NETWATCH is a real-time Network Intrusion Detection System (NIDS) designed to detect unknown and zero-day cyber-attacks. The system captures live network traffic and converts raw packet data into useful features for analysis. An Isolation Forest model detects unusual activities by learning normal network behavior, while a Long Short-Term Memory (LSTM) Autoencoder analyzes traffic patterns over time and identifies deviations based on reconstruction error. A hybrid decision method combines results of both models to improve accuracy and reduce false alarms. When an anomaly is detected, the system further classifies it into attack types such as DoS/DDoS, port scanning, brute force, and web attacks. All results are stored in a MySQL database and displayed on a real-time dashboard for easy monitoring. This hybrid approach effectively detects new and unseen cyber threats.
Introduction
This paper describes NETWATCH, a real-time network intrusion detection system designed to improve cybersecurity using a combination of machine learning and deep learning techniques.
It explains that modern networks face increasing cyber threats such as DoS attacks, port scanning, and brute-force attacks, while traditional signature-based intrusion detection systems struggle to detect unknown or zero-day attacks. To overcome these limitations, NETWATCH focuses on analyzing live network traffic behavior rather than predefined attack signatures.
The proposed system captures network packets in real time and extracts key features like packet count, flow duration, and data volume. It uses a hybrid AI approach, combining Isolation Forest (for anomaly detection) and an LSTM Autoencoder (for sequential pattern analysis). Their outputs are merged using a hybrid decision engine to improve accuracy and reduce false positives. A Random Forest classifier is then used to identify specific attack types.
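The pipeline above, flow-level feature extraction followed by score-level fusion of the two detectors, as an added example that is not NETWATCH's own code. The packet records are constructed, and the calibration step, the z-score fusion rule, its threshold and the sklearn-style "lower score is more anomalous" convention for Isolation Forest are assumptions not stated in the paper.

```python
"""Flow feature extraction and score-level fusion for a hybrid NIDS.
Added example, not NETWATCH's own code; the fusion rule, thresholds and
sklearn-style score convention are assumptions, not from the paper."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packets: (src, dst, sport, dport, proto, timestamp_s, size_bytes)
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 51000, 80, "tcp", 0.00, 74),
    ("10.0.0.5", "10.0.0.9", 51000, 80, "tcp", 0.02, 1500),
    ("10.0.0.5", "10.0.0.9", 51000, 80, "tcp", 0.50, 66),
    ("10.0.0.7", "10.0.0.9", 40000, 22, "tcp", 1.00, 60),
]

def extract_flow_features(packets):
    """Group packets by 5-tuple; return per-flow packet count, duration and bytes."""
    flows = defaultdict(list)
    for src, dst, sport, dport, proto, ts, size in packets:
        flows[(src, dst, sport, dport, proto)].append((ts, size))
    return {
        key: {
            "packet_count": len(pkts),
            "flow_duration": max(t for t, _ in pkts) - min(t for t, _ in pkts),
            "data_volume": sum(s for _, s in pkts),
        }
        for key, pkts in flows.items()
    }

def calibrate(scores):
    """Mean and std of a detector's scores on known-normal traffic (assumed calibration step)."""
    return mean(scores), max(pstdev(scores), 1e-9)

def hybrid_decision(if_score, recon_error, if_base, ae_base, threshold=2.0):
    """Fuse both detectors on a common z-score scale.
    Isolation Forest: lower score = more anomalous (sklearn score_samples convention),
    so its z is sign-flipped. LSTM autoencoder: higher reconstruction error = more anomalous.
    Flag only when the averaged z exceeds the threshold AND both detectors lean anomalous,
    which is the false-alarm reduction the hybrid engine is meant to provide."""
    z_if = (if_base[0] - if_score) / if_base[1]
    z_ae = (recon_error - ae_base[0]) / ae_base[1]
    fused = 0.5 * (z_if + z_ae)
    return fused, (fused > threshold and z_if > 0 and z_ae > 0)

if __name__ == "__main__":
    print(extract_flow_features(SAMPLE_PACKETS))
    if_base = calibrate([-0.40, -0.42, -0.38, -0.41, -0.39])  # constructed baseline
    ae_base = calibrate([0.05, 0.06, 0.04, 0.05, 0.05])       # constructed baseline
    print(hybrid_decision(-0.60, 0.30, if_base, ae_base))  # both agree -> flagged
    print(hybrid_decision(-0.39, 0.09, if_base, ae_base))  # only AE fires -> not flagged
```

The third call shows the trade-off: a high reconstruction error alone lifts the fused score above the threshold, but the decision still requires the Isolation Forest to agree before raising an alert.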
The system architecture includes modules for packet capture, feature extraction, anomaly detection, attack classification, and visualization. All detected events are stored in a MySQL database, and a real-time dashboard provides monitoring and alerts.
Conclusion
This paper presented NETWATCH, a hybrid AI-based real-time Network Intrusion Detection System that combines Isolation Forest and LSTM Autoencoder for anomaly detection. The system addresses the fundamental limitation of traditional signature-based IDS by enabling detection of zero-day and unknown attacks. Experimental evaluation on the CICIDS2017 dataset demonstrates that the proposed hybrid approach achieves 96.8% accuracy, outperforming individual models. The integration of a real-time SOC-style dashboard enhances practical usability for network administrators.