Complete network configuration.

Firewalls, Routers, Switches, Modems and the existence of Windows operating systems make up a full network topology.

Packet protocols.

Internet Control Message Protocol (ICMP), TCP/IP and User Datagram Protocol/Internet Protocol (UDP/IP).

Anomaly-based protocols.

Here, an IDS has been configured to identify irregularities in protocols that are generally said to be an attack. If a particular protocol has more than 50% “Packet Loss” during normal operation, the proposed model gives an alert. This happens only when the detected norms differ from the packet loss percentage.

Data flow analysis.

When there is a sudden change in transmitting a large amount of data, the proposed model examines the data flow across the network and pinpoints the location of any anonymous issue. The raw traffic were captured using the TCP/IP dump tool.

Preprocessing.

The preprocessing of the input dataset consists of reading the data, resizing the dataset and removing the junk values, unknown characters etc., from the raw dataset. Our proposed model uses NIDS dataset V.10 2017 which has more than 2,00,000 data’s available as.CSV file.

Initially we are generating a feature matrix “X” and an observation vector “Y” with respect to “X” to find out any missing values. These missing values are estimated by calculating “Median” “Mean” and “Variance”. Then our learned class “Label.Encoder()” will convert the “categorical values” into “numerical values”.

To avoid “biasing” problem and to reduce the training cost, “feature scaling” should be done. To narrow down the data values “Scale to Range” method is proposed in our work. To regularize and to set the data in a similar scale, “Normalization” is done to rescale our data between of “0 to 1”. This method helps in finding the data losses and outliers in the proposed model.

To reduce the size of the dataset “PCA” algorithm, a dimensionality reduction technique is proposed to minimize the residuals, information loss and overfitting. The “variance” and “performance” of the proposed model is maximized after principal values are achieved.

To obtain singular values in the dataset “SVD” algorithm, a matrix decomposition technique is implemented. Eigen vectors are calculated to find the Eigen values of the matrices. The square roots of each Eigen values which is greater than zero are considered to be “Singular values”.

As a result of doing the above methods, a new structured dataset is created. Finally, our dataset is divided into 70% → “Training set” + 30% → “Testing set”, an ideal proportion to train and test our proposed model.

Fig 1 shows the screenshot of the NIDS Dataset under training. The dataset is preprocessed for the further analysis during the training session. The type of protocol utilized, type of service, flag status, byte sent from source and received by the destination are considered important for the analysis.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 1. Trained dataset after preprocessing.

https://doi.org/10.1371/journal.pone.0283725.g001

Fig 2 shows the screenshot of the NIDS Dataset under test. The dataset is preprocessed for the further analysis during the testing session. The type of protocol utilized, type of service, flag status, byte sent from source and received by the destination are considered merely important for the analysis.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. Test dataset after preprocessing.

https://doi.org/10.1371/journal.pone.0283725.g002

Feature extraction of NIDS.

Our proposed method uses NIDS dataset V.10 2017 to train and test the model. Our dataset is preprocessed by applying Normalization technique which converts the set of data into a range of scale. After the features are extracted, it is fed into Fast R-CNN, which is a pre-trained model. This model identifies and detects the cyber-attack based on the anomaly pattern generated. At the same time, simultaneously, our proposed method uses PCA to reduce the dimensionality of data. Another method SVD, a matrix factorization technique decomposes several matrices into original matrix. After the features are extracted from the dataset, it is given as an input to gradient boost regression combined with Fast R-CNN, a hybrid model to learn the features very fast and also to boost the performance of the proposed model. Based on the pattern generated, our proposed hybrid model detects the cyber-attack from Fast R-CNN architecture. The output are then classified as “Normal” or “Anomaly” as binary-class classification and further categorized as “R2L, U2R, DoS, DDoS and Probe as multi-class classification. Simultaneously, our proposed stacked model predicts the cyber-attack from gradient boost regression hybridized with Fast R-CNN. The output are then classified as “Normal” or “Anomaly” as binary-class classification and further categorized as “R2L, U2R, DoS, DDoS and Probe as multi-class classification. Our proposed model now compare both the results and decides the best detected cyber-attack through a “Decision Making” block which is shown in Fig 3. Finally our proposed NIDS model gives a warning dialog box as “Buffer Overflow” as attack detected which is shown in Fig 4.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. Feature extraction of proposed NIDS.

https://doi.org/10.1371/journal.pone.0283725.g003

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. Warning dialog box of proposed NIDS.

https://doi.org/10.1371/journal.pone.0283725.g004

Principal Component Analysis (PCA) for network intrusion detection system.

To identify the principal components present in the dataset, a dimensionality reduction technique called PCA is utilized in our proposed work. This method not only reduces the dimension of the dataset, but also retains the maximum number of information. At first the standard regression co-efficients are calculated. Once the matrix is reduced, the “Regression co-efficient” which has only particular features exceeds a threshold “T_h” value, then it is detected as “ATTACK”. This Threshold value is calculated using Cross-validation. If the particular features do not exceeds the “T_h” value then the value is detected as “NORMAL”. Eq 1 represents the condition for the “Cyber-Attack”. (1) Where “T_h” denotes “Threshold Value”.

Before performing PCA, normalize the data into standard dataset. We should also ensure that the Mean should be “0” and Variance should be “1”. This can be achieved by “Min-Max” scaling technique, by doing shifting or rescaling. (2) Where, Xmax and Xmin are Feature values.

After rescaling is done, we have to compute “Covariance Matrix (p × p)”. Where “p” is the number of dimensions. This matrix understands the correlation between two or more features. That is, how the variables of the input dataset are varying from “Mean” with respect to each other. (3) (4) Where “X” and “Y” are 2 Dimensional dataset with 2 variables

In order to compute the covariance matrix, we need to define the various elements of it, such as the "Eigen Vectors" and "Eigen Values”. These two components are then computed by the special variable for analysis SVD. The order of the "Eigen Values" and "Eigen Vectors" is taken into account to identify the principal components of the matrix.

After identifying the principal components, the feature vectors are calculated to form a Matrix that contain “1s” only. These feature vectors are isolated by identifying the lesser significance (of low “Eigen Values”).

The normal Scrutiny is defined as (5) The deviation from the average is defined as (6) Once the “Feature Vectors” are calculated, the featured data are reshaped along the “Principal Component Axes”, using the “Eigen Vectors” of the covariance matrix. The final dataset is calculated by applying the following formula, (7) By performing all the above steps, our final NIDS dataset is created for further process. It maximizes the “Variance” of the data and minimizes the “Residuals” (Squared distance). It increases the interpretability of the model. (Understanding in-terms of humans). It also minimizes the “Information Loss” and mitigates the “Overfitting” problem. Finally our proposed model’s performance is increased at a very low cost [31].

Singular Value Decomposition (SVD) for PCA.

This method can transform correlated variables into uncorrelated ones by exposing the relationships among the data elements. The segment of grid “A” that’s at line i and line j is referred to as A[ij]. If "B" is a "p×n" network and "A" is a "m×p" matrix, then the product of two matrices is "C = AB" must contain “m×n” shape. The final matrix “C” can be calculated using the formula, (8) The matching row and column vectors in matrices A and B are dot products of product matrix “C”. The square roots of the values of "C" which are greater than zero, represent the singular ones [32].

Method for residual detection.

The extracted features may contain some incorrect values, missing values or outliers during the time of experimental analysis. Due to these reasons, the accuracy level of the target object detection is reduced and it is not convinced. In order to increase the target object’s detection accuracy, the residual detection approach is applied in this research. Gradient Boost Regression and Fast R-CNN train the identical training set and produce a detector in the experiment. In-order to obtain the assurance of the detected text, the extracted feature values of the relevant contour and target object contour is created first using the Deep Learning Network (DLN) with Fast R-CNN architecture. In-order to detect the same text and to get the associated feature point set, Gradient boost detector is deployed. The qualities of feature matching are assessed in accordance with the view of repeatability (repetition rate). The Eigenvalues which are extracted by the two algorithms are calculated. The contour region is determined by assigning the confidence level to 100% which matches the similar result. The Threshold value is fixed in the range 0 to 1. To identify the cyber-attack the matched pattern which are greater than the 0.5 threshold values are termed as “ATTACK” and less than or equal to 0.5 values are termed as “NORMAL”. The hybrid GBR model continues to get the analysis if the DLN suggestion is class 2 of anomaly. Based on the feature mappings already made and stored as.MAT file with the backend model, the classification of the abnormality of intrusions are categorized.

The RoI pooling layer.

One must understand the Sub-Sampling Ratio before beginning the Region of Interest (RoI) Projection. It is the proportion of the feature map’s size to the image’s original size. The concept behind RoI projection is that we need to project the RoI proposal with regard to the subsampling ratio in order to obtain the bounding box coordinates from the RoI proposal and place them on the feature maps. We represent the co-ordinates of bounding box in 2 ways.

1. Co-ordinates for the box’s midpoint is (A,B) and width and height are represented as (X,Y)
2. Co-ordinates on the bounding box’s opposite side is represented as [A1,B1 & A2,B2].

In our proposed work we need 2D output since our model is a pre-trained network. It may not be possible to divide them equally, if the dimensions are odd numbered. So we are rounding the value to the nearest number. Now, the height and width are divided to form a fixed dimensional box as per the required data and rounding them to the nearest value. The output is calculated after max-pooling each block. We proposed [6x6] grid pooling in Fast R-CNN, because our proposed model utilizes “ALEXNET” architecture. Our Fast R-CNN model is 146 times faster than the existing one and it is very efficient in solving bounding box regressor’s L2 loss, SVM and Log loss.

Fine tuning for detection.

To design our proposed NIDS model very efficiently, we need to be very careful in choosing the hyper-parameters. Our proposed model uses “Regression Learner app” for selecting the hyper-parameter values which are present in the hyper-parameter optimization blog. Using an optimization strategy that aims to reduce the model MSE, the app experiments with various combinations of hyper-parameter values and then returns a model with the optimized hyper-parameters.

First, we have to choose the best optimizer values. To search the corresponding data points in the dataset, iterations must be matched. Among the two types of “Grid Search” and “Random Search”, my proposed work uses the “Random Search” method with matching iterations of “1000 Epochs”.

We suggest a training strategy that is more effective and makes use of feature sharing. Stochastic gradient descent (SGD) mini-batches are hierarchically sampled in Fast R-CNN training. “N” data points are sampled first and the each data from R/N RoI’s are then sampled. “Memory” and “Computation” for the backward and forward passes are shared by RoIs from the same data. Mini-batch computation is decreased when “N” is made small. In our proposed work we use N = 2 and Mini Batch size as 128 which made my model 64 times faster. Even though the training time is high because of data correlation, we used SGD method which achieves better results than the existing methods. Instead of training a SVMs, regressors and Softmax classifier, in three different phases, they both are combined in a single stage of Fast R-CNN during the training process [38, 39].

Multitasking loss.

A Fast R-CNN has two interconnected output layers. Layer 1 computes a discrete probability distribution from each RoI, That is k = (k0, k1,……..,kN), over N + 1 categories. The conventional method for calculating “k” is to use a Softmax over the N+1 outputs of a fully connected layer. The second sibling layer provides bounding-box regression offsets for each of the N object classes, indexed by r, as follows: t^r = (t^r_x, t^r_y, t^r_w, t^r_h). Here t^r specifies the log-space height/width shift and scale-invariant translation which are related to object proposals. Here “X” and “Y” are labelled as “ground-truth class” and “ground-truth bounding box regression target” for every one RoI. In-order to train the said label, we utilized a multitasking loss “M” on every labelled RoI. (17) where, M_cls(k,v) = -log k_v is true class log loss of “X”. M_loc, the next loss is specified over a pair of real target class “X” for bounding-box regression. s = (s_x, s_y, s_w, s_h), and a predicted tuple tⁿ = (tⁿ_x, tⁿ_y, tⁿ_w, tⁿ_h) again for class “X”.[v ≥ 1] calculates to 1, or else 0. All background classes are labelled as X = 0. Since there is no concept of a ground-truth bounding box for background RoIs, L_loc is disregarded. Loss function used for bounding-box regression is, (18) in which (19) Exploding gradients should be prevented when there are unbounding regression targets. We should be very careful when we tune the learning rates during L₂ loss training. Losses between the two tasks are balanced by controlling the hyper-parameter “γ” in Eq 15.

To achieve “Mean = 0” and “Variance = 1” the ground-truth regression targets “Y” is normalized [38].

Batch size and epochs.

Our proposed method uses 1000 training samples with batch size as 128. The proposed algorithm takes the 1^st 1000 samples (that is from 1 to 1000) from the training dataset to train the network. Again the process repeats for the 2^nd 1000 samples (that is from 1001 to 2000) to train the network. This process is repeated until all the samples are extracted from the dataset. The biggest advantage is it takes only less memory to train the model. Each time when we update the weights, the model is trained fast which will be an added advantage.

The one hyper-parameter which we should observe is nothing but an “Epochs”. Our proposed algorithm walks throughout the training dataset for the defined epochs. Our model is trained and tested with a minimum of “5” and a maximum of “1000” epochs. Our internal model parameters gets updated in the training dataset for every “1” epoch (that is for each sample) [40].

Stochastic Gradient Descent (SGD).

The most common optimizer algorithm which is proposed in our work is SGD. This algorithm optimizes the “learning rate” and “momentum”. The weights are controlled by the learning rate at the final stage of each batch, while the momentum updates the current weight which is influenced from the previous update. Our proposed model takes the “learning rate value as 0.0001” and “momentum value as 0.9” [39].

SGD can be calculated by using the below mentioned formula, (20) Here, “Ƞ” represents the → learning rate

“δ (Error)” represents → the derivative of error with respect to weight.

Softmax classifier.

The features which are extracted finally from the hidden layer nodes are then given to “Softmax” classifier section which is placed at the end. Then they are categorized accordingly based on the pattern generated. This proposed classifier uses “One-Hot encoding to calculate the “Cross-Entropy Loss” and gain the maximum value. A true distribution “p” and an estimated distribution “q” have the following cross-entropy: (21) To minimize the cross-entropy between the true distribution and the predicted class, Softmax classifier seeks all the probability mass in the correct class. Then our proposed model should identify the correct object (cyber-attack) using the cross-entropy function. When the prediction is more accurate, the loss function is reduced.

Deep Inspection Packet (DPI).

A type of “Packet Filtering” method which is implemented in our proposed work to capture the anomaly packet. This method uses the technique called “Pattern Matching” as key for security in our proposed IDS model. This technique will decide the packets that must be allowed. One of the effective methods in identifying the “Anomaly packet” and in detecting the cyber-attacks. (Specially in DoS and U2R attacks).

Experimental setup.

The performance of binary and multiclass classification are evaluated using the trained NIDS dataset, which is centered on our Fast R-CNN model, and is used to assess. According to the results of research, the majority of more than 99 percent of scenarios are true. Algorithm 1 describes our proposed model’s training process.

Algorithm 1: Hybrid Deep Learning

Procedure: Training

Preprocessed NIDS train →Training Dataset

Preprocessed NIDS test → Testing Dataset

Feature extraction → PCA Values

Matrix decomposition → SVD Values

Compute the values for “X” → Gradient Boost Regression

i ← 0

Epoch ← 50

While i ≠ epoch do

For each epoch repeat the training procedure

“Y” → Result is stored

Analyze the bias result and compare it to X.

if testing accuracy is 0 (or) i = 0 then

Testing Accuracy → Best testing Accuracy

end if

The suggested algorithms must be conducted in a stable environmental setting throughout the training and testing phases. The utilized software and hardware setups are displayed in the Table 3.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. Environmental setup.

https://doi.org/10.1371/journal.pone.0283725.t003

In-order to prevent the data present in the computer system and IoT devices from external cyber threat, we need a best tool that protects the data efficiently. Many software tools are available for doing research work. Comparatively, “MATLAB” tool plays a vital role when it comes into the picture. Using MATLAB “Code Window” and “Simulink” we designed our proposed NIDS in an effective manner. Some of the key-points are shown below to develop our NIDS.

• Security → Design modelling and Code generation is secured.
• Analysis → Look for “Vulnerabilities” and “Compliance” in the code.
• Detection → “Cyber-Attack” detection at an early stage
• Performance → “Architecture” model can be checked.
• Design confidence increased when we use analytical methods.
• Reports → Address new risks after bug reports.
• Countermeasures → Defense mechanism can be added.
• Verifications → Automatic “Updates” and “Security checks” can be done.

During the testing phase, the Accuracy, Precision, Recall and F1-score evaluation measures are combined to create a performance grade for the deep learning model.

Scenario– 1.

Most of the existing IDS models fail in detecting cyber-attacks because of their high False Positive Rate (FPR) and high False Negative Rate (FNR). Hackers, virus and malwares become more risky for Computer networks nowadays. When developing an efficient IDS, Detection Rate (DR) should be considered as one of the main parameters. “Adaptive ability” should be considered as another parameter when developing an IDS. Poor lagging and failing are noticed in many existing models when a new intrusion behavior happens in the network.

Nowadays, huge amount of data are utilized for processing in various application fields, especially in the field of Image processing. As a result, “Big Data Analytics” came in light which can access large amount of data in a short span of time. Traditional IDS fails to identify any abnormal behavior at this place. This becomes a great challenge for an efficient IDS [41].

Our proposed model has high True Positive Rate (TPR) and less FPR. It also has the ability to withstand large dataset with high DR.

Scenario– 2.

As data becomes more prevalent online, new options for attacks to target sensitive data have emerged, posing numerous security concerns. Among the 5 types of cyber-attacks, DDoS is considered as a major threat for computer network field. Most of the existing IDS are in-effective in handling high speed data. However traditional IDS performs well only with less amount of data with slow speed. Moreover time consumption is too high in detecting the DDoS attack. So when developing an efficient IDS, the model’s speed and time consumption should also be considered as main parameters [42].

Our proposed work consumes only 9.19 seconds in detecting the DDoS attack. Hence our proposed model is efficient and it outperforms in the above said issue.

Scenario– 3.

To build a complete anomaly-based Network Intrusion Detection System (A-NIDS), hybrid method plays a crucial role. Here, Glowworm Swarm Optimization-Principal Component Analysis (GSO-PCA) is hybridized to enhance the performance of the IoT. So detecting the anomaly pattern efficiently will increase the performance of the model [43].

Our proposed model is developed by hybridizing Fast R-CNN with GBR to increase the performance of the model. We also proposed PCA technique to extract the features from the dataset. Our proposed method consumes less time in detecting the “Anomaly attack” with an overall performance of above 99% which outperforms the existing methods.

Accuracy.

The accuracy ratio is calculated by taking into account the number of attacks that have been correctly classified against the number of attacks that have been counted incorrectly. (22) Where “True Negative” (TN) represents a situation in which there has been no attack and there has been no detection. While “False Negative” (FN) represents when an attack occurs but no alarm is sounded.

Precision.

The precision measure is used to analyze the fraction of test data that is considered an attack. (23) Where “True Positive” (TP) is a real attack that sets off an alert. While “False Positive” (FP) represents a signal that sets off an alert even though there hasn’t been an attack.

Recall.

The term recall is used to describe a sensitivity or true positivity. The terms recall and sensitivity are often interchangeably used to describe true positivity or sensitivity.

(24)

F-Measure.

The F-measure is a type of harmonic mean that is composed of the combination of recall and precision, (25)

Mean square error.

The square of the difference between actual and predicted values is referred to as the mean or average. (26) Where “n” is the sample size.

Gradient Boost Regression results.

Fig 7(A)–7(C) show the results of “Direct method (Fast R-CNN)”, “Gradient Boost Regression” and “Hybrid Model” respectively of Buffer Overflow attack. The intrusions which are fetched from the proposed Fast R-CNN model (i.e., after PCA and SVD) and the feedback considered from the test input are given into the Gradient Boost Regression (GBR) model to analyze the relative correlation. Higher the correlation with the training anomaly considering Smurf, Neptune, Guess Password, IP Sweep, Buffer Overflow and Normal higher the formation of class.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7.

(a). Proposed result using direct method. (b). Proposed result using gradient boost regression. (c). Proposed result of hybrid method using In–Built MATLAB. (d). Proposed result of mean square error (MSE).

https://doi.org/10.1371/journal.pone.0283725.g007

Fig 7(D) shows the “Mean Square Error (MSE)” of the proposed model. It is computed by finding the “Mean” or the “Average” of the squared errors from data related to the function. Our model shows that the “Regression Line” is very close to the data set. By reducing the “Mean Square Error” values, the performance of the model increased [44].

Fig 8 shows the overall “Accuracy” comparison result with various algorithms for our proposed model. “Artificial Fish Swarm Algorithm-Genetic Algorithm-Particle Swarm Optimization-Deep Belief Network (AFSA-GA-PSO-DBN), PSO-DBN, GA-PSO-DBN, AFSA-PSO-DBN, Crossover Mutation Particle Swarm Optimization (CMPSO-DBN), SVM, Random Forest (RF) AND Naive Bayes algorithms has very less percentage of accuracy in detecting the cyber-attacks. Algorithms like SVM-J48, DNN-LSTM-DBN, and Artificial Neural Network (ANN) has accuracy percentage of 89.01%, 88.04% and 82.32% respectively, which are slightly better than above said algorithms. DNN-Binary-PSO, AE, Back Propagation Neural Network (BPNN), GSO, Glowworm Swarm Optimization-Principal Component Analysis (GSO-PCA) have accuracy percentage of 95.00%, 91.7%, 91.09%, 91.36%, and 92.98% respectively, which are even better than the other existing algorithms [45, 46].

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 8. Overall accuracy comparison for different algorithms.

https://doi.org/10.1371/journal.pone.0283725.g008

Finally, our proposed hybrid model has the highest accuracy percentage of 99.5% which outperforms all other algorithms. Hence the above graph clearly proves that our model is best in detecting the cyber-attacks efficiently.

Fig 9 compares the individual cyber-attacks for accuracy results with other methods such as ANN, SVM, BPNN, PSO and GSO-PCA against four types of attacks namely DoS/DDoS, Probe, R2L and U2R attacks [42].

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 9. Accuracy comparison for individual cyber attack with various algorithms.

https://doi.org/10.1371/journal.pone.0283725.g009

In all cases, proposed hybrid Fast R-CNN-GBR framework attains higher accuracy of more than 99.64%, 99.72%, 99.74%, 99.69% and 99.78% for the above-mentioned cases which are comparatively higher than the existing algorithms.

Fig 10 shows the performance metrics comparison of Precision, Recall and F-Measure for various algorithms which are compared with our proposed work. From the figure, Logistic Regression (LR) shows very less performance when compared to other algorithms. Extreme Gradient Boosting (XG Boost), Decision Tree (DT) and K-Nearest Neighbor (KNN) performs slightly better than LR and Random Forest (RF’s) Recall value shows only 82% which is less.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 10. Performance metrics comparison of various algorithms.

https://doi.org/10.1371/journal.pone.0283725.g010

Hybrid methods like Adam, Adaptive Gradient (Ada Grad) and Root Mean Squared Propagation (RMS Prop), SVM, Ada Boost Regression Classifier (ABRC) and GSO-PCA shows high performance in all the three parameters which overcomes other methods [42, 47–49].

Finally our proposed hybrid model shows the best overall performance in all the three metrics (Precision, Recall and F-Score) of about 98.75% which outperforms all other existing algorithms.

In Fig 11, the proposed model shows that it outperforms other network models in terms of its performance. It also performed well in terms of its F1 score and accuracy. The proposed model does not require the use of manual feature extraction, which is typically required for traditional methods such as Greedy randomized Adaptive search procedure with Annealed Randomness (GAR-Forest) or Naïve Bayes (NB) Tree. It can improve the accuracy and reduce the need for manual intervention. The proposed model was able to achieve better classification results than the AE when it was compared with CNN.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 11. Performance comparison analysis.

https://doi.org/10.1371/journal.pone.0283725.g011

It was first able to extract the data from the various features of the network traffic. The proposed model takes into account the various features of the network and re-assigns the channel weights according to their relationship with the other features. The proposed PCA SVD Fast R-CNN-GBR model achieves an accuracy of 99.5%, and Precision, Recall and F-Measure values as 98.75%. It is widely used for developing network security systems and it outperforms other reference models [50–57].

The accuracy comparison for various datasets are compared with our proposed NIDS dataset V.10 2017 as shown in Fig 12. From the figure the NSL-KDD dataset shows less detection accuracy of only 87.2% when compared to other datasets. UNSW-NB15, KDD Cup’99 and BoT-IoT datasets overcome the previous mentioned datasets in detecting the cyber-attacks ranging from 90% to 95% respectively. The CIC-IDS 2017 and KDD Train+ datasets surpasses the other datasets in detecting the cyber-attacks with 98% accuracy level. After choosing hyper-parameters carefully and fine tuning the model, our proposed method outperforms other all datasets in detecting the cyber-attacks, and hence our proposed model is efficient when compared to other existing methods [25, 58–61]

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 12. Accuracy comparison with various datasets.

https://doi.org/10.1371/journal.pone.0283725.g012