Enhancing IoT Security with CNN and

LSTM-Based Intrusion Detection Systems

Afrah Gueriani Hamza Kheddar Ahmed Cherif Mazari
LSEA Lab., Faculty of Technology LSEA Lab., Faculty of Technology LSEA Lab, Faculty of Science
University of MEDEA University of MEDEA University of MEDEA
Medea 26000, Algeria Medea 26000, Algeria Medea 26000, Algeria
gueriani.afrah@univ-medea.dz kheddar.hamza@univ-medea.dz mazari.ahmedcherif@univ-medea.dz
arXiv:2405.18624v1 [cs.CR] 28 May 2024

Abstract—Protecting Internet of things (IoT) devices against pose threats to the security of information systems based
cyber attacks is imperative owing to inherent security vul- on standards when activities deviate from these standards or
nerabilities. These vulnerabilities can include a spectrum of baseline, the IDS alerts us at an early stage. In the realm of
sophisticated attacks that pose significant damage to both
individuals and organizations. Employing robust security mea- security components, IDSs provide two distinct forms : (1)
sures like intrusion detection systems (IDSs) is essential to host-based (HIDS) which focuses on monitoring and analyz-
solve these problems and protect IoT systems from such ing activities transpiring on a server, and (2) network-based
attacks. In this context, our proposed IDS model consists on (NIDS), tasked with the observation of network activities
a combination of convolutional neural network (CNN) and and communications [4]. Numerous organizations opt for a
long short-term memory (LSTM) deep learning (DL) models.
This fusion facilitates the detection and classification of IoT hybrid approach, incorporating both HIDS and NIDS [5].
traffic into binary categories, benign and malicious activities Based on the nature of the analysis performed, IDSs are
by leveraging the spatial feature extraction capabilities of CNN
categorized as either signature-based or anomaly-based [6].
for pattern recognition and the sequential memory retention
of LSTM for discerning complex temporal dependencies in Signature-based schemes, alternatively referred to as misuse-
achieving enhanced accuracy and efficiency. In assessing the based, aim to identify predefined patterns, or signatures,
performance of our proposed model, the authors employed the within the analyzed data, these systems serve to identify
new CICIoT2023 dataset for both training and final testing, specified and well-known attacks but may fail to detect novel
while further validating the model’s performance through a
and unfamiliar intrusions [4, 6–8]. Whereas, the anomaly-
conclusive testing phase utilizing the CICIDS2017 dataset.
Our proposed model achieves an accuracy rate of 98.42%, based IDSs are employed to observe the behavior of a
accompanied by a minimal loss of 0.0275. False positive rate standard network and establish a threshold for detecting
(FPR) is equally important, reaching 9.17% with an F1- deviations from the norm [4]. Their main benefit is the ability
score of 98.57%. These results demonstrate the effectiveness to detect previously unseen and unknown intrusion activities
of our proposed CNN-LSTM IDS model in fortifying IoT
[9].
environments against potential cyber threats.
Index Terms—Intrusion detection system, deep learning, In addressing security threats, IDS software is frequently
internet of things, CNN, LSTM, cyber security, CICIoT2023. developed employing artificial intelligence (AI) algorithms,
including techniques such as machine learning (ML) and
I. I NTRODUCTION data mining (DM). These methods have proven to be highly
IoTs have grown notably to sweep the whole world, it effective, in identifying intrusions [7]. DL is a broader sub-
involves billions of devices connected to each other without field of ML, its architectural configuration comprises an
any human interactions (interplay). The IoT generates large initial input layer succeeded by a series of hidden layers,
data analytics through using sensors, actuators, and control which subsequently propagate inputs to the output layer
devices. These data are leveraged for diverse tasks and [1]. The CNN represents a DL model extensively applied
objectives across different fields including healthcare, indus- in different domains, like in [10] for image classifications,
try, agriculture, military, and other sectors. The expansive in [11–14] for speech processing and security, and in [15]
realm of the IoT is proportionate to its exposure to a for cyber attacks. LSTM is a special class of recurrent
myriad of threats and cyber attacks that have the potential to neural network (RNN), which lies in its capability to be
compromise the integrity and security of connected devices directly applied to raw data without necessitating the usage
and networks. Hence, it is imperative to address optimal of any feature selection methods [1]. Nevertheless, LSTM
solutions for countering such behaviors. Moreover, IDSs entails a lengthier training duration and demands more
assume a pivotal role in identifying and mitigating cyber computational resources compared to CNN [9]. Hence, this
attacks in any network [1–3]. study introduces an advanced unified model, CNN-LSTM,
An IDS functions as a monitoring tool, it serves to identify which combines the strength of CNN and LSTM models.
any form of potentially malicious network traffic such as The below steps constitute the procedural flow and the
intrusion attempts, viral attacks, and suspicious traffic that contribution of this paper.

979-8-3503-5026-5/24/$31.00 ©2024 IEEE

• Propose a new IDS using CNN-LSTM hybrid model for III. PROPOSED METHODOLOGY
enhancing the security of IoT infrastructures,
This section is reserved for the explanation of our pro-
• The assessment of the suggested model entails employing
posed model, which is a combination of CNN-LSTM. This
a subset of the new CICIoT2023 dataset. The effective-
architecture is designed to detect and classify both benign
ness and generalizability of the proposed approach are
and malicious traffic in a new environment dataset. The
validated through its application to other segments of the
proposed scheme has the following steps:
same dataset, as well as a distinct CICIDS2017 dataset,
• Compare our proposed methodology with the existing • Data preprocessing: Our initial dataset comprised a ta-
state-of-the-art work using diverse datasets. ble encompassing 45 distinct features, consisting of 33
different attack instances along with benign traffic. The
The remaining sections of the paper are structured as fol- features were then extracted and organized into a matrix of
lows: Section II gives preliminaries that contain a literature vectors to facilitate model training. The subsequent phase
review. Section III provides the proposed methodology. This involved the conversion of the dataset to two dimensions
is followed by section IV which delves into the aspects of to align with the input of our model. Additionally, the
experimentation, results, and discussion. Section V covered numerical transformation of the labels into binary form
our conclusion and future directions. was performed.
• Data splitting: The pre-processed selected sets of the
dataset are divided into two segments: The first one is
II. L ITERATURE REVIEW
further subdivided into two subsets training and validation,
for the second segment, is reserved for the final testing of
DL models have successfully demonstrated considerable the model.
efficacy across various fields such as cyber security, image The initial segment comprises 80% for training the model
processing, speech recognition, healthcare, and many more. and 20% for validating its performance. Significantly, the
These methods are notably pronounced in their effectiveness second segment pertains to the conclusive testing phase of
compared to traditional ML techniques. our model, representing a distinct subset from the initial
The focus area of [16] is the combination of the strengths division. This partition is instrumental in reinforcing the
of convolutional auto-encoders (CAE) and one-class support performance evaluation of our model (Figure 1).
vector machine learning (SVM), aiming to enhance the per- • Model architecture: Our proposed model was formulated
formance of network intrusion detection. The proposed work employing multiple layers, including an input layer, CNN-
uses the CAE to extract meaningful features from network 1D layers, average pooling layers, a flattened layer, and a
traffic and detect anomalies, then the authors apply one-class dense layer as shown in Figure 2, with a combination of
SVM to classify network traffic into normal and abnormal two separate DL models, a CNN-1D model and an LSTM
categories. They have used two benchmark datasets to vali- model.
date their proposed scheme. The results obtained outperform First, the model receives a sequence of 45 features, it’s
the existing traditional ML and DL. the first input layer that takes in raw network traffic data.
However in [17], the paper investigates adversarial at- Then, a series of convolutional layers, batch normaliza-
tacks on DL-based IDS for IoT network security, they tion, and average pooling layers are applied to the input
have employed two DL models including feed-forward neu- sequence. This is done to extract features and patterns
ral networks (FNN) and self-normalizing neural networks from the sequence. Afterward, dense layers with ReLU
(SNN) in order to classify intrusion attacks in IoT networks. activation are used to transform the features into a higher-
The results demonstrate that the FNN is well at multi- level representation. The outputs of the last two dense
classification metrics such as Cohen Cappa’s score. Upon layers are passed through a dense layer with 2 units and
assessment of adversarial robustness, the SNN demonstrates a softmax activation function. This is the first task, which
better resilience when confronted with adversarial samples is to predict the class of the input sequence. The results
derived from the IoT dataset. Chouhan et al. [18] introduced of the final two dense layers are also reshaped into a
an architectural framework termed channel boosted and 2D array comprising 16 units, subsequently traversing
residual learning-based deep convolutional neural network through multiple LSTM layers, an LSTM layer with a
(CBR-CNN) to address the task of NIDS. The proposed kernel size of 1x256 and a recurrent kernel size of 64x256.
methodology integrates stacked auto-encoders (SAE) and This is followed by another LSTM layer with the same
leverages unsupervised training techniques. R. Vinayakumar configuration. Following this, the outputs of the LSTM
et al. [5] presents a DNN model that serves to detect and layers traverse through a dense layer featuring 2 units and
classify unforeseen and unpredictable cyber-attacks in IoT a sigmoid activation function, constituting the second task
networks in a timely and automatic manner. The perfor- of predicting the authenticity of malicious traffic. The out-
mance was tested using many datasets. Table I presents comes of both the classification and prediction tasks are
a collection of various aforementioned studies that have concatenated along the last axis. The concatenated outputs
employed IDS based on DL within the framework of IoT then traverse through a concluding dense layer with 2
environments to detect and mitigate cyber-attacks. units and a softmax activation function, representing the
TABLE I: Summary of related works on intrusion detection. The results presented in this table were derived by opting for
the most favorable outcome when authors employed various datasets or models.
Year Authors Focus area Models Datasets Performance (%)
Unsupervised DL approaches, for network NSL-KDD, UNSW-
2021 A. Binbusayyis et al. [16] CAE-OCSVM Acc= 94.28
intrusion detection NB-15
Analyzing adversarial attacks against DL
2019 O. Ibitoye [17] FNN, SNN BoT-IoT Acc= 95.1
for intrusion detection in IoT networks
Improving network anomaly detection in IoT networks using a
2019 Chouhan et al [18] CNN NSL-KDD Acc= 89.41
deep learning
KDD Cup 1999,
2019 R. Vinayakumar et al. [5] Intrusion detection on DL/ML approaches in IoT networks DNN NSL-KDD, UNSW- Acc= 99
NB-15, WSN-DS

comprehensive output of the model. The output layer has

two nodes labeled malicious and benign, indicating that
the model is used for binary classification.

Fig. 1: The classification framework for CNN-LSTM-based

IDS.
Fig. 2: CNN-LSTM proposed IDS model.
IV. E XPERIMENTATION , RESULTS AND DISCUSSION
A. Dataset exploration
In order to evaluate the performance of our DL-IDS, involved in the incident, comprising 67 IoT devices that
we have utilized the most recent and extensive Canadian actively participated in the attacks, while 38 Zigbee and
institut for cybersecurity 2023 (CIC-IoT2023) dataset1 to Z-Wave devices were connected to five distinct hubs. This
carry out the suggested workflow. This dataset boosts the devices includes various categories such as smart home com-
creation of security analytics applications for actual IoTs ponents, cameras, sensors, and microcontrollers. Notably,
operations, it contains seven classes with 33 attacks, namely: within this ensemble, certain devices assumed the role of
DDoS, DoS, Recon, Web-based, Brute Force, Spoofing, victims, while others assumed an active role as attackers.
and Mirai as shown in Table II. The Mirai attack system This dataset encompasses a total of 169 files available in two
involves a massive DDoS attack targeting IoT devices, both distinct file formats, namely PCAP and CSV. The CSV files
of these categories represent typical and emerging attack represent processed versions of the PCAP files. It contains
classifications within IoT network traffic. Lastly, all attacks almost 47 million instances with both attack and normal data
are carried out by malicious IoT devices that are directed at with 45 different features that indicate the different types
other IoT devices. A total of 105 devices were intricately of attacks. For the hardware computation limit, we have
extracted a subset of the dataset for the purpose of our study,
1 https://www.unb.ca/cic/datasets/iotdataset-2023.html comprising approximately 1,191,264 rows representing both
 TABLE II: The types of attacks in CIC-IoT2023 dataset epochs progresses. This indicates that the model is learn-
Classes Attacks ing and enhancing its efficiency across successive epochs.
ACK fragmentation, UDP flood, SlowLoris, ICMP flood, RSTFIN
DDoS flood, PSHACK flood, HTTP flood, UDP fragmentation, TCP flood,
The accuracy starts with a value of 98% and reaches
SYN flood, SynonymousIP flood 98.42% proving the accuracy of the model. On the other
Brute force Dictionary brute force
hand. In Figure 3 (a), the model decreases significantly
Spoofing ARP spoofing, DNS spoofing
through the number of epochs, starting approximately
DoS TCP flood, HTTP flood, SYN flood, UDP flood
Recon Ping sweep, OS scan, Vulnerability scan, Port scan, Host discovery
from 0.03 to reaching 0.0275 at the last epoch. Evidently,
SQL injection, Command injection, Backdoor malware, Uploading
the CNN–LSTM model for the validation demonstrates
Web-based
attack, XSS, Browser hijacking stability and convergence compared to the training, it
Mirai GREIP flood, Greeth flood, UDPPlain
indicates that the model is learning effectively and not
overfitting the training data.

attack and normal traffic. For the conclusive evaluation of the

optimal preservation model, the final test dataset comprises
1,175,692 rows.

B. Performance metrics
The performance of our proposed model for the detection
of diverse types of attacks is quantified using standard
metrics, including accuracy, precision, recall, F1-score and
FPR, which are defined in [13, 19, 20]. The corresponding
equations are presented below:
TP + TN
Acc = (1)
TP + FP + TN + FN

TP TP
Rc = , Pr = (2)
TP + FN TP + FP

Precision × Recall
F1 − Score = 2 × (3)
Precision + Recall

FP
FPR = (4)
FP + TN
Where, the term ”true positive” (TP) denotes instances
where the IDS accurately identifies an intrusion, while ”true
negative” (TN) signifies the correct identification of normal
traffic. Conversely, ”false positives” (FP) denote instances
where benign traffic is mistakenly flagged as malicious, and
”false negatives” (FN) represent failures of the IDS to detect
actual intrusions. A robust F1 score, which integrates preci-
sion and recall, is indicative of effective IDS performance,
particularly when it reflects low rates of FP and FN [19].

C. Results
This subsection introduces the results of our proposed Fig. 3: Accuracy and loss model during the training phases.
model. This method used a combination of CNN-LSTM for (a): train and validation losses. (b) training and validation
network security, the results were obtained by splitting the accuracies.
dataset into 80% for training and 20% for the validation.
In the conducted experiment, the model underwent training • Classification Report: Table III presents a detailed evalu-
using the CIC-IoT2023 dataset, encompassing both benign ation of the binary classification of our system using a set
and malicious network traffic and the training procedure was of metrics like precision, recall, F1-score, and support. It
executed on Google Colab, employing 25 epochs and the is obvious that the model’s performance changes through
Adam optimizer. different classes, especially for the first and second classes
• Accuracy and loss graph: Figure 3 shows the accuracy (normal traffic and attacks). Concerning the first class, the
and loss performance of both training and validation precision obtained is 90% compared to other classes, this
established based on the numbers of epochs equal to 25. In implies that the model could face difficulties in precisely
Figure 3 (b), the model increases as the number of training classifying instances associated with the normal situation
 TABLE III: Classification report.
Precision Recall F1-score Support
Normal traffic 90% 61% 73% 8321
Attacks 99% 100% 99% 229932
Accuracy 98% 238253
Macro avg 95% 80% 86% 238253
Weighted avg 98% 98% 98% 238253

category. For the same class, the recall is documented at Fig. 4: Confusion matrix during the training phase.
61%, indicating that the model might encounter difficul-
ties in identifying all positive instances (a higher recall
indicates fewer false negative results). For this particular
class, the F1-score stands at 73%, which is determined
by both precision and recall. The challenges encountered
may stem from the inherent resemblance between certain
features of benign network traffic and malicious attacks.
For the other class (attacks), the F1-score reaches a value
of 99%.
It is evident that the model exhibits commendable per-
formance in accuracy, precision, recall, and F1-score.
Nevertheless, it is imperative to note that while accuracy
provides valuable insights, it alone may not suffice for
making the final decision regarding the system’s perfor-
mance.
• FPR: An FPR of 9.17% is generally considered an
acceptable result, signifying that only 9.17% of instances Fig. 5: ROC curve.
representing normal traffic were erroneously categorized
as attacks. This denotes the classifier’s proficiency in accu-
rately discerning the majority of normal traffic instances, the loss metric maintains an analogous value to that
a critical factor in mitigating false alarms and enhancing observed during the training phase, registering at 0.02%,
the overall efficacy of the system (Determined using the while the FPR manifested a numerical value of 9.17%. It
confusion matrix). is noteworthy that all obtained results closely align with
• Confusion matrix: Referring to Figure 4, it is discerned those of the training model. Besides, we have conducted
that the classification performance is notably robust, with experiments utilizing an alternative dataset, namely the
an accuracy rate of 90% for the first class (representing CICIDS2017. The primary objective is to assess the
normal traffic), and an even higher accuracy of 99% for model’s performance across diverse datasets and ascertain
the second class, designated for cyberthreats. Regarding its generalization capabilities. The targeted metric for
mis-classifications, a marginal 10% pertains to instances performance evaluation in this context is the same as
where the first class is erroneously classified as the previous tests, achieving an accuracy rate of 97.45%, loss
second, whereas a mere 1% of attacks are misclassified of 0.06, precision of 97.17%, recall 97.15%, F1-score
as normal traffic which substantiates our proposition as 97.07% and FPR 2.08%. This meticulous examination of
delineated in the classification report. the model’s proficiency on a distinct dataset serves to
• Receiver operating characteristics (ROC): ROC pre- reinforce the robustness and reliability of its predictive
sented in Figure 5 indicates the commendable perfor- capabilities, contributing to a more nuanced understanding
mance of our CNN-LSTM model in the classification of of its potential applications in real-world scenarios. The
attacks, with high TPR values and low FPR values. The confusion matrix of the final test described related to CIC-
model has an elevated capability to discriminate between IoT2023 and CICIDS2017 datasets are in Figure 6 (a)
normal network traffic and instances of attacks. This is and (b) respectively. The results showed similar results to
likely because the ROC curve is positioned near the left previous tests. However, regarding the confusion matrics
corner suggesting that the models’ predictions are both of the CICIDS2017, the classifier correctly identified 98%
accurate and precise. instances and misclassified 0.02% instances as ”attacks”.
• Generalization verification: Additional subsets of CI- Out of instances that are true ”attacks”, the classifier cor-
CIoT2023 dataset is conducted in our study. The ensuing rectly identified 94% and misclassified 0.06% instances as
accuracy from this evaluation attains 98.43%, accom- ”normal traffic” which shows that the classifier performs
panied by the precision, recall, and F1-score values of well in identifying ”normal traffic” but has some error rate
98.85%, 98.43%, and 98.57%, respectively. Remarkably, in detecting ”attacks”.
TABLE IV: Performance metrics of the proposed model CNN-LSTM compared to state-of-the-art for binary classification.
Work year Model datasets Accuracy (%) Loss Precision (%) Recall (%) F1-score (%) FPR (%)

CICIDS2017 86.47 94.40 86.47

A. Kim et al. [21] 2020 CNN-LSTM 91, 93 ✗ ✗
CSIC-2010 98.54 81.36 80.65
S. S. S. Sugi et al. [22] 2020 LSTM BoT-IoT 97.28 ✗ ✗ ✗ ✗ ✗
CNN- N: 98, N: 99, N: 98,
M. M. Hassan et al. [23] 2020 UNSW-NB15 97.17 ✗ ✗
WDLSTM A: 94 A: 82 A: 88
LSTM-
W. Yao et al.[24] 2023 CICIoT2023 97.7 ✗ 97.4 97.4 97.4 ✗
XGboost
S. Abba et al. [25] 2024 RNN CICIoT2023 96.52 ✗ 96.25 96.52 96.73 ✗
CICIoT2023
Our 2024 CNN-LSTM 98.42 0.0275 98.85 98.42 98.57 9.17
(first subset)
CICIoT2023
98.43 0.0275 98.85 98.43 98.57 9.17
(second subset)
CICIDS2017 97.46 0.0627 97.17 97.15 97.09 2.08
Abbreviations: Normal (N), Abnormal (A)

model in effectively detecting and classifying traffic into

binary classification. For future works, we consider using
all the CICIoT2023 datasets to achieve more results. Fur-
thermore, integrating a Transformer, such as an attention
layer, could significantly enhance the results [26–28]. This
layer is adept at capturing intricate features within lengthy
dependencies and sequences, thereby refining the overall
performance. Given our engagement in binary classification,
another next task involves the development of the model to
Fig. 6: Confusion matrix of the generalization verification. facilitate multi-class classification, encompassing a diverse
(a): the remaining CICIoT2023 subsets. (b): when using the range of attacks, another prospective avenue to consider in
CICIDS2017 dataset. our future work is to study the effectiveness of our proposed
approach in a real-time scenario, where the proposed model
will be implemented on Raspberry, FPGA, and more.
• Comparison with state-of-the-art: Table IV illustrates ACKNOWLEDGMENT
the outcomes of our system, encompassing a myriad
of metrics for comparison with extant works employing The authors acknowledge that the study was partially
different models (CNN-LSTM, LSTM, CNN-WDLSTM, funded by the PRFU-A25N01UN260120230001 grant from
LSTM-XGboost, and RNN) and alternative datasets. It the Algerian Ministry of Higher Education and Scientific
is noteworthy that our study introduces a pioneering Research.
dataset. The tabulated data unequivocally demonstrates the R EFERENCES
superior performance of our proposed model compared to [1] M. Roopak, G. Y. Tian, and J. Chambers, “Deep
state-of-the-art models across various binary classification learning models for cyber security in iot networks,” in
datasets, as evidenced by elevated accuracy, lower loss, 2019 IEEE 9th annual computing and communication
and heightened recall and precision values. workshop and conference (CCWC). IEEE, 2019, pp.
0452–0457.
V. C ONCLUSION
[2] ——, “An intrusion detection system against ddos
This paper introduces a new IDS that leverages the com- attacks in iot networks,” in 2020 10th annual com-
bined strength of two robust DL models, CNN-LSTM. These puting and communication workshop and conference
models are adept at the detection and binary classification (CCWC). IEEE, 2020, pp. 0562–0567.
of diverse attacks as well as benign traffic. The training [3] M. Haggag, M. M. Tantawy, and M. M. El-Soudani,
and validation processes of the proposed model are con- “Implementing a deep learning model for intrusion
ducted using a specific partition of the recently introduced detection on apache spark platform,” IEEE Access,
CICIoT2023 dataset. Subsequently, a distinct subset from vol. 8, pp. 163 660–163 672, 2020.
this dataset is designated for the conclusive testing phase. In [4] K. Albulayhi, A. A. Smadi, F. T. Sheldon, and R. K.
addition to this, to further elucidate the performance of our Abercrombie, “IoT intrusion detection taxonomy, ref-
proposed method, a separate dataset, namely CICIDS2017, erence architecture, and analyses,” Sensors, vol. 21,
is introduced for the final testing evaluation. This methodical no. 19, p. 6432, 2021.
approach ensures a comprehensive assessment of the model’s [5] R. Vinayakumar, M. Alazab, K. Soman, P. Poornachan-
generalization across different datasets, thereby enhancing dran, A. Al-Nemrat, and S. Venkatraman, “Deep learn-
the credibility of its observed performance outcomes. The ing approach for intelligent intrusion detection system,”
results obtained demonstrate the efficacy of the CNN-LSTM Ieee Access, vol. 7, pp. 41 525–41 550, 2019.
 [6] P. Garcia-Teodoro, J. Diaz-Verdejo, G. Maciá- [17] O. Ibitoye, O. Shafiq, and A. Matrawy, “Analyzing
Fernández, and E. Vázquez, “Anomaly-based network adversarial attacks against deep learning for intrusion
intrusion detection: Techniques, systems and chal- detection in IoT networks,” in 2019 IEEE global com-
lenges,” computers & security, vol. 28, no. 1-2, pp. munications conference (GLOBECOM). IEEE, 2019,
18–28, 2009. pp. 1–6.
[7] H. Kheddar, Y. Himeur, and A. I. Awad, “Deep transfer [18] N. Chouhan, A. Khan et al., “Network anomaly de-
learning for intrusion detection in industrial control net- tection using channel boosted and residual learning
works: A comprehensive review,” Journal of Network based deep convolutional neural network,” Applied Soft
and Computer Applications, vol. 220, p. 103760, 2023. Computing, vol. 83, p. 105612, 2019.
[8] M. F. Elrawy, A. I. Awad, and H. F. Hamed, “Intrusion [19] A. Gueriani, H. Kheddar, and A. C. Mazari, “Deep
detection systems for iot-based smart environments: a reinforcement learning for intrusion detection in IoT:
survey,” Journal of Cloud Computing, vol. 7, no. 1, pp. A survey,” in 2023 2nd International Conference on
1–20, 2018. Electronics, Energy and Measurement (IC2EM), vol. 1.
[9] P. R. Kanna and P. Santhi, “Unified deep learning IEEE, 2023, pp. 1–7.
approach for efficient intrusion detection system us- [20] H. Kheddar, Y. Himeur, S. Al-Maadeed, A. Amira,
ing integrated spatial–temporal features,” Knowledge- and F. Bensaali, “Deep transfer learning for automatic
Based Systems, vol. 226, p. 107132, 2021. speech recognition: Towards better generalization,”
[10] Y. Habchi, Y. Himeur, H. Kheddar, A. Boukabou, Knowledge-Based Systems, vol. 277, p. 110851, 2023.
S. Atalla, A. Chouchane, A. Ouamane, and W. Man- [21] A. Kim, M. Park, and D. H. Lee, “Ai-ids: Application
soor, “AI in thyroid cancer diagnosis: Techniques, of deep learning to real-time web intrusion detection,”
trends, and future directions,” Systems, vol. 11, no. 10, IEEE Access, vol. 8, pp. 70 245–70 261, 2020.
p. 519, 2023. [22] S. S. S. Sugi and S. R. Ratna, “Investigation of machine
[11] H. Kheddar, D. Megias, and M. Bouzid, “Fourier learning techniques in intrusion detection system for
magnitude-based steganography for hiding 2.4 kbps iot network,” in 2020 3rd international conference on
MELP secret speech,” in 2018 International Confer- intelligent sustainable systems (ICISS). IEEE, 2020,
ence on Applied Smart Systems (ICASS). IEEE, 2018, pp. 1164–1167.
pp. 1–5. [23] M. M. Hassan, A. Gumaei, A. Alsanad, M. Alrubaian,
[12] N. Djeffal, D. Addou, H. Kheddar, and S. A. Selouani, and G. Fortino, “A hybrid deep learning model for
“Noise-robust speech recognition: A comparative anal- efficient intrusion detection in big data environment,”
ysis of LSTM and CNN approaches,” in 2023 2nd Information Sciences, vol. 513, pp. 386–396, 2020.
International Conference on Electronics, Energy and [24] W. Yao, H. Zhao, and H. Shi, “Privacy-preserving
Measurement (IC2EM), vol. 1. IEEE, 2023, pp. 1–6. collaborative intrusion detection in edge of internet of
[13] H. Kheddar, M. Hemis, Y. Himeur, D. Megı́as, and things: A robust and efficient deep generative learning
A. Amira, “Deep learning for steganalysis of diverse approach,” IEEE Internet of Things Journal, 2023.
data types: A review of methods, taxonomy, challenges [25] S. Abbas, I. Bouazzi, S. Ojo, A. Al Hejaili, G. A.
and future directions,” Neurocomputing, p. 127528, Sampedro, A. Almadhor, and M. Gregus, “Evaluating
2024. deep learning variants for cyber-attacks detection and
[14] H. Kheddar and D. Megı́as, “High capacity speech multi-class classification in IoT networks,” PeerJ Com-
steganography for the G723.1 coder based on quan- puter Science, vol. 10, p. e1793, 2024.
tised line spectral pairs interpolation and CNN auto- [26] H. Kheddar, M. Hemis, and Y. Himeur, “Automatic
encoding,” Applied Intelligence, vol. 52, no. 8, pp. speech recognition using advanced deep learning ap-
9441–9459, 2022. proaches: A survey,” Information Fusion, p. 102422,
[15] M. Shafiq, Z. Tian, Y. Sun, X. Du, and M. Guizani, 2024.
“Selection of effective machine learning algorithm and [27] Y. Habchi, H. Kheddar, Y. Himeur, A. Boukabou,
bot-iot attacks traffic identification for internet of things A. Chouchane, A. Ouamane, S. Atalla, and W. Man-
in smart city,” Future Generation Computer Systems, soor, “Machine learning and vision transformers for
vol. 107, pp. 433–442, 2020. thyroid carcinoma diagnosis: A review,” arXiv preprint
[16] A. Binbusayyis and T. Vaiyapuri, “Unsupervised deep arXiv:2403.13843, 2024.
learning approach for network intrusion detection com- [28] N. Djeffal, H. Kheddar, D. Addou, A. C. Mazari,
bining convolutional autoencoder and one-class SVM,” and Y. Himeur, “Automatic speech recognition with
Applied Intelligence, vol. 51, no. 10, pp. 7094–7108, BERT and CTC transformers: A review,” in 2023 2nd
2021. International Conference on Electronics, Energy and
Measurement (IC2EM), vol. 1. IEEE, 2023, pp. 1–8.