Cloud-based Real-time Network Intrusion Detection
Using Deep Learning
Santhosh Parampottupadam and Arghir-Nicolae Moldovan
School of Computing, National College of Ireland, Mayor Street, IFSC, Dublin 1, Ireland
E-mail: santhosh.parampottupadam@student.ncirl.ie; arghir.moldovan@ncirl.ie
Abstract—Deep learning has increased in popularity with
researchers and developers investigating and using it for various
use cases and applications. This research work focuses on real-
time network intrusion detection by making use of deep learning.
A cloud-based prototype system was developed to investigate
the capability of deep learning based binomial classification and
multinomial models to detect network intrusions in real-time. An
evaluation study was carried out using the benchmark NSL-KDD
dataset to compare deep learning models built using H2O and
DeepLearning4J libraries, with other commonly used machine
learning models such as Support Vector Machines, Random
Forest, Logistic Regression and Naïve Bayes. The results showed
that the choice of the deep learning library is an important factor
to consider for real-time applications. The H2O deep learning
based binomial and multinomial models generally outperformed
the other models, achieving over 99.5% accuracy using cross-
validation on the NSL-KDD training dataset and over 83%
accuracy on the test dataset.
Index Terms—Network security, intrusion detection, deep
learning, cloud computing, NSL-KDD.
I. INTRODUCTION
The Internet and related technologies such as networking and
cloud computing are the backbone of a multitude of applications
and services that are used for every aspect of modern life,
from work and education to entertainment. Ericsson [1] estimated
that by 2020 there will be over 8.6 billion connected phones,
1.7 billion connected PCs and tablets, and 18.1 billion IoT
devices. With the increasing dependence on online services,
cyber security attacks represent a major risk facing users and
businesses [2]. Notorious cyber attacks include the Yahoo
breach when 3 billion user accounts were compromised, and
the Target stores breach when the credit card information of
110 million users was compromised [3]. While organizations
are working hard to build better security features by incorporating
recent attack types, new attacks are continuously emerging.
In this context there is an increasing need for new solutions to
predict and prevent network intrusion attacks in real-time.
According to Wang and Jones [4], intrusion detection can
be categorized into 3 types based on its detection mechanism:
anomaly-based detection, signature-based detection, and
hybrid detection, which is a combination of the other two.
These detection systems are based on studying the network
parameters and body contents once an attack has happened.
Anomaly-based detection systems analyse the attack's
payload information, and other information such as the source
and destination ports and internet protocol addresses, to build
the anomaly model [5]. These models tend to be efficient when
the same attack comes again into the system, as they
are built based on the previous attack parameters. But as new
attacks arise, more effective self-learning models should be
implemented in order to enable systems to predict and prevent
yet unseen attacks.
Deep learning has emerged as a new solution that has
the potential to provide more effective network intrusion
detection as it uses algorithms such as feed forward and
back propagation [6]. Smith [7] described best practices for
building novel applications using machine learning models and
suggested developing deep learning based neural networks for
intrusion detection.
This paper investigates the capability of using deep learning
models for network intrusion detection in real-time. A cloud
hosted prototype system was developed that combines a deep
learning binomial classification model to predict if there is
an intrusion, with a multinomial model to identify the attack
category. The prototype system integrates deep learning models
built using the H2O framework [8], as well as a messaging
service to alert the network administrator. An evaluation study
was carried out using the well-known benchmarked NSL-KDD
dataset [9] to compare the H2O deep learning models with
models built using DeepLearning4J, LibSVM, Random Forest,
Logistic Regression and Naïve Bayes. The results showed that
H2O deep learning models generally outperformed the other
models, achieving over 99.5% accuracy using cross-validation
on the training dataset and over 83% accuracy on the test
dataset, for both binomial and multinomial classification.
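The binomial and multinomial models described above need two target columns derived from the same NSL-KDD attack label. The following added example (not code from the paper) shows one way to derive them; the 43-field record layout and the label-to-category grouping are the dataset's usual conventions rather than details given on this page, the function names are hypothetical, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# NSL-KDD training labels grouped into the dataset's four attack categories.
CATEGORY = {
    **dict.fromkeys(["back", "land", "neptune", "pod", "smurf", "teardrop"], "DoS"),
    **dict.fromkeys(["ipsweep", "nmap", "portsweep", "satan"], "Probe"),
    **dict.fromkeys(["ftp_write", "guess_passwd", "imap", "multihop", "phf",
                     "spy", "warezclient", "warezmaster"], "R2L"),
    **dict.fromkeys(["buffer_overflow", "loadmodule", "perl", "rootkit"], "U2R"),
}

def targets(label):
    """Map one raw label to (binomial target, multinomial target)."""
    label = label.strip().lower()
    if label == "normal":
        return "normal", "normal"
    # The test file carries attack labels absent from the training file:
    # they are still attacks for stage 1, but have no stage-2 class here.
    return "attack", CATEGORY.get(label, "unmapped")

def load(text):
    """Parse records laid out as 41 features, label, difficulty score."""
    records = []
    for n, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if len(row) != 43:
            raise ValueError(f"line {n}: expected 43 fields, got {len(row)}")
        binomial, multinomial = targets(row[41])
        records.append({"features": row[:41], "binomial": binomial,
                        "multinomial": multinomial})
    return records

def class_balance(records, key):
    """Count records per class; rare classes show up here before training."""
    return Counter(r[key] for r in records)

def sample_row(label):
    # Constructed record: placeholder feature values, not real NSL-KDD data.
    return ",".join(["0", "tcp", "http", "SF"] + ["0"] * 37 + [label, "20"])

SAMPLE = "\n".join(sample_row(name) for name in
                   ["normal", "neptune", "satan", "rootkit", "mscan", "normal"])

if __name__ == "__main__":
    recs = load(SAMPLE)
    print(class_balance(recs, "binomial"))
    print(class_balance(recs, "multinomial"))
```

Records reported as "unmapped" are attack types the multinomial model never saw during training, so they should be counted separately when comparing cross-validation accuracy with test-set accuracy.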
The rest of the paper is structured as follows. Section II
presents previous research works on network intrusion detection.
Section III presents the methodology of this research
study, while section IV describes the prototype system. Sec-
tion V presents the evaluation results, while section VI con-
cludes the paper and presents future work directions.
II. RELATED WORK
A. Anomaly Based Network Intrusion Detection
Anomaly based intrusion detection is usually the first stage
of defence [4]. Cui and He [10] proposed a solution that used
Hadoop MapReduce to process the input data and supply it
to the Weka machine learning framework. The drawbacks are
that the entire MapReduce iteration must be run again when