DLMHS: Flow‐based intrusion detection system using deep learning neural network and meta‐heuristic scale

Summary The technological growth of the internet gained applications in various areas of human life like banking, public networking, online transactions, and electronic trade. The exponential growth of these services leads to increase of network traffic, and results increase in the number of possible network attacks. The researchers proposed various methodologies to address these from decades. It is evident from the literature that machine learning techniques, ANN methods, and Meta‐Heuristic approaches have gained significant reputation in handling security attacks and these methods depend on features of requests for extracting the knowledge. It is observed that the exponential growth in the volume of transactions in network traffic contains diversified behavior and exhibits deviation in feature values. Hence, it is required to consider the associability of transactions and its feature values. In this paper, a unique set of flow level features is defined to extract the knowledge from the traffic. The diversified behavior of the traffic is addressed with ensemble classifiers with distribution similarity and drift detection. The proposed model derives a threshold value using feature impact scale for the classifiers defined in the ensemble and analyzes the flow characteristics based on the threshold. The Deep Learning Neural Network (DLNN) is used for attack detection at flow level to validate the traffic as normal or attack. The experimental study is carried out with NSL‐KDD benchmark datasets to analyze the statistical parameters. Furthermore, the proposed model (DLMHS) is compared with existing models described in literature. Deep learning Neural Network (DLNN)‐based attack classification at flow level has been presented in the manuscript. The flow‐based detection is the novel approach, earlier the attack detection was done at packet level, and these packet level approaches are prone to detection accuracy and false alarms. This issue has been addressed and improved the detection accuracy with DLNN classification method at flow level detection rather than request level with predefined unique set of flow features. However, the diversity of the incoming traffic and flow characteristics occurs when the volume of the input corpus increases. The diversified characteristics of the traffic are evaluated with KS test and improved the detection accuracy and minimize the false alarms for the traffic from distributed environments.