A Robust Hybrid Model Based on ANN and KNN for Multi-Class Network Attack Detection and Classification
Article Sidebar
Main Article Content
Abstract
This paper investigates whether a lightweight hybrid approach, which combines learned representations with instancebased decisions, can improve multi-class intrusion detection under realistic class imbalance conditions. We propose A2K, which uses an Artificial Neural Network (ANN) to learn discriminative embeddings from preprocessed network-flow features and a KNearest Neighbours(KNN) classifier to make final decisions in the ANN’s latent space. The pipeline begins with min–max normalization and a feature selection routine combining mutual information, correlation analysis, and an ANN-wrapper evaluation to retain the most informative, non-redundant predictors. The ANN is a compact feed-forward model (41-d input, two hidden layers with 64 and 32 neurons, softmax output), trained to capture non-linear structures; its 32-d intermediate activations form the embedding for KNN, which exploits neighbourhood structures via Euclidean distances and majority voting. Using the NSL-KDD benchmark, we adopt a 70/30 train–test split and evaluate with Accuracy, Precision, Recall, and F1-score, alongside class-wise analyses and confusion matrices. We compare our results against strong baselines, including SVM, standalone ANN, standalone KNN, and Random Forest, all under the same preprocessing and protocol. Empirically, A2K attains 97.75% accuracy, 96.80% precision, 96.65% recall, and 96.56% F1-score, outperforming SVM (94.25% accuracy), KNN (91.25%), standalone ANN (95.80%), and Random Forest (96.20%). Classwise results demonstrate excellent performance on Normal and DoS traffic, as well as measurable gains on minority classes (U2R and R2L) compared to baselines. However, these categories remain the primary source of residual error, consistent with their rarity. Confusion-matrix patterns indicate that embedding-space distances help refine decision boundaries learned by the ANN, improving separability without heavy computation or extensive retraining. In sum, what we contribute is a modular hybrid for IDS; how we realize it is by late fusing ANN embeddings with KNN neighbourhood evidence after principled preprocessing and feature selection; and why it matters is that this design yields higher overall accuracy and more balanced class detection while preserving simplicity and near real-time feasibility—key properties for deployable network defence.
Downloads
Article Details
Section
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
How to Cite
References
Farnaaz, N. and M. A. Jabbar. Random forest modelling for a network intrusion detection system. Procedia Computer Science 89, 213–217 (2016). DOI: https://doi.org/10.1016/j.procs.2016.06.047
Al-Zewairi, M., S. Almajali and M. Ayyash. Unknown security attack detection using shallow and deep ANN classifiers. Electronics 9, 2006 (2020). DOI: https://doi.org/10.3390/electronics9122006
Thakkar, A. and R. Lohiya. Attack classification using feature selection techniques: a comparative study. Journal of Ambient Intelligence and Humanized Computing 12, 1249–1266 (2021). DOI: https://doi.org/10.1007/s12652-020-02167-9
Ioannou, C. and V. Vassiliou. Network attack classification in IoT using support vector machines. Journal of Sensor and Actuator Networks 10(3), 58 (2021). DOI: https://doi.org/10.3390/jsan10030058
Singh, K., A. Mahajan and V. Mansotra. 1D-CNN-based model for classification and analysis of network attacks. International Journal of Advanced Computer Science and Applications 12(11), 604–613 (2021). https://thesai.org/Publications/ViewPaper?Volume=12&Issue=11&Code=IJACSA&SerialNo=69
Primartha, A. and I. L. Tama. An efficient intrusion detection system for IoT security using a CNN decision forest. Electronics 12(24), 4953 (2023). DOI: https://doi.org/10.3390/electronics12244953
Kalbhor, M., S. Shinde, D. E. Popescu and D. J. Hemanth. Hybridization of deep learning pre-trained models with machine learning classifiers and fuzzy min–max neural network for cervical cancer diagnosis. Diagnostics 13, 1363 (2023).
DOI: https://doi.org/10.3390/diagnostics13071363
Shone, N., T. N. Ngoc, V. D. Phai and Q. Shi. A deep learning approach to network intrusion detection. IEEE Transactions on Emerging Topics in Computational Intelligence 2(1), 41–50 (2018). DOI: https://doi.org/10.1109/TETCI.2017.2772792
Vinayakumar, R., K. P. Soman and P. Poornachandran. Applying a convolutional neural network for network intrusion detection. In Proc. 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), 1222–1228 (2017).
DOI: https://doi.org/10.1109/ICACCI.2017.8126027
Zhang, J., P. Li, C. Wang and Z. Zhang. A hybrid intrusion detection system based on data preprocessing and a gated recurrent unit network. IEEE Access 7, 64366–64373 (2019). DOI: https://doi.org/10.1109/ACCESS.2019.2917213
Alsamhi, S. H., N. S. Rajput and M. S. Ansari. A hybrid deep learning model with KNN for an intrusion detection system. Computers, Materials & Continua 66(3), 2713–2727 (2020). DOI: https://doi.org/10.32604/cmc.2020.012076
Oliveira, Nuno, et al. "Intelligent cyber-attack detection and classification for network-based intrusion detection systems."Applied Sciences 11.4 (2021): 1674. https://www.mdpi.com/2076-3417/11/4/1674
Xia, Z., Y. Wang, X. Zhang and Z. Wang. A novel hybrid model based on random forest and deep neural network for network intrusion detection. IEEE Access, vol. 8, pp. 68370–68381 (2020). DOI: https://doi.org/10.1109/ACCESS.2020.2986491
Waghmode, P., M. Kanumuri, H. El-Ocla and T. Boyle. An intrusion detection system based on machine learning using a least square support vector machine. Scientific Reports 15, 12066 (2025). DOI: https://doi.org/10.1038/s41598-025-95621-7
Bao, H. and J. Gao. Network intrusion detection based on an improved KNN algorithm. Scientific Reports 15, 29842 (2025).