Indonesian Journal of Electrical Engineering and Informatics (IJEEI)
Vol. No. September 2025, pp.
ISSN: 2089-3272. DOI: 10.52549/ijeei.

Development of a Network Intrusion Detection Model using Hybridised Machine Learning Algorithms

Ogundele Oluwafeyisayo Mary1, Okokpujie Kennedy2, Maha Ojimaojo King-David2, Adaora P. Ijeh3, Imhade P. Okokpujie4,5

Department of Network and User Administration, NigeriaUnified Payment Idowu Martins, Victoria Island, Lagos, Nigeria
Department of Electrical and Information Engineering, College of Engineering, Covenant University, Ota, Nigeria
Department of Computer and Information Science, College of Science and Technology, Covenant University, Ota, Nigeria
Department of Mechanical and Mechatronics Engineering, Afe Babalola University, Ado Ekiti, 360001 Nigeria
Department of Mechanical and Industrial Engineering Technology, University of Johannesburg, Johannesburg, 2028, South Africa

Article Info
Article history: Received Sep 15, 2024; Revised May 26, 2025; Accepted Jun 24, 2025
Keywords: Hybrid Models, Intrusion Detection, Network Security, Recurrent Neural Networks, Random Forests

ABSTRACT

Cyber threats continue to grow in this era as bad actors attempt to exploit individuals, organisations, and systems. The latest development in artificial intelligence has unleashed strong agents at the fingertips of As open as it is, it has made more room for possible bad actors. Systems that can successfully counter these threat actors need to be created to rescue humanity. In this research work, hybridised RNN and Random Forest classifier models are combined for the development of a Network Intrusion Detection System (NIDS) based on the benchmark dataset (CICIDS 2. The requirement for an efficient and accurate method to detect network intrusions, both known and zero-day anomalies, is the primary problem This research aims to enhance the accuracy and reliability of intrusion detection systems through a hybrid modelling approach.
To evaluate the performance of the proposed model, measures such as accuracy, precision, recall, F1 measure, true positive rate, and true negative rate were employed. The hybrid model showed very good results, with a testing accuracy of 96.08%, precision of 96.0%, and recall of 96.0%, along with an F1 measure of 96. The result of the experiment indicates that the model is effective and, when implemented, can detect and classify cyberattacks in modern environments.

Copyright © 2025 Institute of Advanced Engineering and Science. All rights reserved.

Corresponding Author: Okokpujie Kennedy, Department of Electrical and Information Engineering, College of Engineering, Covenant University, Ota, Nigeria. okokpujie@covenantuniversity.

INTRODUCTION

As more people started using the Internet, the late 21st century, called the "Digital Age", marked a critical turning point in worldwide connectedness. Statista's internet trend statistics reveal a remarkable surge in global internet users, with a 13.9% increase in 2015 and an average annual growth rate of 7. 18 billion individuals, or 64.6% of the global population, were online as of April 2023. This digital era has also seen the proliferation of devices managed via wireless networks, and the demand for reduced latency in technologies such as self-driving cars, robots, and healthcare has intensified reliance on evolving technologies to enhance job performance and efficiency across various industries. Human lives are increasingly intertwined with the Internet, from food services to financial transactions, entertainment, communication, and health services, particularly in this AI-driven age. However, alongside this ubiquitous connectivity and integration of digital technologies, cyberspace has evolved into a dynamic and complex landscape. Here, the expanding capabilities of information systems coexist with the persistent threat of malicious activities.
The vastness of the web has made it an attractive target for criminals, necessitating robust measures to detect and prevent attacks on systems and individuals. Cyberspace has significantly benefited from using intrusion detection systems (IDS), which many researchers use to combat cyber threats. Despite significant advancements, challenges such as novel threats, zero-day attacks, and false positives persist, highlighting the need for continued innovation in cybersecurity.

Journal homepage: http://section. com/index. php/IJEEI/index

Intrusion Detection Systems (IDS) are essential for cybersecurity because they can detect and stop harmful activity or unauthorized access to computer networks. Traditional signature-based IDS have proven effective against known attacks but struggle with novel threats, false positives, and lengthy training times. This research addresses these limitations by developing a hybrid system that combines a deep learning detector, specifically a Recurrent Neural Network (RNN), with a supervised learning algorithm, the Random Forest (RF). Both algorithms have demonstrated high accuracy and robustness in handling previous datasets. This hybrid approach aims to enhance the detection of known and unknown attacks, reduce false positives, and improve overall system performance.

Traditionally, supervised machine learning algorithms such as Random Forest, Decision Trees, Naïve Bayes, and Support Vector Machines, or unsupervised learning algorithms like K-Nearest Neighbor (KNN), Long Short-Term Memory (LSTM), and Convolutional Neural Network (CNN) have been used in IDS to address cybersecurity issues. These algorithms are trained on well-known datasets such as the CICIDS2017 and NSL-KDD datasets to identify attacks. Kamil and Mohammed demonstrated that CNN models achieve high accuracy rates and low false positives. Similarly, a study by Ouiazzane et al.
highlighted the effectiveness of decision tree algorithms in recognising regular network traffic with high accuracy and minimal false alarms. These findings support the potential of hybrid models to address the limitations of traditional IDS.

The hybrid network intrusion detection system proposed in this paper combines a Random Forest algorithm with an RNN. The RNN is used for feature extraction, leveraging its ability to detect local patterns in network traffic data. The Random Forest algorithm then classifies these features, utilising its ensemble of Decision Trees to enhance accuracy and robustness. This approach aims to capitalise on the strengths of both algorithms, ensuring high detection rates for both known and unknown attacks while minimising false The system is trained on the CSE-CICIDS2017 dataset, which includes numerous attack scenarios, including web attacks, DDoS, Heartbleed, botnets, brute force, and internal network intrusion.

Developing a hybrid network intrusion detection system holds significant promise in enhancing cybersecurity measures. The suggested system responds to known and unexpected threats more efficiently by combining deep learning and supervised learning techniques, significantly lowering false positives. With cyber dangers on the rise and digital ecosystems becoming more complex due to technologies like 5G and IoT, innovation like this is The hybrid model's ability to leverage labelled data to detect novel threats and minimize false alarms is a pivotal aspect of this research, addressing common challenges in obtaining extensive labelled datasets. Furthermore, this study is in line with Sustainable Development Goals (SDGs) 16 (Peace, Justice & Strong Institutions) and 9 (Industry, Innovation & Infrastructure), highlighting its broader significance in defending vital infrastructure and thwarting cybercrime.
2 Classification of Intrusion Detection Systems

Intrusion Detection Systems (IDS) are classified into deployment method-based IDS and detection method-based IDS. Deployment method-based IDS is further classified into Host-based IDS (HIDS) and Network-based IDS (NIDS). In contrast, detection method-based IDS is further classified into Signature-based IDS and Anomaly Detection-based IDS. Figure 1 shows the categorisation of Intrusion Detection Systems.

One essential security tool is a HIDS, which monitors and assesses the internal conditions of a single host, such as a server or personal computer (PC). A HIDS looks at the host's internal workings and data flows, unlike network-based intrusion detection systems, which monitor network traffic. A HIDS periodically takes a snapshot of the host's file system and compares the snapshots over time.

Another essential security tool is the NIDS, which scans network traffic for indications of hostile activity or policy infractions. A NIDS is concerned with the entire network environment, unlike Host Intrusion Detection Systems (HIDS), which concentrate on specific hosts. NIDS examine packets as they traverse the network and analyze them in real time to detect suspicious patterns or behaviours suggestive of cyber threats. Typically, the system combines anomaly-based detection, which detects departures from typical network behaviour, with signature-based detection, which searches for known attack patterns.

Signature-based IDS (SIDS), also called misuse or knowledge-based detection, utilizes predefined attack patterns stored in a database. This method efficiently identifies known threats but struggles with new, unidentified attacks and requires significant resources to maintain and compare extensive databases. Conversely, Anomaly-Based IDS (AIDS), or behaviour-based detection, establishes a profile for regular network activity and flags any deviations as potential threats.
This approach is adept at detecting novel attacks due to its ability to identify abnormal behaviour. However, it can have a high false alarm rate (FAR) because distinguishing between normal and abnormal behaviour can be challenging. To maximize the effectiveness of IDS, combining both SIDS and AIDS methods is recommended. This hybrid approach reduces the risk of false positives and negatives, enhancing overall threat detection and response capabilities. Regularly updating signature databases and refining anomaly detection algorithms improve IDS performance, ensuring robust protection against familiar and emerging threats.

Figure 1. Categorization of Intrusion Detection Systems

RELATED WORKS

In recent years, various hybrid network intrusion detection systems (IDSs) have integrated multiple machine learning algorithms to get the best possible results in attack detection and categorization. Du et al. suggested a deep learning model for network intrusion detection (DLNID), a traffic anomaly detection model. An attention mechanism and a bidirectional long short-term memory (Bi-LSTM) network are combined in this model. The Bi-LSTM was used to ascertain the network pattern sequence after reassigning weights and extracting the attack features using a pure Convolutional Neural Network (CNN). However, it wasn't used to create an online intrusion detection model using an integrated network capture module. As a result, while the model may be effective at spotting known patterns, it will be less successful at detecting zero-day attacks.

Hussain et al. proposed the semi-supervised one-class Support Vector Machine (OC-SVM) and Supervised Random Forest (RF) methods to create a Hybrid Network Intrusion Detection System. It operated in two stages: the first stage filtered malicious and benign traffic using an OC-SVM.
In the following stages, several parallel supervised models and an extra OC-SVM model were employed to distinguish between known and unknown attacks and malicious communications. Although the model was trained on a small dataset and its performance on different types of attacks is unclear, it performed optimally and achieved high accuracy scores 45% and 93.99% on known and zero-day attacks, respectively. Due to the FPR to FNR trade-off, the FNR displayed was high at 7.28%, even though the FPR was low at 0.

In Silivery et al., the authors created a dependable intrusion detection system to recognize malicious attempts by implementing a multi-model methodology that included Recurrent Neural Network (RNN), Long Short-Term Memory Recurrent Neural Network (LSTM-RNN), and Deep Neural Network (DNN). As a result, the study work in our proposed model had a solid foundation due to the LSTM-RNN's high accuracy of 98. and low FPR of 2.

Hnamte et al. intended to identify threats using a hybrid machine-learning approach. The Crow Search Algorithm (CSA) is used to identify critical characteristics, and the Extreme Learning Machine (ELM) is mapped to the decision tree to increase classification accuracy. Additionally, they demonstrated through a comparative examination of test data that the model's accuracy decreases with increased features being used. They obtained an accuracy of 97.89% with their 11 features, 94.23% with their 8 features, and 94.13% with their 4 features, indicating that the number of features in the system affects the detection rate.

In Pande et al., the NSL-KDD dataset has a precision of 99.96%, a recall of 99.97%, and a precision However, the UNSW NB15 detection findings using this paper's model have an overall identification accuracy rate of 90.12%, a recall of 95.20%, and a precision of 89. The authors employed a CBL DDQN Model Based on an Improved Double Deep Q Network, a CNN and a BiLSTM hybrid.
performs poorly in classification prediction, such as in random forest, SVM, and MLP.

Hybrid Network Intrusion Detection Systems have been implemented in various scientific research works. Still, performance on zero-day attacks and the response of the developed models to false alarm rates remain very low. A summary of the related works is shown in Table 1. Our proposed model aims to respond more effectively to known and unknown threats, drastically reducing false positives and combating cyberattacks in networks and systems.

IJEEI, Vol. No. September 2025: 558 - 568

Table 1. Summary of Related Works
Columns: S/N; References; Dataset; Models; Performance; Limitations

Dataset: CICIDS2017
Models: Near-autonomous Hybrid IDS comprising a Deep Neural Network (DNN) and the K-Nearest Neighbors (KNN) algorithm
Performance: The Port Scan attacks occur in sliding window 16. the AUC drops from 0.97 to less than 0. and then resumes after learning with an AUC of around 0.
Limitations: A sharp drop in the AUC measures each time a new attack is system, indicating the failure of the neural network to detect the unseen attacks.

Dataset: KDDCUP'99 CICMalMem2022 Datasets
Models: A hybrid strategy that makes use of deep learning (DL) and (ML) techniques, such as XGBoost for feature selection and SMOTE for data balancing
Performance: Accuracy of 99.99% and 100% for KDDCUP'99 and CICMalMem-2022
Limitations: Did not apply the model to novel emerging

Dataset: NSL-KDD Dataset
Models: An adaptive deep learning algorithm with data preprocessing. A module, a neural network pre-training module, and a classifier
Performance: After adding the proposed ADL to the Naïve Bayes, the accuracy of R2L is improved from 84. the accuracy rate increased from 91.23% to 44%, the accuracy rate of U2L increased from 28.49% to 83%, and the accuracy rate increased from 66.88% to 75.
Limitations: The performance of the model was not verified with other datasets, such as the UNSW-NB15

Dataset: NSL-KDD UNSW-NB15 data sets
Models: A CBL (hybrid of CNN and BiLSTM) DDQN Model Based on Improved Double Deep Q Network
Performance: UNSW NB15 detection results using this paper's model has an overall identification accuracy rate of 90.12%, recall of 95. and a precision of 89. NSL-KDD dataset with precision at 96%, recall at 99.97%, and precision at 99.
Limitations: It performs poorly as its counterparts - Random Forest, SVM, and MLP Classification Prediction.

Dataset: NSL-KDD Dataset
Models: A bidirectional long short-term memory (Bi-LSTM) network and an attention mechanism combined into a intrusion detection (DLNID)
Performance: Accuracy of 90.73% and F1 score
Limitations: Did not apply to an network capture module to implement an online

Dataset: CICIDS2017
Models: A hybrid NIDS model combining both the use of an ADNIDS detection, integrated with an SNIDS to identify known cyber-attacks based on their
Performance: The Decision Tree could recognize normal network traffic with up to 99.9% accuracy and a very low false alarm rate.
Limitations: The work does not address the problem of detecting novel attacks.

Dataset: KDD CUP99
Models: Network Intrusion Detection Using Stacked NDAE and SVM Classification in a Non-Symmetric Deep AutoEncoder Algorithm
Performance: The overall Accuracy of 99. a Precision of 99.99%, a Recall of 85%, and an F1-score of
Limitations: There is no mention of how the model performs on novel threats and its response to zero-day

METHODOLOGY

The research framework for developing a hostile traffic detection system is shown in Figure 2. A typical research process is depicted in the conceptual framework diagram for this study. An extensive literature review on utilising hybridised models informs this framework. The stages for the development of a model include data acquisition, data preprocessing, hybridisation, training, validation, and finally testing. Each step is explained in the following sub-sections.

Data Acquisition

After the problem definition phase, the next step is collating and collecting the required data.
Relevant training and testing data are needed to train the machine learning model using hybridised models.

Figure 2. The Research Conceptual Framework

The dataset was retrieved from the Canadian Institute of Cybersecurity, which hosts many other datasets, including IoT, DNS, IDS, Malware, Operational Technology, ISCX, and others. The dataset used in this work is the CICIDS2017 dataset, one of the IDS datasets. It was created in simulated and flow-based environments and was grouped to contain attacks in the following categories: DoS, DDoS, Web Attacks, Botnet, Brute force, and PortScan attacks.

2 Data Preprocessing and Feature Extraction

After obtaining the datasets, pre-processing and feature extraction are the subsequent phases. Data preprocessing makes the data suitable for carrying out model training. The following preprocessing activities were carried out for the datasets: data cleaning and normalisation. In the data cleaning stage, we collated and concatenated the CICIDS2017 data files. The CICIDS2017 dataset has eight CSV files containing various attack scenarios recorded during the simulation. The columns required for the model training were chosen based on performance, and the rows with missing values were removed. The attacks with insufficient samples were dropped, various DoS attack types were grouped into a single "dos" label, and various brute-force attack types were grouped into a single "brute force" label. The various web attack types were grouped into a single "web_attack" label, and the data was merged along the same axis. The combined data summary is shown in Table 2, and the feature summary is in Table 3. In the subsequent step, the data was normalised by rescaling the values to between 0 and 1 with the Min-Max Scaler normalisation function to avoid lowering the model's performance. After that, the dataset was divided into three sets: 70% of the data for training, 20% for validation, and 10% for testing.

Table 2.
An Overview of the 2017 CICIDS Dataset
Columns: S/N; Traffic Label; Number of Records
Traffic labels: Normal, DDoS, Web Attack, Botnet, Brute force, Portscan, DoS

Table 3. The CICIDS 2017 Dataset's features
Columns: S/N; Feature Name
Feature names: Duration, Source Port, Destination Port, Protocol (TCP, UDP, ICMP, IGMP), Packets, Bytes, Urgent Flag, Acknowledge Flag, Push Flag, Reset Flag, Finish Flag, Attack Label

3 Model Configuration, Training, Validation, and Model Selection

The two machine learning models used for this research are Recurrent Neural Network (RNN) and Random Forest (RF). It is paramount that relevant, specific parameters are used; the parameters set during model configuration are shown in Table 4. In this research, a hybrid approach combining RNN and RF for Network Intrusion Detection Systems (NIDS) was implemented. This hybrid approach leverages the temporal modelling strength of RNNs and the classification strength of Random Forests. The reason for combining the RNN and RF is that RNN has the ability to learn temporal patterns (e.g., how a session evolves over time), and RF excels at classifying based on structured features (e.g., flow Their combination yields a stronger and more accurate detection model, especially for advanced and stealthy attacks.

Description of Models for Hybridisation

The models selected to be hybridised for the detection of network intrusions, based on their impact in other literature, are Recurrent Neural Networks (RNN) and Random Forest (RF).

Table 4. Configurational Parameters
Columns: S/N; Parameters; Value
Batch Size
Number of Features
Metrics Used: Accuracy, Precision, True Positive Rate or Recall, False Positive Rate, False Negative Rate
Epochs
Activation Function: ReLU
Loss Function: Categorical Cross-Entropy
Optimizer: 'adam'
Number of units in the RNN layer
Number of units in the dense layer
Number of Estimators for Random Forest

Recurrent Neural Networks (RNN)

A neural network in which the input for the current step is provided by the output of the preceding step. In machine learning, inputs and outputs have historically been independent of one another, making it challenging to predict a future state from a prior one. However, RNN was developed with a "hidden state" feature that aids in the memory of sequence information. In contemporary machine learning, diverse techniques are employed to manage various data types. One particularly challenging data type to handle and predict is sequential data. Unlike typical datasets where features are assumed to be order-independent, sequential data has inherent order dependencies that must be preserved and understood. Recurrent Neural Networks (RNNs) were developed to manage such data.

An RNN comprises units with fixed activation functions, one for each time step in the sequence. Each unit maintains an internal state, known as the hidden state, which embodies the information about the past sequence the network has processed up to that point. This hidden state is continually updated at each time step, reflecting the evolving knowledge of the network regarding the sequence. This mechanism enables RNNs to leverage historical information to predict future data points in the sequence. Furthermore, RNNs employ a training method called Back-Propagation Through Time (BPTT), an extension of the standard back-propagation algorithm. BPTT adjusts the network's weights based on the errors propagated backwards through time, allowing the network to learn from past data points effectively. This training approach is crucial for the network to accurately capture and utilise the temporal dependencies inherent in sequential data. Figure 3 shows the Recurrent Neuron and Unfolding.

Figure 3. Recurrent Neuron and Unfolding

Random Forest (RF)

A Random Forest is an ML algorithm that leverages the collective power of an ensemble of decision trees. During training, it constructs a multitude of decision trees, each built on a random subset of data points and using a random selection of features for splitting decisions. Each tree uses a selection of data points generated at random and features to make predictions. This randomness helps prevent the trees from becoming too focused on specific details in the training data, improving their ability to handle new, unseen data. This element of randomness injects diversity into the forest, impeding any single feature from dominating the learning process and potentially introducing bias. Furthermore, to enhance this diversification, a second layer of randomness is introduced at each node within the trees. Here, a subset of features is randomly selected as candidates for splitting the data. This dual approach using random data subsets and random feature subsets fosters a collection of trees with unique decision-making capabilities, ultimately strengthening the overall model's robustness. Figure 4 shows the Random Forest Model Working algorithm.

Figure 4. Random Forest Model Working

Performance Evaluation Metrics

Key performance indicators such as Accuracy, Precision, True Positive Rate (TPR), True Negative Rate (TNR), False Positive Rate (FPR), False Negative Rate (FNR), and F1-Score are used to assess the model's performance and offer more context for its operation after it has been trained and validated, as presented in Equations 1-6.

$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}$$

$$\text{Precision} = \frac{TP}{TP + FP}$$

$$\text{F1 Score} = \frac{2 \times \text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}}$$

$$TPR = \frac{TP}{TP + FN}$$

$$TNR = \frac{TN}{FP + TN}$$

TP represents True Positive, TN represents True Negative, FP represents False Positive, and FN represents False Negative.
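The cleaning, label grouping, Min-Max scaling and 70/20/10 split described under Data Preprocessing and Feature Extraction can be sketched as follows. This is an added example, not the authors' code: the raw label spellings, the `min_samples` threshold, the per-class (stratified) split and the flow records are assumptions, and the scaler is fitted on the training split only, a choice made here so that validation and test statistics do not influence training.

```python
import math
import random
from collections import Counter, defaultdict

# Assumed raw label spellings; the paper only names the grouped labels.
GROUPS = (("benign", "normal"), ("dos ", "dos"), ("ftp-patator", "brute force"),
          ("ssh-patator", "brute force"), ("web attack", "web_attack"))

def consolidate_label(raw):
    """Map a raw label to the grouped label ("dos", "brute force", "web_attack")."""
    low = raw.strip().lower()
    for prefix, grouped in GROUPS:
        if low.startswith(prefix):
            return grouped
    return low

def clean(rows, min_samples):
    """Drop rows with missing or non-finite features, then under-sampled classes."""
    kept = []
    for features, raw_label in rows:
        if any(v is None or not math.isfinite(v) for v in features):
            continue
        kept.append((list(features), consolidate_label(raw_label)))
    counts = Counter(label for _, label in kept)
    return [(f, label) for f, label in kept if counts[label] >= min_samples]

def stratified_split(rows, train=0.7, val=0.2, seed=0):
    """Split each class 70/20/10 so rare attack classes reach every split."""
    by_label = defaultdict(list)
    for row in rows:
        by_label[row[1]].append(row)
    rng = random.Random(seed)
    parts = ([], [], [])
    for label in sorted(by_label):
        group = by_label[label]
        rng.shuffle(group)
        n_train = round(len(group) * train)
        n_val = round(len(group) * val)
        parts[0].extend(group[:n_train])
        parts[1].extend(group[n_train:n_train + n_val])
        parts[2].extend(group[n_train + n_val:])
    return parts

def fit_min_max(train_rows):
    """Per-feature minimum and maximum, taken from the training split only."""
    columns = list(zip(*(features for features, _ in train_rows)))
    return [min(c) for c in columns], [max(c) for c in columns]

def scale(rows, mins, maxs):
    """Min-Max scale to [0, 1]; values outside the training range are clipped."""
    scaled = []
    for features, label in rows:
        out = []
        for v, lo, hi in zip(features, mins, maxs):
            x = 0.0 if hi == lo else (v - lo) / (hi - lo)
            out.append(min(1.0, max(0.0, x)))
        scaled.append((out, label))
    return scaled

def prepare(rows, min_samples=5, seed=0):
    """Full pipeline: clean, group labels, split, then scale with training statistics."""
    train, val, test = stratified_split(clean(rows, min_samples), seed=seed)
    mins, maxs = fit_min_max(train)
    return tuple(scale(part, mins, maxs) for part in (train, val, test))

def build_sample():
    """Constructed flow records: ([duration, packets, bytes], raw label)."""
    spec = [("BENIGN", 20), ("DoS Hulk", 10), ("DoS GoldenEye", 10),
            ("PortScan", 10), ("Heartbleed", 2)]
    rows = []
    for raw, n in spec:
        for i in range(n):
            rows.append(([0.5 * i, 3.0 + i, 120.0 * (i + 1)], raw))
    rows.append(([1.0, float("inf"), 60.0], "BENIGN"))  # non-finite value
    rows.append(([None, 4.0, 80.0], "PortScan"))        # missing value
    return rows

if __name__ == "__main__":
    for name, part in zip(("train", "val", "test"), prepare(build_sample())):
        print(name, len(part), sorted(Counter(label for _, label in part).items()))
```
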
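The metrics defined above apply to a multiclass IDS one class at a time (one-vs-rest), which is how per-class rows and macro and weighted averages are obtained from a confusion matrix. The following is an added example, not the authors' code; the class subset and the counts in `CM` are constructed for illustration and are not the paper's results. It also computes FPR = FP/(FP + TN) and FNR = FN/(FN + TP), the complements of TNR and TPR.

```python
"""One-vs-rest IDS metrics from a multiclass confusion matrix."""

LABELS = ["Normal", "DoS", "PortScan", "Web Attack"]

# Constructed counts, not the paper's results.
# Rows are the true class, columns the predicted class.
CM = [
    [960, 20, 15, 5],
    [30, 160, 10, 0],
    [10, 0, 90, 0],
    [12, 0, 0, 8],
]

def ratio(num, den):
    """Safe division: a class with no samples or no predictions scores 0."""
    return num / den if den else 0.0

def accuracy(cm):
    """Share of all samples that sit on the diagonal."""
    total = sum(sum(row) for row in cm)
    return ratio(sum(cm[k][k] for k in range(len(cm))), total)

def per_class_metrics(cm, labels):
    """Treat each class in turn as 'positive' and all others as 'negative'."""
    total = sum(sum(row) for row in cm)
    report = {}
    for k, label in enumerate(labels):
        tp = cm[k][k]
        fn = sum(cm[k]) - tp                  # true class k, predicted as another
        fp = sum(row[k] for row in cm) - tp   # other class, predicted as k
        tn = total - tp - fn - fp
        precision = ratio(tp, tp + fp)
        recall = ratio(tp, tp + fn)           # recall is the TPR
        report[label] = {
            "support": tp + fn,
            "precision": precision,
            "recall": recall,
            "f1": ratio(2 * precision * recall, precision + recall),
            "tnr": ratio(tn, tn + fp),
            "fpr": ratio(fp, fp + tn),
            "fnr": ratio(fn, fn + tp),
        }
    return report

def averages(report, key):
    """Return (macro, weighted) averages of one metric across classes."""
    support = sum(m["support"] for m in report.values())
    macro = sum(m[key] for m in report.values()) / len(report)
    weighted = sum(m[key] * m["support"] for m in report.values()) / support
    return macro, weighted

if __name__ == "__main__":
    report = per_class_metrics(CM, LABELS)
    print(f"accuracy = {accuracy(CM):.4f}")
    for label, m in report.items():
        print(f"{label:<11} recall={m['recall']:.3f} fpr={m['fpr']:.4f} "
              f"fnr={m['fnr']:.3f} f1={m['f1']:.3f}")
    print("recall (macro, weighted) = %.3f, %.3f" % averages(report, "recall"))
```

In this constructed matrix the weighted recall equals the overall accuracy and stays above 92% even though the rare Web Attack class has a 60% false negative rate, so per-class FNR should be reviewed alongside any weighted figure.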
RESULTS AND DISCUSSION

Table 5 shows the model's training performance result and Table 6 shows the interpretation of the result for the above experimental setup. The result of the hybridised intrusion detection system (IDS) experiment demonstrated impressive performance across the training, validation, and testing phases. The system achieved a remarkable training accuracy of 99.76%, indicating its capability to effectively learn and model the patterns within the training data. In the validation phase, the IDS maintained a high accuracy of 96.14%, showcasing the potential of the model to adapt to novel threats.

A tabular representation of the performance of a machine-learning model, specifically on a set of test data, is called a confusion matrix. In essence, it divides the examples into these four categories so that accurate and inaccurate predictions may be distinguished easily. This tool is particularly valuable for evaluating the effectiveness of classification models, which are designed to predict categorical labels for each input instance. By offering a comprehensive view of prediction results, the confusion matrix aids in identifying specific areas where the model excels or needs improvement, thus serving as a crucial metric for model assessment and refinement. Figure 5 shows the multiclassification for the hybridised model's confusion matrix for all labels.

Figure 5. Multiclassification for Hybridised Model's Confusion Matrix for all Labels

Table 5. Report on Classification from Hybridised Model Testing
Hybridised RNN and Random Forest
Columns: Precision; Recall; F1-Score; True Negative Rate (TNR); False Positive Rate (FPR); False Negative Rate (FNR)
Rows: Normal, DoS, PortScan, Web Attack, Botnet, DDoS, BruteForce, Macro Average, Weighted Average

Similarly, the testing phase yielded an accuracy of 96.08%, in contrast to other works as shown in Table 7, further affirming the system's robustness and reliability in detecting and classifying various types of network These results highlight the efficacy of combining Recurrent Neural Networks (RNN) for feature extraction with Random Forest classifiers for intrusion detection

Table 6. Interpretations of classification from Hybridised Model Testing
Columns: Class; Total Samples; Correctly Predicted; Main Misclassifications; Issues
Normal: Very High; 220,674; Portscan, Bot; Minor false positives
DoS: 12,793; 10,414; Normal, Bot; 19% false negatives
Portscan: 15,893; 14,061; Normal; 11% false negatives
DDoS: Normal; High false negative
Web Attack: 218; Normal; Critical detection failure
Bruteforce: 1,384; Normal, Bot; Moderate errors
Bot: 22,299; Normal, DoS; Good, but some overlap; 25,266

Table 7. Comparison with other works
Columns: S/N; Authors; Machine Learning Technique; Number of Datasets Used; Results
Ours: Hybridised Model of RNN and RF; Precision: 96. Accuracy: 96. F1-Score: 96. TPR: 96. TNR: 97. FPR: 1. FNR: 3.
BiLSTM; Precision: 86. Accuracy: 90. F1-Score: 89. TPR: 93.
DNN and LSTM-RNN; Accuracy: 98. F1 Score: 98. FPR: 2.
OC-SVM and Supervised Random Forest; Accuracy: 95. Recall: 99. FPR: 0. FNR: 7.

CONCLUSION

The achievements of this research are significant. The hybrid model demonstrated an impressive accuracy of 96.08% during testing, showcasing its ability to classify most network traffic instances correctly. With precision and recall at 96.0%, the model effectively minimised false positives and false negatives, achieving a balance crucial for reducing unnecessary alerts and ensuring that actual threats are not overlooked. The F1 score agrees with this at 96.0%, indicating that the model effectively handled the trade-off between precision and recall. In addition, the model maintained low FPR and FNR, 1.4% and 3.
respectively, meaning the system was reliable and trustworthy. The model also achieved high sensitivity and specificity with a TPR of 96.0% and a TNR of 97. The hybrid model combined RNNs and Random Forests, leveraging the sequential data processing strengths of RNNs and the robust classification capabilities of Random Forests. The Random Forest model successfully classified the features that the RNN model had extracted from the data. The system is flexible and all-encompassing because it was trained to identify several network attacks, such as DoS, DDoS, BruteForce, PortScan, Bot, and Web attacks.

There are also some limitations to this model's performance, including the fact that the model is highly dependent on the quality and quantity of the training data, and limited datasets can restrict the model's generalizability. While effective, the hybrid model can be computationally intensive and require significant training and real-time deployment resources. Although minimised, false positives and negatives indicate room for improvement in the model's detection capabilities. Future implementations should aim to collect more diverse and high-quality datasets to improve the model's generalizability. Integrating real-time data processing capabilities will enable the system to respond immediately to ongoing threats. Ensuring that the infrastructure supporting the NIDS is scalable to handle high volumes of network traffic without compromising performance is also crucial, along with seamless integration with existing security infrastructure to provide a cohesive defence mechanism.

ACKNOWLEDGEMENTS

The authors acknowledge the Covenant University Centre for Research, Innovation, and Discovery (CUCRID), Ota, Ogun State, Nigeria.

REFERENCES