{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T15:18:20Z","timestamp":1777648700342,"version":"3.51.4"},"reference-count":33,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2026,3,8]],"date-time":"2026-03-08T00:00:00Z","timestamp":1772928000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Agency for Innovative Development under the Ministry of Higher Education, Science and Innovation of the Republic of Uzbekistan","award":["AL-9424104925-R1"],"award-info":[{"award-number":["AL-9424104925-R1"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"<jats:p>Zero-day intrusion detection is still a difficult task because of the difference between high laboratory precision and real-time deployability under strict operational constraints. This paper proposes a lightweight two-stage cascade architecture that is specifically designed for CPU-only environments and strict zero-day evaluation. The proposed architecture only uses statistical and flow-level metadata attributes, which are independent of payload analysis, to ensure compatibility with encrypted traffic. The first stage of the proposed architecture is precision oriented to detect potentially malicious traffic with a low decision threshold, and the second stage is precision oriented to enhance classification and remove false positives. To avoid optimistic bias, a strict attack-type separation protocol is employed, where testing attack types are strictly prohibited from training. The proposed method is tested on three benchmark datasets: CSIC 2012 (HTTP level), UNSW-NB15 (intra-domain), and CSE-CIC-IDS2018 (cross-domain). The experimental results show the excellent intra-domain zero-day detection capability (up to 94.81% accuracy with 0.50% FPR), controllable performance degradation in the cross-domain setting (80.53% accuracy with near-zero FPR), and extremely low FP rates on all datasets. The system provides microsecond-level inference latency (0.002\u20130.006 ms), a throughput of up to 470,000 requests per second, and memory usage below 6.2 MB without GPU support. These results confirm the significance of architectural optimization and thorough evaluation in building efficient zero-day detection systems.<\/jats:p>","DOI":"10.3390\/computers15030174","type":"journal-article","created":{"date-parts":[[2026,3,9]],"date-time":"2026-03-09T08:58:45Z","timestamp":1773046725000},"page":"174","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["A Lightweight Cascade-Based Farmework for Real-Time Zero-Day Attack Detection"],"prefix":"10.3390","volume":"15","author":[{"given":"Alpamis","family":"Kutlimuratov","sequence":"first","affiliation":[{"name":"Department of Applied Informatics, Kimyo International University in Tashkent, Tashkent 100121, Uzbekistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7008-9384","authenticated-orcid":false,"given":"Furkat","family":"Rakhmatov","sequence":"additional","affiliation":[{"name":"Department of Programming Technologies, Tashkent University of Information Technologies Named After Muhammad al-Khwarizmi, Tashkent 100084, Uzbekistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-6335-0394","authenticated-orcid":false,"given":"Jamshid","family":"Khamzaev","sequence":"additional","affiliation":[{"name":"Department of Computer Systems, Tashkent University of Information Technologies Named After Muhammad al-Khwarizmi, Tashkent 100084, Uzbekistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3530-4488","authenticated-orcid":false,"given":"Islambek","family":"Saymanov","sequence":"additional","affiliation":[{"name":"School of Mathematics and Natural Sciences, New Uzbekistan University, Mustaqillik Ave. 54, Tashkent 100007, Uzbekistan"},{"name":"Applied Mathematics and Intelligent Technologies Faculty, National University of Uzbekistan, Tashkent 100174, Uzbekistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Piratdin","family":"Allayarov","sequence":"additional","affiliation":[{"name":"Department of Econometrics, Tashkent State University of Economics, Tashkent 100066, Uzbekistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-3523-3819","authenticated-orcid":false,"given":"Gamzatdin","family":"Bekbaev","sequence":"additional","affiliation":[{"name":"Department of Finance and Digital Economy, Tashkent State University of Economics, Tashkent 100066, Uzbekistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shavkat","family":"Otamurodov","sequence":"additional","affiliation":[{"name":"Department of Economics, Termez University of Economics and Service, Termez 190111, Uzbekistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3594-0137","authenticated-orcid":false,"given":"Fazliddin","family":"Makhmudov","sequence":"additional","affiliation":[{"name":"Department of Computer Engineering, Gachon University, Seongnam 13120, Republic of Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2026,3,8]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"113404","DOI":"10.1016\/j.engappai.2025.113404","article-title":"Wide residual quantum dilated convolutional neural network for zero-day attack detection","volume":"166","author":"Sameera","year":"2026","journal-title":"Eng. Appl. Artif. Intell."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"131628","DOI":"10.1016\/j.neucom.2025.131628","article-title":"A survey of machine learning and deep learning methods for vibration-based Bearing fault diagnosis: The need, challenges, and potential future research directions","volume":"659","author":"Puntambekar","year":"2026","journal-title":"Neurocomputing"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"114322","DOI":"10.1016\/j.knosys.2025.114322","article-title":"Enhanced network security through an intelligent deep learning-based intrusion detection system with optimized performance","volume":"329","author":"Nithya","year":"2025","journal-title":"Knowl.-Based Syst."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"104127","DOI":"10.1016\/j.cose.2024.104127","article-title":"E-WebGuard: Enhanced neural architectures for precision web attack detection","volume":"148","author":"Zhou","year":"2025","journal-title":"Comput. Secur."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"100345","DOI":"10.1016\/j.jnlest.2026.100345","article-title":"ZeroDefense: An adaptive hybrid fusion-based intrusion detection system for zero-day threat detection in IoT networks","volume":"24","author":"Wakili","year":"2026","journal-title":"J. Electron. Sci. Technol."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"200182","DOI":"10.1016\/j.sasc.2024.200182","article-title":"Cascaded intrusion detection system using machine learning","volume":"7","author":"Ahamed","year":"2025","journal-title":"Syst. Soft Comput."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"104709","DOI":"10.1016\/j.cose.2025.104709","article-title":"Surviving zero-day attacks using spatial specialization","volume":"160","author":"Asadujjaman","year":"2026","journal-title":"Comput. Secur."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"103843","DOI":"10.1016\/j.cose.2024.103843","article-title":"PhishingRTDS: A real-time detection system for phishing attacks using a Deep Learning model","volume":"141","author":"Asiri","year":"2024","journal-title":"Comput. Secur."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"111875","DOI":"10.1016\/j.comnet.2025.111875","article-title":"Hybrid multi-stage framework for identifying zero-day attacks and known threats in network traffic","volume":"275","author":"Park","year":"2026","journal-title":"Comput. Netw."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"357","DOI":"10.1016\/j.cose.2011.12.012","article-title":"Toward developing a systematic approach to generate benchmark datasets for intrusion detection","volume":"31","author":"Shiravi","year":"2012","journal-title":"Comput. Secur."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Moustafa, N., and Slay, J. (2015, January 10\u201312). UNSW-NB15: A comprehensive dataset for network intrusion detection systems. Proceedings of the 2015 Military Communications and Information Systems Conference (MilCIS), Canberra, Australia.","DOI":"10.1109\/MilCIS.2015.7348942"},{"key":"ref_12","first-page":"108","article-title":"Toward generating a new intrusion detection dataset and intrusion traffic characterization (CSE-CIC-IDS2018)","volume":"1","author":"Sharafaldin","year":"2018","journal-title":"ICISSp"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Dai, Z., Por, L.Y., Chen, Y.L., Yang, J., Ku, C.S., Alizadehsani, R., and P\u0142awiak, P. (2024). An intrusion detection model to detect zero-day attacks in unseen data using machine learning. PLoS ONE, 19.","DOI":"10.1371\/journal.pone.0308469"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Ali, S., Rehman, S.U., Imran, A., Adeem, G., Iqba, Z., and Kim, K.-I. (2022). Comparative Evaluation of AI-Based Techniques for Zero-Day Attacks Detection. Electronics, 11.","DOI":"10.3390\/electronics11233934"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"175","DOI":"10.1016\/j.comcom.2022.11.001","article-title":"A review of Machine Learning-based zero-day attack detection: Challenges and future directions","volume":"198","author":"Guo","year":"2023","journal-title":"Comput. Commun."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Babaey, V., and Faragardi, H.R. (2025). Detecting Zero-Day Web Attacks with an Ensemble of LSTM, GRU, and Stacked Autoencoders. Computers, 14.","DOI":"10.3390\/computers14060205"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"123027","DOI":"10.1016\/j.eswa.2023.123027","article-title":"Dugat-LSTM: Deep learning based network intrusion detection system using chaotic optimization strategy","volume":"245","author":"Devendiran","year":"2024","journal-title":"Expert Syst. Appl."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Jayaprakasam, B.S., Mandala, R.R., Garikipati, V., Ubagaram, C., Dyavani, N.R., and Ogunmola, G.A. (2025). Hybrid Deep Learning for Intrusion Detection in IoT Networks Using CNNs, Bigrus, Attention Mechanisms, and Advanced Binary Snake Optimizer (BSO) Techniques. J. Multiscale Model., 2640001.","DOI":"10.1142\/S1756973726400019"},{"key":"ref_19","first-page":"280","article-title":"Hybrid Bio-Inspired Routing Algorithms for Scalable and Adaptive Wireless Ad Hoc Networks","volume":"7","author":"Bostani","year":"2025","journal-title":"National J. Antennas Propag."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"39989","DOI":"10.1038\/s41598-025-23754-w","article-title":"Elevating intrusion detection and security fortification in intelligent networks through cutting-edge machine learning paradigms","volume":"15","author":"Munna","year":"2025","journal-title":"Sci. Rep."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Nishimura, T., and Hisanori, T. (2020, January 15\u201316). Anomaly detection and analysis by a gradient boosting trees and neural network ensemble model. Proceedings of the 2020 International Symposium on Semiconductor Manufacturing (ISSM), Tokyo, Japan.","DOI":"10.1109\/ISSM51728.2020.9377494"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Yilmaz, M.N., and Bardak, B. (2022, January 7\u20139). An Explainable Anomaly Detection Benchmark of Gradient Boosting Algorithms for Network Intrusion Detection Systems. Proceedings of the 2022 Innovations in Intelligent Systems and Applications Conference (ASYU), Antalya, Turkey.","DOI":"10.1109\/ASYU56188.2022.9925451"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"110476","DOI":"10.1016\/j.comnet.2024.110476","article-title":"A framework for detecting zero-day exploits in network flows","volume":"248","author":"Imine","year":"2024","journal-title":"Comput. Netw."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Makhmudov, F., Privalov, A., Egorenkov, S., Pryadkin, A., Kutlimuratov, A., Bekbaev, G., and Cho, Y.I. (2025). Analytical Approach to UAV Cargo Delivery Processes Under Malicious Interference Conditions. Mathematics, 13.","DOI":"10.3390\/math13122008"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Dawadi, B.R., Adhikari, B., and Srivastava, D.K. (2023). Deep Learning Technique-Enabled Web Application Firewall for the Detection of Web Attacks. Sensors, 23.","DOI":"10.3390\/s23042073"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Lu, G., Zhang, H., Qassrawi, M., and Yu, X. (2012, January 12\u201316). Comparison and Analysis of Flow Features at the Packet Level for Traffic Classification. Proceedings of the International Conference on Connected Vehicles and Expo, Beijing, China.","DOI":"10.1109\/ICCVE.2012.58"},{"key":"ref_27","first-page":"88","article-title":"Algorithm for Detection and Classification of Anomalies in the Traffic of Electronic Network Resources","volume":"10","author":"Mukhammadjon","year":"2025","journal-title":"Adv. Appl. Sci."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"105570","DOI":"10.1016\/j.scs.2024.105570","article-title":"Investigating the impact of data normalization methods on predicting electricity consumption in a building using different artificial neural network models","volume":"118","author":"Kim","year":"2025","journal-title":"Sustain. Cities Soc."},{"key":"ref_29","unstructured":"Chen, H.-H. (2024). Understanding Gradient Boosting Classifier. arXiv."},{"key":"ref_30","unstructured":"Rakhimovich, M.A., Kadirbergenovich, K.K., and Rakhmovich, O.U. (2022). Application of a Piecewise Linear Decision Tree Algorithm to Detect Phishing URLs in IoT Devices. Proceedings of the 12th World Conference \u201cIntelligent System for Industrial Automation\u201d (WCIS-2022), Springer Nature."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"173656","DOI":"10.1109\/ACCESS.2025.3616052","article-title":"On the Transparency of Decision-Making in Classification by Precedents With Fuzzy Descriptions","volume":"13","author":"Madrakhimov","year":"2025","journal-title":"IEEE Access"},{"key":"ref_32","unstructured":"Rakhmatov, F. (2026, March 03). Real-time Zero-Day Attack Detection, 2026. Available online: https:\/\/github.com\/FRakhmatov\/desktop-tutorial\/releases\/tag\/Zero-Day."},{"key":"ref_33","first-page":"247","article-title":"Blockchain-Based Wireless Network Security Algorithm for Data Integrity in History Education","volume":"16","author":"Makhmaraimova","year":"2025","journal-title":"J. Wirel. Mob. Netw. Ubiquitous Comput. Dependable Appl."}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/15\/3\/174\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,9]],"date-time":"2026-03-09T10:32:40Z","timestamp":1773052360000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/15\/3\/174"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,8]]},"references-count":33,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2026,3]]}},"alternative-id":["computers15030174"],"URL":"https:\/\/doi.org\/10.3390\/computers15030174","relation":{},"ISSN":["2073-431X"],"issn-type":[{"value":"2073-431X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,8]]}}}