In real-time application domains, like finance, healthcare and defence, delay in service or stealing information may lead to unrecoverable consequences. So, early detection of intrusion is important to prevent security breaches. In recent days, anomaly-based intrusion detection using Hybrid Deep Learning approaches are becoming more popular. The most used benchmark datasets in the literature are NSL-KDD and UNSW-NB15, and these datasets are imbalanced. The models built on imbalanced datasets may lead to biased results towards majority classes by neglecting the minority class, even though they are equally important. In many cases, high accuracy is achieved for majority classes in the imbalanced datasets. But, the class-level performances are poor with respect to the minority class. The class balancing will also play an important role in attenuating the bias in prediction for imbalanced datasets. In this paper, a Hybrid Deep Learning Based Intrusion Detection (HDLBID) framework is proposed with CNN-BiLSTM combination. The four techniques, namely, Random Oversampling (ROS), ADASYN, SMOTE, and SMOTE-Tomek, are used for class balancing in the proposed HDLBID framework. The proposed HDLBID with SMOTE-Tomek achieves an overall accuracy of 99.6% with NSL-KDD and 89.02% for UNSW-NB15. It results in an improvement of 13.67% for NSL-KDD and 10.62% for UNSW-NB15 over the existing recent related models. In the proposed HDLBID, in addition to overall accuracy, the class-level F1 score is also calculated. A comparative study is presented to show the effectiveness of balancing dataset compared to imbalanced dataset, and observed that the SMOTE-Tomek class balancing comparatively performed well. An improvement of 37.43% is observed in the U2R class of the NSL-KDD dataset and 61.65% improvement is seen in the Worms class of the UNSW-NB15 dataset, both with SMOTE-Tomek class balancing. Therefore, the proposed HDLBID with SMOTE-Tomek class balancing reports the best results in terms of overall accuracy compared to existing recent related approaches. Also, in terms of class-level analysis, HDLBID reports best results with SMOTE-Tomek over imbalanced version of datasets.

中文翻译：

---

使用基于混合深度学习的 IDS 框架减轻多数攻击类别偏差


在金融、医疗保健和国防等实时应用领域，服务延迟或窃取信息可能会导致无法挽回的后果。因此，及早检测入侵对于防止安全漏洞非常重要。最近几天，使用混合深度学习方法的基于异常的入侵检测变得越来越流行。文献中最常用的基准数据集是NSL-KDD和UNSW-NB15，这些数据集是不平衡的。基于不平衡数据集构建的模型可能会通过忽略少数类别而导致结果偏向多数类别，即使它们同样重要。在许多情况下，不平衡数据集中的大多数类都实现了高精度。但是，与少数民族班级相比，班级水平表现较差。类别平衡还将在减少不平衡数据集预测偏差方面发挥重要作用。本文提出了一种结合 CNN-BiLSTM 的混合深度学习入侵检测（HDLBID）框架。四种技术，即随机过采样 (ROS)、ADASYN、SMOTE 和 SMOTE-Tomek，用于在提议的 HDLBID 框架中进行类平衡。所提出的采用 SMOTE-Tomek 的 HDLBID 在 NSL-KDD 中实现了 99.6% 的总体准确率，在 UNSW-NB15 中实现了 89.02% 的总体准确率。与现有的最新相关模型相比，NSL-KDD 提高了 13.67%，UNSW-NB15 提高了 10.62%。在提出的HDLBID中，除了总体准确率之外，还计算类级别的F1分数。进行了比较研究，以显示平衡数据集与不平衡数据集相比的有效性，并观察到 ​​SMOTE-Tomek 类平衡表现相对较好。在 NSL-KDD 数据集的 U2R 类中观察到了 37.43% 的改进，61.UNSW-NB15 数据集的 Worms 类提高了 65%，均采用 SMOTE-Tomek 类平衡。因此，与现有的最新相关方法相比，提出的具有 SMOTE-Tomek 类平衡的 HDLBID 在整体精度方面报告了最佳结果。此外，在类级别分析方面，HDLBID 报告了 SMOTE-Tomek 在数据集不平衡版本上的最佳结果。