{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,29]],"date-time":"2026-05-29T18:48:14Z","timestamp":1780080494785,"version":"3.54.0"},"reference-count":39,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2020,8,31]],"date-time":"2020-08-31T00:00:00Z","timestamp":1598832000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2020,8,31]],"date-time":"2020-08-31T00:00:00Z","timestamp":1598832000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Big Data"],"published-print":{"date-parts":[[2020,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Anomaly-based Intrusion Detection Systems (IDS) have been a hot research topic because of their ability to detect new threats rather than only the memorized signatures of signature-based IDS, especially now that advanced technologies have increased both the number of hacking tools and the risk impact of an attack. The problem of any anomaly-based model is its high false-positive rate, which is the reason anomaly-based IDS are not commonly applied in practice: anomaly-based models classify an unseen pattern as a threat even when it is normal but simply not included in the training dataset. This type of problem is called overfitting, where the model is not able to generalize. Optimizing anomaly-based models with a big training dataset that includes all possible normal cases may be an optimal solution, but it cannot be applied in practice. Although we can increase the number of training samples to include many more normal cases, we still need a model that has more ability to generalize. In this research paper, we propose applying a deep model instead of traditional models because it has more ability to generalize; thus, we obtain fewer false positives by using big data and a deep model. We compare machine learning and deep learning algorithms in the optimization of anomaly-based IDS by decreasing the false-positive rate. We ran an experiment on the NSL-KDD benchmark and compared our results with one of the most widely used classifiers in traditional learning for IDS optimization. The experiment shows a 10% lower false-positive rate when using deep learning instead of traditional learning.<\/jats:p>","DOI":"10.1186\/s40537-020-00346-1","type":"journal-article","created":{"date-parts":[[2020,8,31]],"date-time":"2020-08-31T10:03:10Z","timestamp":1598868190000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":65,"title":["Anomaly detection optimization using big data and deep learning to reduce false-positive"],"prefix":"10.1186","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9474-9204","authenticated-orcid":false,"given":"Khloud","family":"Al Jallad","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mohamad","family":"Aljnidi","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mohammad Said","family":"Desouki","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2020,8,31]]},"reference":[{"issue":"3","key":"346_CR1","first-page":"69","volume":"4","author":"M Bijone","year":"2016","unstructured":"Bijone M. A survey on secure network: intrusion detection & prevention approaches. Am J Inf Syst. 2016;4(3):69\u201388.","journal-title":"Am J Inf Syst"},{"key":"346_CR2","unstructured":"Calix RA, Sankaran R. 
Feature ranking and support vector machines classification analysis of the NSL-KDD intrusion detection corpus. In: FLAIRS conference. 2013. https:\/\/www.semanticscholar.org\/paper\/Feature-Ranking-and-Support-Vector-Machines-of-the-Calix-Sankaran\/dfd45d96fc8ddb366ca109ec62dfbf8c9f56f842"},{"issue":"12","key":"346_CR3","first-page":"1848","volume":"2","author":"S Revathi","year":"2013","unstructured":"Revathi S, Malathi DA. A detailed analysis on NSL-KDD dataset using various machine learning techniques for intrusion detection. Int J Eng Res Technol. 2013;2(12):1848\u201353.","journal-title":"Int J Eng Res Technol"},{"issue":"4","key":"346_CR4","doi-asserted-by":"publisher","first-page":"70","DOI":"10.1145\/2627534.2627557","volume":"41","author":"S Suthaharan","year":"2014","unstructured":"Suthaharan S. Big data classification: problems and challenges in network intrusion prediction with machine learning. Perform Eval Rev. 2014;41(4):70\u20133.","journal-title":"Perform Eval Rev"},{"key":"346_CR5","doi-asserted-by":"publisher","first-page":"13624","DOI":"10.1109\/ACCESS.2018.2810198","volume":"6","author":"P Tao","year":"2018","unstructured":"Tao P, Sun Z, Sun Z. An improved intrusion detection algorithm based on GA and SVM. IEEE Access. 2018;6:13624\u201331.","journal-title":"IEEE Access"},{"key":"346_CR6","unstructured":"SVM_figure, researchgate, [Online]. 2019. https:\/\/www.researchgate.net\/figure\/Classification-of-data-by-support-vector-machine-SVM_fig8_304611323. Accessed 2019."},{"key":"346_CR7","doi-asserted-by":"publisher","first-page":"4","DOI":"10.1016\/j.ins.2011.08.011","volume":"231","author":"J Song","year":"2013","unstructured":"Song J, Takakura H, Okabe Y, Nakao K. Toward a more practical unsupervised anomaly detection system. Inf Sci. 2013;231:4\u201314.","journal-title":"Inf Sci"},{"key":"346_CR8","doi-asserted-by":"crossref","unstructured":"Zhao G, Song J, Song J. Analysis about performance of multiclass SVM applying in IDS. 
In: Proceedings of the 2013 International Conference on Information, Business and Education Technology (ICIBET 2013). Atlantis Press; 2013. https:\/\/www.researchgate.net\/publication\/266648815_Analysis_about_Performance_of_Multiclass_SVM_Applying_in_IDS","DOI":"10.2991\/icibet.2013.46"},{"key":"346_CR9","doi-asserted-by":"publisher","unstructured":"Araki S, Yamaguchi Y, Shimada H, Takakura H. Unknown attack detection by multistage one-class SVM focusing on communication interval. In: Loo CK, Yap KS, Wong KW, Beng Jin AT, Huang K (eds) Neural information processing. ICONIP 2014. Lecture notes in computer science, vol 8836. Cham: Springer; 2014. https:\/\/doi.org\/10.1007\/978-3-319-12643-2_40.","DOI":"10.1007\/978-3-319-12643-2_40"},{"key":"346_CR10","doi-asserted-by":"publisher","unstructured":"Enache A, Patriciu V. Intrusions detection based on support vector machine optimized with swarm intelligence. In: 2014 IEEE 9th IEEE international symposium on applied computational intelligence and informatics (SACI). Timisoara, Romania: IEEE; 2014. p. 153\u2013158. https:\/\/doi.org\/10.1109\/SACI.2014.6840052","DOI":"10.1109\/SACI.2014.6840052"},{"issue":"2","key":"346_CR11","doi-asserted-by":"publisher","first-page":"1822","DOI":"10.1016\/j.eswa.2011.08.068","volume":"39","author":"CA Catania","year":"2012","unstructured":"Catania CA, Bromberg F, Garino CG. An autonomous labeling approach to support vector machines algorithms for network traffic anomaly detection. Expert Syst Appl. 2012;39(2):1822\u20139.","journal-title":"Expert Syst Appl"},{"issue":"6","key":"346_CR12","doi-asserted-by":"publisher","first-page":"7698","DOI":"10.1016\/j.eswa.2010.12.141","volume":"38","author":"Y Yi","year":"2011","unstructured":"Yi Y, Wu J, Xu W. Incremental SVM based on reserved set for network intrusion detection. Expert Syst Appl. 2011;38(6):7698\u2013707.","journal-title":"Expert Syst Appl"},{"key":"346_CR13","unstructured":"K. Atefi, S. Yahya, A. Y. Dak, A. 
Atefi, A hybrid intrusion detection system based on different machine learning algorithms. In: 4th International Conference on Computing and Informatics, Sarawak, Malaysia, 2013."},{"issue":"7\u20138","key":"346_CR14","doi-asserted-by":"publisher","first-page":"1671","DOI":"10.1007\/s00521-013-1370-6","volume":"24","author":"I Ahmad","year":"2014","unstructured":"Ahmad I, Hussain M, Alghamdi A, Alelaiwi A. Enhancing SVM performance in intrusion detection using optimal feature subset selection based on genetic principal components. Neural Comput Appl. 2014;24(7\u20138):1671\u201382.","journal-title":"Neural Comput Appl"},{"key":"346_CR15","doi-asserted-by":"publisher","unstructured":"Sung AH, Mukkamala S. Identifying important features for intrusion detection using support vector machines and neural networks. In: 2003 symposium on applications and the internet, 2003. Proceedings. Orlando, FL, USA: IEEE; 2003, p. 209-216. https:\/\/doi.org\/10.1109\/SAINT.2003.1183050.","DOI":"10.1109\/SAINT.2003.1183050"},{"key":"346_CR16","doi-asserted-by":"publisher","first-page":"178","DOI":"10.1016\/j.asoc.2014.01.028","volume":"18","author":"F Kuang","year":"2014","unstructured":"Kuang F, Xu W, Zhang S. A novel hybrid KPCA and SVM with GA model for intrusion detection. Appl Soft Comput. 2014;18:178\u201384.","journal-title":"Appl Soft Comput"},{"key":"346_CR17","doi-asserted-by":"publisher","first-page":"231","DOI":"10.1016\/j.cose.2014.06.006","volume":"45","author":"R Chitrakar","year":"2014","unstructured":"Chitrakar R, Huang C. Selection of candidate support vectors in incremental SVM for network intrusion detection. Comput Secur. 2014;45:231\u201341.","journal-title":"Comput Secur"},{"issue":"1","key":"346_CR18","first-page":"157","volume":"6","author":"L Khalvati","year":"2017","unstructured":"Khalvati L, Keshtgary M, Rikhtegar N. Intrusion detection based on a novel hybrid learning approach. JAIDM. 
2017;6(1):157\u201362.","journal-title":"JAIDM"},{"issue":"1","key":"346_CR19","doi-asserted-by":"publisher","first-page":"178","DOI":"10.1007\/s10489-013-0452-6","volume":"40","author":"C Guo","year":"2014","unstructured":"Guo C, Zhou Y, Ping Y, Zhang Z, Liu G, Yang Y. A distance sum-based hybrid method for intrusion detection. Appl Intell. 2014;40(1):178\u201388.","journal-title":"Appl Intell"},{"issue":"6","key":"346_CR20","doi-asserted-by":"publisher","first-page":"1669","DOI":"10.1007\/s00521-015-1964-2","volume":"27","author":"B Aslahi-Shahri","year":"2015","unstructured":"Aslahi-Shahri B, Rahmani R, Chizari M, Maralani A, Eslami M, Golkar M, et al. A hybrid method consisting of GA and SVM for intrusion detection system. Neural Comput Appl. 2015;27(6):1669\u2013766.","journal-title":"Neural Comput Appl"},{"issue":"2","key":"346_CR21","doi-asserted-by":"publisher","first-page":"133","DOI":"10.20532\/cit.2016.1002701","volume":"24","author":"ST Ikram","year":"2016","unstructured":"Ikram ST, Cherukuri AK. Improving accuracy of intrusion detection model using PCA and optimized SVM. J Comput Inf Technol. 2016;24(2):133\u201348.","journal-title":"J Comput Inf Technol"},{"issue":"10","key":"346_CR22","doi-asserted-by":"publisher","first-page":"3198","DOI":"10.3390\/s18103198","volume":"18","author":"V Garcia-Font","year":"2018","unstructured":"Garcia-Font V, Garrigues C, Rif\u00e0-Pous H. Difficulties and challenges of anomaly detection in smart cities: a laboratory analysis. Sensors. 2018;18(10):3198.","journal-title":"Sensors"},{"issue":"12","key":"346_CR23","first-page":"3873","volume":"96","author":"EM Chakir","year":"2018","unstructured":"Chakir EM, Moughit M, Khamlichi YI. An effective intrusion detection model based on SVM with feature selection and parameters optimization. J Theor Appl Inf Technol. 
2018;96(12):3873\u201385.","journal-title":"J Theor Appl Inf Technol"},{"issue":"36","key":"346_CR24","first-page":"0975","volume":"181","author":"S Benqdara","year":"2019","unstructured":"Benqdara S. Anomaly intrusion detection based on a hybrid classification algorithm (GSVM). Int J Comp Appl. 2019;181(36):0975\u20138887.","journal-title":"Int J Comp Appl"},{"issue":"2","key":"346_CR25","first-page":"13","volume":"8","author":"S Kurnaz","year":"2019","unstructured":"Kurnaz S, Obaid IA. Support vector machine (SVM) based on wavelet transform (WT) for intrusion detection system (IDS). Int J Comp Sci Mob Comput. 2019;8(2):13\u20139.","journal-title":"Int J Comp Sci Mob Comput"},{"key":"346_CR26","doi-asserted-by":"publisher","first-page":"88","DOI":"10.1186\/s40537-019-0248-6","volume":"6","author":"KA Jallad","year":"2019","unstructured":"Jallad KA, Aljnidi M, Desouki MS. Big data analysis and distributed deep learning for next-generation intrusion detection system optimization. J Big Data. 2019;6:88.","journal-title":"J Big Data"},{"key":"346_CR27","unstructured":"\"Understanding-LSTMs,\" [Online]. 2015. https:\/\/colah.github.io\/posts\/2015-08-Understanding-LSTMs\/. Accessed Aug 2015."},{"issue":"8","key":"346_CR28","doi-asserted-by":"publisher","first-page":"1735","DOI":"10.1162\/neco.1997.9.8.1735","volume":"9","author":"S Hochreiter","year":"1997","unstructured":"Hochreiter S, Schmidhuber J. Long short-term memory. Neural Comput. 1997;9(8):1735\u201380.","journal-title":"Neural Comput"},{"key":"346_CR29","unstructured":"\"Understanding-lstm-and-its-diagrams,\" medium, [Online]. 2019. https:\/\/medium.com\/mlreview\/understanding-lstm-and-its-diagrams-37e2f46f1714. Accessed 2019."},{"key":"346_CR30","unstructured":"\"Colab,\" Google, [Online]. 2018. https:\/\/colab.research.google.com\/. Accessed 2018."},{"key":"346_CR31","unstructured":"\"Keras,\" [Online]. 2018. https:\/\/keras.io\/. 
Accessed 2018."},{"key":"346_CR32","unstructured":"\"KDD Cup 1999 Data\" [Online]. 1999. https:\/\/kdd.ics.uci.edu\/databases\/kddcup99\/kddcup99.html. Accessed 2017."},{"key":"346_CR33","doi-asserted-by":"publisher","unstructured":"Tavallaee M, Bagheri E, Lu W, Ghorbani AA. A detailed analysis of the KDD CUP 99 data set. In: 2009 IEEE symposium on computational intelligence for security and defense applications, Ottawa, ON: IEEE; 2009. p. 1\u20136. https:\/\/doi.org\/10.1109\/CISDA.2009.5356528.","DOI":"10.1109\/CISDA.2009.5356528"},{"key":"346_CR34","unstructured":"\"NSL-KDD,\" [Online]. https:\/\/www.unb.ca\/cic\/datasets\/nsl.html. Accessed 10 Oct 2019."},{"key":"346_CR35","unstructured":"\"List-of-features-of-NSL-KDD-dataset,\" Researchgate [Online]. 2019. https:\/\/www.researchgate.net\/figure\/List-of-features-of-NSL-KDD-dataset_tbl1_325709588. Accessed 2019."},{"key":"346_CR36","unstructured":"Andrew Ng. Machine learning yearning, deeplearning.ai project, draft version. Andrew Ng; 2018. https:\/\/www.deeplearning.ai\/machine-learning-yearning\/."},{"key":"346_CR37","unstructured":"A. NG. Deep learning course. http:\/\/cs229.stanford.edu\/materials\/CS229-DeepLearning.pdf. Accessed 10 Oct 2019."},{"key":"346_CR38","unstructured":"\"ResearchGate,\" [Online]. https:\/\/www.researchgate.net\/figure\/Structure-of-the-LSTM-cell-and-equations-that-describe-the-gates-of-an-LSTM-cell_fig5_329362532. Accessed 10 Oct 2019."},{"key":"346_CR39","unstructured":"Understanding-architecture-of-lstm-cell-from-scratch-with-code. 2018. https:\/\/medium.com\/m\/signin?redirect=https%3A%2F%2Fhackernoon.com%2Funderstanding-architecture-of-lstm-cell-from-scratch-with-code-8da40f0b71f4%3Fsource%3Dquote_menu. 
Accessed 10 Oct 2019."}],"container-title":["Journal of Big Data"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s40537-020-00346-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s40537-020-00346-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s40537-020-00346-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,8,30]],"date-time":"2021-08-30T23:17:55Z","timestamp":1630365475000},"score":1,"resource":{"primary":{"URL":"https:\/\/journalofbigdata.springeropen.com\/articles\/10.1186\/s40537-020-00346-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,8,31]]},"references-count":39,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,12]]}},"alternative-id":["346"],"URL":"https:\/\/doi.org\/10.1186\/s40537-020-00346-1","relation":{},"ISSN":["2196-1115"],"issn-type":[{"value":"2196-1115","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,8,31]]},"assertion":[{"value":"28 March 2019","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"14 August 2020","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"31 August 2020","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"The authors Ethics approval and consent to participate.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethics approval and consent to participate"}},{"value":"The authors consent for 
publication.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Consent for publication"}},{"value":"The authors declare that they have no competing interests.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"68"}}