Received November 27, 2020, accepted December 27, 2020, date of publication December 30, 2020,

date of current version January 13, 2021.

Digital Object Identifier 10.1109/ACCESS.2020.3048198

Intrusion Detection of Imbalanced Network

Traffic Based on Machine Learning
and Deep Learning
LAN LIU 1, PENGCHENG WANG 1, JUN LIN 2, AND LANGZHOU LIU 1
1 School of Electronic and Information Engineering, Guangdong Polytechnic Normal University, Guangzhou 510655, China
2 China Electronic Product Reliability and Environmental Testing Research Institute, Guangzhou 510610, China

Corresponding author: Jun Lin (linjun@ceprei.com)

This work was supported in part by the National Natural Science Foundation of China under Grant 61972104, in part by the Special Project
for Research and Development in Key Areas of Guangdong Province under Grant 2019B010121001, and in part by the Special Fund for
Science and Technology Innovation Strategy of Guangdong Province under Grant 2020A0332.

ABSTRACT In imbalanced network traffic, malicious cyber-attacks can often hide in large amounts of
normal data. It exhibits a high degree of stealth and obfuscation in cyberspace, making it difficult for Network
Intrusion Detection System(NIDS) to ensure the accuracy and timeliness of detection. This paper researches
machine learning and deep learning for intrusion detection in imbalanced network traffic. It proposes a novel
Difficult Set Sampling Technique(DSSTE) algorithm to tackle the class imbalance problem. First, use the
Edited Nearest Neighbor(ENN) algorithm to divide the imbalanced training set into the difficult set and the
easy set. Next, use the KMeans algorithm to compress the majority samples in the difficult set to reduce
the majority. Zoom in and out the minority samples’ continuous attributes in the difficult set synthesize new
samples to increase the minority number. Finally, the easy set, the compressed set of majority in the difficult,
and the minority in the difficult set are combined with its augmentation samples to make up a new training set.
The algorithm reduces the imbalance of the original training set and provides targeted data augment for the
minority class that needs to learn. It enables the classifier to learn the differences in the training stage better
and improve classification performance. To verify the proposed method, we conduct experiments on the
classic intrusion dataset NSL-KDD and the newer and comprehensive intrusion dataset CSE-CIC-IDS2018.
We use classical classification models: random forest(RF), Support Vector Machine(SVM), XGBoost,
Long and Short-term Memory(LSTM), AlexNet, Mini-VGGNet. We compare the other 24 methods; the
experimental results demonstrate that our proposed DSSTE algorithm outperforms the other methods.

INDEX TERMS IDS, imbalanced network traffic, machine learning, deep learning, CSE-CIC-IDS2018.

I. INTRODUCTION James Anderson first proposed the concept of intrusion

With the rapid development and wide application of 5G, IoT, detection in 1980, and then some scholars applied machine
Cloud Computing, and other technologies, network scale, learning methods in intrusion detection [1]. However, due
and real-time traffic become more complex and massive, to the limitation of computer storage and computing power
cyber-attacks have also become complex and diverse, bring- at that time, machine learning failed to attract attention.
ing significant challenges to cyberspace security. As the sec- With the rapid development of computers and the emer-
ond line of defense behind the firewall, the Network Intrusion gence and promotion of Artificial Intelligence(AI) and other
Detection System(NIDS) needs to accurately identify mali- technologies, many scholars have applied machine learning
cious network attacks, provide real-time monitoring and methods to network security. They have achieved certain
dynamic protection measures, and formulate strategies. results [2]–[4].
In real cyberspace, normal activities occupy the dominant
position, so most traffic data are normal traffic; only a few
The associate editor coordinating the review of this manuscript and are malicious cyber-attacks, resulting in a high imbalance of
approving it for publication was Emre Koyuncu . categories. In the highly imbalanced and redundant network

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
7550 VOLUME 9, 2021
L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

traffic data, intrusion detection is facing tremendous pressure. Pervez proposed a new method for feature selec-
Cyber-attacks can hide in a large amount of normal traf- tion and classification merging of multi-class NSL-KDD
fic. Therefore, the machine learning algorithm cannot fully Cup99 dataset using Support Vector Machine(SVM) and dis-
learn the distribution of a few categories, and it is easy to cussed the classification accuracy of classifiers under dif-
misclassify [5]. ferent dimension features [12]. Shiraz studied some new
Since Lecun et al. [6] proposed the theory of Deep Learn- technologies to improve CANN intrusion detection methods’
ing as an essential subfield of machine learning, deep learn- classification performance and evaluated their performance
ing has shown excellent performance in Computer Vision on the NSL-KDD Cup99 dataset [13]. He used the K Farthest
(CV) [7], Natural Language Processing (NLP) [8]. Intrusion Neighbor(KFN) and the K Nearest Neighbor(KNN) to clas-
detection technology based on deep learning has been widely sify the data and used the Second Nearest Neighbor(SNN)
studied in academia and industry. The method of deep learn- of the data when the nearest and farthest neighbors have
ing is to mine the potential features of high-dimensional data the same class label. The result shows the CANN detec-
through training models and convert network traffic anomaly tion rate and reduces the failure the alert rate is improved
detection problems into classification problems [9]. By train- or provides the same performance. Bhattacharya proposed
ing a large number of data samples, adaptive learning of the a machine learning model based on hybrid Principal Com-
difference between normal behavior and abnormal behavior ponent Analysis(PCA)-Firefly [14]. The dataset used was
effectively enhances the real-time performance of intrusion the open dataset collected from Kaggle. Firstly, the model
processing. However, in the multi-classification of network performs one key coding for transforming the IDS dataset,
traffic, the imbalance of classification still affects. then uses the hybrid PCA-Firefly algorithm to reduce the
Faced with imbalanced network traffic data, we propose a dimension, and the XGBoost algorithm classifies the reduced
novel Difficult Set Sampling Technique(DSSTE) algorithm dataset.
to tackle the class imbalance problem in network traffic. In recent years, with the powerful ability of automatic fea-
This method effectively reduces the imbalance and makes the ture extraction, deep learning has made remarkable achieve-
classification model learning difficult samples more effective. ments in the fields of Computer Vision(CV), Autonomous
We use classic machine learning and deep learning algorithms driving(AD), Natural Language Processing(NLP). Many
to verify on two benchmark datasets. The specific contribu- scholars apply deep learning to intrusion detection for traf-
tions are as follows. fic classification, which has become a hot spot of current
(1) We use the classic NSL-KDD and the up-to-date CSE- research. The method of deep learning is to mine the potential
CIC-IDS2018 as benchmark datasets and conduct detailed characteristics of high-dimensional data through a training
analysis and data cleaning. model and transform network traffic anomaly detection into
(2) This work proposes a novel DSSTE algorithm, reducing classification problem [15]. Through a large number of sam-
the majority samples and augmenting the minority samples ple data training, adaptive learning between normal network
in the difficult set, tackling the class imbalance problem in traffic and abnormal network traffic effectively enhances
intrusion detection so that the classifier learns the differences real-time intrusion processing.
better in training. Torres et al. [16] first converted network traffic charac-
(3) The classification model uses Random Forest(RF), teristics into a series of characters and then used Recurrent
Support Vector Machine(SVM), XGBoost, Long and Short Neural Network(RNN) to learn their temporal characteristics,
Time Memory(LSTM), AlexNet, Mini-VGGNet. Compar- which were further used to detect malicious network traffic.
ing with other methods, we divide the experiment into Wang et al. [17] proposed a malicious software traf-
30 methods. fic classification algorithm based on Convolutional Neu-
The rest of this article is organized as follows. The second ral Network(CNN). By mapping the traffic characteristics
part mainly introduces the related work of intrusion detection to pixels, the network traffic image is generated, and the
and class imbalance research. The third section introduces image is used as the input of the CNN to realize traffic
our proposed DSSTE algorithm, machine learning, and deep classification. Staudemeyer and Shamsinejad [13] proposed
learning algorithm. The fourth section analyzes and experi- an intrusion detection algorithm based on Long Short-Term
ments on the benchmark dataset. Finally, the paper concludes Memory(LSTM), which detects DoS attacks and probe
in the fifth section. attacks with unique time series in the KDD Cup99 dataset.
Kwon et al. [18] has carried out relevant research on the deep
learning model, focusing on data simplification, dimension
II. RELATED WORKS reduction, classification, and other technologies, and pro-
A. INTRUSION DETECTION SYSTEM(IDS) poses a Fully Convolutional Network(FCN) model. By com-
In the research of network intrusion detection based on paring with the traditional machine learning technology, it is
machine learning, scholars mainly distinguish normal net- proved that the FCN model is useful for network traffic anal-
work traffic from abnormal network traffic by dimensionality ysis. Tama et al. [19] proposed an anomaly-based IDS based
reduction, clustering, and classification, to realize the identi- on a two-stage meta-classifier, which uses a hybrid feature
fication of malicious attacks [10], [11]. selection method to obtain accurate feature representations.

VOLUME 9, 2021 7551

 L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

They conducted on the proposed method on the NSL-KDD III. METHOD

and UNSW-NB15 intrusion datasets and improved detection Faced with imbalanced network traffic, we propose the
rates. Difficult Set Sampling Technique(DSSTE) algorithm to
compress the majority samples and augment the num-
B. CLASS BALANCING METHODS ber of minority samples in difficult samples, reducing
In the field of machine learning, the problem of category imbalance in the training set that the intrusion detec-
imbalance has always been a challenge. Therefore, intrusion tion system can achieve better classification accuracy.
detection also faces enormous challenges in network traf- We use Random Forest, SVM, XGBoost, LSTM, Mini-
fic with extremely imbalanced categories. Therefore, many VGGNet, and AlexNet as classifiers for classification
scholars have begun to study how to improve the intrusion models.
recognition accuracy of imbalanced network traffic data. We proposed the intrusion detection model shown in
Piyasak proposed a method to improve the accuracy Figure 1. Data pre-processing first performed in our intrusion
of minority classification [20]. This method combines the detection structure, including duplicate, outlier, and miss-
Synthetic Minority Over-sampling Technique(SMOTE) and ing value processing. Then, partitioning the test set and the
Complementary Neural Network(CMTNN) to solve imbal- training set, and the training set processed for data balanc-
anced data classification. Experiments on the UCI dataset ing using our proposed DSSTE algorithm. Before model-
show that the proposed combination technique can improve ing, to increase the speed of the convergence, we use Stan-
class imbalance problems. Yan proposed an improved dardScaler to standardize the data and digitize the sample
local adaptive composite minority sampling algorithm labels. Finally, the processed training set is used to train the
(LA-SMOTE) to deal with the network traffic imbalance classification model, and then the model is evaluated by the
problem and then based on the deep learning GRU neural test set.
network to detect the network traffic anomaly [21]. Abdul-
hammed et al. [22] deal with the imbalanced dataset CIDDS-
001 using data Upsampling and Downsampling methods, and A. DSSTE ALGORITHM
by Deep Neural Networks, Random Forest, Voting, Varia- In imbalanced network traffic, different traffic data types
tional Autoencoder, and Stacking Machine Learning clas- have similar representations, especially minority attacks can
sifiers to evaluate datasets. In their proposed method, the hide among a large amount of normal traffic, making it
accuracy can reach 99.99%. difficult for the classifier to learn the differences between
Recently, Chuang and Wu [23] trained the depth automatic them during the training process. In the similar samples of
encoder to establish a data generation model to generate the imbalanced training set, the majority class is redundant
reasonable data needed to form a balanced dataset. His exper- noise data. The number is much larger than the minority
iments show that the generation of balanced datasets helps to class, making the classifier unable to learn the distribu-
deal with the problem of over fitting caused by imbalanced tion of the minority class, so we compress the majority
data, and it can prevent the training model from misjudging class. The minority class discrete attributes remain constant,
new data types, including those not in the training dataset. and there are differences in continuous attributes. There-
Bedi et al. [24] proposed a new type of IDS based on Siamese fore, the minority class’s continuous attributes are zoomed
Neural Network(Siamese-NN), the proposed Siam-IDS can to produce data that conforms to the true distribution.
detect R2L and U2R attacks without using traditional class Therefore, we propose the DSSTE algorithm to reduce the
balancing techniques, such as over-sampling and random imbalance.
under-sampling. The performance of Siam-IDS was com- First, the imbalanced training set to divide into
pared with Deep Neural Network(DNN) and CNN, Siam-IDS near-neighbor set and far-neighbor set by Edited Nearest
can achieve a higher recall value for R2L and U2R attack Neighbor(ENN) algorithm. The samples in the near-neighbor
categories compared with similar products. set are highly similar, making it very difficult for the classifier
Most scholars use interpolation, oversampling, encoder to learn the differences between the categories, so we refer
synthesis data, and other data augmentation methods, balance to the samples in the near-neighbor set as difficult samples
the training set, and achieve better experimental performance and the far-neighbor set as easy samples. Next, we zoom
results. Although their method synthetic close to real data and in and out the minority samples in difficult set. Finally,
effectively expand the minority class, the test data distribu- the easy set and minority in difficult set are combined with its
tion may exceed the range. The classifier cannot accurately augmentation samples to make up a new training set. We use
predict this distribution. We propose the DSSTE algorithm the K neighbors in the ENN algorithm as the scaling factor
to mine the difficult samples in the imbalanced training set, of the entire algorithm. When scaling factor K increases,
compress the majority class among them, and zoom in or the number of difficult samples increases, and the compres-
out the minority class’s continuous attributes. This method sion rate of the majority of samples and the synthesis rate of
reduces the imbalance and produces data that conforms to the the minority of class also increase. The DSSTE algorithm is
true distribution. written as Algorithm 1.

7552 VOLUME 9, 2021

L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

FIGURE 1. The overall framework of network intrusion detection model.

B. MACHINE LEARNING AND DEEP LEARNING small sample, nonlinear, and high-dimensional pattern recog-
ALGORITHMS nition and can be extended to other functions such as function
In the classifier’s design, we use Random Forest, SVM, fitting Machine learning problems [27]. Before the rise of
XGBoost, LSTM, AlexNet, and Mini-VGGNet to train and deep learning, SVM was considered the most successful and
test, which are detailed in the following part. best-performing machine learning method in recent decades.
The SVM method is based on the Vapnik Chervonenkis(VC)
dimension theory of statistical learning theory and the prin-
1) RANDOM FOREST
ciple of structural risk minimization. Its basic idea is to find
Leo Breiman proposed random Forest in 2001 [25]. Random
a separation hyperplane between different categories, so that
Forest is an excellent supervised learning algorithm that can
different category can be better separated. The SVM method
train a model to predict which classification results in a
believes that when deciding to separate the hyperplane, only
certain sample type belong to based on a given dataset’s char-
the sample point closest to the hyperplane, as long as the
acteristic attributes and classification results. Random Forest
support vector is found, the hyperplane can be determined.
is based on a decision tree and adopts the Bagging(Bootstrap
aggregating) method to create different training sample sets.
The random subspace division strategy selects the best
attribute from some randomly selected attributes to split inter- 3) XGBoost
nal nodes. The various decision trees formed are used as
XGBoost is a parallel regression tree model that combines
weak classifiers, and multiple weak classifiers form a robust
the idea of Boosting, which is improved based on gradient
classifier, and the voting mechanism is used to classify the
descent decision tree by Chen and Guestrin [28]. Compared
input samples. After a random forest has established a large
with the GBDT(Gradient Boosting Decision Tree) model,
number of decision trees according to a certain random rule
XGBoost overcomes the limited calculation speed and accu-
when a new set of samples is input, each decision tree in the
racy. XGBoost adds regularization to the original GBDT loss
forest makes a prediction on this set of samples separately,
function to prevent the model from overfitting. The traditional
and integrates the prediction results of each tree, get a final
GBDT performs a first-order Taylor expansion on the calcu-
result.
lated loss function and takes the negative gradient value as
the residual value of the current model. In contrast, XGBoost
2) SUPPORT VECTOR MACHINE performs a second-order Taylor expansion to ensure the accu-
Coretes and Vapink first proposed support Vector Machine racy of the model. Moreover, XGBoost blocks and sorts each
(SVM) in 1995 [26]. It shows many unique advantages in a feature, making it possible to parallelize the calculation when

VOLUME 9, 2021 7553

 L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

Algorithm 1 DSSTE Algorithm

Input: Imbalanced training set S, scaling factor K
Output: New training set SN
1: Step1: Distinguish easy set and difficult set
2: Take all samples from S and set it as SE
3: for each sample ∈ SE do
4: Compute its K nearest neighbors
5: Remove whose most K nearest neighbor samples are of different classes from SE
6: end for
7: Easy set SE , difficult set SD = S − SE
8: Step2: Compress the majority samples in difficult set by the cluster centroid
9: Take all the majority samples from SD and set it as SMaj
10: Use KMeans algorithm with K cluster
11: Use the coordinates of the K cluster centroids replace the majority samples in SMaj
12: Compressed the majority samples set SMaj
13: Step3: Zoom augmentation
14: Take the minority samples from SD and set it as SMin
15: Take the Discrete attributes from SMin and set it as XD
16: Take the Continuous attributes from SMin and set it as XC
17: Take the Label attributes from SMin and set it as Y
18: for n ∈ range(K , K + S .shape[0] ) do // zoom range is [1 − K1 , 1 + K1 ], SMin .shape[0] is number of samples in SMin
number
Min
19: XD1 = XD
20: XC1 = XC × (1 − 1n )
21: XD2 = XD
22: XC2 = XC × (1 + 1n )
23: SZ append [concat(XD1 , XC1 , Y ), concat(XD2 , XC2 , Y )]
24: end for
25: New training set SN = SE + SMaj + SMin + SZ

looking for the best split point, which significantly acceler- connected layers, which are not counted in the Activation
ates the calculation speed [29]. layer and pooling layer. The ReLU function is used as the acti-
vation function in the AlexNet convolutional layer, instead
4) LONG SHORT-TERM MEMORY of the Sigmoid function widely used in previous networks.
The Long Short-Term Memory(LSTM) network is a Recur- The introduction of the ReLU function solves the problem
rent Neural Network(RNN) structure proposed by Hochreiter of gradient dispersion when the neural network is deep. The
and Jurgen in 1997 [30]. Like most RNN, the LSTM network AlexNet neural network uses the Maxpooling method in the
is universal because as long as there is a suitable weight convolutional layer to downsample the feature map output by
matrix, the LSTM network can calculate any network element the convolutional layer, instead of the average pooling com-
that can be calculated by any conventional computer. Dif- monly used before. Therefore, the AlexNet neural network
ferent from the traditional RNN, the LSTM network is very has better performance than the previous neural network.
suitable for learning from experience. When there is a time
lag of unknown size and boundary between important events, 6) MINI-VGGNet
the time series can be classified, processed, and predicted. In 2014, researchers from the Visual Geometry Group of
LSTM is not sensitive to gap length and has advantages over Oxford University and Google DeepMind jointly developed
other RNN and hidden Markov models and other sequence a new deep convolutional neural network: VGGNet and
learning methods in many applications [31]. The problem of won second place in the ILSVRC2014 classification project.
gradient disappearance and gradient explosion is solved by Their paper ‘‘Very Deep Learning Convolutional Neural Net-
introducing the gate structure and storage unit. works for Large-Scale Image Recognition’’ mainly focuses
on the influence of convolutional neural networks’ depth
5) AlexNet on the recognition accuracy of large-scale image sets [33].
AlexNet is one of the classic basic networks of deep learning. The main contribution is to use a small convolution kernel
It was proposed by Hinton and his student Alex Krizhevsky (3 × 33 × 3) to construct various depths of convolutional neu-
in 2012 [32]. Its main structure is an 8-layer deep neural net- ral network structures. Moreover, it evaluated these network
work, including 5-layer convolutional layers and 3-layer fully structures and finally proved that the 16-19 layer network

7554 VOLUME 9, 2021

L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

depth could achieve better recognition accuracy. VGG-16 and TABLE 1. Description of the NSL-KDD features.
VGG-19 are commonly used to extract image features. VGG
can be regarded as a deepened version of AlexNet. The entire
network is superimposed by a convolutional layer and a fully
connected layer. Unlike AlexNet, VGGNet uses a small-sized
convolution kernel(3 × 3).
AlexNet is one of the classic basic networks of deep
learning. It was proposed by Hinton and his student Alex
Krizhevsky in 2012 [32]. Its main structure is an 8-layer deep
neural network, including 5-layer convolutional layers and
3-layer fully connected layers, which are not counted in the
Activation layer and pooling layer. The ReLU function is CSE-CIC-IDS2018 is an intrusion detection dataset cre-
used as the activation function in the AlexNet convolutional ated by the Canadian Institute of Cyber Security (CIC) on
layer, instead of the Sigmoid function widely used in previ- AWS (Amazon Web Services) in 2018. It is also the latest and
ous networks. The introduction of the ReLU function solves comprehensive intrusion dataset currently publicly available
the problem of gradient dispersion when the neural network [39]. CSE-CIC-IDS2018 is a dataset collected for launching
is deep. The AlexNet neural network uses the Maxpooling real attacks. It is an improvement based on the CSE-CIC-
method in the convolutional layer to downsample the feature IDS2017 dataset. It contains the necessary standards for the
map output by the convolutional layer, instead of the average attack dataset and covers various known attack types. The
pooling commonly used before. Therefore, the AlexNet neu- dataset contains six different attack scenarios: Brute Force,
ral network has better performance than the previous neural Botnet, DoS, DDoS, Web Attacks, and Infiltration. Each
network. sample in CSE-CIC-IDS2018 includes 83 features listed
In this experiment, because we have fewer traffic character- in Table 2.
istics, we used the Mini-VGGNet(miniVGG) network men-
tioned by Ismail for classification experiments [34]. In gen- TABLE 2. Description of the CSE-CIC-IDS2018 features.
eral, Mini-VGGNet contains two sets of CONV = > RELU
= > CONV = > RELU = > POOL, followed by FC = >
RELU = > FC = > SOFTMAX layer. The first two CONV
layers will learn 32 3 × 3 cores. The last two CONV layers
will learn 64 cores that are also 3 × 3. The POOL layer will
perform a Maxpooling operation with 2 × 2 cores and a Stride
of 2 × 2.

IV. EXPERIMENT
In this experiment, we use the classical classification algo-
rithms of machine learning and deep learning, includ-
ing Random Forest(RF), Support Vector Machine(SVM),
XGBoost, Long Short-Term Memory(LSTM), AlexNet, and
Mini-VGGNet. And compared with other oversampling
methods, including Random Under-sampling(RUS) [35],
Random Over-sampling(ROS) [36] and Synthetic Minority We use t-SNE to visualize the NSL-KDD and CSE-CIC-
Over-sampling TEchnique(SMOTE) [37], it is divided into IDS2018 by dimensionality reduction [40]. As shown in
30 methods to combine. Figure 2, we can see that the normal samples are much larger
than the attack samples, making some attacks easy to hide and
A. BENCHMARK DATASET confusion among them makes traditional intrusion detection
We choose NSL-KDD and CSE-CIC-IDS2018 as the bench- technology increasingly challenging to detect.
mark dataset for experiments. In NSL-KDD dataset, we use KDDTrain+ and KDDTest+
NSL-KDD is the most classic dataset in the field of as the training set and test set, and it is divided into five
intrusion detection [38]. It is an improvement based on the categories: Normal, DOS, R2L, Probe, U2R. Since CSE-CIC-
KDD99 dataset and is reasonably divided into different diffi- IDS2018 is a huge and redundant dataset, there is no official
culty levels in the test set. Although it still has some problems division between training and test sets. In order to ensure
and is not a perfect representation of the existing real network, the imbalance of traffic data and verify the effectiveness of
it can still be used as an effective benchmark dataset to our proposed method. We randomly selected 40,000 Benign
help researchers compare different intrusion detection meth- traffic. For the attack traffic data with more than 20,000,
ods. Each sample in NSL-KDD includes 41 features listed we randomly selected 20,000 from them. For the attack traffic
in Table 1. data with less than 20,000, we all pick it out. Since DoS

VOLUME 9, 2021 7555

 L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

FIGURE 2. Use t-SNE to visualize NSL-KDD(a) and CSE-CIC-IDS2018(b).

attacks-SlowHTTPTest only has three valid data after remov- divided into three categories, including 11 categories for flag
ing features such as Timestamp, we will not add them to our function and 70 categories for service function. Therefore,
experiment. Furthermore, divide 80% of the selected data into the 41 dimensions initial feature vector becomes 122 dimen-
the training set and 20% into the test set. sions.
NSL-KDD, CSE-CIC-IDS2018 are highly imbalanced (4) Numerical standardization: In order to eliminate the
datasets, with normal traffic accounting for the vast majority, dimensional influence between indicators and accelerate the
which conforms to traffic data distribution in the whole net- gradient descent and model convergence, the data is standard-
work world. We have performed traffic label statistics on tens ized, that is, the method of obtaining Z-Score, so that the
of millions of samples, and it can be seen that the abnormal average value of each feature becomes 0 and the standard
traffic is much smaller than the normal traffic. The specific deviation becomes 1, converted to a standard normal distribu-
results are shown in Table 3. tion, which is related to the overall sample distribution, and
each sample point can have an impact on standardization. The
B. DATA PREPROCESSING standardization formula is as follows, u is the mean of each
When the dataset is extracted, part of the data contains some feature, s is the standard deviation of each feature, and xi0 is
noisy data, duplicate values, missing values, infinity values, the element corresponding to each column’s features.
etc. due to extraction errors or input errors. Therefore, we first XN
perform data preprocessing. The main work is as follows. u= xi (1)
i=1
(1) Duplicate values: delete the sample’s duplicate value, XN
only keep one valid data. s= (xi − u)2 (2)
i=1
(2) Outliers: in the sample data, the sample size of missing xi − u
values(Not a Number, NaN) and Infinite values(Inf) is small, xi0 = (3)
s
so we delete this.
(3) Features delete and transform: In CSE-CIC-IDS2018, C. EXPERIMENTAL PARAMETERS
we delete features such as ‘‘Timestamp’’, ‘‘Destination The proposed method uses the Sklearn(machine learning
Address’’, ‘‘Source Address’’, ‘‘Source Port’’, etc. If features framework) and Tensorflow(deep learning framework) and
‘‘Init Bwd Win Byts’’ and features ‘‘Init Fwd Win Byts’’ have completes related experiments on the Google Colaboratory
a value of −1, we add two check dimensions. The mark of platform. The machine learning algorithm uses CPU calcula-
−1 is 1. Otherwise, it is 0. In NSL-KDD, we use the OneHot tions, and the deep learning algorithm uses TPU for acceler-
encoder to complete this conversion. For example, ‘‘TCP’’, ation. The specific parameters are shown in Table 4.
‘‘UDP’’ and ‘‘ICMP’’ are functions of three protocol types. To prevent overfitting, we standardized the data.
After OneHot encoding, they become binary vectors (1, 0, In machine learning, the integrated learning model uses
0), (0, 1, 0), (0, 0, 1). The protocol type function can be shallow trees to prevent overfitting. In the deep learning

7556 VOLUME 9, 2021

L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

TABLE 3. Distribution of the benchmark datasets.

TABLE 4. Development environment. TABLE 5. Machine learning model related parameters.

model, we use TPU for acceleration, so we chose a

larger Batch and increased the epochs accordingly. Overfit-
ting was further prevented by observing the accuracy and
loss changes during the training phase, using appropriate
learning rates, and adding Dropout to the neural network
layer.
For the machine learning algorithm, we used the Ran-
domForestClassifier, svm.LinearSVC, XGBClassifier exper-
iments provided in Sklearn. The specific parameters are 41 0 dimensions at the end of the feature and then reshaped
shown in Table 5. the single-channel two-dimensional matrix processing (12 ×
For deep learning algorithms, LSTM and GRU use the 12 × 1). We uniformly adopt Adam’s optimizer (lr = 0.001)
original one-dimensional sequence (144 × 1) of the learn- and perform 100 epochs in the model training stage, and the
ing data set. For AlexNet and MiniVGGNet, We added batch size is 1024. The parameters are shown in Table 6.

VOLUME 9, 2021 7557

 L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

TABLE 6. Deep learning model related parameters. that the DSSTE algorithm achieves the best sampling results,
we experimented with different scaling factors.
We processed the training set in NSL-KDD and CSE-CIC-
IDS2018 using different scaling factors K . We performed
experiments on the proposed six classifiers, and performance
was evaluated using the average F1-Score of each classifier,
as shown in Figure 3.

D. EVALUATION METRICS
We use the Accuracy, Prediction, Recall, and F1-Score to
evaluate the experimental model’s performance. These eval-
uation criteria reflect the performance of the intrusion detec-
tion system’s flow recognition accuracy rate, and false alarm
rate. The combination of the model prediction results and
the true label is divided into four types: False Negative(FN),
a positive sample, which is mistakenly judged as a negative
sample. False Positive(FP), negative samples are misjudged
as positive samples. True Negative(TN), actually negative
samples, are correctly judged as negative samples. True Posi-
tive(TP), actually positive samples, are judged as the positive
sample. These metrics are calculated according to Equa- FIGURE 3. F1-Score of DSSTE algorithm with different scaling factor K .
tions 4-7.
TP + TN In NSL-KDD, the classifiers achieve excellent average
Accuracy = (4)
TP + TN + FP + FN performance at K = 50. In CSE-CIC-IDS2018, the classifiers
TP achieve excellent average performance at K = 10. Therefore,
Precision = (5) based on the average F1-Score, in NSL-KDD, we used the
TP + FP
TP + TN scaling factor k = 50, where the difficult samples in Normal,
Recall = (6) DoS, and Probe were compressed, and the difficult samples
TP + TN + FP + FN
2 × Precision × Recall in R2L and U2R were augmented with data. In CSE-CIC-
F1_Score = (7) IDS2018, we used the scaling factor K = 10 and performed a
Precision + Recall
similar treatment to NSL-KDD for the difficult samples. The
E. EXPERIMENTAL RESULTS new training set after the treatment is shown in Table 7.
In our experiments, we first explored the classifier’s perfor- Table 8 summarizes the comparison between DSSTE
mance on the training set treated with different deflation fac- and other sampling methods, and our proposed DSSTE
tors. In the proposed DSSTE algorithm, there is a parameter algorithm outperforms other methods in NSL-KDD and
scaling factor of K . When K increases within a certain range, CSE-CIC-IDS2018.
the number of difficult samples will also increase, but when In the experimental results for the NSL-KDD dataset,
K exceeds the range, the number of difficult samples will LSTM achieved the highest accuracy of 78.24% and the high-
constantly be constant. However, the majority compression est F1-Score of 75.03% in the original training set. After sam-
and the minority augmentation in the difficult samples will pling the RUS algorithm’s training, XGBoost achieved the
increase with K change. Therefore, to ensure that the data highest accuracy rate of 78.79%, and miniVGGNet achieved
sampling is useful and does not generate excessive noise and the highest recall rate of 75.57%. After sampling the ROS

7558 VOLUME 9, 2021

L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

TABLE 7. The new training set class distribution processed by the DSSTE algorithm.

FIGURE 4. Comparison of the performance of different sampling methods(Accuracy and F1-Score are the average of each classifier).

algorithm’s training, LSTM achieved the highest accuracy of 94.89 % and the highest F1-Score of 94.72 % in the unpro-
rate of 78.72% and the highest recall rate of 75.82%. After the cessed training set. After the RUS, ROS, and SMOTE algo-
SMOTE algorithm sampled the training set, AleNet achieved rithms sampled the training set. The random forest achieved
the highest accuracy rate of 78.75% and the highest recall the highest accuracy and F1-Score. However, the perfor-
rate of 77.27%. In the training set sampled by DSSTE pro- mance improvement was very small or even lower than that of
posed in this paper, AleNet achieved the highest accuracy rate the original data set. In the training set sampled by the DSSTE
of 82.84% and the highest recall rate of 81.66%. algorithm proposed in this paper, miniVGGNet achieves the
In the experimental results of the CSE-CIC-IDS2018 highest accuracy of 96.99% and the highest recall of 97.04%.
dataset, random forest achieves the highest accuracy However, the accuracy and recall of random forest are also

VOLUME 9, 2021 7559

 L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

TABLE 8. Comparison results between DSSTE and different methods(Acc, Pre, and F1-Score are the average of multiple classes, weighted by the number
of samples in each class).

very close to each other. Random forest exhibits the gen- In the CSE-CIC-IDS2018 dataset, performance gains are
eralization capability of integrated learning when used in very slight or even degraded after using the RUS, ROS, and
combination with each sampling algorithm, and it requires SMOTE sampling algorithms. After the training set with
fewer hardware resources. DSSTE algorithm sampling proposed in this paper, the aver-
As shown in Figure 4, we counted the average accu- age accuracy improves by 2.54%, and the average F1-Score
racy and F1-Score of the classifier for each sampling improves by 3.13%.
method. In the NSL-KDD dataset, the sampling algo- The F1-Score is a harmonic average of the prediction
rithms’ performance using RUS, ROS, and SMOTE are and recall rates, which is a good indicator of a classifica-
all improved compared to the original algorithm. In terms tion model’s performance. So we adopt F1-Score and accu-
of prediction accuracy and F1-Score, the improvement is racy as the metrics to compare the different methods pro-
very slight. The proposed DSSTE algorithm is significantly posed by other authors in the face of imbalanced network
improved, in which the average accuracy is improved by traffic. As shown in Table 9, our proposed data sampling
4.75%, and the average F1-Score is improved by 7.1%. method DSSTE has a higher accuracy than other meth-

7560 VOLUME 9, 2021

L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

FIGURE 5. Confusion matrix of CIC-IDS-2018 by DSSTE+minVGGNet.

TABLE 9. Comparison results of DSSTE with the existing approaches on model. Therefore, our proposed method is more generalizable
NSL-KDD KDDTest+.
to imbalanced network traffic.
The CIC-IDS-2018 is a large and redundant dataset, and
data are selected and processed differently by different schol-
ars. Therefore, we do not compare it with other authors on
the CIC-IDS-2018 dataset. In our experiments, we can see
that the DSSTE method is significantly better than other sam-
pling algorithms. As shown in Figure 5, DSSTE+AlexNet
exhibits excellent performance on the CIC-IDS-2018 dataset.
It achieves close to 100% detection rate in some attacks, and
also improves the identification of Brute Force and Infilter-
ation attacks.
To sum up, traditional sampling methods reduce the imbal-
ance in the training set and synthesize close to the real data;
it does not produce a distribution that matches the real data.
ods on KDDTest+. The F1-Score is very close to that of RUS algorithm leads to loss of valid information; the ROS
AESMOTE, which exhibits the advantage of reinforcement algorithm leads to data redundancy and overfitting. At the
learning for automatic pairwise sequence learning, but rein- same time, SMOTE interpolation generates noise traffic and
forcement learning training requires a lot of time to build the data overlap, increasing the number of difficult samples in the

VOLUME 9, 2021 7561

 L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

training set. Our proposed DSSTE algorithm is very targeted [9] N. Shone, T. N. Ngoc, V. D. Phai, and Q. Shi, ‘‘A deep learning approach to
to compress and augment difficult data from an imbalanced network intrusion detection,’’ IEEE Trans. Emerg. Topics Comput. Intell.,
vol. 2, no. 1, pp. 41–50, Feb. 2018.
training set. It enables the classifier to grasp more data distri- [10] D. A. Cieslak, N. V. Chawla, and A. Striegel, ‘‘Combating imbalance in
bution, thus improving the classification performance. network intrusion datasets,’’ in Proc. IEEE Int. Conf. Granular Comput.,
May 2006, pp. 732–737.
[11] M. Zamani and M. Movahedi, ‘‘Machine learning techniques for intru-
V. CONCLUSION sion detection,’’ 2013, arXiv:1312.2177. [Online]. Available: http://arxiv.
As network intrusion continues to evolve, the pressure on org/abs/1312.2177
network intrusion detection is also increasing. In particular, [12] M. S. Pervez and D. M. Farid, ‘‘Feature selection and intrusion classifi-
cation in NSL-KDD cup 99 dataset employing SVMs,’’ in Proc. 8th Int.
the problems caused by imbalanced network traffic make it Conf. Softw., Knowl., Inf. Manage. Appl. (SKIMA), Dec. 2014, pp. 1–6.
difficult for intrusion detection systems to predict the distri- [13] H. Shapoorifard and P. Shamsinejad, ‘‘Intrusion detection using a novel
bution of malicious attacks, making cyberspace security face hybrid method incorporating an improved KNN,’’ Int. J. Comput. Appl.,
vol. 173, no. 1, pp. 5–9, Sep. 2017.
a considerable threat. [14] S. Bhattacharya, P. K. R. Maddikunta, R. Kaluri, S. Singh, T. R. Gadekallu,
This paper proposed a novel Difficult Set Sampling Tech- M. Alazab, and U. Tariq, ‘‘A novel PCA-firefly based XGBoost classifi-
nique(DSSTE) algorithm, which enables the classification cation model for intrusion detection in networks using GPU,’’ Electronics,
vol. 9, no. 2, p. 219, Jan. 2020.
model to strengthen imbalanced network data learning. A tar-
[15] A. Javaid, Q. Niyaz, W. Sun, and M. Alam, ‘‘A deep learning approach
geted increase in the number of minority samples that need for network intrusion detection system,’’ in Proc. 9th EAI Int. Conf. Bio-
to be learned can reduce the imbalance of network traffic and inspired Inf. Commun. Technol. (Formerly BIONETICS), 2016, pp. 21–26.
strengthen the minority’s learning under challenging samples [16] P. Torres, C. Catania, S. Garcia, and C. G. Garino, ‘‘An analysis of recurrent
neural networks for botnet detection behavior,’’ in Proc. IEEE Biennial
to improve the classification accuracy. We used six classical Congr. Argentina (ARGENCON), Jun. 2016, pp. 1–6.
classification methods in machine learning and deep learning [17] W. Wang, M. Zhu, X. Zeng, X. Ye, and Y. Sheng, ‘‘Malware traffic clas-
and combined them with other sampling techniques. Exper- sification using convolutional neural network for representation learning,’’
in Proc. Int. Conf. Inf. Netw. (ICOIN), 2017, pp. 712–717.
iments show that our method can accurately determine the [18] D. Kwon, H. Kim, J. Kim, S. C. Suh, I. Kim, and K. J. Kim, ‘‘A survey
samples that need to be expanded in the imbalanced network of deep learning-based network anomaly detection,’’ Cluster Comput.,
traffic and improve the attack recognition more effectively. vol. 22, pp. 949–961, 2019.
In the experiment, we found that deep learning perfor- [19] B. A. Tama, M. Comuzzi, and K.-H. Rhee, ‘‘TSE-IDS: A two-stage clas-
sifier ensemble for intelligent anomaly-based intrusion detection system,’’
mance is better than machine learning after sampling the IEEE Access, vol. 7, pp. 94497–94507, 2019.
imbalanced training set samples through the DSSTE algo- [20] P. Jeatrakul, K. W. Wong, and C. C. Fung, ‘‘Classification of imbal-
rithm. Although the neural networks strengthen data expres- anced data by combining the complementary neural network and smote
algorithm,’’ in Proc. Int. Conf. Neural Inf. Process. Springer, 2010,
sion, the current public datasets have already extracted the pp. 152–159.
data features in advance, which is more limited for deep learn- [21] B. Yan and G. Han, ‘‘LA-GRU: Building combined intrusion detection
ing to learn the preprocessed features and cannot take advan- model based on imbalanced learning and gated recurrent unit neural net-
work,’’ Secur. Commun. Netw., vol. 2018, pp. 1–13, Aug. 2018.
tage of its automatic feature extraction. Therefore, in the next
[22] R. Abdulhammed, M. Faezipour, A. Abuzneid, and A. AbuMallouh,
step, we plan to directly use the deep learning model for ‘‘Deep and machine learning approaches for anomaly-based intrusion
feature extraction and model training on the original network detection of imbalanced network traffic,’’ IEEE sensors Lett., vol. 3, no. 1,
traffic data, performance the advantages of deep learning in Jan. 2019, Art. no. 7101404.
[23] P.-J. Chuang and D.-Y. Wu, ‘‘Applying deep learning to balancing network
feature extraction, reduce the impact of imbalanced data and intrusion detection datasets,’’ in Proc. IEEE 11th Int. Conf. Adv. Infocomm
achieve more accurate classification. Technol. (ICAIT), Oct. 2019, pp. 213–217.
[24] P. Bedi, N. Gupta, and V. Jindal, ‘‘Siam-IDS: Handling class imbalance
problem in intrusion detection systems using siamese neural network,’’
REFERENCES Procedia Comput. Sci., vol. 171, pp. 780–789, 2020.
[1] D. E. Denning, ‘‘An intrusion-detection model,’’ IEEE Trans. Softw. Eng., [25] L. Breiman, ‘‘Random forests,’’ Mach. Learn., vol. 45, no. 1, pp. 5–32,
vol. SE-13, no. 2, pp. 222–232, Feb. 1987. 2001.
[26] C. Cortes and V. Vapnik, ‘‘Support vector machine,’’ Mach. Learn., vol. 20,
[2] N. B. Amor, S. Benferhat, and Z. Elouedi, ‘‘Naive Bayes vs decision trees
no. 3, pp. 273–297, 1995.
in intrusion detection systems,’’ in Proc. ACM Symp. Appl. Comput. (SAC),
2004, pp. 420–424. [27] L. Feng, L. Yu, L. Xueqiang, and L. Zhuo, ‘‘Research on query topic
classification method,’’ Data Anal. Knowl. Discovery, vol. 31, no. 4,
[3] M. Panda and M. R. Patra, ‘‘Network intrusion detection using Naive pp. 10–17, 2015.
Bayes,’’ Int. J. Comput. Sci. Netw. Secur., vol. 7, no. 12, pp. 258–263, 2007.
[28] T. Chen and C. Guestrin, ‘‘XGBoost: A scalable tree BOOSTING system,’’
[4] M. A. M. Hasan, M. Nasser, B. Pal, and S. Ahmad, ‘‘Support vec- in Proc. 22nd ACM SIGKDD Int. Conf. Knowl. Discovery Data Mining,
tor machine and random forest modeling for intrusion detection system 2016, pp. 785–794.
(IDS),’’ J. Intell. Learn. Syst. Appl., vol. 6, no. 1, pp. 45–52, 2014.
[29] X. Lei and Y. Xie, ‘‘Improved XGBoost model based on genetic algorithm
[5] N. Japkowicz, ‘‘The class imbalance problem: Significance and strate- for hypertension recipe recognition,’’ Comput. Sci, vol. 45, pp. 476–481,
gies,’’ in Proc. Int. Conf. Artif. Intell., vol. 56, 2000, pp. 111–117. 2018.
[6] Y. LeCun, Y. Bengio, and G. Hinton, ‘‘Deep learning,’’ Nature, vol. 521, [30] S. Hochreiter and J. Schmidhuber, ‘‘Long short-term memory,’’ Neural
no. 7553, pp. 436–444, 2015. Comput., vol. 9, no. 8, pp. 1735–1780, 1997.
[7] Y. Guo, Y. Liu, A. Oerlemans, S. Lao, S. Wu, and M. S. Lew, ‘‘Deep [31] A. Raghavan, F. D. Troia, and M. Stamp, ‘‘Hidden Markov models with
learning for visual understanding: A review,’’ Neurocomputing, vol. 187, random restarts versus boosting for malware detection,’’ J. Comput. Virol.
pp. 27–48, Apr. 2016. Hacking Techn., vol. 15, no. 2, pp. 97–107, Jun. 2019.
[8] T. Young, D. Hazarika, S. Poria, and E. Cambria, ‘‘Recent trends in [32] A. Krizhevsky, I. Sutskever, and G. E. Hinton, ‘‘Imagenet classification
deep learning based natural language processing [review article],’’ IEEE with deep convolutional neural networks,’’ in Proc. Adv. Neural Inf. Pro-
Comput. Intell. Mag., vol. 13, no. 3, pp. 55–75, Aug. 2018. cess. Syst., 2012, pp. 1097–1105.

7562 VOLUME 9, 2021

L. Liu et al.: Intrusion Detection of Imbalanced Network Traffic Based on Machine Learning and Deep Learning

[33] K. Simonyan and A. Zisserman, ‘‘Very deep convolutional networks for PENGCHENG WANG was born in Nanchong,
large-scale image recognition,’’ 2014, arXiv:1409.1556. [Online]. Avail- China. He received the B.S. degree in communi-
able: https://arxiv.org/abs/1409.1556 cation engineering from Physical and Electronic
[34] A. Ismail, S. A. Ahmad, A. C. Soh, K. Hassan, and H. H. Harith, ‘‘Improv- Information Engineering, Neijiang Normal Uni-
ing convolutional neural network (CNN) architecture (miniVGGNet) with versity, in 2019. He is currently pursuing the
batch normalization and learning rate decay factor for image classifica- M.S. degree in electronics and communication
tion,’’ Int. J. Integr. Eng., vol. 11, no. 4, pp. 1–9, 2019. engineering with Guangdong Polytechnic Normal
[35] M. A. Tahir, J. Kittler, and F. Yan, ‘‘Inverse random under sampling for
University. His main research interests include
class imbalance problem and its application to multi-label classification,’’
network information security and deep learning.
Pattern Recognit., vol. 45, no. 10, pp. 3738–3750, Oct. 2012.
[36] A. Liu, J. Ghosh, and C. E. Martin, ‘‘Generative oversampling for mining
imbalanced datasets,’’ in Proc. DMIN, 2007, pp. 66–72.
[37] N. V. Chawla, K. W. Bowyer, L. O. Hall, and W. P. Kegelmeyer, ‘‘SMOTE:
Synthetic minority over-sampling technique,’’ J. Artif. Intell. Res., vol. 16,
pp. 321–357, Jun. 2002.
[38] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, ‘‘A detailed analysis
of the KDD CUP 99 data set,’’ in Proc. IEEE Symp. Comput. Intell. Secur.
Defense Appl., Jul. 2009, pp. 1–6.
[39] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, ‘‘Toward generating a
new intrusion detection dataset and intrusion traffic characterization,’’ in
Proc. 4th Int. Conf. Inf. Syst. Secur. Privacy, 2018, pp. 108–116.
[40] L. van der Maaten and G. Hinton, ‘‘Visualizing data using t-SNE,’’ J. Mach. JUN LIN received the M.S. degree in computer
Learn. Res., vol. 9, pp. 2579–2605, Nov. 2008. architecture from the Huazhong University of Sci-
[41] X. Ma and W. Shi, ‘‘AESMOTE: Adversarial reinforcement learning with ence and Technology, in 2002. He is currently
SMOTE for anomaly detection,’’ IEEE Trans. Netw. Sci. Eng., early access, a Senior Engineer and the Vice Director of the
Jun. 24, 2020, doi: 10.1109/TNSE.2020.3004312. Software & System Research Unit, China Elec-
[42] P. Bedi, N. Gupta, and V. Jindal, ‘‘I-SiamIDS: An improved Siam-IDS for tronic Product Reliability and Environment Test-
handling class imbalance in network-based intrusion detection systems,’’ ing Research Institute. He is mainly engaged
Appl. Intell., pp. 1–19, Sep. 2020. in computer software development and quality
[43] G. Caminero, M. Lopez-Martin, and B. Carro, ‘‘Adversarial environment engineering technology research and service in
reinforcement learning algorithm for intrusion detection,’’ Comput. Netw., mobile communication, computer network, indus-
vol. 159, pp. 96–109, Aug. 2019.
trial control system, information security, and other relevant fields with
[44] A. K. Verma, P. Kaushik, and G. Shrivastava, ‘‘A network intrusion detec-
solid research foundation and rich experience in engineering, toke charge
tion approach using variant of convolution neural network,’’ in Proc. Int.
Conf. Commun. Electron. Syst. (ICCES), Jul. 2019, pp. 409–416. or mainly participated in the research of dozen important scientific research
[45] J.-T. Wang and C.-H. Wang, ‘‘High performance WGAN-GP based projects funded by national or provincial government focusing on frontier
multiple-category network anomaly classification system,’’ in Proc. Int. fields, such as new-generation broadband wireless mobile network, industry
Conf. Cyber Secur. Emerg. Technol. (CSET), Oct. 2019, pp. 1–7. internet, IoT, infrastructure software, and so on. He is responsible in technol-
[46] M. Lopez-Martin, B. Carro, A. Sanchez-Esguevillas, and J. Lloret, ‘‘Con- ogy for IEEE P360 intelligent wearable technology standard establishment.
ditional variational autoencoder for prediction and feature recovery applied He has published more than ten articles. He holds eight invention patents and
to intrusion detection in IoT,’’ Sensors, vol. 17, no. 9, p. 1967, Aug. 2017. seven software copyrights. He received six awards in science and technology.

LAN LIU was born in Yiyang, China, in 1977. She

received the B.S., M.S., and Ph.D. degrees in com-
puter architecture from the Huazhong University
of Science and Technology, Wuhan, Hubei, China,
in 1999, 2002, and 2007, respectively. She joined
Guangdong Polytechnic Normal University, as an LANGZHOU LIU was born in Hubei, China.
Assistant, in 2003. She was an Associate Professor He received the bachelor’s degree in engineering.
and a Master Tutor with the Department of Elec- He is currently pursuing the master’s degree with
tronic Information, in 2008 and 2015, respectively. Guangdong Polytechnic Normal University. His
She was a Visiting Professor to research network main research interests include network informa-
security with the Computer Science Laboratory, University of Waikato, tion security and deep learning.
Hamilton, New Zealand, in 2016. She is the author of more than 30 articles
that are published on IEEE conferences and journals (EI indexed or SCI
indexed). Her research interests include network security, deep learning, and
software defined networks.

VOLUME 9, 2021 7563