COMPARATIVE ANALYSIS OF DEEP AND MACHINE LEARNING METHODS FOR NETWORK INTRUSION DETECTION

DOI:

https://doi.org/10.28925/2663-4023.2026.32.1115

Keywords:

intrusion detection system, deep learning, machine learning, CNN, LSTM, LightGBM, Transformer, Mamba, network traffic classification

Abstract

This paper presents the results of a comprehensive comparative study of six machine learning and deep learning methods for the task of multi-class network attack classification. We evaluate the effectiveness of a convolutional neural network (CNN-IDS), long short-term memory network (LSTM-IDS), LightGBM and CatBoost gradient boosting, Transformer-IDS based on the self-attention mechanism, and Mamba-IDS based on Selective State Space Models (S6). Experiments are conducted on four benchmark network traffic datasets: CIC-IDS2017, CIC-IDS2018, UNSW-NB15 and CICIoT2023. To ensure reproducibility, we apply a unified preprocessing protocol with feature standardization, stratified 70/15/15 splitting, and weighted loss functions to address class imbalance. Evaluation is performed using Accuracy, Macro F1-score, MCC (Matthews Correlation Coefficient), and Weighted F1-score. Results show that LightGBM gradient boosting achieves the highest accuracy across all four datasets. Deep learning models (CNN, LSTM, Transformer, Mamba) demonstrate better generalization on imbalanced datasets, particularly higher Macro Recall for rare attack classes. Mamba-IDS shows competitive results compared to Transformer-IDS with linear O(n) computational complexity instead of quadratic O(n²), making it promising for real-time processing of long network traffic sequences. Per-class F1-score analysis reveals significant differences in models' ability to recognize rare attack classes, emphasizing the need for multi-class evaluation beyond overall accuracy. The study contributes to understanding the strengths and limitations of modern neural network architectures for intrusion detection systems and provides practical recommendations for selecting the optimal method depending on dataset characteristics and processing time requirements.
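The abstract's point that overall accuracy hides rare-class failures can be reproduced with a short calculation. The following is an added example, not code or results from the paper: the two confusion matrices and the class labels are constructed for illustration, and the metrics are the four the study reports plus per-class F1.

```python
# Added example: the confusion matrices below are constructed, not paper results.
from math import sqrt

def metrics(cm):
    """cm[i][j] = count of samples with true class i predicted as class j."""
    k, n = len(cm), sum(map(sum, cm))
    support = [sum(row) for row in cm]                      # true count per class
    predicted = [sum(row[j] for row in cm) for j in range(k)]
    correct = sum(cm[i][i] for i in range(k))
    # Per-class F1 = 2TP / (2TP + FP + FN) = 2TP / (support + predicted)
    f1 = [2 * cm[i][i] / (support[i] + predicted[i])
          if support[i] + predicted[i] else 0.0 for i in range(k)]
    # Multi-class MCC (Gorodkin's R_K generalisation of the binary formula)
    cov_tp = correct * n - sum(s * p for s, p in zip(support, predicted))
    cov_tt = n * n - sum(s * s for s in support)
    cov_pp = n * n - sum(p * p for p in predicted)
    return {
        "accuracy": correct / n,
        "macro_f1": sum(f1) / k,                            # every class counts equally
        "weighted_f1": sum(f * s for f, s in zip(f1, support)) / n,
        "mcc": cov_tp / sqrt(cov_tt * cov_pp) if cov_tt and cov_pp else 0.0,
        "per_class_f1": f1,
    }

CLASSES = ["benign", "dos", "rare_attack"]   # hypothetical labels
# Rows: true class, columns: predicted class; 9000 / 950 / 50 test samples.
MODEL_A = [[8990, 10, 0], [20, 930, 0], [45, 5, 0]]        # never predicts the rare class
MODEL_B = [[8800, 100, 100], [40, 900, 10], [5, 5, 40]]    # noisier, finds 40 of 50

def compare():
    return {"A": metrics(MODEL_A), "B": metrics(MODEL_B)}

if __name__ == "__main__":
    for name, m in compare().items():
        print(name, {k: round(v, 4) for k, v in m.items() if k != "per_class_f1"},
              dict(zip(CLASSES, (round(f, 3) for f in m["per_class_f1"]))))
```

Model A wins on accuracy and weighted F1 while its F1 for the rare class is zero; only Macro F1 and the per-class breakdown expose that it never detects that attack.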

Published

2026-03-26

How to Cite

Rykhva, V., & Solodovnyk, G. (2026). COMPARATIVE ANALYSIS OF DEEP AND MACHINE LEARNING METHODS FOR NETWORK INTRUSION DETECTION. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 4(32), 724–734. https://doi.org/10.28925/2663-4023.2026.32.1115