these devices and the data they transmit. AI-based security solutions
such as anomaly and intrusion detection and network traffic monitoring can be useful tools in
enhancing IoT security [3, 4].
The concept of intrusion detection (ID) dates back to 1970 when it was extensively adopted
to protect computer networks against both known and unknown attacks [5]. An intrusion
detection system (IDS) is software that monitors a network for malicious activities and generates an alarm signal to be sent to the security team. Anomaly- and signature-based are the two
main methods used in IDS. Signature-based IDS detects attacks based on matching input data
with the signatures of known attacks. An anomaly-based IDS catches attacks by comparing
abnormal behaviour to normal behaviour. Signature-based detection is unable to detect attacks
that have not been seen before while anomaly-based detection often has high false positive
rates [6].
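The trade-off described above, as an added example that is not part of the original article: a signature rule and a z-score anomaly profile are run over the same four records, and each one's detection rate and false alarm rate are computed. The records, the signature and the threshold are constructed for illustration; only the field names (flag, src_bytes, count) follow NSL-KDD.

```python
from statistics import mean, stdev

# Constructed sample records; field names follow NSL-KDD (flag, src_bytes, count).
BASELINE = [  # benign traffic used to learn "normal" behaviour
    {"flag": "SF", "src_bytes": 210, "count": 3},
    {"flag": "SF", "src_bytes": 340, "count": 5},
    {"flag": "SF", "src_bytes": 180, "count": 2},
    {"flag": "SF", "src_bytes": 290, "count": 4},
    {"flag": "SF", "src_bytes": 250, "count": 6},
]
TRAFFIC = [  # (name, record, is_attack), all constructed
    ("syn_flood", {"flag": "S0", "src_bytes": 0, "count": 480}, True),
    ("unseen_attack", {"flag": "SF", "src_bytes": 95000, "count": 4}, True),
    ("nightly_backup", {"flag": "SF", "src_bytes": 88000, "count": 3}, False),
    ("web_request", {"flag": "SF", "src_bytes": 260, "count": 4}, False),
]

# Hypothetical signature: many half-open (S0) connections to one host.
SIGNATURES = [lambda r: r["flag"] == "S0" and r["count"] > 100]

def signature_alert(rec):
    """Alert only when the record matches a known attack pattern."""
    return any(sig(rec) for sig in SIGNATURES)

def fit_profile(records, features=("src_bytes", "count")):
    """Learn mean and sample standard deviation per numeric feature."""
    return {f: (mean(r[f] for r in records), stdev(r[f] for r in records))
            for f in features}

def anomaly_alert(rec, profile, z_max=3.0):
    """Alert when any feature deviates more than z_max deviations from normal."""
    return any(abs(rec[f] - mu) / sd > z_max for f, (mu, sd) in profile.items())

def evaluate(alert):
    """Return (detection rate, false alarm rate, names alerted on)."""
    hits = [n for n, r, _ in TRAFFIC if alert(r)]
    attacks = [n for n, _, a in TRAFFIC if a]
    benign = [n for n, _, a in TRAFFIC if not a]
    dr = sum(n in hits for n in attacks) / len(attacks)
    far = sum(n in hits for n in benign) / len(benign)
    return dr, far, hits

PROFILE = fit_profile(BASELINE)
SIG_RESULT = evaluate(signature_alert)                      # misses the unseen attack
ANOM_RESULT = evaluate(lambda r: anomaly_alert(r, PROFILE))  # flags the benign backup

if __name__ == "__main__":
    print("signature:", SIG_RESULT)
    print("anomaly:  ", ANOM_RESULT)
```

The signature detector raises no false alarms but misses the attack it has no rule for, while the anomaly detector catches both attacks and also alerts on the unusually large but benign backup.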
Machine learning (ML) algorithms have been used for over 20 years to improve the performance of IDS [7]. Two types of ML have been used for building anomaly detection models: shallow
learning and deep learning. In general, shallow learning (Bayesian networks, support vector
machines (SVMs), and artificial neural networks (ANNs)) depends on extracting features to create the prediction model [2], while deep learning has the ability to generate superior models
by extracting better representations from the raw data [8]. Deep learning is a type of ML that
uses artificial neural networks with multiple layers to learn hierarchical representations of
data. DL can learn feature hierarchies based on massive amounts of unlabeled information,
making it particularly useful for processing complex, high-dimensional data. Examples of DL
algorithms include deep neural networks (DNNs) [9], convolutional neural networks (CNNs)
[10], and recurrent neural networks (RNNs). One of the advantage (...truncated)