
1 Introduction

Network security is a key aspect of any company’s data policy nowadays. Roughly, these policies range from application deployments and the transfer of sensitive information to the implementation of a communications network that offers external and internal services [11]. Security violations such as unauthorized access or intrusions can put at risk some of the established policies which, in summary, relate to the availability, integrity, and confidentiality of company information. The National Institute of Standards and Technology (NIST) defines an intrusion as an attempt to threaten security policies or bypass security mechanisms in networks or hosts [12]. These intrusion threats are countered by intrusion detection systems (IDS).

Previously, intrusion detection models were based on a catalog of threats that were updated periodically and protected only some parts of the network, such as centralized nodes or priority hosts. Thus, the system exposed other parts of the same network which the attackers use to invade a segment of interest. Accordingly, the trend of designing and implementing new methodologies and approaches to detect intrusion attacks is being highly influenced by the inclusion of machine learning-based methods [18].

Both the threats and the traffic volume in networks have increased at an exponential rate in recent years. For instance, in the last ten years alone, traffic volume in mobile networks went from gigabytes to exabytes in monthly measures [8]. On the other hand, it is estimated that cyber-attacks can generate losses in the order of trillions of dollars in businesses [14]. Accordingly, the implementation of an intrusion detection model based on a static threat catalog is not relevant. Instead, it is better to choose a dynamic option to continuously monitor and classify traffic threats. Many types of attacks can dramatically affect a network; among them are denial of service (DoS), distributed denial of service (DDoS), user to root (U2R), web attack, infiltration, or probing and remote-to-local (R2L) attacks.

Typically, IDS can be classified into two types: host-based and network-based. In host-based IDS, some software is installed on a particular host (e.g., antivirus plugins) and its operation is reactive; i.e., it waits for a potential attack to enter its domain and then neutralizes it. A network-based IDS is similar, except that it is implemented in network elements such as firewalls, allowing the analysis of network traffic coming from or going to multiple hosts [13]. At a functional level, intrusion detection models can detect anomalies based on normal traffic behavior or directly classify attacks based on previous training. The advantage of detection based on normal traffic patterns is that intrusions that are unknown (i.e., not known in the training stage) can be detected. However, this can decrease the efficiency of the model because false positives increase when anomalous behavior is generated by normal traffic. In contrast, the classification of attacks according to a training bench is ineffective against unknown attacks [24].

In order to address the problems presented in traditional intrusion detection models, machine learning and deep learning techniques are very effective in detecting such attacks [5, 6]. Support vector machine (SVM) [7, 9], neural networks [15, 19, 25], and clustering algorithms are widely studied techniques in this field. The combination of intrusion detection techniques in data preparation, data processing, and data classification is considered emergent and has great potential. Although there are several proposals for intrusion detection, most of them have been tested on old datasets such as NSL-KDD [20] that do not consider the diversity of contemporary attacks as well as current changes in traffic behavior.

This work aims to implement a hybrid intrusion detection model using deep learning and a traditional machine learning technique. Thus, the major contributions of this paper are the use of image recognition based on convolutional neural networks (CNN) to perform feature extraction of traffic patterns, and image classification using an SVM to identify the type of attack. Furthermore, the model has been trained and tested using a modern dataset called CIC-IDS2017 [16] that contains several types of attack and allows its performance to be measured in order to compare the proposed model with previous approaches.

The rest of this paper is structured as follows: Sect. 2 contains a general review of previous work. The proposed intrusion detection model is described in Sect. 3. In Sect. 4, dataset description and preparation are provided. Performance analysis and detection results are also discussed. Finally, the conclusions and future work are presented in Sect. 5.

2 Related Work

Traditional network intrusion detection methods are rule-based and ignore contextual information, and because the size of the data is extremely high, these methods introduce complexity and reduce detection accuracy. In order to deal with these problems, several works in the literature have implemented intrusion detection methods based on machine learning [5] or deep learning techniques [6]. However, deep learning techniques are being widely used to improve the accuracy of intrusion predictions instead of traditional machine learning-based methods. The intrusion detection method presented in Ludwig [11] combines multiple assembled classifiers in a way that the individual results are merged in favor of multi-class classification. In this work, the authors used various deep neural networks (DNN) to distinguish normal behaviors from attacks. While the results show that a precision above 95% can be achieved when applied to the NSL-KDD dataset, the authors suggest that by including more techniques in the model, overall precision can be improved.

A hybrid model, based on an auto-encoder network (AN) for feature dimensionality reduction and long short-term memory (LSTM) to predict intrusion detection types, is addressed in [25]. With this proposal, the accuracy of this method is improved by 2% on average when compared with classical IDS. A semantic re-encoding and deep learning model (SRDLM) is proposed in Wu et al. [22] for intrusion detection. The SRDLM model re-encodes the semantics of network traffic (i.e., transforms traffic data to words), increases the distinguishability of traffic, and improves the generalization by using deep learning techniques (i.e., ResNet network architecture). Results showed that the SRDLM method achieves more than 99% accuracy in detecting the Web character injection attack.

A deep learning network is implemented in [4] to automatically build a smart intrusion detection model. The authors rely on a hybrid optimization framework (IGASAA) based on an improved genetic algorithm (IGA) and a simulated annealing algorithm (SAA). This approach, which is called machine learning IDS (MLIDS), uses the IGASAA to find the optimal combination of the most relevant values that will serve as parameters in the construction of the IDS using a DNN. The values to consider are the input features, the data normalization, the activation function for the neural model, the learning rate, and the momentum. Optimal selection ensures a high efficiency of the model in terms of its hit rate, precision, and false-positive rate. The results obtained with this technique show an accuracy greater than 99.8%, which exceeds other approaches compared by the authors.

A technique that shows promising results to improve the accuracy, false alarm rate, and timeliness of traditional intrusion detection algorithms is to convert the traffic data of an incoming network into images, turning intrusion detection into an image classification problem. According to Xiao et al. [23], the use of CNN provides a method to automatically extract the features of the dimensionality reduction data, and the supervised learning to extract more effective information for intrusion identification. In this approach, the computational cost is reduced by converting the original traffic vector format into an image. The simulation results on the NSL-KDD dataset indicated that the model reaches a detection accuracy of 94.0%, but for U2R and R2L attacks, the detection rates are significantly low at 20.61% and 18.96%, respectively. In [19], the traffic data of an incoming network is represented in grayscale images, thus transforming the anomaly detection problem to an image processing problem where texture is the key for detection. The authors also use the NSL-KDD dataset for model implementation, training, and validation. The results showed that the performance reaches a precision higher than 97.8%. However, the execution time of the model is very long when the number of layers of the CNN increases. Consequently, the authors mentioned the need for more work to improve the proposed model.

In more recent work, network traffic features (NTF) are transformed into four-channel Red, Green, Blue, and Alpha (RGBA) images [21]. In [21], a multistage deep learning image recognition system (ResNet50) employing transfer learning is proposed to detect contemporary malicious behavior (network attack) and to recognize the attack type. Empirical quantification of the attack type recognition showed 99.8% detection accuracy for the generic attack on the UNSW-NB15 dataset, and 99.7% detection accuracy for the DDoS attack on the BOUN DDoS dataset. In [17], the authors proposed a hybrid model which combines an LSTM for feature extraction and a CNN for intrusion detection. The model validation on the UNSW-NB15 dataset showed a detection accuracy of 98%, which improves on the performance of RNN-based intrusion detection models.

Note that most of the literature reviewed focused on external intrusions. In fact, there are attacks such as operating system scripts that can represent an internal threat per host. In [15], the authors have studied the possibility of predicting whether a script executed in the operating system may be malicious based on a short sample of the data it manipulates. Consequently, the authors propose a recurrent neural network (RNN) to predict malicious behavior based on data from the operating system. The scope was to study the ability of the model to detect malware families and variants that have not been previously stored, known as zero-day attacks. In training the model, around 3000 malware samples are used, reaching 95% accuracy when one second of malicious code execution has passed.

Regardless of the type of technique used for the implementation of intrusion detection systems, Table 1 shows that there is a trend toward the use of deep learning techniques to enhance the models' accuracy compared to traditional methods. On the other hand, the possibility of implementing techniques based on image processing is highlighted to transform each data record of the dataset into an image. Most of the works reviewed can provide a guide to design an intrusion detection model applying deep learning techniques. But, to evaluate the model's performance, it is relevant to use a dataset that includes modern attack types and traffic patterns rather than just data contained in a legacy dataset such as NSL-KDD.

Table 1 Summary of related work

In this paper, the proposed hybrid method for intrusion detection is supported on a CNN to perform feature extraction of traffic patterns. Furthermore, in order to provide the capability to detect several types of attack, a SVM-based classifier is incorporated into the proposed model, because SVM has proven to be effective in intrusion classification problems [7, 9, 23]. Therefore, unlike previous works, a hybrid intrusion detection model using deep learning and a classification algorithm is proposed to address the detection of several contemporary types of attack. To train and test the proposed hybrid model, the CIC-IDS2017 dataset is considered. Note that this dataset is cleaned and normalized, eliminating out-of-range data, and using a common data scale for used features.

3 Proposed Method

In order to take advantage of deep learning and traditional machine learning techniques for intrusion detection, a hybrid model is proposed. The key to the implementation of this model arises in image recognition and a classifier algorithm. In this section, the hybrid model implementation process is described.

3.1 Hybrid Intrusion Detection Model Description

Figure 1 summarizes the overall framework used to detect and classify attacks using the proposed hybrid model. The model implementation considers six fundamental steps:

Fig. 1 Process flow of the proposed hybrid IDS model

  • Step 1. Data cleansing: To generate a normalized, balanced and diverse dataset for training the proposed model. The key is to preserve the features with high variability while a dimension reduction is applied.

  • Step 2. Labeling attacks: To categorize attacks of the same type in a unique label in order to group attacks with similar effects in the network behavior or damage.

  • Step 3. Feature normalization and image creations: To balance the dataset and generate a bank of images through the transformation of each traffic record in an 8 * 8 image with 8-bit depth.

  • Step 4. Image dataset consolidation: To train the model based on image recognition and test the classification performance. The dataset is randomly divided into 70% records for training and 30% for testing. Next, an image scaling technique and a summer color map are applied to convert it into a 224 * 224 RGB image.

  • Step 5. Hybrid intrusion detection model: To implement the hybrid intrusion detection model combining CNN and SVM algorithms: CNN for feature extraction and image recognition, and SVM for attacks classification.

  • Step 6. Performance evaluation: To analyze the detection accuracy by applying the hybrid model in the testing dataset.

3.2 Implementation Process

A convolutional neural network (CNN) processes data with a grid pattern, such as images, and automatically and adaptively learns spatial hierarchies of features, from low- to high-level patterns. The CNN is built as a set of three layers between the input and output layers: a convolutional layer, a pooling layer, and a fully connected layer. The number of convolution layers as well as the number of pooling layers defines the CNN's structure. Suppose the CNN input feature is \(X\) and the feature map of layer \(i\) is \(M_i\) (\(M_0 = X\)). Then, Eq. (1) expresses the convolution process as [23]:

$$ M_i = f\left( {M_{i - 1} \ast W_i + b_i } \right) $$
(1)

where \(W_i\) corresponds to the convolution kernel weight vector of layer \(i\); \(\ast\) represents the convolution operation; \(b_i\) corresponds to the offset vector of layer \(i\); and \(f(x)\) is the activation function and corresponds to the ReLU function. This activation function is widely used in CNN to replace all negative values in the feature map with zero. By specifying different window values, distinct feature information is extracted from the \(M_{i - 1}\) data matrix in the convolutional layer, and through different convolution kernels, distinct features \(M_i\) in the data are extracted. The same parameters (weight and offset) are shared in the same convolutional kernel of the convolutional operation, which substantially reduces the number of parameters in the whole CNN. In the pooling layer, the feature map is mapped according to different sampling rules after the convolutional layer. The feature dimension is reduced in the pooling layer, and as a consequence, the influence of redundant features in the model is also decreased.

In the proposed hybrid model, the advantages of a CNN are exploited. Therefore, in order to provide the appropriate input to the proposed hybrid intrusion detection model, as part of the implementation, each record of the cleansed and normalized dataset is transformed into an 8 * 8 image with 8-bit depth. This image bank is the input of a Residual Network 50 (ResNet50 [1]) CNN for image feature extraction. It receives a 224 * 224 image of three layers (i.e., RGB), so the constructed images are transformed using a nearest-neighbor interpolation image scaling technique and grayscale to color conversion using a summer color map. Figure 2 presents the implementation details of the ResNet50.

Fig. 2 Implementation details of the proposed hybrid IDS model

A ResNet50 architecture has demonstrated high accuracy for intrusion detection [21, 22]. On the other hand, as shown in [3], a ResNet architecture, particularly ResNet50, has less computational complexity than other CNN models such as VGG or AlexNet. Likewise, it is more accurate than models like GoogleNet or ShuffleNet. While the ResNet101 or ResNet152 improve the accuracy of the model, they increase its complexity to a greater extent compared to the ResNet50. For these reasons, the ResNet50 was chosen as the CNN because it maintains a balance between precision and computational complexity compared to other models.

Additionally, the capability to classify various types of attacks in the proposed hybrid model is provided by a support vector machine (SVM). This is because SVM has been shown to be an effective method to train the base learners in intrusion classifiers to detect several types of attack [7, 23], and the combination CNN-SVM achieves a better performance than FCN or the use of other classifiers [2]. Thus, the second last output of the ResNet50 is considered to train an SVM classifier, and its input is a vector with 1000 features of the image built to represent the intrusion attack and benign traffic. In the SVM classifier, this input vector is first mapped into a higher-dimensional feature space where the optimal separation hyperplane is obtained [4].

Furthermore, a decision boundary, which is basically the separation hyperplane, is defined by support vectors rather than all training samples, and thus, the SVM provides high robustness to outliers. In the proposed model, a linear SVM is implemented that encodes the input samples using a one-vs-all encoder, which consists of dividing the multi-class classification problem into multiple binary classification problems. In this way, a new entry only satisfies the condition imposed by the region of the closest class. Finally, the output of the SVM is the classification of the input vectors into the attack classes and benign traffic as learned from the input labels. The complexity of the proposed model is given by the ResNet50, i.e., \(O(n^4)\).

4 Simulation and Results

In order to test and evaluate the accuracy of the proposed hybrid model for intrusion detection, we have implemented the model in MATLAB R2020b using a machine with 4 CPUs, 16 GB of RAM, and 1 TB of storage. This section describes the data preparation and normalization processes and the image creation to consolidate the image bank. Finally, the performance analysis of the hybrid model is presented.

4.1 Dataset Preparation

Sharafaldin et al. [16] proposed the CIC-IDS2017 dataset with the eleven most significant characteristics required by the Canadian Institute for Cybersecurity (CIC): attack diversity, anonymity, available protocols, full capture, full interaction, full network configuration, full traffic, feature set, heterogeneity tagging, and metadata. Compliance with these characteristics means the dataset contains 13 up-to-date attacks that resemble data from networks deployed in reality. In addition, it has records for benign traffic, and all of them are labeled [16]. The network architecture used to collect data is based on two networks: attack and victim [16].

The selected dataset consists of 78 columns, an additional column labeling the type of attack, and 2.8 million records. In this work, not all the fields in the dataset are used for the analysis of our hybrid approach because some have no relevance to the intrusion detection case study. For this reason, columns 1 and 44–51 of the dataset were removed, leaving a total of 69 columns. The cleaning process (presented in Fig. 1) has the main objective of preserving the features in the dataset that generate more variability, deleting duplicated records and keeping the attacks with more diversity of records. It is important to note that the features that represent attributes of the size of the packets (either sent or received), duration of the traffic session during attacks and other time variables, such as inter-arrival time, have high variability in the dataset. The result is a dataset with 24 features and about 2.5 million records that can be grouped into 4 types of measurements:

  1. Four measures of traffic for total packets and their lengths: Total Fwd/Bwd Packets and Total Length of Fwd/Bwd Packets

  2. Eight measures of forward and backward packets involved in communication: Fwd Packet Length Max/Min/Mean/Std and Bwd Packet Length Max/Min/Mean/Std

  3. Four measures of duration time of the flows in communication: Flow Duration, Flow Bytes_s, Flow Packets_s

  4. Eight measures of inter-arrival time for the communication flows and the forwarding packets: Flow IAT Mean/Std/Max/Min and Fwd IAT Total/Mean/Std/Max/Min

At this point, the dataset is still labeled with eleven different attacks. However, analyzing the dataset, it can be observed that some attacks have several subtypes that globally represent a single attack, e.g., DoS Hulk, DoS Goldeneye, and DoS Slowloris can be represented as a DoS attack. The difference between them is the script that generates them. Moreover, some attacks such as Heartbleed, Infiltration, and Botnet have irrelevant representation in the dataset as they have less than 0.01% of total dataset size, so the associated records are excluded from the analysis of this work. After the filtering and grouping procedure, the attacks were thus classified into the seven classes shown in Table 2.

Table 2 Attacks classification in new classes

When a histogram is generated to see how many records belong to each label, it becomes evident that the data is unbalanced as shown in Fig. 3a. In order to balance the amount of data per attack, the type with the fewest number of records is taken into account as a reference to others. Thus, Web Attack with a total of 2.1 thousand records is selected to limit the number of data records per attack class. Then, from each class, a random sample of the same amount of records is taken, so a new dataset is built with near 15 thousand records which contain the six types of attack and an additional class for benign traffic. Balancing the data allows avoiding bias in the training of a neural network, in this case, the ResNet-50 CNN. The result of balancing the number of records per attack is shown in Fig. 3b.

Fig. 3 Data balancing result per each traffic label

4.2 Dataset Normalization

For dataset normalization, it is considered that the range between maximum and minimum values in some features is too large and needs some preprocessing. First, we apply a logarithmic function to shorten the range. Note that all features are in the positive domain because their measures are related to lengths, time, or quantities. However, zero value is possible. Therefore, before applying the logarithmic function, a unit is added to all values. The next step is to perform a linear normalization using Eq. (2).

$$ x_{i}^{{''}} = \frac{{x_{i}^{'} - {\text{min}}\left( {x_{i}^{'} } \right)}}{{\max \left( {x_{i}^{'} } \right) - {\text{min}}\left( {x_{i}^{'} } \right)}} $$
(2)

where \( x_{i}^{{\prime }} = \ln (x_{i} + 1) \) and \(x_i^{\prime\prime}\) is the normalized value. With this normalization, all features in the dataset are compressed to a range from 0 to 1. When a descriptive analysis is performed separating the benign from the malign traffic (i.e., grouping all attacks in one unique class), the result shows that attacks typically have more packets sent but fewer packets received, which is to be expected in attacks such as a DoS attack. Also, the total size of packets sent shows that in the attacks there is greater variability toward values closer to zero. These considerations are key for training the model and discussing the results.

4.3 Image Creation

Each record of the cleansed and normalized dataset is converted into an 8 * 8 image with 8-bit depth in concordance with the method presented in Li et al. [10]. Thus, 20 intervals are set for encoding the values of the features using one-hot encoding as shown in Fig. 4a; i.e., each normalized value of 24 features or metrics is considered as a symbol that is encoded into a word of 20 bits. Once this is applied to each record of the normalized traffic dataset, the result is a new binary dataset with 480 columns. Considering the target dimensions of the image, 32 columns with zero values are added to the dataset to complete 512 columns. After that, an 8 * 8 matrix is constructed by converting each group of 8 bits in the record from binary to decimal, as shown in Fig. 4b. It is important to keep in mind that the same procedure is applied to all data records in the cleansed dataset to generate an image bank with six types of attack and also benign traffic.

Fig. 4 Encoding procedure performed on each data record

Then, the decimal values in the matrix are converted into an image using a grayscale conversion with 8 bits of depth. With this method, for each class of attack in the dataset, at least two thousand images are obtained to be used as input of the deep learning model. An example of the resulting images for some data records is shown in Fig. 5. Since the ResNet50 has 224 * 224 RGB images as input, an image scaling method is applied, as well as a summer-type color map. This ensures that the images meet the ResNet50 entry conditions.

Fig. 5 Images created for the traffic dataset records
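The normalization of Sect. 4.2 and the image encoding of Sect. 4.3, written out in Python as an added example (it is not the authors' MATLAB code, which the paper does not show). Equal-width intervals, zero padding appended at the end, MSB-first byte packing, row-major pixel order, the (v, 0.5 + v/2, 0.4) summer ramp, and the clamping of out-of-range values are assumptions; all function names and the sample records are constructed.

```python
import math

N_FEATURES = 24    # features kept after cleansing (Sect. 4.1)
N_INTERVALS = 20   # one-hot word length per feature (Sect. 4.3)
IMG_SIDE = 8       # 8 x 8 image with 8-bit depth
CNN_SIDE = 224     # ResNet50 input side
TOTAL_BITS = IMG_SIDE * IMG_SIDE * 8   # 512 = 480 data bits + 32 padding bits


def fit_min_max(records):
    """Per-feature min and max of x' = ln(x + 1) over the training records."""
    logged = [[math.log1p(v) for v in rec] for rec in records]
    columns = list(zip(*logged))
    return [min(c) for c in columns], [max(c) for c in columns]


def normalize(record, mins, maxs):
    """Eq. (2): x'' = (x' - min x') / (max x' - min x'), with x' = ln(x + 1)."""
    if len(record) != N_FEATURES:
        raise ValueError("expected %d features" % N_FEATURES)
    out = []
    for v, lo, hi in zip(record, mins, maxs):
        if not math.isfinite(v) or v < 0:
            # The paper states that every feature is non-negative.
            raise ValueError("feature values must be finite and >= 0")
        span = hi - lo
        scaled = 0.0 if span == 0 else (math.log1p(v) - lo) / span
        # Assumption: traffic outside the training range is clamped to [0, 1].
        out.append(min(1.0, max(0.0, scaled)))
    return out


def one_hot_bits(normalized):
    """24 values -> 24 one-hot words of 20 bits (480 bits), padded to 512."""
    bits = []
    for v in normalized:
        # Assumption: equal-width intervals; v == 1.0 falls in the last one.
        idx = min(int(v * N_INTERVALS), N_INTERVALS - 1)
        word = [0] * N_INTERVALS
        word[idx] = 1
        bits.extend(word)
    bits.extend([0] * (TOTAL_BITS - len(bits)))
    return bits


def bits_to_image(bits):
    """Pack each group of 8 bits into one 0..255 pixel; 64 pixels -> 8 x 8."""
    pixels = []
    for i in range(0, len(bits), 8):
        value = 0
        for b in bits[i:i + 8]:      # assumption: most significant bit first
            value = (value << 1) | b
        pixels.append(value)
    return [pixels[r * IMG_SIDE:(r + 1) * IMG_SIDE] for r in range(IMG_SIDE)]


def record_to_image(record, mins, maxs):
    return bits_to_image(one_hot_bits(normalize(record, mins, maxs)))


def upscale_nearest(img, side=CNN_SIDE):
    """Nearest-neighbor scaling: each source pixel becomes a 28 x 28 block."""
    n = len(img)
    return [[img[r * n // side][c * n // side] for c in range(side)]
            for r in range(side)]


def summer_rgb(gray):
    """Summer color map: red rises 0..1, green 0.5..1, blue fixed at 0.4."""
    v = gray / 255
    return (round(255 * v), round(255 * (0.5 + v / 2)), round(255 * 0.4))


def image_to_cnn_input(img):
    """8 x 8 grayscale -> 224 x 224 grid of (R, G, B) tuples."""
    return [[summer_rgb(p) for p in row] for row in upscale_nearest(img)]


# Constructed sample records (not taken from CIC-IDS2017).
SAMPLE_RECORDS = [
    [0.0] * N_FEATURES,                                   # every feature at its minimum
    [10.0] * N_FEATURES,                                  # mid-range values
    [1000.0 * (i + 1) for i in range(N_FEATURES)],        # every feature at its maximum
]

if __name__ == "__main__":
    mins, maxs = fit_min_max(SAMPLE_RECORDS)
    for rec in SAMPLE_RECORDS:
        for row in record_to_image(rec, mins, maxs):
            print(row)
        print()
```

Because the minimum and maximum are fitted on the training records, the same `mins` and `maxs` must be reused when encoding test or live traffic; refitting them on new data would shift the interval boundaries and change the images the CNN sees.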

4.4 Performance Evaluation

Performance evaluation of the proposed hybrid model is carried out by considering the accuracy and the confusion matrix generated from the detection results as shown in Table 3. An attack classified correctly or incorrectly by the model is represented as T (True) or F (False), respectively. P (Positive) and N (Negative) symbolize the prediction results of the hybrid detection model as an attack or benign traffic, respectively. In this sense, four groups (TP, TN, FP, and FN) are considered to categorize the output of the hybrid model. If the detection result of the hybrid model is an attack for testing data, and the detection result is correct, then the result is TP; i.e., the model has detected and classified appropriately the attack; TN indicates that the detection result of the model is positive and correct; i.e., benign traffic is not detected as an attack; FP means that the model predicts the data as an attack, but the detection result is incorrect; i.e., the benign traffic is detected as attack; FN indicates that the model predicts the data as benign traffic, but the detection result is erroneous; i.e., attack traffic is classified as benign traffic. As can be seen in Eq. (3), accuracy (AC) represents the probability that the samples are correctly classified by the hybrid model with respect to the total number of samples.

Table 3 Confusion matrix using the proposed hybrid model

$$ {\text{AC}} = \frac{{\text{TP}} + {\text{TN}}}{{\text{TP}} + {\text{TN}} + {\text{FP}} + {\text{FN}}} $$
(3)

Figure 6 shows that our model can achieve 86.7% detection accuracy in the case of benign traffic (B), 95.3% in the DoS (A2) case, 96.8% for Web Attack (A6), and 97.5% for SSH Patator (A5) when it is applied to a contemporary dataset such as CIC-IDS2017. Also, the accuracy obtained in the classification of DDoS (A1), FTP Patator (A3), and PortScan (A4) attacks is greater than 99%. One possible explanation for the relatively low accuracy in benign traffic is that benign traffic generated by applications such as bittorrent, online video games, or video conferencing is more likely to have been labeled as an attack than an attack as benign traffic. This is an important consideration when choosing a dataset because the dynamic behavior of modern services generates multiple patterns in network traffic measures. In addition, the number of benign data records is the same as the number of records for each attack, so in this work, the probability of a benign data record being classified as an attack is higher than if all the data had been considered.

Fig. 6 Detection accuracy results for the proposed hybrid model

In order to compare the performance of the proposed hybrid model for intrusion detection with other related works, the average of the accuracy obtained for all traffic classes is calculated. Thus, the proposed hybrid model has 96.53% accuracy in the average for intrusion detection. Other models like the one proposed in Wu et al. [22] can achieve a 94.03% accuracy when applying a semantic re-encoding and deep learning model but on the NSL-KDD dataset. Then, the proposed hybrid model outperforms the detection accuracy of this model. Regarding the model proposed in Zhang et al. [25], which is based on an auto-encoder and an LSTM, it achieved 97.6% accuracy for benign traffic classification and 95.3% for the DoS case on the NSL-KDD dataset. If compared to this last case, the proposed hybrid model is capable of detecting DoS attacks with better accuracy.

Similar to the approach in this paper, in [19] and [23] the authors have already proposed a method that converts the traffic data into an image and transforms the anomaly detection problem into an image processing problem. Although these two works also consider the use of CNN as part of their models, they did not contemplate the use of an external classifier to detect the type of attack. In [23], principal component analysis (PCA) is considered for data dimensionality reduction as part of data preprocessing in the entire IDS. Thus, detection accuracy using the IDS-CNN model on the NSL-KDD dataset is 94.0% [23]. Whereas in [19] the CNN is used for intrusion detection with any other technique for image classification of the NSL-KDD traffic patterns, achieving a detection accuracy of 97.8%. Compared with these results, our hybrid approach is capable of detecting several intrusion threats with a similar accuracy but on a contemporary dataset.

5 Conclusions and Future Work

In this work, a hybrid intrusion detection model was implemented using a deep learning framework in combination with traditional machine learning techniques on a modern dataset. Our approach uses convolutional neural networks (CNN) to perform feature extraction of traffic patterns and classification using support vector machines (SVM) to identify the type of attack. Experimental results demonstrated that it is possible to use image processing techniques to characterize network traffic in order to detect anomalies related to intrusion attacks.

Moreover, with the proposed hybrid approach, it was possible to obtain a global accuracy of 96.53% and more than 99% accuracy in the recognition of attacks such as DDoS, FTP Patator, and PortScan. Compared with previous works, the global precision reaches similar values in the recognition of attacks with the advantage that it was tested on a contemporary dataset that contemplates several types of behavior in network traffic. Therefore, the combination of deep learning techniques can be considered an interesting strategy to improve the effectiveness of intrusion detection systems.

An intrusion detection model that is not applied to a real environment does not show its true functionality to protect a network. For this reason, in future work the deployment of the proposed hybrid model in some network environment, either real or simulated, will be carried out. Also, some attacks can be included in the approach such as zero-day attacks. The aim is to build a zero-day attack system and retrain the proposed approach to detect it. Last, new techniques to create images from the dataset (e.g., RGBA) and other classifier models [e.g., K-nearest neighbors (KNN) or random forest (RF)] can be considered to address a new comparative study with the proposed model and other contemporary datasets (e.g., UNSW-NB15 or BOUN).