Network intrusion detection is an important security task because modern networks face denial-of-service attacks, probing, unauthorized access attempts, and other malicious activities. Traditional signature-based intrusion detection systems work well for known attacks, but they are weak when the attack pattern is new or slightly changed. Anomaly-based intrusion detection tries to learn the difference between normal and abnormal traffic, so it is useful for detecting suspicious network behavior. However, anomaly-based systems also face problems such as false alarms, imbalanced datasets, and difficulty in real-world evaluation (García-Teodoro et al., 2009). This paper presents a lightweight AI-based intrusion detection system using a one-dimensional convolutional neural network and SMOTE balancing on the NSL-KDD dataset. The proposed work uses simple preprocessing, one-hot encoding, min-max normalization, SMOTE oversampling, and binary classification of network traffic as normal or attack. The model is compared with Random Forest and a multilayer perceptron baseline. The experiment used 25,192 NSL-KDD training records and 22,544 testing records. The 1D-CNN achieved 75.94% accuracy, 91.52% precision, 63.63% recall, and 75.06% F1-score on KDDTest+. The result shows that a small deep learning model can detect attacks with high precision, but recall still needs improvement for difficult and novel attack records.
Introduction
The paper begins by explaining that an IDS monitors network traffic to identify attacks, using either signature-based methods (known patterns) or anomaly-based methods (deviations from normal behavior). It highlights challenges in IDS research such as poor dataset quality, unrealistic evaluation setups, class imbalance, and high false alarm rates. The NSL-KDD dataset is chosen because it is a cleaner and more reliable version of KDD Cup 99.
The proposed system develops a lightweight 1D-CNN model combined with SMOTE to handle class imbalance. The workflow includes data preprocessing, one-hot encoding, normalization, SMOTE-based balancing (only on training data), model training, and evaluation. The system is compared with Random Forest and MLP classifiers.
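The preprocessing order described above, as an added pure-Python sketch that is not the paper's code: encoder and scaler are fitted on training rows only, SMOTE balances the training set only, and the test set keeps its real class mix. The records, the three-field layout, the clipping step and all function names are constructed for illustration.

```python
import random

# Constructed records: (duration, protocol_type, src_bytes, label), 1 = attack.
TRAIN = [(0, "tcp", 200, 0), (2, "tcp", 350, 0), (1, "udp", 120, 0),
         (0, "tcp", 500, 0), (3, "udp", 90, 0), (1, "tcp", 410, 0),
         (0, "icmp", 1000, 1), (0, "icmp", 1400, 1), (5, "tcp", 0, 1)]
TEST = [(4, "tcp", 2000, 1), (1, "gre", 150, 0)]  # "gre" is unseen in TRAIN

def fit(rows):
    """Learn the one-hot vocabulary and min/max ranges from training rows only."""
    protos = sorted({r[1] for r in rows})
    lo = [min(r[i] for r in rows) for i in (0, 2)]
    hi = [max(r[i] for r in rows) for i in (0, 2)]
    return protos, lo, hi

def transform(rows, params):
    """Min-max scale numeric fields and one-hot encode the protocol."""
    protos, lo, hi = params
    X, y = [], []
    for dur, proto, nbytes, label in rows:
        nums = [(v - l) / (h - l) if h > l else 0.0
                for v, l, h in zip((dur, nbytes), lo, hi)]
        nums = [min(1.0, max(0.0, v)) for v in nums]  # assumption: clip out-of-range test values
        X.append(nums + [1.0 if proto == p else 0.0 for p in protos])
        y.append(label)
    return X, y

def smote(X, y, k=2, seed=0):
    """Add synthetic minority rows on segments between minority neighbours."""
    rng = random.Random(seed)
    counts = {c: y.count(c) for c in set(y)}
    minority = min(counts, key=counts.get)
    pts = [x for x, c in zip(X, y) if c == minority]
    X_out, y_out = list(X), list(y)
    for _ in range(max(counts.values()) - len(pts)):
        base = rng.choice(pts)
        near = sorted((p for p in pts if p is not base),
                      key=lambda p: sum((a - b) ** 2 for a, b in zip(base, p)))[:k]
        nb, gap = rng.choice(near), rng.random()
        X_out.append([a + gap * (b - a) for a, b in zip(base, nb)])
        y_out.append(minority)
    return X_out, y_out

def prepare():
    params = fit(TRAIN)
    X_train, y_train = smote(*transform(TRAIN, params))
    X_test, y_test = transform(TEST, params)
    return X_train, y_train, X_test, y_test
```

Because interpolation runs over every column, synthetic rows can carry fractional one-hot values, and a protocol never seen in training encodes as all zeros.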
Key results show that:
The 1D-CNN achieves about 75.94% accuracy
It has good precision but moderate recall, meaning it misses some attacks
MLP performs slightly better overall in this experiment
The confusion matrix shows a major limitation: a large number of false negatives (missed attacks), which is critical for real-world security systems.
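To put a number on the missed attacks, the added example below (not from the paper) reconstructs an approximate confusion matrix from the test-set size and the accuracy, precision and recall reported on this page. The counts are derived estimates that can be off by a few records because the published percentages are rounded; the function names are illustrative.

```python
def confusion_from_metrics(n, accuracy, precision, recall):
    """Estimate TP/FP/FN/TN from the test-set size and three reported rates."""
    # Errors per attack record: misses (1 - recall) plus the false alarms implied
    # by the precision, recall * (1 - precision) / precision.
    fp_per_tp = (1 - precision) / precision
    attacks = round(n * (1 - accuracy) / ((1 - recall) + recall * fp_per_tp))
    tp = round(recall * attacks)
    fp = round(tp * fp_per_tp)
    return {"TP": tp, "FP": fp, "FN": attacks - tp, "TN": n - attacks - fp}

def rates(cm):
    """Recompute the percentages, plus miss rate and false-alarm rate."""
    tp, fp, fn, tn = cm["TP"], cm["FP"], cm["FN"], cm["TN"]
    pct = lambda num, den: round(100 * num / den, 2)
    return {"accuracy": pct(tp + tn, tp + fp + fn + tn),
            "precision": pct(tp, tp + fp),
            "recall": pct(tp, tp + fn),
            "f1": pct(2 * tp, 2 * tp + fp + fn),
            "miss_rate": pct(fn, tp + fn),
            "false_alarm_rate": pct(fp, fp + tn)}

# Figures reported on this page for the 1D-CNN on KDDTest+.
CM = confusion_from_metrics(22544, 0.7594, 0.9152, 0.6363)
CHECK = rates(CM)
```

The reconstruction gives roughly 4,667 missed attacks against 757 false alarms, which is the precision/recall trade-off the paragraph above describes.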
Conclusion
This paper presented an AI-based intrusion detection system using 1D-CNN and SMOTE on the NSL-KDD dataset. The work followed a simple and reproducible pipeline: preprocessing, one-hot encoding, normalization, SMOTE balancing, 1D-CNN training, and testing on KDDTest+. The experiment showed that the proposed 1D-CNN achieved 75.94% accuracy, 91.52% precision, 63.63% recall, and 75.06% F1-score. The result is honest for a small model trained on the 20% NSL-KDD training subset. Future work should test a CNN-LSTM model, tune thresholds using validation data, perform multiclass classification, and compare NSL-KDD results with modern datasets such as UNSW-NB15 and CICIDS2017. The work can also be extended by adding feature selection, explainable AI, and real-time alert generation.
References
[1] Aceto, G., Ciuonzo, D., Montieri, A., & Pescapé, A. (2018). Mobile encrypted traffic classification using deep learning. Proceedings of the 2018 Network Traffic Measurement and Analysis Conference (TMA), 1-8. doi:10.23919/TMA.2018.8506538
[2] Axelsson, S. (1999). The base rate fallacy and its implications for the difficulty of intrusion detection. Proceedings of the 6th ACM Conference on Computer and Communications Security, 1-7. doi:10.1145/319709.319710
[3] Breiman, L. (2001). Random forests. Machine Learning, 45(1), 5-32. doi:10.1023/A:1010933404324
[4] Breunig, M. M., Kriegel, H. P., Ng, R. T., & Sander, J. (2000). LOF: Identifying density-based local outliers. Proceedings of the ACM SIGMOD International Conference on Management of Data, 93-104. doi:10.1145/335191.335388
[5] Cevallos M., J. F., Rizzardi, A., Sicari, S., & Coen-Porisini, A. (2023). Deep reinforcement learning for intrusion detection in Internet of Things: Best practices, lessons learnt, and open challenges. Computer Networks, 236, 110016. doi:10.1016/j.comnet.2023.110016
[6] Chandola, V., Banerjee, A., & Kumar, V. (2009). Anomaly detection: A survey. ACM Computing Surveys, 41(3), Article 15, 1-58. doi:10.1145/1541880.1541882
[7] Chawla, N. V., Bowyer, K. W., Hall, L. O., & Kegelmeyer, W. P. (2002). SMOTE: Synthetic minority over-sampling technique. Journal of Artificial Intelligence Research, 16, 321-357. doi:10.1613/jair.953
[8] Denning, D. E. (1987). An intrusion-detection model. IEEE Transactions on Software Engineering, SE-13(2), 222-232. doi:10.1109/TSE.1987.232894
[9] García-Teodoro, P., Díaz-Verdejo, J., Maciá-Fernández, G., & Vázquez, E. (2009). Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security, 28(1-2), 18-28. doi:10.1016/j.cose.2008.08.003
[10] Kim, H., & Feamster, N. (2013). Improving network management with software defined networking. IEEE Communications Magazine, 51(2), 114-119. doi:10.1109/MCOM.2013.6461195
[11] Lazarevic, A., Ertöz, L., Özgür, A., Kumar, V., & Srivastava, J. (2003). A comparative study of anomaly detection schemes in network intrusion detection. Proceedings of the Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specification, IEEE Std. 802.11, 1997. Third SIAM International Conference on Data Mining, 25-36. doi:10.1137/1.9781611972733.3
[12] Lippmann, R. P., Fried, D. J., Haines, J. W., Bos, D., Sekar, R., & Durst, K. (2000). Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation. Proceedings of DARPA Information Survivability Conference and Exposition, 2, 12-26. doi:10.1109/DISCEX.2000.821506
[13] Lopez-Martin, M., Carro, B., Sanchez-Esguevillas, A., & Lloret, J. (2017). Network traffic classifier with convolutional and recurrent neural networks for Internet of Things. IEEE Access, 5, 18042-18050. doi:10.1109/ACCESS.2017.2747560
[14] McHugh, J. (2000). Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security, 3(4), 262-294. doi:10.1145/382912.382923
[15] Moustafa, N., & Slay, J. (2015). UNSW-NB15: A comprehensive data set for network intrusion detection systems. 2015 Military Communications and Information Systems Conference (MilCIS), 1-6. doi:10.1109/MilCIS.2015.7348942
[16] Niyaz, Q., Sun, W., Javaid, A. Y., & Alam, M. (2016). A deep learning approach for network intrusion detection system. Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies, 21-26. doi:10.4108/eai.3-12-2015.2262516
[17] Rezaei, S., & Liu, X. (2019). Deep learning for encrypted traffic classification: An overview. IEEE Communications Magazine, 57(5), 76-81. doi:10.1109/MCOM.2019.1800819
[18] Ring, M., Wunderlich, S., Scheuring, D., Landes, D., & Hotho, A. (2019). A survey of network-based intrusion detection data sets. Computers & Security, 86, 147-167. doi:10.1016/j.cose.2019.06.005
[19] Sharafaldin, I., Habibi Lashkari, A., & Ghorbani, A. A. (2018). Toward generating a new intrusion detection dataset and intrusion traffic characterization. Proceedings of the 4th International Conference on Information Systems Security and Privacy, 108-116. doi:10.5220/0006639801080116
[21] Shone, N., Ngoc, T. N., Phai, V. D., & Shi, Q. (2018). A deep learning approach to network intrusion detection. IEEE Transactions on Emerging Topics in Computational Intelligence, 2(1), 41-50. doi:10.1109/TETCI.2017.2772792
[22] Sommer, R., & Paxson, V. (2010). Outside the closed world: On using machine learning for network intrusion detection. 2010 IEEE Symposium on Security and Privacy, 305-316. doi:10.1109/SP.2010.25
[23] Tavallaee, M., Bagheri, E., Lu, W., & Ghorbani, A. A. (2009). A detailed analysis of the KDD CUP 99 data set. 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, 1-6. doi:10.1109/CISDA.2009.5356528
[24] Tsai, C.-F., Hsu, Y.-F., Lin, C.-Y., & Lin, W.-Y. (2009). Intrusion detection by machine learning: A review. Expert Systems with Applications, 36(10), 11994-12000. doi:10.1016/j.eswa.2009.05.029
[25] Wang, W., Zhu, M., Wang, J., Zeng, X., & Yang, Z. (2017). End-to-end encrypted traffic classification with one-dimensional convolution neural networks. 2017 IEEE International Conference on Intelligence and Security Informatics, 43-48. doi:10.1109/ISI.2017.8004872
[26] Yin, C., Zhu, Y., Fei, J., & He, X. (2017). A deep learning approach for intrusion detection using recurrent neural networks. IEEE Access, 5, 21954-21961. doi:10.1109/ACCESS.2017.2762418