IEEE RELIABILITY SOCIETY SECTION

Received February 25, 2020, accepted March 16, 2020, date of publication March 30, 2020, date of current version April 22, 2020.
Digital Object Identifier 10.1109/ACCESS.2020.2983568

An Intrusion Detection Model With Hierarchical

Attention Mechanism
CHANG LIU 1, (Member, IEEE), YANG LIU2 , YU YAN3 , (Student Member, IEEE), AND JI WANG4
1 Instituteof Electronics and Information Engineering, Guangdong Ocean University, Guangdong 524088, China
2 Beijing Institute of Astronautical Systems Engineering, Beijing 100076, China
3 College of Information and Communication Engineering, Harbin Engineering University, Harbin 150001, China
4 College of Information and Communication Engineering, Guangdong Ocean University, Guangdong 524088, China

Corresponding author: Ji Wang (zjouwangji@163.com)

This work was supported by the Program for Scientific Research Start-Up Funds of Guangdong Ocean University.

ABSTRACT Network security has always been a hot topic as security and reliability are vital to software
and hardware. Network intrusion detection system (NIDS) is an effective solution to the identification of
attacks in computer and communication systems. A necessary condition for high-quality intrusion detection
is the gathering of useful and precise intrusion information. Machine learning, particularly deep learning,
has achieved a lot of success in various fields of industry and academic due to its good ability of feature
representation and extraction. In this paper, deep learning methods are integrated into the NIDS. The intrusion
activity is regarded as a time-series event and a bidirectional gated recurrent unit (GRU) based network
intrusion detection model with hierarchical attention mechanism is presented. The influence of different
lengths of previous traffic on the performance is then studied. Some experiments are performed on the dataset
UNSW-NB15, in which the proposed hierarchical attention model achieves satisfactory detection accuracy
of more than 98.76% and a false alarm rate (FAR) of lower than 1.2%. An attention probability map to reflect
the importance of features is then visualized using the attention mechanism. The visualization ability assists
in providing an understanding of the varied importance of the same features for different traffic classes and
to determine feature selection in the future.

INDEX TERMS Intrusion detection system, recurrent neural network, attention mechanism, visualization.

I. INTRODUCTION network intrusion detection system (NIDS) and host-based

Vast amounts of data are generated, processed, and
exchanged in the use and interaction process of numer-
ous devices. Such data has become the target of illegal
activity, which has caused significant damage to network
systems [1], [2]. Research into advanced security methods
has become increasingly important in both industry and
academia in order to consistently improve and update security
threat detection [3]. The basic general components of network
security mechanisms include firewall, user authentication
technology, anti-virus software, and an intrusion detection
system (IDS) [4], [5]. As a proactive security technology,
IDS monitors a host or network and alerts when an attack
is detected. Cybersecurity can be further guaranteed through
intrusion detection methods in which network attack behavior
can be obtained and learned by data analysis and modeling.
According to the location of the deployment and the scope
of monitoring, IDS products can be loosely divided into
The associate editor coordinating the review of this manuscript and
approving it for publication was Zhaojun Li . ance distribution of different attack types results in weak
intrusion detection system (HIDS) [6]. The NIDS works at
the network layer to detect network threats by taking all traffic
from the target network as its data source to protect the entire
network segment [7]–[9]. The HIDS serves as a monitor and
analyzer of a computer system that does not act on the exter-
nal interface, but focuses on the internal system [10], [11].
This framework commonly analyzes system logs, processes,
or files to monitor the dynamic behavior of all or part of the
system and the state of the entire computer system. In the
network system, many devices or components require IDS
support such as web server, file server, and workstations [12].
A scenario illustrating how IDS works at different sites in the
network system is provided in Fig. 1.
The development of network technology and hardware
devices creates issues for the application and upgrade of
IDS [13]–[15]. Current challenges include the following:
1) Diversity: An increase in the type of network protocols
makes it increasingly hard to distinguish between normal
and abnormal data. 2) Low-frequency attacks: The imbal-

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
67542 VOLUME 8, 2020
C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism
FIGURE 1. Intrusion detection system works at different place of the network system.
detection precision of the IDSs, particularly for data-driven
methods. 3) Adaptability: The diverse and flexible charac-
teristic of the network causes a significant reduction in the
lifespan of detection models because IDS requires updating to
adapt to the evolving environment. 4) Placement: Distributed,
centralized, and hybrid methods must be adopted accord-
ing to specific considerations of financial, computational,
and time costs. 5) Accuracy: Existing traditional techniques
cannot achieve the required high-level accuracy due to the
aforementioned challenges. To ensure the performance of
IDS, a deeper, more granular and increasingly comprehensive
understanding of the nature of the intrusion events is required.
Around the issue of intrusion detection, some scholars
have done a lot of work, using methods including expert
knowledge, data mining, and machine learning [16]–[18].
Among them, the deep learning method is unique, providing
a high level of detection performance. Deep neural network
mimics human nerves and uses a large number of non-linear
processing units to deal with complex problems [19]–[21].
It can automatically learn features and extract core data infor-
mation. Due to the improvement of hardware and optimiza-
tion of the algorithm, recurrent neural network (RNN) has
received widespread acclaim. RNN has become a star model
in applications including natural language processing (NLP),
semantic understanding, and speech recognition [13], [22].
VOLUME 8, 2020
Learning to identify whether the network traffic is normal or
anomaly can be understood as learning to perform sentiment
analysis or document classification given several sentences.
From this perspective, network intrusion detection is partly
similar to sentiment analysis tasks, for which RNN-based
methods have been suitable.
In this study, network traffic activity is treated as a
time-series event, meaning that the assessment of traffic type
at the current time depends not only on the current data
but also on data at the previous moments. To provide the
ability to process such data, an RNN-based method is used
as a benchmark approach for intrusion detection. In reality,
the traffic information at different moments or features in a
sample of traffic contributes differently to the judgment of the
current traffic type. To take full advantage of this character-
istic, attention mechanism is adopted to enhance the model,
with two kinds of attention mechanism respectively applied
to the feature and traffic slice. The attention mechanism
provides the ability of visualization to discern which feature
or traffic slice is important. The proposed attention-based
models are then evaluated on the benchmark dataset UNSW-
NB15, which has been used frequently in various recent stud-
ies. The experiments prove that the proposed attention-based
model demonstrates superior performance compared with
other models. The main contributions of this paper include:
67543

1) Different feature or traffic slices contribute uniquely
to the classification of the current traffic. To account
for sensitivity, the proposed model includes two lev-
els of attention mechanisms, feature-based and slice-
based. The attention mechanism guides the model to
provide increased attention to some individual features
or traffic slices when constructing the representation of
traffic information. Based on the above, an attention map
is visualized, contributing to an understanding of the
importance of features or slices of traffic.
2) Three RNN-based detection models are individually
compared with the different attention mechanisms of no-
attention, one-layer attention, and hierarchical attention.
It is observed that the attention mechanism contributes to
improved model performance. The influence of timestep
on the performance of IDS is also studied and the con-
cept of cost-performance is applied to determine if the
value of timestep must be increased.
3) The entire UNSW-NB15 dataset is utilized in this study,
rather than partial data. The results show that when
the timestep equals 10, the hierarchical attention model
achieves the highest detection accuracy of over 98.76%
and the false alarm rate (FAR) is as low as 1.49%.
The rest of this paper is organized as follows. Section II
details existing NIDS works, mainly using RNN as the base
model. In Section III, a number of basic methods of RNN
and attention mechanism are introduced. Section IV details
the proposed work, and Section V presents the results and
analysis of experiments. Finally, Section VI describes the
conclusion of this paper and the direction of future work.
II. RELATED WORKS
The three predominant types of NIDS are misuse-based,
anomaly-based, and hybrid. Among them, the misuse-based
method works by constructing a pattern matching template to
detect intrusion. The constructed template is built on artificial
knowledge and the analysis of existing data. The template
is fixed, so the benefit of this method exists in detecting
known attack types with high accuracy [23]. However, this
feature also leads to an inherent disadvantage of this method
as in a dynamic network environment, new attack types or
variations may appear at any time. It is thus difficult for the
misuse-based approach to perform adequately in the static
background [24], [25]. Another kind of intrusion detection
method is the anomaly-based approach, which operates by
only utilizing normal data so that samples with different
behaviors may all be judged as anomaly [26]. When an attack
occurs in a real device where the misuse-based method is
deployed, the NIDS will alert the alarm, but provide no
information about the exact attack type. However, the disad-
vantage of this method is poor accuracy performance as some
attacks behave like normal data or it is difficult to separate the
attack data and the normal data in the extracted features.
Several machine learning based approaches proposed in
previous studies have achieved success in intrusion detection
systems.In [27], Hebatallah et al. presented a framework for
67544
C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism
feature selection considering irrelevant and redundant fea-
tures. In their model, five different kinds of feature selection
strategies are used and the J48 decision tree classifier with
gain ratio filter is determined to have the best performance.
In [28], Tian et al. proposed a robust and sparse method using
one-class support vector machine (OSVM), which aimed to
locate samples that are different from the majority of data.
However, the anomaly method is limited by the outliers and
noise during the training phase. To improve the performance
of this model, the Ramp loss function is adopted resulting in
the algorithm more robust and sparse.
Deep learning has become an important branch of machine
learning and has become the preferred solution to many
problems. This method has been applied in intrusion detec-
tion filed, achieving remarkable results. In [29], Khan et al.
presented a two-stage intrusion detection model based on the
stacked autoencoder network. In the initial phase, the traffic is
judged as normal or abnormal by the value of classification
probability. In the second stage, the result of the first stage
is regarded as an extra feature for the following multi-class
classification process. However, the detection accuracy could
only reach 89.134% on the UNSW-NB15 dataset. In [30],
Tian et al. presented a hybrid method of shallow and deep
learning using a stacked autoencoder to reduce the dimension
of features. The SVM is then combined with the artificial bee
colony algorithm for classification. The experiments were
also conducted with accuracy reaching beyond 89.62%.
Many scholars have explored works using RNN to
solve network intrusion detection problems. In 2012,
Sheikhan et al. presented a three-layer RNN model to solve
the misuse-based intrusion detection problems [31]. The
input features in their experiment are divided into four cat-
egories according to the feature attribute. However, the RNN
model is reduced in this method, meaning that the connec-
tion between the neural layers is partial and diminishes the
performance. In 2016, Kim et al. explored the possibility of
applying RNN to intrusion detection using a variant of RNN
to build an intrusion detection model [32]. Instances from
the KDD Cup99 dataset were extracted in their experiment
which focused on locating the super parameters and evalu-
ating model performance. In 2017, Yin et al. used standard
RNN to build an IDS, and evaluated their approach with
benchmark dataset NSL-KDD [33]. In their work, the number
of hidden nodes, the number of layers, and the learning rate
have become the main variables. Unfortunately, the accuracy
of their proposed model is not adequate. In 2018, Xu et al.
constructed a new DNN model that applied gated recurrent
unit (GRU) and multilayer perceptron (MLP) to extract data
information [34]. Their simulation results show that the GRU
cell can be more effective than the long short-term mem-
ory (LSTM) cell for intrusion detection problem. In [35],
Anani et al. used the full KDD Cup99 dataset to compare
the model detection performance based on LSTM, bidirec-
tional long short-term memory (BiLSTM), skip-LSTM, and
GRU. The results illustrate that the GRU achieves superior
performance compared to other models. In [36], Agarap et al.
VOLUME 8, 2020
C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism
FIGURE 2. Structure of gated recurrent unit.
sought to enhance the ability of classification by building a
GRU model and introducing linear SVM to replace the soft-
max classifier. Similarly, L2-SVM loss function was adopted
to replace the cross-entropy function. In [37], Roy et al.
selected samples from the UNSW-NB15 dataset and build a
BiLSTM network. Five features were selected, reaching an
accuracy of over 95%. However, only part of the dataset is
utilized in this approach, which may cause some bias in the
results. In [38], the authors used the unsupervised version of
different variants of RNN cells to construct an autoencoder
for intrusion detection. In [39], an end-to-end intrusion detec-
tion approach was proposed. Network packets were adopted
as the input and processed sequentially. There exists noth-
ing about feature engineering or domain knowledge in this
method and instead, the payloads are divided into characters
and train the RNN model to identify specific sequences.
However, the drawback of this end-to-end approach is that
there are too many parameters which make the model overly
complex.
III. BASIC THEORY
A. GRU-BASED METHOD
The RNN is unique as the neural unit is self connection,
meaning that when the cycle unfolds, the data flow over
time is preserved in the neurons [40]. The cyclic structure of
neurons enables them to preserve historical information and
provide sequence modeling capabilities. The RNN calculates
a mapping from the input x = (x1 , x2 , . . . , xT ) to the hidden
state h = (h1 , h2 , . . . , hT ) as follows:
ht = σ (Wxh xt + Whh ht−1 + bh )
where σ is a non-linear function and t ∈ [1, T ]. Wxh and Whh
are corresponding weight matrices, b is a bias term.
As we all know, the gradient descent method is often used
to train the deep learning model. And Back Propagation(BP)
is a way to obtain the gradient. In particular, back propagation
training time (BPTT) is an algorithm that specifically solves
the computation of parameters in RNN models. However, as it
is limited by structure, the gradient in RNN can easily explode
or vanish due to the product of W [41].
VOLUME 8, 2020
As traditional RNN is limited by gradient vanishing or
exploding, variants of RNN are proposed. Gated recurrent
unit(GRU) was proposed to address such issues by introduc-
ing the gating mechanism [42]. There are two kinds of gates:
the reset gate rt and the update gate zt . They work together to
decide the information update process.
Suppose the current input is xt and the new state ht in
time t contains two part: the candidate state h̃t and the past
state ht−1 .
ht = (1 − zt )ht−1 + zt h̃t (2)
The reset gate rt works in the process to derive the candidate
state. The way to obtain the candidate state is similar to that
in traditional RNN except for the gate mechanism.
h̃t = tanh(xt Wxh + Whh (rt ht−1 ) + bh ) (3)
where stands for the Hadamard Product, W is weight
matrix, and b is the bias.
Here, rt helps to control how much information from the
past state can be added into the candidate state. rt is updated
as follow:
rt = σ (xt Wxr + ht−1 Whr + br ) (4)
According to the equation to obtain new state ht , update
gate zt plays a role to balance the previous state ht−1 and the
current candidate state h̃t . zt can then be regarded as a valve
for distributing the past information and the new information.
The update of zt is similar to that of rt :
zt = σ (xt Wxz + ht−1 Whz + bz ) (5)
Former experiments have shown that the BiGRU cell per-
forms better than other three cells including LSTM, GRU, and
BiLSTM. A Bidirectional GRU (BiGRU) is an enhanced ver-
sion of the GRU that works in two directions. It summarizes
−
→ ←−
the forward information h and the backward information h
to enhance feature extraction abilities.
−
→ −−→
h t = GRU (xt ), t ∈ [1, T ]
←− ←−−
h t = GRU (xt ), t ∈ [1, T ] (6)
B. ATTENTION MECHANISM
The generation of attention mechanism is inspired by the
behavior of humans. Human attention happens, to some
extent, when humans predominantly focus on particular local
(1) regions of an image or special words in one sentence. The
attention mechanism assists to fully utilize limited resources.
The regular process of attention mechanism is illustrated
in Fig. 3. The attention value can be obtained by the pair
of key and query. The attention mechanism is not a specific
method, but a mode of thinking which contains the two
important components of addressing and calculating.
Using an attention model, an input can be written in X =
[x1 , x2 , . . . , xn ], where n can be treated as different timestep
for a 3-D data or the number of features for a 1-D vector.
Addressing is also called alignment score function, and is
67545

FIGURE 3. The regular pipeline of attention mechanism.
FIGURE 4. The illustration of location-based attention.
used to obtain the attention probability. The attention prob-
ability represents how much weight should be given to the
hidden state of each input. There are numerous addressing
methods available. In this paper, a location-based attention
and dot-product attention method is utilized.
Location-based attention was initially proposed in [43].
It computes the alignment from the generator state and the
previous alignment only in such a simple way:
αt = softmax(Wa ht )
where Wa is the weight matrix and ht is the current hidden
state.
Dot-product attention consists of three parts: a learned key
matrix K , a value matrix V , and a query vector q. The process
to obtain the attention vector is illustrated in Fig. 5.
FIGURE 5. The illustration of dot-product attention.
First, the key matrix is obtained:
K = tanh(VW a )
67546
C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism
where W a is a randomly initialized weight matrix. After
determining the current key matrix, the similarity between
each query value and the current key value is calculated to
obtain a normalized probability vector d, which is the weight
vector.
d = softmax(qK T ) (9)
Finally, the attention vector can be obtained by:
a = dV (10)
After deriving the probability vector, the final attention
representation, that is context vector, can be calculated.
Depending on the range of hidden states used, the attention
mechanism can be divided into global attention and local
attention [44]. In this paper, we used the global attention
shown in Fig.6. The global attention model absorbs all the
hidden states when deriving the context vector ct . Due to this
calculating way, ct can capture relevant source-side features.
(7)
FIGURE 6. Global attention model.
IV. PROPOSED MODEL
The proposed model is introduced in this section. The hier-
archical attention mechanism of feature-based attention and
slice-based attention is applied respectively into the IDS.
The overall architecture of the hierarchical attention intru-
sion detection model is shown in Fig. 7. This model con-
sists of three main steps. To begin with, data preprocessing
is required. The main operations at this stage include the
missing value process, feature transformation, and feature
normalization. Feature-based attention is then utilized for
enhancing the expression ability of the traffic features, then
the slice-based attention is applied to several pieces of traffic
data.
A. FEATURE-BASED ATTENTION
Not all features have the same importance in the represen-
tation of single traffic information. Thus, to fully release the
(8) energy of some features and capture the features that are truly
VOLUME 8, 2020
C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism

So in this part, a fully-connected layer with softmax acti-

vation is then adopted to determine the weight vector α. Input
Xi is then multiplied by α to derive the output hi .

B. SLICE-BASED ATTENTION
We believe the traffic data is time-related. Traffic information
for multiple adjacent moments helps significantly to judge the
type of current traffic. Thus, several pieces of traffic infor-
mation are grouped together, which is called slice traffic. The
dot-product attention is adopted due to the optimized matrix
multiplication operation in the program that can reduce the
resource consumption during calculation.
For each timestep, the corresponding hidden state hi is fed
through a single-layer perception to obtain ui as a hidden
representation of hi .
ui = tanh(Ww hi + bw ) (13)
The importance of each piece of traffic at different moment
i is then evaluated using the similarity of ui with uw . A nor-
malized importance vector α, also called attention weight, can
be computed through a softmax function.
exp(uTi us )
αi = P T
(14)
i exp(ui us )
The output of slice-based attention is then computed as a
weighted sum. The context vector v can be regarded as a high
level representation of the slice traffic.
X
v= αi hi (15)
i

A summary of the algorithmic phases of the proposed hier-

archical attention intrusion detection model in Algorithm 1 is
provided below.
FIGURE 7. Proposed model for intrusion detection.
V. EXPERIMENT
A. DATASET
significant to the representation of traffic, the feature-based A modern dataset that can represent actual situations in the
attention mechanism is adopted to determine which feature real network is required to build and evaluate the perfor-
should be the focus. Besides, the location-based attention mance of NIDS. The KDDCUP’99, NSL-KDD, and UNSW-
mechanism has no additional objects of interest, and is only NB15 datasets are compared in this paper, considering mul-
relevant to each input in the data source itself. So it is very tiple factors such as dataset size, number of types, and data
suitable to deal with the input features. distribution.
Given a sample with N dimensions, Xi = [xi0 , xi1 , . . . , Referring to Table 1 and Table 2, it can be determined
N −1 that UNSW-NB15 is an ideal candidate dataset for intrusion
xi ], the softmax function is adopted to get the probability
vector, that is the weight for each feature. The normalized detection. UNSW-NB15 was created by Moustafa et al. to
weight of j-th feature in time i can be computed by:
j
TABLE 1. Comparison of several training dataset for intrusion detection.
j j exi
αi = softmax(xi ) = P (11)
N −1 xik
k=0 e
j
The value of αi shows the importance of feature j.
j
Based on the above definition, the final output hi with
location-attention can be derived as:
j j j
hi = xi × αi (12)

VOLUME 8, 2020 67547

 C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism

Algorithm 1 Algorithm for the Hierarchical Attention Intru- Each sample in UNSW-NB15 contains 49 features, which
sion Detection Model can be divided into the five sections of flow features. The
Input: The training dataset X is input with n pieces of detailed descriptions of every feature are listed in Table 3.
samples. Each sample is x (i) , where i ∈ (1, . . . , n). The The official website provides a pair of training and testing
weight matrix of GRU cells W are initialized along with datasets and there exist 82,332 records in the testing set,
attention layer matrix Wa , learning rate l, number of where the normal accounts for 45% and anomaly is 55%.
timesteps Nt , epochs K ; The training set is comprised of 175,341 samples, where
Output: The classification category y is output with the the ratio of normal records to the abnormal is 32% to 68%.
feature-based attention probability α1 and the slice-based In this research, the entire UNSW-NB15 dataset is adopted
attention probability α2 ; for model evaluation and analysis.
1: Data Preprocessing: Missing value filling is conducted To meet the input requirements of deep learning, data
by transforming the nominal features into numerical data preprocessing is needed which mainly includes feature trans-
and then normalizing the numerical data into the range formation, and feature normalization.
of 0 and 1;; To meet the requirements of the input format in neu-
2: The current data xt is merged with the history data xt , ral network, data preprocessing is required and mainly
where the length of history data is determined by Nt ; includes feature transformation and normalization. Feature
3: for k = 1 : K do transformation is used to transform the symbolic features into
4: The feature-based attention probability is obtained: numerical data such as service, state, and proto. This step
α1t = softmax(xt ); is necessary because neural network calculations only allow
5: st1 = α1t xt ; numerical operations. Several feature transformation tech-
6: The BiGRU cells are fed with st1 and the output [h0t , ht ] niques exist, among which one-hot encoding is frequently
is obtained; adopted, especially in the case of attributes that are not seri-
7: ut = tanh(Ww ht + bw ); alizable and cannot be compared in value. After encoding,
8: α2 =Psoftmax(ut ); the dimension of the samples is changed from 42 to 196.
9: v = i αi hi ; Feature normalization is highly useful in deep learning
10: The BPTT algorithm with learning rate l is used to methods and is utilized in most neural network calculation
train the model ; works. This is related to the activation feature of neurons and
11: The output ot of the model is obtained; updating of the weight [46]. In several partitions, the response
12: if ot > 0.5 then of neurons is stronger than other parts which will accelerate
13: yt = 1 the speed of training. In this paper, the min-max technique is
14: else adopted as follows:
15: yt = 0
end if x − min
16: x∗ = (16)
17: end for max − min
18: return yt , α1 , α2
B. EVALUATION
To evaluate the performance of a classifier, the confusion
TABLE 2. Comparison of several testing dataset for intrusion detection. matrix is defined in Table 4. True Negative (TN) means the
total number of normal examples correctly classified. False
Negative (FN), contrary to TN, represents the amount of
normal data wrongly judged. True Positive (TP) stands for
the number of attack correctly classified. False Positive (FP)
is the amount of attack samples that are wrongly divided into
normal parts.
Based on the above definition, other advanced matrices can
be obtained. Accuracy is a good measure when the classes are
balanced.
overcome the shortcomings of KDDCUP’99, and has grad- TP + TN
Accuracy = (17)
ually become one of the benchmark datasets in the filed of TP + FP + FN + TN
IDS [45]. UNSW-NB15 includes rich traffic types so that The FAR is a traditional metric and reflects the situation in
it can more accurately reflect the characteristics of modern which records are misclassified. The definition is as follow:
network traffic data. Ten types of traffic data exist which are
1 FP FN
Normal, Dos, Fuzzers, Analysis, Exploits, Reconnaissance, FAR = ( + ) (18)
Worm, Backdoors, Generic, and Shellcode. Besides, the dis- 2 FP + TP FN + TN
tribution of normal and anomaly data is balanced both in The Precision is the ratio of records correctly classified as
training and testing datasets. attacks to the number of attacks and Recall is the fraction of

67548 VOLUME 8, 2020

C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism

TABLE 3. UNSW-NB15 dataset.

TABLE 4. Confusion matrix for binary classification. dropped in order to make the total number an integer multiple
of the batch size. Thus, the final training dataset has a shape of
(175340, timestep, 196) and the shape of the testing dataset is
(825340, timestep, 196), where timestep is a hyper-parameter
representing the length of historical events. To create such
correctly classified attacks to all records that are detected to data, the TimeseriesGenerator in Keras is adopted.
be anomaly. In the proposed model, to build the feature-based attention
mechanism, a Dense layer with softmax activation is con-
TP
Precision = (19) nected to the input layer. The number of hidden units in this
TP + FN dense layer is equal to that of the input layer. Two BiGRU
TP layers with 32 and 12 units respectively are then stacked
Recall = (20)
TP + FP together for processing time-series data. Each timestep cre-
ates an output, and the dot-product attention is applied to all
C. MODEL CONFIGURATION AND TRAINING the steps. Finally, Dense layers are connected to the output
In this paper, Keras with Tensorflow is used as the backend of the attention layer and the output layer has only one
to build the model. To meet the requirement of the input unit. In the training phase, a batch of 1024 is used and the
dimension for BiGRU, the dataset is reorganized into a 3D Adam optimizer is adopted. The parameters of Adam are
shape. All 196 features are then arranged in a single piece of set to be lr = 0.1, beta_1 = 0.9, beta_2 = 0.999. The
data into a vector. Some samples at the end of the dataset are binary_crossentropy is adopted as the loss function.

VOLUME 8, 2020 67549

 C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism

D. RESULT AND ANALYSIS

The three different structures of no attention, single attention,
and hierarchical attention were individually explored in this
research (other components were kept the same except the
attention module). The influence of timestep on the conver-
gence performance was first explored. Corresponding exper-
iments were then conducted on the hierarchical attention
model and several timesteps were randomly selected.
The convergence curves plotted in Fig. 8 illustrate how
the loss function changes with iterations during the training
phase.It can be observed that even though timestep is differ-
ent, the model will finally converge. Additionally, the larger
the timestep, the lower the loss value, meaning that model
performance is improved when the timestep is larger. Con-
sidering the speed of convergence, it appears that the value of
timestep has no effect on this condition.

FIGURE 8. Convergence curve of the hierarchical attention model during FIGURE 9. The experiment results on training and testing dataset.
the training phase with different timestep.

The influence of timestep on accuracy and false alarm

rate was also studied, and the results are provided in Fig.9.
As illustrated in Fig.9(a), as the value of timestep increases,
the accuracy also increases gradually on the testing dataset.
Impressively, the promotion of performance due to timestep
growth is clearly evident (detection accuracy can reach
91.69% and 98.88% when timestep = 1 and timestep = 11
respectively).
To better characterize the impact of timestep, a gain ratio is
introduced that is the value of accuracy improvement for each
timestep. Starting from timestep = 2, a vertical line serves as
the indicator of the increase of accuracy: the longer the line, FIGURE 10. The detection process on testing dataset using BiGRU with
10 timestep.
the greater the increase of accuracy. Generally, the develop-
ment of the model experiences a fast-ascension period and
a slow-convergence period which is evident in the proposed retained at a relatively low level when timestep = 10, again
model. Although the length of the black line reaches its max indicating the optimal value of timestep being 10.
value when timestep equals 2, the actual detection rate can It can also be concluded that the hierarchical attention-
improve further and is therefore still considered to be in the based model performs the best, and the single-level attention-
fast-ascension period. When timestep = 11, the accuracy based model has a better performance than the model with no
improves to a relatively high level due to its smallest gain ratio attention mechanism. When the value of timestep is small,
and there is little room for further improvement. At the same for example, timestep equals 2 or 3, attention mechanism has
time, the black line looks as if it will disappear. In summary, a significant impact on the performance improvement of the
10 is determined as an optimized candidate value for the model. As the timestep increases, the effect of the attention
parameter of timestep. Fig.9(b) shows a comparison of false mechanism is gradually reduced. This is likely because the
alarm rate under different timestep values, where FAR is features extracted by the BiGRU with a high timestep value

67550 VOLUME 8, 2020

C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism

FIGURE 11. Attention map for a case of normal traffic.

are sufficient to characterize the data and is illustrated by the TABLE 5. Running time comparison of different models on the testing
dataset (/second).
performance of the model without attention mechanism.
We also compare the running time of different models
on the testing dataset. And the result is shown in Table.5.
It can be seen that the time cost gradually increases along
with the increase of timesteps for each model. And the model
with multi-level attention costs larger than other two models.
And the larger the timestep is, the larger the value of time
difference between every two models.
The detecting phase on the testing dataset using the hier-
archical attention model with timestep = 10 value of 10 is
shown in Fig. 10. The blue bold dots represent the real label
of testing samples, orange middle dots denote the correct the performance of the model is reduced, roughly beginning
predictions, and the red small dots are incorrectly classi- at sample 40,000th. This may be attributed to the emergence
fied samples. In the beginning, despite the fluctuation in the of new types of attacks as time goes on. For some features,
classified data (orange dots), a satisfying performance can certain values exist in the testing dataset that are not available
still be achieved. However, with increased time and samples, in the training dataset.Another reason may be the fluctuation

VOLUME 8, 2020 67551


FIGURE 12. Attention map for a case of anomaly traffic.
TABLE 6. Comparison between our proposed model with other machine
learning algorithms.
of Normal data, especially in features like proto and state.
Online learning could provide a solution to these problems.
In future research, the inclusion of online operations to this
model will be considered.
The proposed method was also compared with other works
using the UNSW-NB15 dataset, as shown in Table.6. The
comparison results further illustrate the effectiveness and
improvement of the proposed hierarchical attention model.
67552
C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism
E. VISUALIZATION OF ATTENTION
To validate that attention effectively helps to select infor-
mative features or pieces of traffic, two pieces of traffic
were randomly selected, representing normal and anomaly.
The attention probability was then visualized separately,
using both slice-based attention and feature-based attention.
To classify the current traffic, several previous traffic data
points were also considered.
Attention maps for a case of normal traffic and anomaly
events are respectively illustrated in Fig. 11 and 12.
The x-axis is the value of timestep and the y-axis is the feature
number or feature name. There are two different ways to
illustrate attention probability. A bar chart is used to represent
the slice-based attention, and the color block is adopted for
the illustration of feature-based attention. The darker the
color, the greater the probability.
In Fig. 11(a) and Fig. 11(b), the lower section in the
subgraph displays the slice-based attention probability for
VOLUME 8, 2020
C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism
10 timesteps. The value of slice-based attention probability
at varying timestep is close which is reasonable because the
10 traffic data points all belong to normal classes which are
similar to each other. As can be seen from the dark areas
of the attention map, the features extracted are similar at
varying timestep. This occurrence is also reasonable as sim-
ilar features have a similar effect on the final classification.
Figure 11(a) also illustrates that the dload may be the most
important feature for this kind of normal traffic.
An example of the attention map for anomaly traffic is
provided in Fig. 12. The probability distribution is completely
different from that in the normal case in Fig. 11. First, the fea-
tures with strong responses at each timestep are different from
each other, that is, they are all different data types. Further
evidence that the data is of different types is provided by the
assigning of attention probability. Therefore, when classify-
ing the current data, data at other timestep contributes noth-
ing, which is reasonable. Additionally, features including sttl,
dttl, dload, and cts rvd st, play an important role in judging
this kind of attack data. The attention mechanism strengthens
the existence of this feature resulting in the improvement of
model performance.
The hierarchical attention mechanism proposed in this
work not only enhances the detection ability, but also helps
to determine which feature plays a substantial role in the
detection process. Feature selection can thus be conducted
based on attention probability, which will be the focus of
future work.
VI. CONCLUSION
This paper presented an intrusion detection model with hier-
archical attention mechanism. Several traffic data are merged
in order and the influence of the different number of previous
traffic on performance was also investigated. The proposed
model was demonstrated to achieve satisfactory performance
on the UNSW-NB15 dataset, with accuracy of more than
98.76% and FAR lower than 1.2%. As for the detection
accuracy, our attention-based intrusion detection model is
better than some state-of-art approaches such as autoencoder,
deep feedforward neural networks, and single-class support
vector machines. And compared with the bidirectional long
short-term memory model, our method has an improve-
ment of 3.05%. With the assistance of attention mecha-
nism, an attention map was presented. The visualization may
provide assistance for feature selection and contributes to
the understanding of the differences between varied traffic
classes in the future. However, our model is lack of fast
calculation. Future developments will be focused on the
evolution of attention mechanism and attempts of parallel
computing. Besides, in our method, only anomaly traffic has
been detected. But information about specific attack type can
not be obtained. So future work will also be conducted on
classifying specific types of attacks using the attention mech-
anism. And the current version of proposed can not provide
second-phase detection function. As for the misclassified,
VOLUME 8, 2020
in the future, the model can be lighten and support the further
detection.
ACKNOWLEDGMENT
The authors declare that there is no conflict of interests
regarding the publication of this article. They gratefully thank
of very useful discussions of reviewers.
REFERENCES
[1] C. Alcaraz, R. Roman, P. Najera, and J. Lopez, ‘‘Security of industrial
sensor network-based remote substations in the context of the Internet of
Things,’’ Ad Hoc Netw., vol. 11, no. 3, pp. 1091–1104, May 2013.
[2] H. Huang, J. Yang, H. Huang, Y. Song, and G. Gui, ‘‘Deep learning for
super-resolution channel estimation and DOA estimation based massive
MIMO system,’’ IEEE Trans. Veh. Technol., vol. 67, no. 9, pp. 8549–8560,
Sep. 2018.
[3] F. Salo, A. B. Nassif, and A. Essex, ‘‘Dimensionality reduction with IG-
PCA and ensemble classifier for network intrusion detection,’’ Comput.
Netw., vol. 148, pp. 164–175, Jan. 2019.
[4] A.-R. Sadeghi, C. Wachsmann, and M. Waidner, ‘‘Security and pri-
vacy challenges in industrial Internet of Things,’’ in Proc. 52nd
ACM/EDAC/IEEE Design Autom. Conf. (DAC), Jun. 2015, pp. 1–6.
[5] Y. Lin, M. Wang, X. Zhou, G. Ding, and S. Mao, ‘‘Dynamic spectrum
interaction of UAV flight formation communication with priority: A deep
reinforcement learning approach,’’ IEEE Trans. Cognit. Commun. Netw.,
early access, Feb. 12, 2020, doi: 10.1109/TCCN.2020.2973376.
[6] S. Agrawal and J. Agrawal, ‘‘Survey on anomaly detection using data min-
ing techniques,’’ Procedia Comput. Sci., vol. 60, pp. 708–713, Jan. 2015.
[7] P. Mishra, E. S. Pilli, V. Varadharajan, and U. Tupakula, ‘‘Intrusion detec-
tion techniques in cloud environment: A survey,’’ J. Netw. Comput. Appl.,
vol. 77, pp. 18–47, Jan. 2017.
[8] T. Liu, Y. Guan, and Y. Lin, ‘‘Research on modulation recognition with
ensemble learning,’’ EURASIP J. Wireless Commun. Netw., vol. 2017,
no. 1, p. 179, Dec. 2017.
[9] Y. Lin, C. Wang, J. Wang, and Z. Dou, ‘‘A novel dynamic spectrum access
framework based on reinforcement learning for cognitive radio sensor
networks,’’ Sensors, vol. 16, no. 10, p. 1675, 2016.
[10] Z. Zhang, X. Guo, and Y. Lin, ‘‘Trust management method of D2D com-
munication based on RF fingerprint identification,’’ IEEE Access, vol. 6,
pp. 66082–66087, 2018.
[11] H. Wang, L. Guo, Z. Dou, and Y. Lin, ‘‘A new method of cognitive
signal recognition based on hybrid information entropy and D-S evidence
theory,’’ Mobile Netw. Appl., vol. 23, no. 4, pp. 677–685, Aug. 2018.
[12] R. Zuech, T. M. Khoshgoftaar, and R. Wald, ‘‘Intrusion detection and big
heterogeneous data: A survey,’’ J. Big Data, vol. 2, no. 1, p. 3, Dec. 2015.
[13] Y. Lin, X. Zhu, Z. Zheng, Z. Dou, and R. Zhou, ‘‘The individual iden-
tification method of wireless device based on dimensionality reduction
and machine learning,’’ J. Supercomput., vol. 75, no. 6, pp. 3010–3027,
Jun. 2019.
[14] C. Shi, Z. Dou, Y. Lin, and W. Li, ‘‘Dynamic threshold-setting for RF-
powered cognitive radio networks in non-Gaussian noise,’’ Phys. Com-
mun., vol. 27, pp. 99–105, Apr. 2018.
[15] Y. Xiao, C. Xing, T. Zhang, and Z. Zhao, ‘‘An intrusion detection model
based on feature reduction and convolutional neural networks,’’ IEEE
Access, vol. 7, pp. 42210–42219, 2019.
[16] M. Ahmed, A. Naser Mahmood, and J. Hu, ‘‘A survey of network
anomaly detection techniques,’’ J. Netw. Comput. Appl., vol. 60, pp. 19–31,
Jan. 2016.
[17] Y. Tu, Y. Lin, J. Wang, and J.-U. Kim, ‘‘Semi-supervised learning with gen-
erative adversarial networks on digital signal modulation classification,’’
Comput. Mater. Continua, vol. 55, no. 2, pp. 243–254, 2018.
[18] Q. Shi, J. Kang, R. Wang, H. Yi, Y. Lin, and J. Wang, ‘‘A framework
of intrusion detection system based on Bayesian network in IoT,’’ Int. J.
Performability Eng., vol. 14, no. 10, pp. 2280–2288, 2018.
[19] Y. LeCun, Y. Bengio, and G. Hinton, ‘‘Deep learning,’’ Nature, vol. 521,
no. 7553, p. 436, 2015.
[20] D. Kwon, H. Kim, J. Kim, S. C. Suh, I. Kim, and K. J. Kim, ‘‘A survey
of deep learning-based network anomaly detection,’’ Cluster Comput.,
vol. 22, no. S1, pp. 949–961, Jan. 2019.
67553

[21] R. Wu, X. Chen, H. Han, H. Zhao, and Y. Lin, ‘‘Abnormal information
identification and elimination in cognitive networks,’’ Int. J. Performability
Eng., vol. 14, no. 10, pp. 2271–2279, 2018.
[22] J. K. Chorowski, D. Bahdanau, D. Serdyuk, K. Cho, and Y. Bengio,
‘‘Attention-based models for speech recognition,’’ in Proc. Adv. Neural Inf.
Process. Syst., 2015, pp. 577–585.
[23] S. T. Ikram, ‘‘Improving accuracy of intrusion detection model using PCA
and optimized SVM,’’ J. Comput. Inf. Technol., vol. 24, no. 2, pp. 133–148,
Jun. 2016.
[24] N. Shone, T. N. Ngoc, V. D. Phai, and Q. Shi, ‘‘A deep learning approach to
network intrusion detection,’’ IEEE Trans. Emerg. Topics Comput. Intell.,
vol. 2, no. 1, pp. 41–50, Feb. 2018.
[25] F. Farahnakian and J. Heikkonen, ‘‘A deep auto-encoder based approach
for intrusion detection system,’’ in Proc. 20th Int. Conf. Adv. Commun.
Technol. (ICACT), Feb. 2018, pp. 178–183.
[26] M. S. Islam, W. Khreich, and A. Hamou-Lhadj, ‘‘Anomaly detection
techniques based on kappa-pruned ensembles,’’ IEEE Trans. Rel., vol. 67,
no. 1, pp. 212–229, Mar. 2018.
[27] H. M. Anwer, M. Farouk, and A. Abdel-Hamid, ‘‘A framework for efficient
network anomaly intrusion detection with features selection,’’ in Proc. 9th
Int. Conf. Inf. Commun. Syst. (ICICS), Apr. 2018, pp. 157–162.
[28] Y. Tian, M. Mirzabagheri, S. M. H. Bamakan, H. Wang, and Q. Qu, ‘‘Ramp
loss one-class support vector machine; a robust and effective approach
to anomaly detection problems,’’ Neurocomputing, vol. 310, pp. 223–235,
Oct. 2018.
[29] F. A. Khan, A. Gumaei, A. Derhab, and A. Hussain, ‘‘A novel two-
stage deep learning model for efficient network intrusion detection,’’ IEEE
Access, vol. 7, pp. 30373–30385, 2019.
[30] Q. Tian, J. Li, and H. Liu, ‘‘A method for guaranteeing wireless communi-
cation based on a combination of deep and shallow learning,’’ IEEE Access,
vol. 7, pp. 38688–38695, 2019.
[31] M. Sheikhan, Z. Jadidi, and A. Farrokhi, ‘‘Intrusion detection using
reduced-size RNN based on feature grouping,’’ Neural Comput. Appl.,
vol. 21, no. 6, pp. 1185–1190, Sep. 2012.
[32] J. Kim, J. Kim, H. L. T. Thu, and H. Kim, ‘‘Long short term memory
recurrent neural network classifier for intrusion detection,’’ in Proc. Int.
Conf. Platform Technol. Service (PlatCon), Feb. 2016, pp. 1–5.
[33] C. Yin, Y. Zhu, J. Fei, and X. He, ‘‘A deep learning approach for intru-
sion detection using recurrent neural networks,’’ IEEE Access, vol. 5,
pp. 21954–21961, 2017.
[34] C. Xu, J. Shen, X. Du, and F. Zhang, ‘‘An intrusion detection system using
a deep neural network with gated recurrent units,’’ IEEE Access, vol. 6,
pp. 48697–48707, 2018.
[35] W. Anani and J. Samarabandu, ‘‘Comparison of recurrent neural network
algorithms for intrusion detection based on predicting packet sequences,’’
in Proc. IEEE Can. Conf. Electr. Comput. Eng. (CCECE), May 2018,
pp. 1–4.
[36] A. F. M. Agarap, ‘‘A neural network architecture combining gated recurrent
unit (GRU) and support vector machine (SVM) for intrusion detection
in network traffic data,’’ in Proc. 10th Int. Conf. Mach. Learn. Comput.
(ICMLC), 2018, pp. 26–30.
[37] B. Roy and H. Cheung, ‘‘A deep learning approach for intrusion detection
in Internet of Things using bi-directional long short-term memory recur-
rent neural network,’’ in Proc. 28th Int. Telecommun. Netw. Appl. Conf.
(ITNAC), Nov. 2018, pp. 1–6.
[38] A. H. Mirza and S. Cosan, ‘‘Computer network intrusion detection using
sequential LSTM neural networks autoencoders,’’ in Proc. IEEE 26th
Signal Process. Commun. Appl. Conf. (SIU), May 2018, pp. 1–4.
[39] H. Liu, B. Lang, M. Liu, and H. Yan, ‘‘CNN and RNN based payload
classification methods for attack detection,’’ Knowl.-Based Syst., vol. 163,
pp. 332–341, Jan. 2019.
[40] M. Schuster and K. K. Paliwal, ‘‘Bidirectional recurrent neural networks,’’
IEEE Trans. Signal Process., vol. 45, no. 11, pp. 2673–2681, Nov. 1997.
[41] J. Schmidhuber, ‘‘Deep learning in neural networks: An overview,’’ Neural
Netw., vol. 61, pp. 85–117, Jan. 2015.
[42] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho,
‘‘Deep recurrent neural network for intrusion detection in SDN-based
networks,’’ in Proc. 4th IEEE Conf. Netw. Softwarization Workshops (Net-
Soft), Jun. 2018, pp. 202–206.
[43] M.-T. Luong, H. Pham, and C. D. Manning, ‘‘Effective approaches to
attention-based neural machine translation,’’ 2015, arXiv:1508.04025.
[Online]. Available: http://arxiv.org/abs/1508.04025
67554
C. Liu et al.: Intrusion Detection Model With Hierarchical Attention Mechanism
[44] Y. Guo, J. Ji, X. Lu, H. Huo, T. Fang, and D. Li, ‘‘Global-local
attention network for aerial scene classification,’’ IEEE Access, vol. 7,
pp. 67200–67212, 2019.
[45] N. Moustafa and J. Slay, ‘‘The evaluation of network anomaly detection
systems: Statistical analysis of the UNSW-NB15 data set and the compar-
ison with the KDD99 data set,’’ Inf. Secur. J., Global Perspective, vol. 25,
nos. 1–3, pp. 18–31, Apr. 2016.
[46] B. Recht, C. Re, S. Wright, and F. Niu, ‘‘Hogwild: A lock-free approach
to parallelizing stochastic gradient descent,’’ in Proc. Adv. Neural Inf.
Process. Syst., 2011, pp. 693–701.
[47] M. Al-Hawawreh, N. Moustafa, and E. Sitnikova, ‘‘Identification of mali-
cious activities in industrial Internet of Things based on deep learning
models,’’ J. Inf. Secur. Appl., vol. 41, pp. 1–11, Aug. 2018.
[48] Y. Zhou, M. Han, L. Liu, J. S. He, and Y. Wang, ‘‘Deep learning approach
for cyberattack detection,’’ in Proc. IEEE Conf. Comput. Commun. Work-
shops (INFOCOM WKSHPS), Apr. 2018, pp. 262–267.
CHANG LIU (Member, IEEE) received the B.S.
and M.S. degrees in computer science and tech-
nology from the Kharkiv National University of
Ukraine, in 2008 and 2009, respectively, and the
Ph.D. degree in radio technology and television
systems from the Kharkiv National University
of Radio Electronics, Kharkiv, Ukraine, in 2013.
He has been a Teacher with the Heilongjiang
Agricultural University of China, since 2011, and
became an Associated Professor, in 2018. He is
currently an Associated Professor with the Institute of Electronics and Infor-
mation Engineering, Guangdong Ocean University. His main studying areas
are signal processing and artificial intelligence.
YANG LIU received the B.S. degree in elec-
tronic information engineering from the College
of Electronic Information, Northwestern Polytech-
nical University, Xian, China, in 2015, and the
M.S. degree with China Aerospace Science and
Technology Corporation, in 2018. He is currently
working with the Beijing Institute of Astronau-
tical Systems Engineering. His research interest
includes command and control, and information
security.
YU YAN (Student Member, IEEE) received the
B.S. degree from the College of Information and
Communication Engineering, Harbin Engineering
University, Harbin, China, in 2019, where she is
currently pursuing the master’s degree with the
College of Information and Communication Engi-
neering. Her current research interests include net-
work intrusion detection, machine learning, and
data analysis.
JI WANG received the B.S. degree in electron-
ics and communication technology from Liaoning
University, China, in 1994, and the M.S. degree
in engineering from the Guangdong University of
Technology, in 2010. He is currently a Professor
with the Institute of Electronics and Information
Engineering, Guangdong Ocean University. He is
also the Director of the Guangdong Intelligent
Ocean Sensor Network and its Equipment Engi-
neering Technology Research Center, a Senior
Member of the China Electronics Society, and a member of the Guang-
dong Electronic Information Education and Reference Committee. His main
studying areas are wireless sensor network and ocean Internet of Things,
information processing, and communication systems.
VOLUME 8, 2020