{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,14]],"date-time":"2026-04-14T17:35:13Z","timestamp":1776188113599,"version":"3.50.1"},"reference-count":51,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2019,4,22]],"date-time":"2019-04-22T00:00:00Z","timestamp":1555891200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Ministry of Science, ICT","award":["IITP-2018-2016-0-00465"],"award-info":[{"award-number":["IITP-2018-2016-0-00465"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>With the rapid advancements of ubiquitous information and communication technologies, a large number of trustworthy online systems and services have been deployed. However, cybersecurity threats are still mounting. An intrusion detection (ID) system can play a significant role in detecting such security threats. Thus, developing an intelligent and accurate ID system is a non-trivial research problem. Existing ID systems that are typically used in traditional network intrusion detection system often fail and cannot detect many known and new security threats, largely because those approaches are based on classical machine learning methods that provide less focus on accurate feature selection and classification. Consequently, many known signatures from the attack traffic remain unidentifiable and become latent. Furthermore, since a massive network infrastructure can produce large-scale data, these approaches often fail to handle them flexibly, hence are not scalable. To address these issues and improve the accuracy and scalability, we propose a scalable and hybrid IDS, which is based on Spark ML and the convolutional-LSTM (Conv-LSTM) network. This IDS is a two-stage ID system: the first stage employs the anomaly detection module, which is based on Spark ML. The second stage acts as a misuse detection module, which is based on the Conv-LSTM network, such that both global and local latent threat signatures can be addressed. Evaluations of several baseline models in the ISCX-UNB dataset show that our hybrid IDS can identify network misuses accurately in 97.29% of cases and outperforms state-of-the-art approaches during 10-fold cross-validation tests.<\/jats:p>","DOI":"10.3390\/sym11040583","type":"journal-article","created":{"date-parts":[[2019,4,22]],"date-time":"2019-04-22T11:02:53Z","timestamp":1555930973000},"page":"583","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":149,"title":["A Scalable and Hybrid Intrusion Detection System Based on the Convolutional-LSTM Network"],"prefix":"10.3390","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9664-2734","authenticated-orcid":false,"given":"Muhammad","family":"Khan","sequence":"first","affiliation":[{"name":"Department of Information and Communication Engineering, Dongguk University, 30-Pildong-ro 1-gil, Jung-gu, Seoul 100-715, Korea"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6804-9183","authenticated-orcid":false,"given":"Md.","family":"Karim","sequence":"additional","affiliation":[{"name":"Fraunhofer Institute for Applied Information Technology FIT, 53754 Sankt Augustin, Germany"},{"name":"Chair of Computer Science 5, RWTH Aachen University, 52074 Aachen, Germany"}]},{"given":"Yangwoo","family":"Kim","sequence":"additional","affiliation":[{"name":"Department of Information and Communication Engineering, Dongguk University, 30-Pildong-ro 1-gil, Jung-gu, Seoul 100-715, Korea"}]}],"member":"1968","published-online":{"date-parts":[[2019,4,22]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"48697","DOI":"10.1109\/ACCESS.2018.2867564","article-title":"An intrusion detection system using a deep neural network with gated recurrent units","volume":"6","author":"Xu","year":"2018","journal-title":"IEEE Access"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Vinayakumar, R., Soman, K.P., and Poornachandran, P. (2017, January 13\u201316). Applying convolutional neural network for network intrusion detection. Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI), Udupi, India.","DOI":"10.1109\/ICACCI.2017.8126009"},{"key":"ref_3","first-page":"69","article-title":"Intrusion detection system: A review","volume":"9","author":"Sharma","year":"2015","journal-title":"Int. J. Secur. Its Appl."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Allen, J., Christie, A., Fithen, W., Mchugh, J., and Pickel, J. (2000). State of the Practice of Intrusion Detection Technologies, Carnegie-Mellon Univ Pittsburgh Pa Software Engineering Inst.","DOI":"10.21236\/ADA375846"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Mighan, S.N., and Kahani, M. (2018, January 8\u201310). Deep Learning Based Latent Feature Extraction for Intrusion Detection. Proceedings of the Iranian Conference on Electrical Engineering (ICEE), Mashhad, Iran.","DOI":"10.1109\/ICEE.2018.8472418"},{"key":"ref_6","first-page":"69","article-title":"A survey on secure network: Intrusion detection prevention approaches","volume":"4","author":"Bijone","year":"2016","journal-title":"Am. J. Inf. Syst."},{"key":"ref_7","unstructured":"Hodo, E., Bellekens, X., Hamilton, A., Tachtatzis, C., and Atkinson, R. (2017). Shallow and deep networks intrusion detection system: A taxonomy and survey. arXiv."},{"key":"ref_8","unstructured":"Axelsson, S. (2000). Intrusion Detection Systems: A Survey and Taxonomy, Chalmers University. Technical Report."},{"key":"ref_9","unstructured":"Kim, J., and Kim, H. (2017, January 13\u201315). An effective intrusion detection classifier using long short-term memory with gradient descent optimization. Proceedings of the IIEEE international Conference on Platform Technology and Service (PlatCon), Busan, Korea."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"1527","DOI":"10.1162\/neco.2006.18.7.1527","article-title":"A fast learning algorithm for deep belief nets","volume":"18","author":"Hinton","year":"2006","journal-title":"Neural Comput."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Wu, Z., Wang, X., Jiang, Y.G., Ye, H., and Xue, X. (2015, January 26\u201330). Modeling spatial-temporal clues in a hybrid deep learning framework for video classification. Proceedings of the 23rd ACM International Conference on Multimedia, Brisbane, Australia.","DOI":"10.1145\/2733373.2806222"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Tang, D., Qin, B., and Liu, T. (2015, January 17\u201321). Document modeling with gated recurrent neural network for sentiment classification. Proceedings of the Conference on Empirical Methods in Natural Language Processing (EMNLP), Lisbon, Portugal.","DOI":"10.18653\/v1\/D15-1167"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Fan, Y., Lu, X., Li, D., and Liu, Y. (2016, January 12\u201316). Video-based emotion recognition using CNN-RNN and C3D hybrid networks. Proceedings of the 18th ACM International Conference on Multimodal Interaction, Tokyo, Japan.","DOI":"10.1145\/2993148.2997632"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Vignesh, K., Yadav, G., and Sethi, A. (2017, January 21\u201326). Abnormal Event Detection on BMTT-PETS Surveillance Challenge. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition Workshops (CVPRW), Honolulu, HI, USA.","DOI":"10.1109\/CVPRW.2017.268"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"21954","DOI":"10.1109\/ACCESS.2017.2762418","article-title":"A Deep Learning Approach for Intrusion Detection Using Recurrent Neural Networks","volume":"5","author":"Yin","year":"2017","journal-title":"IEEE Access"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"178","DOI":"10.1016\/j.asoc.2014.01.028","article-title":"A novel hybrid KPCA and SVM with GA model for intrusion detection","volume":"18","author":"Kuang","year":"2014","journal-title":"Appl. Soft Comput."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Reddy, R.R., Ramadevi, Y., and Sunitha, K.V.N. (2016, January 21\u201324). Effective discriminant function for intrusion detection using SVM. Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI), Jaipur, India.","DOI":"10.1109\/ICACCI.2016.7732199"},{"key":"ref_18","first-page":"240217","article-title":"A new intrusion detection system based on KNN classification algorithm in wireless sensor network","volume":"2014","author":"Li","year":"2014","journal-title":"J. Electr. Comput. Eng."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"213","DOI":"10.1016\/j.procs.2016.06.047","article-title":"Random forest modeling for network intrusion detection system","volume":"89","author":"Farnaaz","year":"2016","journal-title":"Procedia Comput. Sci."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"649","DOI":"10.1109\/TSMCC.2008.923876","article-title":"Random-Forests-Based Network Intrusion Detection Systems","volume":"38","author":"Zhang","year":"2008","journal-title":"IEEE Trans. Syst. Man Cybern. Part C Appl. Rev."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"1690","DOI":"10.1016\/j.eswa.2013.08.066","article-title":"A novel hybrid intrusion detection method integrating anomaly detection with misuse detection","volume":"41","author":"Kim","year":"2014","journal-title":"Expert Syst. Appl."},{"key":"ref_22","first-page":"258","article-title":"Network intrusion detection using naive bays","volume":"7","author":"Panda","year":"2007","journal-title":"Int. J. Comput. Sci. Netw. Secur."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Zaman, S., and Karray, F. (2009, January 10\u201313). Features selection for intrusion detection systems based on support vector machines. Proceedings of the IEEE Consumer Communications and Networking Conference, Las Vegas, NV, USA.","DOI":"10.1109\/CCNC.2009.4784780"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"713","DOI":"10.1016\/j.eswa.2005.05.002","article-title":"An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks","volume":"4","author":"Depren","year":"2005","journal-title":"Expert Syst. Appl."},{"key":"ref_25","first-page":"3884","article-title":"Effective Dimensionality Reduction of Payload-Based Anomaly Detection in TMAD Model for HTTP Payload","volume":"10","author":"Kakavand","year":"2016","journal-title":"KSII Trans. Internet Inf. Syst."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"962185","DOI":"10.1155\/2013\/962185","article-title":"Design of an evolutionary approach for intrusion detection","volume":"2013","author":"Kumar","year":"2013","journal-title":"Sci. World J."},{"key":"ref_27","unstructured":"Yassin, W., Udzir, N.I., Muda, Z., and Sulaiman, M.N. (2013, January 28\u201330). Anomaly-based intrusion detection through k-means clustering and naives Bayes classification. Proceedings of the 4th International Conference on Computing and Informatics, ICOCI, Kuching, Malaysia."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Tahir, H.M., Said, A.M., Osman, N.H., Zakaria, N.H., Sabri, P.N.A.M., and Katuk, N. (2016, January 15\u201317). Oving K-means clustering using discretization technique in network intrusion detection system. Proceedings of the 3rd International Conference on Computer and Information Sciences (ICCOINS), Kuala Lumpur, Malaysia.","DOI":"10.1109\/ICCOINS.2016.7783222"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"2519","DOI":"10.1109\/TC.2014.2375218","article-title":"Detection of Denial-of-Service Attacks Based on Computer Vision Techniques","volume":"64","author":"Tan","year":"2015","journal-title":"IEEE Trans. Comput."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Sallay, H., Ammar, A., Saad, M.B., and Bourouis, S. (2013, January 22\u201324). A real time adaptive intrusion detection alert classifier for high speed networks. Proceedings of the IEEE 12th International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA.","DOI":"10.1109\/NCA.2013.16"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Ingre, B., and Yadav, A. (2015, January 2\u20133). Performance analysis of NSL-KDD dataset using ANN. Proceedings of the IEEE International Conference on Signal Processing and Communication Engineering Systems, Guntur, India.","DOI":"10.1109\/SPACES.2015.7058223"},{"key":"ref_32","unstructured":"Lipton, Z.C., Berkowitz, J., and Elkan, C. (2015). A critical review of recurrent neural networks for sequence learning. arXiv."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Gao, N., Gao, L., Gao, Q., and Wang, H. (2014, January 20\u201322). An intrusion detection model based on deep belief networks. Proceedings of the IEEE Second International Conference on Advanced Cloud and Big Data, Huangshan, China.","DOI":"10.1109\/CBD.2014.41"},{"key":"ref_34","unstructured":"Moradi, M., and Zulkernine, M. (2004, January 4\u20136). A neural network-based system for intrusion detection and classification of attacks. Proceedings of the IEEE International Conference on Advances in Intelligent Systems-Theory and Applications, Guwahati, India."},{"key":"ref_35","first-page":"82","article-title":"Extracting salient features for network intrusion detection using machine learning methods","volume":"52","author":"Staudemeyer","year":"2014","journal-title":"S. Afr. Comput. J."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Staudemeyer, R.C., and Omlin, C.W. (2013, January 7\u20139). Evaluating performance of long short-term memory recurrent neural networks on intrusion detection data. Proceedings of the South African Institute for Computer Scientists and Information Technologists Conference, East London, Africa.","DOI":"10.1145\/2513456.2513490"},{"key":"ref_37","first-page":"136","article-title":"Applying long short-term memory recurrent neural networks to intrusion detection","volume":"56","author":"Staudemeyer","year":"2015","journal-title":"S. Afr. Comput. J."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"167","DOI":"10.1016\/j.jnca.2004.01.003","article-title":"Intrusion detection using an ensemble of intelligent paradigms","volume":"28","author":"Mukkamala","year":"2005","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Javaid, A., Niyaz, Q., Sun, W., and Alam, M. (2016, January 3\u20135). A deep learning approach for network intrusion detection system. Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS), ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), New York, NY, USA.","DOI":"10.4108\/eai.3-12-2015.2262516"},{"key":"ref_40","first-page":"28","article-title":"Neural networks learning improvement using the K-means clustering algorithm to detect network intrusions","volume":"5","author":"Faraoun","year":"2006","journal-title":"INFOCOMP"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Santos, L., Rabadao, C., and Gon\u00e7alves, R. (2018, January 13\u201316). Intrusion detection systems in Internet of Things: A literature review. Proceedings of the IEEE 13th Iberian Conference on Information Systems and Technologies (CISTI), Caceres, Spain.","DOI":"10.23919\/CISTI.2018.8399291"},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Tsiropoulou, E.E., Baras, J.S., Papavassiliou, S., and Qu, G. (2016). On the Mitigation of Interference Imposed by Intruders in Passive RFID Networks. International Conference on Decision and Game Theory for Security, Springer.","DOI":"10.1007\/978-3-319-47413-7_4"},{"key":"ref_43","doi-asserted-by":"crossref","first-page":"609","DOI":"10.1016\/j.jare.2014.02.009","article-title":"A hybrid approach for efficient anomaly detection using metaheuristic methods","volume":"6","author":"Ghanem","year":"2015","journal-title":"J. Adv. Res."},{"key":"ref_44","unstructured":"Sabhnani, M., and Serpen, G. (2003, January 23\u201326). Application of Machine Learning Algorithms to KDD Intrusion Detection Dataset within Misuse Detection Context. Proceedings of the International Conference on Machine Learning: Models, Technologies, and Applications (MLMTA), Las Vegas, NV, USA."},{"key":"ref_45","doi-asserted-by":"crossref","first-page":"3014","DOI":"10.1016\/j.asoc.2012.04.020","article-title":"A hybrid network intrusion detection system using simplified swarm optimization (SSO)","volume":"12","author":"Chung","year":"2012","journal-title":"Appl. Soft Comput."},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"357","DOI":"10.1016\/j.cose.2011.12.012","article-title":"Toward developing a systematic approach to generate benchmark datasets for intrusion detection","volume":"31","author":"Shiravi","year":"2012","journal-title":"Comput. Secur."},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"1735","DOI":"10.1162\/neco.1997.9.8.1735","article-title":"Long Short-Term Memory. Long short-term memory","volume":"9","author":"Hochreiter","year":"1997","journal-title":"Neural Comput."},{"key":"ref_48","first-page":"115","article-title":"Learning precise timing with LSTM recurrent networks","volume":"3","author":"Gers","year":"2002","journal-title":"J. Mach. Learn. Res."},{"key":"ref_49","unstructured":"Giancarlo, Z., and Karim, M.R. (2018). Deep Learning with TensorFlow: Explore Neural Networks and Build Intelligent Systems with Python, Packt Publishing Ltd."},{"key":"ref_50","doi-asserted-by":"crossref","unstructured":"Khan, M.A., Karim, M.R., and Kim, Y. (2018). A Two-Stage Big Data Analytics Framework with Real World Applications Using Spark Machine Learning and Long Short-Term Memory Network. Symmetry, 10.","DOI":"10.3390\/sym10100485"},{"key":"ref_51","unstructured":"Karim, M.R., Cochez, M., and Dietrich-Rebholz, S. (2018). Recurrent Deep Embedding Networks for Genotype Clustering and Ethnicity Prediction. arXiv."}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/11\/4\/583\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T12:46:16Z","timestamp":1760186776000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/11\/4\/583"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,4,22]]},"references-count":51,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2019,4]]}},"alternative-id":["sym11040583"],"URL":"https:\/\/doi.org\/10.3390\/sym11040583","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,4,22]]}}}