A multimodal hybrid parallel network intrusion detection model

Abstract

With the rapid growth of Internet data traffic, the means of malicious attack become more diversified. The single modal intrusion detection model cannot fully exploit the rich feature information in the massive network traffic data, resulting in unsatisfactory detection results. To address this issue, this paper proposes a multimodal hybrid parallel network intrusion detection model (MHPN). The proposed model extracts network traffic features from two modalities: the statistical information of network traffic and the original load of traffic, and constructs appropriate neural network models for each modal information. Firstly, a two-branch convolutional neural network is combined with Long Short-Term Memory (LSTM) network to extract the spatio-temporal feature information of network traffic from the original load mode of traffic, and a convolutional neural network is used to extract the feature information of traffic statistics. Then, the feature information extracted from the two modalities is fused and fed to the CosMargin classifier for network traffic classification. The experimental results on the ISCX-IDS 2012 and CIC-IDS-2017 datasets show that the MHPN model outperforms the single-modal models and achieves an average accuracy of 99.98$\mathrm{\%}$. The model also demonstrates strong robustness and a positive sample recognition rate.

Keywords:

• Intrusion detection
• network traffic
• convolutional neural network
• long short-term memory (LSTM)

1. Introduction

The acceleration of the construction (Yang et al., 2022) of new-generation information infrastructure, the rapid iterative upgrading of digital technology, and the rise of digital platforms in various fields have resulted in a surge in global Internet traffic. And the COVID-19 pandemic has further accelerated global digitisation, leading to exponential growth in Internet traffic. Simultaneously, malicious attack traffic has grown even faster with frequent various network attacks, posing a severe threat to network security and even national security.

Intrusion Detection System (IDS) (Ahmim et al., 2018) is an effective security mechanism for monitoring network traffic and preventing malicious requests. The attack behaviour can be detected by analysing the data traffic generated by network users. Traditional Machine Learning (ML) techniques have been widely used in IDS. However, IDS based on traditional ML require professional researchers to annotate features, which cannot adapt to the dynamic and challenging network environment. With the development of Deep Learning (DL) technology, convolutional neural network (CNN) (Liu & Zhang, 2020, may), recurrent neural network (RNN) (Yin et al., 2017) and Long Short-Term Memory (LSTM) (Roy et al., 2017) are becoming increasingly popular in intrusion detection.

The existing IDS based on DL lack flexibility and adaptability. Only a single mode is used in the end-to-end DL IDS, resulting in significant deviations in the detection results. This is a major issue in intrusion detection, as small deviations in detection can lead to more attacks and potential threats (Z. Wang et al., 2022). Network security researchers often make a comprehensive judgment through various information such as abnormal traffic information, traffic load content, and communication interaction process when auditing and analysing malicious traffic. Multimodal learning is a method that seeks to process and understand different modal information through ML and DL. It is more closely aligned with the general laws of human understanding of the world than traditional ML methods that rely on a single mode.

Moreover, data imbalance (Buda et al., 2018; Cai et al., 2022) is a serious problem in intrusion detection research based on DL and ML, which significantly affects the performance of intrusion detection algorithms. Data imbalance refers to the huge difference in the amount of traffic attack data of different categories. To reduce the impact of data imbalance on the accuracy of the IDS, this paper carries out data unbalance processing onthe input of each modality and uses the feature screening method for the statistical traffic information mode to delete redundant features and retain the features with stronger distinguishing ability. For the original data mode of the data stream, the original feature distribution of the stream is retained. And an improved original feature extraction algorithm of the data stream is proposed, which avoids the introduction of too many 0 elements that are not conducive to network learning and accelerates the convergence speed of the network.

In this paper, a parallel network intrusion detection model based on multimodal feature fusion is proposed, combining multimodal DL methods with intrusion detection technology, to make full use of complex network traffic information and further improve the performance of IDS. The main contributions of this paper are summarised as follows.

1. A hybrid parallel network intrusion detection model (MHPN) is proposed. The network traffic characteristics are extracted from the statistical information of network traffic and the original load of traffic, and the appropriate neural network models are constructed for different modal information. Firstly, a two-branch CNN combined with LSTM network is used to extract the spatio-temporal feature information of network traffic for the original load mode of traffic, and CNN is used to extract the feature information of traffic statistics. Then, the feature information extracted from the two modalities is fused and fed to the CosMargin classifier for network traffic classification.

2. Ablation experiments were conducted on the ISCX-IDS 2012 and CIC-IDS-2017 datasets to evaluate the performance of the MHPN model. The results of the experiments demonstrate that the MHPN model is capable of effectively dealing with unbalanced abnormal traffic data, improving the accuracy of anomaly detection, and exhibiting strong robustness and a positive sample recognition rate. Furthermore, compared with the single modal model, the experimental the results indicate that the MHPN model is significantly better in terms of intrusion detection performance. The proposed model can also improve the security and reliability of industrial internet of things (IIoT), a recent research area that connects digital devices and services with physical systems. The IIoT produces large volumes of data from multiple sensors, but also faces various cyberattacks that threaten its operations and information.

The rest of the paper is organised as follows. Section 2 begins with a description of related work. Section 3 is design and method of the model. Section 4 conducts simulation experiments on the proposed model. Section 5 concludes the paper (Table 1).

Table 1. Table of acronyms.

Acronym	Full name
IDS	Intrusion Detection System
ML	Machine Learning
DL	Deep Learning
CNN	Convolutional Neural Network
RNN	Recurrent Neural Network
LSTM	Long Short-Term Memory
FCN	Fully Convolutional Network
CV	Computer Vision
IIoT	Industrial Internet of Things
KMP	Knuth-Morris-Pratt Algorithm
BM	Boyer-Moore Algorithm
BMH	Boyer-Moore-Horspool Algorithm
BMHS	Boyer-Moore-Horspool-Sunday Algorithm
DT	Decision Tree
SVM	Support Vector Machine
MHPN	Multimodal Hybrid Parallel Network Intrusion Detection Model
PCCN	Parallel Cross-fused Convolutional Neural Network

Table 2. Related work.

Author	Method	Pattern matching	ML	DL	Multimodal	Year
Wu and Shen	AC-BM	Yes				2012
Hnaif et al.	PDMA	Yes				2021
Anthi et al.	A Supervised Intrusion Detection System for Smart Home IoT Devices		Yes			2019
Jan et al.	SVM		Yes			2019
J. Li et al.	AI-Based Two-Stage Intrusion Detection for Software Defined IoT Networks		Yes			2019
Dong et al.	Real-Time Network Intrusion Detection System Based on Deep Learning			Yes		2019
Bontemps et al.	Collective Anomaly Detection Based on Long Short-Term Memory Recurrent Neural Networks			Yes		2016
Y. Zhang et al.	PCCN			Yes		2019
X. Wang et al.	App-Net				Yes	2020
Aceto et al.	MIMETIC				Yes	2019
Aceto et al.	DISTILLER				Yes	2021

2. Related work

Existing methods for intrusion detection are typically classified into three categories, namely traditional pattern matching, ML, and DL.

In the early stages of the study, pattern matching algorithms were commonly used. It is the central algorithm utilised in IDS based on feature matching (H. Zhang, 2009). Wu and Shen (2012) summarise the pattern matching algorithms used in IDS, which include the KMP, BM, BMH, BMHS, AC, and AC-BM. To improve matching speed, an improved AC-BM algorithm is proposed. Hnaif et al. (2021) Parallelize the Direct Matching Algorithm (PDMA) using OpenMP technology under multi-core architecture to implement PDMA and improve the speed of the IDS detection engine. However, traditional pattern matching algorithms exhibit high false negative and false positive rates, which cannot meet the requirements of IDS.

To overcome these limitations, scholars have increasingly turned to combine traditional ML with IDS, resulting in promising outcomes. Anthi et al. (2019) propose a three-layer intrusion detection system and employ Decision Tree (DT) for attack classification. Jan et al. (2019) utilise Support Vector Machine (SVM) to detect abnormal traffic, extracted a feature pool from samples, and used the remaining label vectors to train SVM, which yielded satisfactory classification accuracy. J. Li et al. (2019) propose a two-stage intrusion detection system. that employs bat algorithm, population splitting, and binary differential mutation to select typical features, and then utilises the random forest to adaptively adjust sample weight for traffic classification.

Although IDS based on traditional ML address the issues of traffic classification and computational cost, it requires researchers in the field of network security to label features as well as extensive preprocessing of abnormal traffic data and intricate feature engineering (Guo & Han, 2023; Su et al., 2020). In the complex and dynamic network environment, ML methods cannot resolve the problem of massive abnormal traffic classification.

Considering the limitations of IDS based on traditional ML, network security researchers have applied DL to IDS. DL (Alzubaidi et al., 2021) is a branch of ML. IDS based on DL achieves automatic feature extraction by automatically obtaining structured table features and directly inputting raw data for training. At present, DL has achieved remarkable results in the field of intrusion detection. CNNs and their related architectures, such as LeNet-5 (Lecun et al., 1998), have gained considerable attention due to their outstanding performance in computer vision (CV) (He et al., 2016). Although CNN architectures are commonly applied to CV problems, they have demonstrated promising results in IDS (Dong et al., 2019; Vinayakumar et al., 2017). LSTM networks are highly suitable for classification and prediction based on time series data. Bontemps et al. (2016) propose a real-time anomaly detection model based on neural network learning, which employs LSTM to train with normal time series data before performing real-time prediction for each time step. Experiments show that the model can provide effective anomaly detection. Y. Zhang et al. (2019) propose a DL model with two-layer parallel learning cross fusion (PCCN) to learn flow features by fusing two-branch CNNs and improve the detection results of unbalanced abnormal flows.

DL has yielded promising results in traffic classification, however, current IDS based on DL are limited in their flexibility and adaptability in the face of rapidly increasing network traffic. These systems utilise only a single mode and do not fully exploit the heterogeneous nature of traffic data, leading to significant discrepancies in the results obtained. Since minor deviations in detection can result in additional attacks and potential security threats (Cai et al., 2022). Multimodal learning is a promising technique for network intrusion detection, as it can leverage the rich and diverse information in network traffic data, such as traffic statistics and raw payload, to enhance the performance and robustness of traffic classification models. X. Wang et al. (2020) proposed App-Net, a hybrid neural network based method for encrypted mobile traffic classification, which combines bidirectional Long Short-Term Memory network (bi-LSTM) and one-dimensional Convolutional neural network (1D-CNN) to extract effective features from the packet length sequence of TLS bidirectional flow and the payload bytes of initial packets, respectively. Then, a feature fusion layer is used to learn a joint flow-app embedding, which can differentiate various mobile apps. MIMETIC (Aceto et al., 2019) can exploit the heterogeneity of traffic data, learn the characteristics of different views, and capture the dependencies between views, to improve the traffic classification performance in mobile scenarios. DISTILLER (Aceto et al., 2021) can simultaneously solve multiple traffic classification tasks by leveraging different types of input data, such as payload bytes and header fields. The method uses a two-step training process to learn intra-modality and inter-modality dependencies and avoid overfitting. Existing works on multimodal deep learning for traffic classification have some limitations regarding the use environment, feature extraction, feature fusion and classification tasks. To overcome these limitations and achieve better results, we propose a novel multimodal deep learning model for traffic classification in this paper.

3. Design and method of the model

In this section, a multimodal hybrid parallel network intrusion detection model, called MHPN, is proposed. MHPN selects appropriate sub-models for training on two different modes, namely statistical traffic information and original traffic load, and then fuses the output results of multiple models to integrate different types of features to enhance the performance of the model detection. As illustrated in Figure 1, for the training of traffic statistics, a CNN is employed in this paper to extract spatial feature information in traffic statistics. Additionally, a parallel DL model that fuses spatio-temporal features is applied in the training of the original load of traffic. Two parallel CNNs are utilised to extract spatial information, and then the fused features are fed into two parallel LSTMs to analyse the temporal information of the fused features. The processed feature information of the two modalities is fused, and finally, the CosMargin classifier is utilised for classification.

Figure 1. Network structure diagram.

3.1. Parallel cross-fused spatio-temporal feature sub-model

In this paper, a parallel cross-fused spatio-temporal feature model is proposed to process the raw traffic data. The model consists of two parallel CNNs for spatial features extraction and two parallel LSTMs for temporal features extraction. Moreover, feature fusion technology is employed to cross-fuse the features of the two branches, thus enhancing the robustness of the learned features.

A parallel cross-fused spatio-temporal feature sub-model is proposed to extract spatio-temporal features. The upper branch utilises the integration of a Fully Convolutional Network (FCN) (Long et al., 2015) and an LSTM, while the lower layer utilises a conventional CNN combined with an LSTM. Furthermore, multiple feature of the upper and lower layers are cross-fused to strengthen the features. The network learns more discriminative and robust features by fusing the features extracted from the two branch networks.

3.1.1. Upper branch

The upper branch can extract richer feature information in network traffic for highly imbalanced small-sample attacks. The FCN has the characteristic of using convolutional layers in the network to replace the pooling layer. The MHPN model replaces the pooling layer with convolution for downsampling. The upper branch employs a fully convolutional layer, which convolves the input four times using four convolutional layers. The first and third convolutional layers have a kernel size of 3, a padding of 1, and a step size of 1. Meanwhile, the second and fourth convolutional layers have a kernel size of 3, a padding of 1, and a step size of 2.

The four-step convolution operation in the upper branch has two main advantages over the traditional convolution plus pooling operation.

1. It extracts richer semantic information from streaming data without losing traffic information, thanks to the increased number of convolutional layers.

2. It allows for more robustness by enabling flexible control of the network parameters, which prevents overfitting.

3.1.2. Lower branch

The lower branch can extract the spatial and temporal feature information of network traffic. For complex network traffic, too many redundant features are learned when convolution is performed. The pooling operation reduces redundant features by dividing the input into several regions and outputting only one value as a feature. Since each packet in a data stream contains varying information and malicious traffic often contains less information, the analysis needs to consider the invariance of different packets. The pooling layer can provide translation, rotation, and scale invariance to facilitate this analysis. In the lower branch, convolution and pooling are combined to remove redundant information, expand the perception field, and reduce the dimension and the number of parameters.

3.1.3. Feature fusion

The parallel cross-fused spatio-temporal feature sub-model is proposed, which uses four feature fusion operations. Different from the previous feature fusion using channel concatenation operation, both channel concatenation and addition operations are involved in our paper. The convolution kernels for each output channel are independent, thus allowing for the examination of the output of a single channel. Suppose the two input channels are $X1,X2,\dots ,Xc$ and $Y1,Y2,\dots Yc$. Then the single output channel of the channel concatenation is: (1) $Z_{\mathrm{concat}}=\sum _{i=1}^c{X}_i⨂K_i+\sum _{i=1}^c{Y}_i⨂K_{i+c}$(1) The single output channel for the addition operation is: (2) $Z_{\mathrm{add}}=\sum _{i=1}^c(X_i+Y_i)⨂K_i=\sum _{i=1}^c{X}_i⨂K_i+\sum _{i=1}^c{Y}_i⨂K_i$(2) Therefore, the addition operation can be used instead of the channel concatenation operation when the two inputs have semantically similar properties of the corresponding channels' feature graph, which saves more parameters and computation. In the parallel cross-fused spatio-temporal feature sub-model, the CNN semantics of the upper and lower layers of the branch are similar. To reduce the network overhead, the first three feature cross fusion uses the addition operation to fuse the features of the two layers of the CNN. The channel concatenation operation is then used before passing to the LSTM to avoid information loss.

3.2. CNN sub-model

CNNs are a type of neural network that possess the characteristics of local connection and weight sharing and have been shown to achieve good results in the field of computer vision (D. Li et al., 2022a; Rawat & Wang, 2017; Shen et al., 2022, december). The convolutional layer is used to extract the spatial features of network traffic, and ReLU is selected as the activation function. Compared to Sigmoid and other functions, ReLU has a more effective gradient descent and backpropagation, as well as a simpler calculation process.

The output of the convolution neuron is as follows: (3) $y_i=max(0,\sum _{iϵ[0,n]}^{}x[i:i+c,:\mathrm{channel}]\ast c_j+b_j)$(3) Where i represents the position after convolution, j represents the convolution kernel sequence number, c represents the convolution kernel length, and b represents the bias.

In order to address the issue of imbalanced abnormal traffic data, a batch normalisation layer is added after each convolutional layer to ensure that all batch data is distributed uniformly and then input to the next layer. This helps to stabilise the output of each convolutional layer in the network, making it easier to converge and reducing the risk of overfitting. Batch normalisation (Chen et al., 2022; Ioffe & Szegedy, 2015; J. Li et al., 2023) is an improvement over normal distribution normalisation, as it fixes the mean and variance in mini-batches to learn appropriate scaling and offset, thus accelerating the convergence process.

For each batch of input $B=\{x_1,\dots .,x_m\}$, the mean and variance of the training batch data are obtained, and then the obtained mean and variance are used to normalise the training data of the batch. The process is as follows. (4) $\begin{array}{rl}\mu & =\frac{1}{m}\sum _{i=1}^m{x}_i\end{array}$(4) (5) $\begin{array}{rl}{\sigma }_2^B& =\frac{1}{m}\sum _{i=1}^m(x_i-{\mu }_B{)}^2\end{array}$(5) (6) $\begin{array}{rl}\widehat{x_i}& =\frac{x_i-{\mu }_B}{\sqrt{{\sigma }_2^B+\epsilon }}\end{array}$(6) Where ${\mu }_B$ is the mean of batch data and ${\sigma }_2^B$ is the variance of batch data. The sample $x_i$ is subtracted from the mean of the batch and divided by the standard deviation of the batch to get $\widehat{x_i}$, where ε is the tiny positive number to avoid the divisor is zero.

To enhance the robustness of the network, the data are scaled and shifted. The value needs to be adjusted by multiplying $x_i$ by γ and adding the offset by β to get $y_i$, where γ is the scale factor and β is the translation factor. Because the normalised $x_i$ is limited to the normal distribution, the expression ability of the network is reduced. To solve this problem, two new parameters, γ and β, are introduced. β and β are learned by the network itself during training.

Therefore, the final output after adding batch normalisation is expressed as: (7) $y_i\leftarrow B{N}_{\gamma ,\beta }(x_i)={\gamma }_i+\beta$(7) Therefore, the final output after adding batch normalisation is expressed as: (8) $y_i=max(0,B{N}_{\gamma ,\beta }(\sum _{iϵ[0,n]}^{}x[i:i+c,:\mathrm{channel}]\ast c_j+b_j))$(8)

3.3. Sequential learning model

In the real network environment, network traffic is observed to occur in a sequence rather than in isolation, and the number and content of packets in traffic vary over time, suggesting the presence of time-structured information in traffic data. In this paper, LSTM with hidden layers is exploited to automatically extract temporal features, as opposed to the RNN approach proposed in Yin et al. (2017).

3.4. Traffic classification based on multimode

With the ongoing advancement of the attack-defense game, malicious traffic constantly upgrades technologies to evade detection, making malicious network traffic more and more concealed. To extract the abundant hidden information in network traffic, multimodal fusion and parallel cross-fused spatio-temporal feature fusion models can be employed to further extract and integrate this information, thereby enhancing the accuracy of recognition.

Before traffic classification, the features obtained from the two sub-models, the parallel cross-fused spatio-temporal feature sub-model and the CNN sub-model, need to be aggregated. To preserve the characteristics of multiple modes of network traffic as much as possible, the feature vector matrix $X=[x_1,x_2,\dots ,x_m]$ output from the parallel cross-fused spatio-temporal feature fusion sub-model and the feature vector matrix $Y=[y_1,y_2,\dots ,y_m]$ output from the CNN sub-model are cascaded to obtain the fused feature matrix $Z_{\mathrm{concat}}=[x_1,x_2,\dots ,x_m,y_1,y_2,\dots ,y_3]$. The channel concatenation operation splices the original features and feeds them into the network that will learn on its own how to fuse the features without lossing information.

The CosMargin classifier is utilised to classify network traffic instead of the widely-used Softmax in the DL domain. The Softmax function is the most commonly used loss function for classification tasks in the field of deep learning. The formula for the Softmax function is as follows: (9) $L_s=-\frac{1}{m}\sum _{i=1}^m\log \frac{e^{w_{y_i}^T{x}_i+b_{y_i}}}{\sum _{j=1}^n{e}^{w_j^T{x}_i+b_j}}$(9) In this formula, $x_i$ represents the deep feature of the ith sample belonging to the $y_i$ class, while m denotes the batch size, n refers to the number of classes present in the dataset, $b_j$ indicates bias, w represents weight, and $w_j$ represents the weight of the jth sample in the current batch. Furthermore, $e^{w_j^T{x}_i+b_j}$ signifies the output of the fully connected layer of the network. During the process of decreasing loss $L_S$, the direction propagation update parameter continuously increases the proportion of $e^{w_{y_i}^T{x}_i+b_{y_i}}$. This ensures that more samples of the same class are correctly classified and fall within the decision boundary.

It is evident that Softmax's primary objective is to ascertain whether the sample is correctly classified. It lacks intra-class and inter-class constraints, thus rendering its classification effect inadequate for the imbalance problem. To address this issue, CosMargin (Cai et al., 2022) is chosen as the network classifier, which is modified on Softmax to indirectly establish a marginal boundary on the feature layer, thereby allowing the network to achieve superior generalisation performance and a better trade-off between basic and novel categories. To derive a Margin Loss formula from Softmax, we set the bias $b_j=0$ and use the law of cosines to express the inner product of the weights $W_j$ and the input $x_i$ as $W_j^T=\Vert W_j\Vert \Vert x_i\Vert \cos {\theta }_j$, where ${\theta }_j$ is the angle between $W_j$ and $x_i$. We apply L2 regularisation on both $W_j$ and $x_i$ to make $\Vert W_j\Vert =1$ and $\Vert x_i\Vert =1$. However, since a small norm of $x_i$ leads to a large training loss (a small value of Softmax), we scale it by a fixed factor s. Next, we introduce a cosine margin to impose a constraint, such that the current sample still belongs to its class after subtracting a margin m, that is $\cos {\theta }_1-m>\cos {\theta }_2$. This gives us the Cosmargin used in this paper: (10) $L_{ML}=-\frac{1}{m}\sum _{i=1}^m\log \frac{e^{s(\cos ({\theta }_{y_i}-m))}}{e^{s(\cos ({\theta }_{y_i}-m))}+\sum _{j=1,j\ne y_i}^n{e}^{s\cdot \cos {\theta }_j}}$(10)

4. Experiment and result analysis

The experimental environment is shown in Table 3.

Table 3. Experiment environment.

Equipment	Example
CPU	Intel(R) Xeon(R) Silver 4116 CPU@2.10GHz
GPU	Quadro P4000
RAM	64GB
OS	Ubuntu 16.04
Python	3.8.3
Database	ISCXIDS 2012, CICIDS2017

4.1. Datasets and data processing

In the field of network intrusion detection, there are numerous public datasets available. Traditional IDS can extract network traffic features from network traffic header files and train models based on these features. However, the method of extracting features from packet headers based on fixed rules only utilise the information stored in the header and overlook the payload. On the other hand, each single data packet is treated as the detection object, disregarding the correlation between the data packets. Therefore, a novel multimodal intrusion detection dataset construction method is proposed by using the CIC-IDS2017 (Sharafaldin et al., 2018) and ISCX 2012 datasets (Shiravi et al., 2012) that cover a wide range and are closer to the real world. Meanwhile, the original PCAP file of network flow is selected to make full use of the abundant information on network flow. Tables 4 and 5 display the distribution of attack flows in our experiments.

Table 4. The distribution of CIC-IDS2017.

Tag	Traffic type	Number	Percentage
0	Botnet	412	0.18%
1	DDoS	50157	22.27%
2	GlodenEye	4009	1.78%
3	Dos Hulk	89293	39.65%
4	Dos Slowhttp	1357	0.60%
5	Dos Slowloris	2102	0.93%
6	Ftp Patator	3987	1.77%
7	Heartbleed	1972	0.88%
8	Infiltration	1067	0.47%
9	Port Scan	63482	28.19%
10	SSH Patator	5509	2.45%
11	Web Attack	1873	0.83%

Table 5. The distribution of ISCX 2012.

Day	Traffic type	Flow Number	Percentage
Friday	Normal	378,667	40.9%
Saturday	Infiltration	109,140	11.8%
Sunday	Infiltration	14,728	1.6%
Monday	HTTP_DDoS	41,041	4.4%
Tuesday	DDos	53,603	5.8%
Wednesday	Normal	322,263	34.8%
Thursday	Brute Force SSH	6425	0.6%

4.1.1. Traffic statistics processing

Traditional IDS extract a variety of features from the header file of the PCAP file of network traffic. For instance, CICFlower can extract over 80 network traffic features. By using traffic feature extraction tools, CIC-IDS2017 and ISCX 2012 both provide network flow features extracted from network traffic and fill them into CSV files named by dates with labels. The provided tag file is processed as follows.

1. Data cleaning: The data in the tag file is inspected and analysed, and rows with missing values are removed to eliminate duplicate data. Data refinement is conducted to ensure data quality. A random forest feature selection algorithm (Breiman, 2001) is employed for feature selection to delete redundant features and retain features with stronger distinguishing abilities, so as to improve the classification and identification of unbalanced network traffic data. The statistical features of the CIC-IDS2017 dataset are screened by random forest feature selection algorithm, and the redundant features that had little effect on classification are discarded, leaving 64 statistical features.

2. Data standardisation: As can be seen from the label files, the range of each feature value in intrusion detection varies greatly. In this paper, Z-Score normalisation is used to standardise network flow features. (11) $x_i^{\prime }=\frac{x_i-\overline{x}}{v}$(11) In the above formula, $\overline{x}=(1/n)\sum _{i-1}^n{x}_i$, $v=\sqrt{(1/(n-1)\sum _{i=1}^n(x_i-\overline{x}{)}^2}$, n is the total sample number, $x_i$ is the eigenvalue of one dimension of the sample data before standardisation, and $x_i^{\prime }$ is the corresponding dimension eigenvalue of the sample data after standardisation (Liu & Zhang, 2020, may).

4.1.2. Original traffic load processing

The DL-based malicious traffic detection method is employed to build an end-to-end monitoring model. The original traffic load is used as the information of another mode for feature extraction to enable the model to learn the deep features implied in the network traffic.

A novel original traffic feature extraction method is proposed to address the data imbalance problem of data sets in intrusion detection. The proposed algorithm divides the data traffic into data streams based on the five-tuple information of source IP address, source port, destination IP address, destination port, and transport layer protocol. The number of data packets in the divided data stream is limited to increase the number of data streams, while the data enhancement method is used to alleviate the problem of data imbalance. The specific process of the algorithm is described in detail.

1. Extract malicious traffic: Tshark is used to obtain the original hexadecimal data of the flow, and scapy is used to parse each traffic packet in turn to obtain the five-tuple information and compare it with the five-tuple in the label file provided by the data set to determine whether the data packet belonged to malicious traffic. To account for the real network environment, we retain the header fields of the MAC layer. If the five-tuple information of the packet is the same as the five-tuple information of the malicious traffic in the label file, the five-tuple, the original data, and the corresponding label are stored in the corresponding CSV file named after the malicious traffic.

2. Data cleaning: Each CSV file is screened to find duplicate and empty data, and eliminate them. The data quality is improved, and the model error is reduced.

3. Partition the data stream: The five-tuple information in the CSV file is used to partition the data stream. The number of packets contained in each stream is limited to s, and the number of bytes in each packet is limited to len. The extra traffic packets whose traffic exceeds s are taken as new data flows, which increases the number of data flows and enhances the data. If the traffic is less than s, the previous data packet is used to supplement, avoiding too many 0 elements in the data and reducing redundant features. If the number of bytes in a packet is less than len, 0 is used to replenish the packet. In this study, s is usually set to 5 and len is set to 96.

4.2. Evaluation criteria

In this paper, five common threshold-independent metrics, namely Precision, Recall, False Alarm Rate (FAR), Accuracy, and F1-score, are employed to evaluate the performance of the proposed method. Specifically, TP denotes the number of correctly identified abnormal samples, TN represents the number of correctly identified normal samples, FP represents the number of incorrectly identified normal samples, and FN is the number of incorrectly identified abnormal samples. (12) $\begin{array}{rl}\mathrm{Precision}& =\frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FP}}\end{array}$(12) (13) $\begin{array}{rl}\mathrm{Recall}& =\frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FN}}\end{array}$(13) (14) $\begin{array}{rl}\mathrm{FAR}& =\frac{\mathrm{FP}}{\mathrm{FP}+\mathrm{TN}}\end{array}$(14) (15) $\begin{array}{rl}\mathrm{Accuracy}& =\frac{\mathrm{TP}+\mathrm{TN}}{\mathrm{TP}+\mathrm{TN}+\mathrm{FP}+\mathrm{FN}}\end{array}$(15) (16) $\begin{array}{rl}\mathrm{F}1-\mathrm{score}& =2\ast \left(\frac{\mathrm{Precision}\ast \mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}\right)\end{array}$(16)

4.3. The setting of the hyperparameter

In the process of training our model, we utilised the Adam optimiser to expedite network convergence. The momentum was fixed at 0.9, and the weight decay was set at 0.0005 to mitigate overfitting. As different learning rates have varying effects on convergence, we employed a learning rate of 0.001 for the first eight rounds, 0.0001 for the last three rounds, and 0.00001 for the final two rounds, totalling 15 epochs. Our experiments were conducted on an RTX2060 graphics card, with a batch size of 256 during training and 512 during verification and testing. To effectively evaluate the performance of the MHPN model, we refrained from utilising additional data augmentation techniques during training and testing.

4.4. Experiments and results

In order to comprehensively evaluate the proposed MHPN model, experiments are conducted on the CICIDS2017 and ISCX-IDS 2012 datasets, and comparison tests are conducted based on previous research methods. By default, the original traffic load with a better classification effect is selected as the input of the comparison model, and the statistical traffic features is selected as the input of the post-marked (T) model. The detailed experimental results of the CIC-IDS2017 dataset are presented in Tables 2–5.

Figure 2 illustrates the overall accuracy of the model on the CIC-IDS2017 dataset, which reveals that the MHPN model has a higher overall accuracy than the other comparable models, regardless of whether the model uses the original traffic load or statistical traffic features as input.

Figure 2. Comparison of CICIDS2017 experimental results.

It can be seen from Table 6 that the detection accuracy of the proposed MHPN model is significantly superior to that of the existing intrusion detection models. Among the classification of 12 types of unbalanced abnormal traffic, the accuracy of the 11th type of abnormal traffic is slightly lower than that of the PCCN model, but it is still higher than that of other models. Moreover, the classification accuracy of the other 11 types is significantly better than that of other comparable models. Tables 7–9 demonstrate that the Recall, F1-score, and FAR of the proposed MHPN model are all optimal among the 12-class classification, indicating that the model has enhanced robustness and positive sample recognition ability.

Table 6. Precision comparison table.

	0	1	2	3	4	5	6	7	8	9	10	11
CNN-T	1	1	0.9879	0.9926	0.9851	0.9877	1	1	1	0.9999	0.9947	0.982
CNN	0.9952	1	0.986	0.9977	0.983	0.9914	1	1	0.9991	0.9999	0.9996	0.9967
LSTM	0.9915	0.9998	0.9628	0.9902	0.9088	0.9492	0.9985	0.9995	0.9432	1	0.9913	0.9723
CNN-LSTM	0.9952	1	0.9774	0.9945	0.9763	0.9886	0.9995	1	1	0.9999	0.9996	0.9971
PCCN	1	1	0.9929	0.9994	0.9896	0.9929	1	1	1	1	0.9998	0.9986
MHPN	1	1	0.9983	1	0.9911	0.9962	1	1	1	0.9999	1	0.9979

Table 7. Recall comparison table.

	0	1	2	3	4	5	6	7	8	9	10	11
CNN-T	1	1	0.9985	1	0.9749	0.99	0.999	1	1	0.9955	0.9938	0.9626
CNN	0.9976	1	0.946	0.9995	0.9794	0.9881	0.999	0.9995	1	0.9999	0.9996	0.9976
LSTM	0.8447	0.9999	0.781	0.9993	0.8814	0.96	0.998	0.999	0.9963	0.9989	0.9936	0.9754
CNN-LSTM	1	1	0.872	0.9993	0.9698	0.9877	0.9987	1	1	0.9999	0.9993	0.9934
PCCN	1	1	0.9869	0.9997	0.9838	0.9938	0.9997	1	1	1	0.9998	0.9995
MHPN	1	1	0.999	1	0.9897	0.9952	1	1	1	1	0.9998	0.9984

Table 8. F1-score comparison table.

	0	1	2	3	4	5	6	7	8	9	10	11
CNN-T	1	1	0.9932	0.9963	0.98	0.9888	0.9995	1	1	0.9977	0.9943	0.9722
CNN	0.9964	1	0.9656	0.9986	0.9812	0.9898	0.9995	0.9997	0.9995	0.9999	0.9996	0.9972
LSTM	0.9122	0.9999	0.8624	0.9947	0.8949	0.9546	0.9982	0.9992	0.969	0.9994	0.9925	0.9739
CNN-LSTM	0.9976	1	0.9217	0.9969	0.973	0.9881	0.9991	1	1	0.9999	0.9995	0.9952
PCCN	1	1	0.9899	0.9996	0.9867	0.9934	0.9999	1	1	1	0.9998	0.9991
MHPN	1	1	0.9986	1	0.9904	0.9957	1	1	1	1	0.9999	0.9981

Table 9. FAR comparison table.

	0	1	2	3	4	5	6	7	8	9	10	11
CNN-T	0	0	0.0013	0.0013	0.0005	0.0006	0	0	0	0	0.0008	0.0008
CNN	0	0	0.0002	0.0016	0.0001	0.0001	0	0	0	0	0	0
LSTM	0	0	0.0005	0.0065	0.0005	0.0005	0	0	0.0003	0	0.0002	0.0002
CNN-LSTM	0	0	0.0004	0.0038	0.0001	0.0001	0	0	0	0	0	0
PCCN	0	0	0.0001	0.0004	0.0001	0.0001	0	0	0	0	0	0
MHPN	0	0	0	0	0.0001	0	0	0	0	0	0	0

Figure 3 presents the confusion matrix of the final test results of the model, which reveals that all 12 kinds of abnormal flows are correctly classified. There is almost no misclassification of abnormal flows with large samples, and a satisfactory classification effect is achieved for abnormal flows with small samples. Consequently, the model has excellent detection performance for unbalanced abnormal traffic.

Figure 3. Confusion matrix of CIC-IDS2017.

To verify the generality of the proposed multimodal model, the same experiments are conducted on the ISCX2012 dataset. As shown in Figure 4, the overall detection accuracy of the MHPN model still surpasses the other models. Subfigures (A), (B), (C) and (D) in Figure 5 illustrate that the four indicators of the proposed model are superior to other models on the ISCX-IDS 2012 dataset.

Figure 4. Comparison of ISCX2012 experimental results.

Figure 5. ISCX2012 dataset results. (a) Precision. (b) Recall. (c) F1-score. (d) FAR.

In conclusion, the proposed MHPN model is superior to the previous network model, and all evaluation indicators are better than the comparison model and maintain excellent values. The model not only has strong stability and positive sample recognition ability, but also shows satisfactory detection performance for unbalanced abnormal traffic.

4.5. Multimodal functional analysis

Unlike other intrusion detection models, this paper proposes a novel intrusion detection model that utilises a variety of modalities, such as traffic statistics and raw load, to represent network traffic information from multiple perspectives. To evaluate the complementarity and multimodality of network features, three scenarios,traffic statistical information mode, original traffic load mode, and multimodal mode, are tested. Three models are experimented with, and the results are presented.

• CNN model: Only traffic statistics are used as model input for abnormal traffic detection.

• PCSN model: A cross-fused spatio-temporal feature model using only the raw load of traffic as input.

• MHPN model: Abnormal traffic detection is performed using both traffic statistics and raw load of traffic.

Comparing the multimodal model with its branch sub-models of two modes, it can be seen from Figure 6 that the performance of the multimodal model is significantly improved.

Figure 6. Comparison of multimodal experimental results.

As shown in Figure 7, it can be found that the multimodal model proposed in this paper has a better improvement than the single mode. Among the F1-score, FAR, Precision, Recall, and other indicators of 12 kinds of abnormal flows, the multimodal model has a significant improvement in the evaluation indicators of each category compared with the single mode model. In general, the multimodal model proposed in this paper can improve the performance of intrusion detection, showing better abnormal traffic detection performance than the single modal model when establishing the intrusion detection model.

Figure 7. Comparison of multimodal experimental results. (a) Precision. (b) Recall. (c) F1-score. (d) FAR.

4.6. Functional analysis of FCN

This section aims to examine the functionality of FCN. We present Comparison Table 10 to illustrate the advantages of FCN.

Table 10. Comparison of employing the FCN and wiithout FCN.

	0	1	2	3	4	5	6	7	8	9	10	11
CNN_LSTM	1	1	0.872	0.9993	0.9698	0.9877	0.9987	1	1	0.9999	0.9993	0.9934
CMHPN	1	1	0.9852	0.9954	0.9831	0.9934	0.9995	1	1	0.9999	0.9998	0.9973
MHPN	1	1	0.999	1	0.9897	0.9952	1	1	1	1	0.9998	0.9984

CNN+LSTM is used to extract features using a single set of CNN and LSTM. CMHPN is a variant of MHPN that uses two sets of CNN+LSTM to extract features, replacing the full convolution of its upper branch with the convolution and pooling operation. The experimental results in Table 10 demonstrate that using two sets of CNNS and LSTMS yields a significant improvement compared to using only one set. Additionally, the use of FCN in the upper branch of MHPN yields significantly better results than the use of CMHPN.

4.7. Complexity analysis

To assess the time efficiency of the model, we measured the test time of each model during the inference phase. For a fair comparison, we ran all our models on the same machine and used the same parameters for all neural network models. Table 11 shows the test times for each model.

Table 11. Test time of models.

Model	Test Time(s)	Model	Test Time(s)
CNN	4.32	KNN	31245
LSTM	4.89	CNN_LSTM	5.23
PCCN	6.78	MHPN	6.33

The results indicate that the proposed MHPN model is slightly slower than the compared models. As shown in Table 11, MHPN takes 6.33 seconds at test time, which is second only to CNN_LSTM and faster than PCCN. This demonstrates that it can process data more efficiently and quickly and that it is more concise and optimised than PCCN. Moreover, the training time of the machine learning algorithm KNN is much longer than that of the deep learning algorithm, which makes it unsuitable for big data computing in network intrusion detection. In summary, MHPN is a novel and efficient deep learning model with reasonable and acceptable test time, and it outperforms other models.

5. Conclusion

Faced with complex network traffic, single modal intrusion detection models cannot make the most of the information contained in network traffic. To address this issue, this paper proposes a multimodal hybrid parallel network intrusion detection model, MHPN. The MHPN model synthesises network traffic characteristics from two modes of network traffic, traffic statistics information and original traffic load, and builds appropriate neural network sub-models for each mode. The spatio-temporal features of network traffic are extracted by combining two-branch convolutional neural networks and LSTM for the original load mode of traffic. In addition, convolutional neural networks are used for feature extraction of statistical traffic information. Finally, the information of the two modes are fused and sent to the fully convolutional neural network to extract features for classification. Ablation experiments are conducted on the ISCX-IDS 2012 and CIC-IDS-2017 datasets to evaluate the performance of the MHPN model. The results of the experiments demonstrate that the MHPN model can effectively deal with unbalanced abnormal traffic data, improve the accuracy of anomaly detection, and exhibit strong robustness and a positive sample recognition rate. The model exhibits an average accuracy of 99.98$\mathrm{\%}$. Furthermore, compared with the single modal model, the MHPN model outperforms the single modal model in terms of intrusion detection performance.

Despite its superiority in all aspects, the MHPN model has a limitation in scalability due to its reliance on a closed set protocol. This protocol only allows the classification of known classes that appear in the training data, and fails to detect unknown attacks or even misclassifies them as known classes. Considering the increasing complexity of the network environment, scalable open-set recognition models are more suitable for real network applications. Therefore, in future research, we will further investigate and address the scalability of MHPN, and then test and refine it in real-time network environments. In addition, the model relies on a centralised architecture that may not be scalable or resilient to attacks. A possible direction for future work is to integrate blockchain technology with intrusion detection systems to enhance their security and trustworthiness (Gao et al., 2022; Han, Zhu et al., 2022; D. Li et al., 2022b). Blockchain is a decentralised and distributed ledger that can provide data integrity, transparency, and immutability (Han, Pan et al., 2022; H. Li et al., 2022). Blockchain can also enable collaborative intrusion detection systems (CIDS) that can share data and alerts among different nodes without compromising data privacy and confidentiality.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Appendix. Source code

The source code for the algorithms and implementations presented in this paper is available upon request. To facilitate this, we gladly offer the source code to interested readers for research and academic purposes. For those seeking access, please feel free to contact us via email using the subject line “Source Code Request – [A multimodal hybrid parallel network intrusion detection model].” In your email, kindly provide a brief overview of how you intend to use the code and include information about your affiliation. We will be prompt in our response and look forward to supporting your research endeavors.