Preliminary study on artificial intelligence methods for cybersecurity threat detection in computer networks based on raw data packets
Aleksander Ogonowski, Michał Żebrowski, Arkadiusz Ćwiek, Tobiasz Jarosiewicz, Konrad Klimaszewski, Adam Padee, Piotr Wasiuk, Michał Wójcik
TL;DR
The paper tackles real-time intrusion detection directly from raw network packets: it proposes a packet-based framework that stacks packets into fixed-size windows and feeds each window to a deep learning model as a 2D input. Four architectures (FCNN, CNN, CNN-LSTM and EfficientNet) are evaluated on the CIC IDS-2017 dataset, using a custom packet-labelling pipeline, randomised header replacement, and oversampling to address class imbalance, with saliency maps used for model interpretability. Key contributions are a detailed data preparation workflow, a comparison of 1D versus 2D inputs, and an analysis of loss functions and labelling schemes; EfficientNet gives the best window-based performance, at the cost of inference speed. The findings show that packet-level models can achieve strong detection, with the degree of reliance on header versus payload features varying between models, and point to ensemble strategies and dynamic windowing as promising directions for better generalisation and real-time applicability. Overall, the work demonstrates the feasibility of direct packet-based, real-time threat detection and offers concrete guidance for future dataset expansion and model design in cybersecurity ML.
Abstract
Most intrusion detection methods for computer networks are based on traffic flow characteristics. This approach, however, may not fully exploit the ability of deep learning algorithms to extract features and patterns directly from raw packets. It also impedes real-time monitoring, because detection must wait for the flow-processing pipeline to complete, and it introduces dependencies on additional software components. In this paper we investigate deep learning methods capable of detecting attacks in real time directly from raw packet data in network traffic. We propose a novel approach in which packets are stacked into windows, each window is recognised separately, and a window is represented as a 2D image suitable for processing with computer vision models. Our investigation uses the CIC IDS-2017 dataset, which includes both benign traffic and prevalent real-world attacks, providing a comprehensive foundation for the study.
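The window representation described in the abstract, as an added illustration that is not code from the paper: each raw packet is truncated or zero-padded to a fixed width and becomes one row, and a sliding window of consecutive packets becomes a rows-by-bytes matrix that a CNN can treat as a greyscale image. The window size, row width, stride, padding byte and the "attack if any packet in the window is an attack" window-labelling rule are all assumptions made here (the page does not state the paper's values), and the Ethernet/IPv4/TCP sample packets are constructed inline with zeroed checksums.

```python
"""Packet-window builder: turn a stream of raw packets into fixed-size
2D byte matrices (rows = packets, columns = byte offsets)."""
import socket
import struct
from typing import List, Sequence, Tuple

# Assumed parameters: the paper's actual window and row sizes are not given on this page.
PKT_LEN = 64   # bytes kept per packet (row width)
WINDOW = 4     # packets per window (row count)
PAD = 0x00     # padding byte for packets shorter than PKT_LEN


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for demonstration only; checksums are left at 0."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"           # dst MAC, src MAC, EtherType = IPv4
    ip_total = 20 + 20 + len(payload)                  # IPv4 header + TCP header + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total, 0, 0, 64, 6, 0,   # ver/IHL, TOS, len, id, frag, TTL, proto=TCP, csum
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)  # data offset 5 words, PSH|ACK
    return eth + ip + tcp + payload


def fit_packet(raw: bytes, length: int = PKT_LEN) -> bytes:
    """Truncate or zero-pad one packet so every row of the window has the same width."""
    return raw[:length].ljust(length, bytes([PAD]))


def stack_windows(packets: Sequence[bytes], window: int = WINDOW,
                  stride: int = 1, length: int = PKT_LEN) -> List[List[List[int]]]:
    """Slide a window of `window` consecutive packets over the stream.

    Each window is a `window` x `length` matrix of byte values in 0..255, i.e. a
    greyscale image; numpy.asarray(win, dtype="uint8") gives a CNN-ready array.
    Streams shorter than one window yield no windows."""
    rows = [list(fit_packet(p, length)) for p in packets]
    return [rows[i:i + window] for i in range(0, len(rows) - window + 1, stride)]


def label_windows(labels: Sequence[int], window: int = WINDOW, stride: int = 1) -> List[int]:
    """Assumed window-labelling rule: a window is an attack (1) if any packet in it
    is an attack packet (0 = benign). Majority-vote or last-packet rules are alternatives."""
    return [int(any(labels[i:i + window]))
            for i in range(0, len(labels) - window + 1, stride)]


def demo() -> Tuple[int, int, int, List[int]]:
    """Constructed stream: four benign HTTP packets followed by two oversized packets to port 22."""
    benign = [build_packet("10.0.0.5", "10.0.0.1", 40000 + i, 80, b"GET / HTTP/1.1\r\n")
              for i in range(4)]
    attack = [build_packet("10.0.0.9", "10.0.0.1", 1234, 22, b"A" * 200) for _ in range(2)]
    stream = benign + attack
    labels = [0] * 4 + [1] * 2                       # per-packet labels, constructed
    windows = stack_windows(stream)
    return len(windows), len(windows[0]), len(windows[0][0]), label_windows(labels)


if __name__ == "__main__":
    n_windows, n_rows, n_cols, win_labels = demo()
    print(f"{n_windows} windows of {n_rows}x{n_cols} bytes, labels {win_labels}")
```

With a 64-byte row the first 54 bytes of every row are Ethernet, IPv4 and TCP headers and only the last 10 are payload, which is exactly the header-versus-payload balance the saliency analysis in the TL;DR is about; widening `PKT_LEN` shifts that balance toward the payload.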
