Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.jisa.2021.102879

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:Low-rate Denial of Service (LDoS) attacks use the low-rate requests to achieve the occupation of the network resources and have strong concealment. The traditional signal analysis based detection methods are challenging to detect LDoS attacks in the fluctuating legitimate traffic. In this paper, an LDoS attack detection method based on hybrid deep neural networks is proposed using one-dimensional convolutional neural network and gated recurrent unit. In order to evaluate the proposed detection method in the real scenarios, we captured real legitimate traffic from a website in the datacenter, and carried out a variety of real LDoS attacks on the mirror of the website in the laboratory environment to obtain real attack traffic. The detection results on the real traffic show that the proposed detection method does not need to extract features manually and can effectively detect LDoS attacks in fluctuating HTTP traffic with an average detection rate of 98.68%, which is more advantageous than MF-DFA or power spectral density based detection methods.

Futai Zou,Dechao Meng,Wentao Gao,Linsen Li

DOI: https://doi.org/10.1109/trustcom53373.2021.00088

2021-01-01

Abstract:DNS attack is one of the main threats to the Internet. Aiming at detecting the privacy leakage of DoH (DNS-over-HTTPS), in this paper, we proposed a model called DePL based on n-shot learning. This model can analyze which websites the user visits by classifying DoH traffic, and then we evaluate the impact of DoH protocol on user privacy leakage risk. In our experiments, we only used 15 training samples to obtain an accuracy of 86.54% in a closed environment. In an open environment, when the threshold is set to 0.7, the model still has an accuracy of 78.86%. Compared with the existing algorithms, DePL solves the problem of insufficient samples in real applications. A small number of training samples can obtain high-accuracy recognition, which proves the possibility of the detection of privacy leakage in DoH traffic.

Muhammad Dawood,Chunagbai Xiao,Shanshan Tu,Faiz Abdullah Alotaibi,Mrim M. Alnfiai,Muhammad Farhan

DOI: https://doi.org/10.7717/peerj-cs.2027

2024-05-28

PeerJ Computer Science

Abstract:This article explores detecting and categorizing network traffic data using machine-learning (ML) methods, specifically focusing on the Domain Name Server (DNS) protocol. DNS has long been susceptible to various security flaws, frequently exploited over time, making DNS abuse a major concern in cybersecurity. Despite advanced attack, tactics employed by attackers to steal data in real-time, ensuring security and privacy for DNS queries and answers remains challenging. The evolving landscape of internet services has allowed attackers to launch cyber-attacks on computer networks. However, implementing Secure Socket Layer (SSL)-encrypted Hyper Text Transfer Protocol (HTTP) transmission, known as HTTPS, has significantly reduced DNS-based assaults. To further enhance security and mitigate threats like man-in-the-middle attacks, the security community has developed the concept of DNS over HTTPS (DoH). DoH aims to combat the eavesdropping and tampering of DNS data during communication. This study employs a ML-based classification approach on a dataset for traffic analysis. The AdaBoost model effectively classified Malicious and Non-DoH traffic, with accuracies of 75% and 73% for DoH traffic. The support vector classification model with a Radial Basis Function (SVC-RBF) achieved a 76% accuracy in classifying between malicious and non-DoH traffic. The quadratic discriminant analysis (QDA) model achieved 99% accuracy in classifying malicious traffic and 98% in classifying non-DoH traffic.

computer science, information systems, artificial intelligence, theory & methods

Qasem Abu Al-Haija,Manar Alohaly,Ammar Odeh

DOI: https://doi.org/10.3390/s23073489

2023-03-27

Abstract:The Domain Name System (DNS) protocol essentially translates domain names to IP addresses, enabling browsers to load and utilize Internet resources. Despite its major role, DNS is vulnerable to various security loopholes that attackers have continually abused. Therefore, delivering secure DNS traffic has become challenging since attackers use advanced and fast malicious information-stealing approaches. To overcome DNS vulnerabilities, the DNS over HTTPS (DoH) protocol was introduced to improve the security of the DNS protocol by encrypting the DNS traffic and communicating it over a covert network channel. This paper proposes a lightweight, double-stage scheme to identify malicious DoH traffic using a hybrid learning approach. The system comprises two layers. At the first layer, the traffic is examined using random fine trees (RF) and identified as DoH traffic or non-DoH traffic. At the second layer, the DoH traffic is further investigated using Adaboost trees (ADT) and identified as benign DoH or malicious DoH. Specifically, the proposed system is lightweight since it works with the least number of features (using only six out of thirty-three features) selected using principal component analysis (PCA) and minimizes the number of samples produced using a random under-sampling (RUS) approach. The experiential evaluation reported a high-performance system with a predictive accuracy of 99.4% and 100% and a predictive overhead of 0.83 µs and 2.27 µs for layer one and layer two, respectively. Hence, the reported results are superior and surpass existing models, given that our proposed model uses only 18% of the feature set and 17% of the sample set, distributed in balanced classes.

Shaojie Chen,Bo Lang,Hongyu Liu,Duokun Li,Chuan Gao

DOI: https://doi.org/10.1016/j.cose.2020.102095

2021-05-01

Abstract:<p>DNS is a kind of basic network protocol that is rarely blocked by firewalls; therefore, it is used to build covert channels. Malicious DNS covert channels play an important role in data exfiltration and botnets and do great harm to the network environment. To detect DNS covert channels, researchers extract multiple features from different perspectives of DNS traffic. At present, many detection methods using machine learning are based on manual features, which usually include complex data preprocessing and feature extraction. Additionally, these methods seriously rely on expert knowledge, and some potential features are hard to discover. To address these problems, we propose a DNS covert channel detection method using the LSTM model, which does not rely on feature engineering. First, we use the FQDNs of DNS packets as the input and implement an end-to-end detection approach using LSTM. Then, we filter the detection results of the LSTM model with the grouped filtering method to further reduce the false positive rate. Using the packets from the Internet and the packets generated by running different DNS covert channel tools, we construct our datasets, in which generalization test datasets are included in addition to the FQDN and the DNS packet datasets for model training. Our method achieves an accuracy rate of 99.38% on the test dataset and a recall rate of 98.52% on the generalization test dataset, which are better than the state-of-the-art methods. This method is also tested in a real network environment and has detected multiple malicious DNS covert channel events.</p>

computer science, information systems

Cong Dong,Jiahai Yang,Yun Li,Yue Wu,Yufan Chen,Chenglong Li,Haoran Jiao,Xia Yin,Yuling Liu

2024-03-19

Abstract:In recent years, DNS over Encrypted (DoE) methods have been regarded as a novel trend within the realm of the DNS ecosystem. In these DoE methods, DNS over HTTPS (DoH) provides encryption to protect data confidentiality while providing better obfuscation to avoid censorship by multiplexing port 443 with web services. This development introduced certain inconveniences in discovering publicly available DoH services. In this paper, we propose the E-DoH method for elegant and efficient DoH service detection. First, we optimized the probing mechanism to enable a single DoH connection to accomplish multiple tasks including service discovery, correctness validation and dependency construction. Second, we propose an efficient DoH detection tool. This tool can enhance probing efficiency while significantly reduce the required traffic volume. Third, based on the above optimization methods, we conducted an exploration of the IPv4 space and performed an in-depth analysis of DoH based on the collected information. Through experiments, our approach demonstrates a remarkable 80% improvement in time efficiency, and only requires 4%-20% traffic volume to complete the detection task. In wild detection, our approach discovered 46k DoH services, which nearly doubles the number discovered by the state-of-the-art. Based on the collected data, we present several intriguing conclusions about the current DoH service ecosystem.

Cryptography and Security,Networking and Internet Architecture

Siyu Zhang,Zhipeng Han,Kaida Jiang

DOI: https://doi.org/10.1109/ICPICS58376.2023.10235404

2023-01-01

Abstract:In recent years, malicious software that utilizes covert channels to transmit private data has become increasingly prevalent. The privacy information of affected users, such as accounts and passwords, is quietly transmitted to attackers. Hackers commonly employ covert tunnels that utilize the Domain Name System (DNS) to achieve this, transmitting stolen information through malicious domains. Traditional DNS tunneling techniques generate significant communication traffic, and related research has delved deeper into this area. However, they face challenges in detecting malicious software that transmits data at low rates. This paper proposes a DNS data leakage detection algorithm based on anomaly detection models. Through experimental verification combining simulated attacks with real data, this algorithm demonstrates high detection rates for low-rate data leakage channels, while also maintaining good detection performance for traditional DNS tunnels.

Franco Palau,Carlos Catania,Jorge Guerra,Sebastian Garcia,Maria Rigaki

DOI: https://doi.org/10.48550/arXiv.2006.06122

2020-06-15

Abstract:Domain Name Service is a trusted protocol made for name resolution, but during past years some approaches have been developed to use it for data transfer. DNS Tunneling is a method where data is encoded inside DNS queries, allowing information exchange through the DNS. This characteristic is attractive to hackers who exploit DNS Tunneling method to establish bidirectional communication with machines infected with malware with the objective of exfiltrating data or sending instructions in an obfuscated way. To detect these threats fast and accurately, the present work proposes a detection approach based on a Convolutional Neural Network (CNN) with a minimal architecture complexity. Due to the lack of quality datasets for evaluating DNS Tunneling connections, we also present a detailed construction and description of a novel dataset that contains DNS Tunneling domains generated with five well-known DNS tools. Despite its simple architecture, the resulting CNN model correctly detected more than 92% of total Tunneling domains with a false positive rate close to 0.8%.

Cryptography and Security,Machine Learning

Yongjie Wang,Chuanxin Shen,Dongdong Hou,Xinli Xiong,Yang Li

DOI: https://doi.org/10.3390/app122412644

2022-12-09

Applied Sciences

Abstract:In this paper, in order to accurately detect Domain Name System (DNS) covert channels based on DNS over HTTPS (DoH) encryption and to solve the problems of weak single-feature differentiation and poor performance in the existing detection methods, we have designed a DoH-encrypted DNS covert channel detection method based on features fusion, called FF-MR. FF-MR is based on a Multi-Head Attention and Residual Neural Network. It fuses session statistical features with multi-channel session byte sequence features. Some important features that play a key role in the detection task are screened out of the fused features through the calculation of the Multi-Head Attention mechanism. Finally, a Multi-Layer Perceptron (MLP) is used to detect encrypted DNS covert channels. By considering both global and focused features, the main idea of FF-MR is that the degree of correlation between each feature and all other features is expressed as an attention weight. Thus, features are re-represented as the result of the weighted fusion of all features using the Multi-Head Attention mechanism. Focusing on certain important features according to the distribution of attention weights improves the detection performance. While detecting the traffic in encrypted DNS covert channels, FF-MR can also accurately identify encrypted traffic generated by the three DNS covert channel tools. Experiments on the CIRA-CIC-DoHBrw-2020 dataset show that the macro-averaging recall and precision of the FF-MR method reach 99.73% and 99.72%, respectively, and the macro-averaging F1-Score reached 0.9978, which is up to 4.56% higher than the existing methods compared in the paper. FF-MR achieves at most an 11.32% improvement in macro-averaging F1-Score in identifying three encrypted DNS covert channels, indicating that FF-MR has a strong ability to detect and identify DoH-encrypted DNS covert channels.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Ruming Tang,Cheng Huang,Yanti Zhou,Haoxian Wu,Xianglin Lu,Yongqian Sun,Qi Li,Jinjin Li,Weiyao Huang,Siyuan Sun,Dan Pei

DOI: https://doi.org/10.1007/978-3-030-63095-9_1

2020-01-01

Abstract:DNS is a key protocol of the Internet infrastructure, which ensures network connectivity. However, DNS suffers from various threats. In particular, DNS covert communication is one serious threat in enterprise networks, by which attackers establish stealthy communications between internal hosts and remote servers. In this paper, we propose D \({^2}\)C\(^2\) (Detection of DNS Covert Communication), a practical and flexible machine learning-based framework to detect DNS covert communications. D \({^2}\)C\(^2\) is an end-to-end framework contains modular detection models including supervised and unsupervised ones, which detect multiple types of threats efficiently and flexibly. We have deployed D \({^2}\)C\(^2\) in a large commercial bank with 100 millions of DNS queries per day. During the deployment, D \({^2}\)C\(^2\) detected over 4k anomalous DNS communications per day, achieving high precision over 0.97 on average. It uncovers a significant number of unnoticed security issues including seven compromised hosts in the enterprise network.

Sandra Siby,Marc Juarez,Claudia Diaz,Narseo Vallina-Rodriguez,Carmela Troncoso

DOI: https://doi.org/10.48550/arXiv.1906.09682

2019-10-07

Abstract:Virtually every connection to an Internet service is preceded by a DNS lookup which is performed without any traffic-level protection, thus enabling manipulation, redirection, surveillance, and censorship. To address these issues, large organizations such as Google and Cloudflare are deploying recently standardized protocols that encrypt DNS traffic between end users and recursive resolvers such as DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). In this paper, we examine whether encrypting DNS traffic can protect users from traffic analysis-based monitoring and censoring. We propose a novel feature set to perform the attacks, as those used to attack HTTPS or Tor traffic are not suitable for DNS' characteristics. We show that traffic analysis enables the identification of domains with high accuracy in closed and open world settings, using 124 times less data than attacks on HTTPS flows. We find that factors such as location, resolver, platform, or client do mitigate the attacks performance but they are far from completely stopping them. Our results indicate that DNS-based censorship is still possible on encrypted DNS traffic. In fact, we demonstrate that the standardized padding schemes are not effective. Yet, Tor -- which does not effectively mitigate traffic analysis attacks on web traffic -- is a good defense against DoH traffic analysis.

Cryptography and Security

Andreas Berg,Daniel Forsberg

DOI: https://doi.org/10.48550/arXiv.1906.11246

2019-06-26

Abstract:DNS is a distributed, fault tolerant system that avoids a single point of failure. As such it is an integral part of the internet as we use it today and hence deemed a safe protocol which is let through firewalls and proxies with no or little checks. This can be exploited by malicious agents. Network forensics is effective but struggles due to size of data and manual labour. This paper explores to what extent predictive models can be used to predict network traffic, what protocols are tunneled in the DNS protocol and more specifically whether the predictive performance is enhanced when analyzing DNS-queries and responses together and which feature set that can be used for DNS-tunneled network prediction. The tested protocols are SSH, SFTP and Telnet and the machine learning models used are Multi Layered Perceptron and Random Forests. To train the models we extract the IP Packet length, Name length and Name entropy of both the queries and responses in the DNS traffic. With an experimental research strategy it is empirically shown that the performance of the models increases when training the models on the query and respose pairs rather than using only queries or responses. The accuracy of the models is >83% and reduction in data size when features are extracted is roughly 95%. Our results provides evidence that machine learning is a valuable tool in detecting network protocols in a DNS tunnel and that only an small subset of network traffic is needed to detect this anomaly.

Cryptography and Security,Machine Learning

Minzhao Lyu,Hassan Habibi Gharakheili,Vijay Sivaraman

DOI: https://doi.org/10.1145/3547331

2022-07-08

Abstract:The domain name system (DNS) that maps alphabetic names to numeric Internet Protocol (IP) addresses plays a foundational role for Internet communications. By default, DNS queries and responses are exchanged in unencrypted plaintext, and hence, can be read and/or hijacked by third parties. To protect user privacy, the networking community has proposed standard encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) for DNS communications, enabling clients to perform secure and private domain name lookups. We survey the DNS encryption literature published since 2016, focusing on its current landscape and how it is misused by malware, and highlighting the existing techniques developed to make inferences from encrypted DNS traffic. First, we provide an overview of various standards developed in the space of DNS encryption and their adoption status, performance, benefits, and security issues. Second, we highlight ways that various malware families can exploit DNS encryption to their advantage for botnet communications and/or data exfiltration. Third, we discuss existing inference methods for profiling normal patterns and/or detecting malicious encrypted DNS traffic. Several directions are presented to motivate future research in enhancing the performance and security of DNS encryption.

Cryptography and Security,Networking and Internet Architecture

Sergio Salinas Monroy,Aman Kumar Gupta,Garrett Wahlstedt

2023-10-17

Abstract:To maintain the privacy of users' web browsing history, popular browsers encrypt their DNS traffic using the DNS-over-HTTPS (DoH) protocol. Unfortunately, encrypting DNS packets prevents many existing intrusion detection systems from using plaintext domain names to detect malicious traffic. In this paper, we design an autoencoder that is capable of detecting malicious DNS traffic by only observing the encrypted DoH traffic. Compared to previous works, the proposed autoencoder looks for anomalies in DoH traffic, and thus can detect malicious traffic that has not been previously observed, i.e., zero-day attacks. We run extensive experiments to evaluate the performance of our proposed autoencoder and compare it to that of other anomaly detection algorithms, namely, local outlier factor, one-class support vector machine, isolation forest, and variational autoencoders. We find that our proposed autoencoder achieves the highest detection performance, with a median F-1 score of 99\% over several types of malicious traffic.

Cryptography and Security

Xiaoqing Sun,Zhiliang Wang,Jiahai Yang,Xinran Liu

DOI: https://doi.org/10.1016/j.cose.2020.102057

IF: 5.105

2020-01-01

Computers & Security

Abstract:As an essential network service, the Domain Name System (DNS) is widely abused by attackers, making malicious domain detection a crucial task when combating cybercrimes. The increasing sophistication of attackers calls for new detection methods against novel threats and evasions. In this paper, we analyze the DNS scene and design an intelligent malicious domain detection system, named DeepDom. With joint consideration of both domain’s local features and their global associations, DeepDom is more accurate and is harder for attackers to evade. In DeepDom, we first represent the DNS scene as a Heterogeneous Information Network (HIN) with diverse entities like clients, domains, IP addresses, and accounts to capture richer information. Then, considering the heterogeneous and dynamic nature of DNS, we propose a novel Graph Convolutional Network (GCN) method named SHetGCN to inductively classify domain nodes in the HIN. By guiding the convolution operations with meta-path based short random walks, SHetGCN can jointly handle node features together with structural information and support inductive node embedding. We build a prototype of DeepDom and validate its effectiveness with comprehensive experiments over the DNS data collected from a real-world network, CERNET2. The comparison results demonstrate that our approaches outperform other state-of-the-art techniques.

Futai Zou,Yundong Ren,Jiachen Zhu,Junhua Tang

DOI: https://doi.org/10.1109/hpcc-dss-smartcity-dependsys53884.2021.00090

2021-01-01

Abstract:In recent years, privacy data leakage has become a hot topic of security. After malware controls the target client, it needs to bypass the existing security defense to transmit the data to the controller. DNS is a common communication protocol in the network, thus traditional defense methods will not place strict restrictions on DNS traffic. Researchers have found various domain requests for covert data transmission in DNS traffic. In the past ten years, people have only noticed the communication of DNS tunnels, but the new kind of DNS data leakage has a more covert transmission mode through sub-domain name coding and other ways. DNS data leakage exhibits low traffic volume and periodicity, which is totally different from DNS tunnels with bi-directional data exchange and high traffic volume. In this paper, a detection model named as LSTM-AE is proposed. LSTM-AE integrates LSTM-based time-series characterization and unsupervised autoencoder to detect data leakage malware through DNS traffic. Experimental results show the detection performance of LSTM-AE is better than other ML-based methods and several unknown malicious domains related data leakage have been detected with real-world DNS traffic.

Timm Boettger,Felix Cuadrado,Gianni Antichi,Eder Leao Fernandes,Gareth Tyson,Ignacio Castro,Steve Uhlig

DOI: https://doi.org/10.48550/arXiv.1909.06192

2019-09-13

Abstract:DNS is a vital component for almost every networked application. Originally it was designed as an unencrypted protocol, making user security a concern. DNS-over-HTTPS (DoH) is the latest proposal to make name resolution more secure. In this paper we study the current DNS-over-HTTPS ecosystem, especially the cost of the additional security. We start by surveying the current DoH landscape by assessing standard compliance and supported features of public DoH servers. We then compare different transports for secure DNS, to highlight the improvements DoH makes over its predecessor, DNS-over-TLS (DoT). These improvements explain in part the significantly larger take-up of DoH in comparison to DoT. Finally, we quantify the overhead incurred by the additional layers of the DoH transport and their impact on web page load times. We find that these overheads only have limited impact on page load times, suggesting that it is possible to obtain the improved security of DoH with only marginal performance impact.

Networking and Internet Architecture

Xiaoqing Sun,Mingkai Tong,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.1909.01590

2019-09-04

Cryptography and Security

Abstract:Domain name system (DNS) is a crucial part of the Internet, yet has been widely exploited by cyber attackers. Apart from making static methods like blacklists or sinkholes infeasible, some weasel attackers can even bypass detection systems with machine learning based classifiers. As a solution to this problem, we propose a robust domain detection system named HinDom. Instead of relying on manually selected features, HinDom models the DNS scene as a Heterogeneous Information Network (HIN) consist of clients, domains, IP addresses and their diverse relationships. Besides, the metapath-based transductive classification method enables HinDom to detect malicious domains with only a small fraction of labeled samples. So far as we know, this is the first work to apply HIN in DNS analysis. We build a prototype of HinDom and evaluate it in CERNET2 and TUNET. The results reveal that HinDom is accurate, robust and can identify previously unknown malicious domains.

Love Allen Chijioke Ahakonye,Gabriel Chukwunonso Amaizu,Cosmas Ifeanyi Nwakanma,Jae Min Lee,Dong-Seong Kim

DOI: https://doi.org/10.23919/jcn.2023.000067

2024-03-06

Journal of Communications and Networks

Abstract:The domain name system (DNS) has evolved into an essential component of network communications, as well as a critical component of critical industrial systems (CIS) and Supervisory Control and Data Acquisition (SCADA) network connection. DNS over HTTPS (DoH) encapsulating DNS within hypertext transfer protocol secure (HTTPS) does not eliminate network access exploitation. This paper proposes a hybrid deep learning model for the early classification of encoded network traffic into one of the two classes: DoH and NonDoH. They can be malicious, benign, or zero-day attacks. The proposed scheme incorporates the swiftness of the convolutional neural network (CNN) in extracting useful information and the ease of long short-term memory (LSTM) in learning long-term dependencies. The simulation results showed that the proposed approach accurately classifies the encoded network traffic as DoH or NonDoH and characterizes the traffic as benign, zero-day, or malicious. The proposed robust hybrid deep learning model had high accuracy and precision of 99.28%, recall of 99.75%, and AUC of 0.9975 at a minimal training and testing time of 745s and 0.000324 s, respectively. In addition to outperforming other compared contemporary algorithms and existing techniques, the proposed technique significantly detects all attack types. This study also investigated the impact of the SMOTE technique as a tool for data balancing. To further validate the reliability of the proposed scheme, an industrial control system SCADA (ICS-SCADA) dataset, in addition to two (2) other cyber-security datasets (NSL-KDD and CICDS2017), were evaluated. Mathews correlation coefficient (MCC) was employed to validate the model performance, confirming the applicability of the proposed model in a critical industrial system such as SCADA.

computer science, information systems,telecommunications

Geetha T V,Deepa A J,Mary Linda M

DOI: https://doi.org/10.1007/s10489-024-05505-y

IF: 5.3

2024-05-25

Applied Intelligence

Abstract:The Intrusion Detection System (IDS) distinguishes the harmful entries from the normal ones in network traffic data and aids in network security. Due to the emergence of new and unknown network-connected devices, a lot of modern systems were penetrated. As a result, it is critical to improve information security and to detect new cyber-attacks exploiting various application protocols such as Hyper Text Transfer Protocol (HTTP) and Domain Name System (DNS). Therefore, this paper introduced an Optimized Bidirectional Convolutional Neural Network and Long-Short term Memory (OBCLSTM) method to detect whether the protocol HTTP and DNS is attacked or not. Initially, the records are fed to data normalization and data encoding. After pre-processing, the vectors are fed to the OBCLSTM model. The Bidirectional Channel Pooling (BiCP) layer is used to learn behavior-based features (which show interactions among hosts based on ports, destinations and behavior) and flow-based features (which identify basic flows, such as IP addresses of source-destination and ports), which improves the accuracy of detecting malicious attacks. In the OBCLSTM model, the best hyper parameter configuration for Convolutional Neural Network (CNN) to learn features is tuned using Enhanced Red Fox Optimization (ERFO). Then, bidirectional long short-term memory (BiLSTM) is used to extract features in the time domain and has the ability to preserve the long-term of the information from historical context, allowing attackers to be detected early before causing widespread damage to networks. Finally, the fully connected layer utilizes these features to classify the network data as attacks (types of attacks) or normal. Tests are conducted on the NSL - KDD99, TUIDS, UNSW-NB15 and BoT-IoT datasets. The proposed OBCLSTM method attains better performance in terms of precision, accuracy, recall, and F-measure.

computer science, artificial intelligence