Hybrid intrusion detection and signature generation using Deep Recurrent Neural Networks


Automated signature generation for Intrusion Detection Systems (IDSs) for proactive security of networks is a promising area of research. An IDS monitors a system or activities of a network for detecting any policy violations or malicious actions and produces reports to the management system. Numerous solutions have been proposed by various researchers so far for intrusion detection in networks. However, the need to efficiently identifying any intrusion in the network is on the rise as the network attacks are increasing exponentially. This research work proposes a deep learning-based system for hybrid intrusion detection and signature generation of unknown web attacks referred as D-Sign. D-Sign is capable of successfully detecting and generating attack signatures with high accuracy, sensitivity and specificity. It has been for attack detection and signature generation of web-based attacks. D-Sign has reported significantly low False Positives and False Negatives. The experimental results demonstrated that the proposed system identifies the attacks proactively than other state-of-the-art approaches and generates signatures effectively thereby causing minimum damage due to network attacks.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14


  1. 1.

    Kaur S, Singh M (2013) Automatic attack signature generation systems: a review. IEEE Secur Priv 11(6):54–61

    Article  Google Scholar 

  2. 2.

    Kreibich C, Crowcroft J (2004) Honeycomb: creating intrusion detection signatures using honeypots. ACM SIGCOMM Comput Commun Rev 34(1):51–56

    Article  Google Scholar 

  3. 3.

    Kim HA, Karp B (2004) Autograph: toward automated, distributed worm signature detection. In: 13th usenix security symposium (Security 2004), San Diego, CA, pp 271–286

  4. 4.

    Singh S, Eitan C, Varghese G, Savage S (2004) Automated worm fingerprinting. In: 6th conference on symposium on operating systems design and implementation (OSDI). USENIX Association, Berkeley, CA, USA, pp 45–60

  5. 5.

    Singh S, Estan C, Varghese G, Savage S (2003) Earlybird system for real-time detection of unknown worms. Department of Computer Science and Engineering, University of California, San Diego

    Google Scholar 

  6. 6.

    Wang K, Stolfo SJ (2004) Anomalous payload-based network intrusion detection. In: Jonsson E, Valdes A, Almgren M (eds) Recent advances in intrusion detection, vol 3224. Springer, Berlin, Heidelberg, pp 203–222

    Google Scholar 

  7. 7.

    Liang Z, Sekar R (2005) Automatic generation of buffer overflow attack signatures: an approach based on program behavior models. In: 21st annual computer security applications conference, Tucson, Arizona, USA, pp 1–10

  8. 8.

    Newsome J, Karp B, Song D (2005) Polygraph: automatically generating signatures for polymorphic worm. In: IEEE symposium on security and privacy. IEEE Press, Oakland, pp 226–241

  9. 9.

    Yegneswaran V, Giffin JT, Barford P, Jha S (2005) An architecture for generating semantic aware signatures. In: USENIX security symposium, pp 97–112

  10. 10.

    Tang Y, Chen S (2005) Defending against internet worms: a signature based approach. In: IEEE INFOCOM’2005. IEEE Press, Miami, pp 1384–1394

  11. 11.

    Costa M, Crowcroft J, Castro M, Rowstron A, Zhou L, Zhang L, Barham P (2005) Vigilante: end-to-end containment of Internet worms. In: 20th ACM symposium on operating systems principles (SOSP’05), New York, USA, pp 133–147

  12. 12.

    Portokalidis G, Slowinska A, Bos H (2006) Argos: an emulator for fingerprinting zero-day attack. In: International conference of ACM SIGOPS EUROSYS, Leuven, Belgium, pp 15–28

  13. 13.

    Li Z, Sanghi M, Chen Y, Kao M, Chavez B (2006) Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience. In: IEEE symposium on security and privacy (S&P’06). IEEE Computer Society, Washington, pp 32–47

  14. 14.

    Mohammed MMZE, Chan HA, Ventura N (2008) Honeycyber: automated signature generation for zero-day polymorphic worms. In: IEEE military communications conference (MILCOM), San Diego, CA, pp 1–6

  15. 15.

    Portokalidis G, Bos H (2008) Eudaemon: involuntary and on-demand emulation against zero-day exploit. In: 3rd international conference on ACM SIGOPS/EuroSys European conference on computer systems, New York, USA, pp 287–299

  16. 16.

    Griffin K, Schneider S, Hu X, Chiueh T (2009) Automatic generation of string signatures for malware detection. In: 12th international symposium on recent advances in intrusion detection. Springer, Berlin, pp 101–120

  17. 17.

    Kim I, Kim D, Choi Y, Kang K, Oh J, Jang J (2009) Validation methods of suspicious network flows for unknown attack detection. Int J Comput 3(1):104–114

    Google Scholar 

  18. 18.

    Werner T, Fuchs C, Gerhards-Padilla E, Martini P (2009) Nebula-generating syntactical network intrusion signatures. In: 2009 4th international conference on malicious and unwanted software (MALWARE). IEEE, pp 31–38

  19. 19.

    Tahan G, Glezer C, Elovici Y, Rokach L (2010) Auto-Sign: an automatic signature generator for high-speed malware filtering devices. J Comput Virol 6(2):91–103

    Article  Google Scholar 

  20. 20.

    Shabtai A, Menahem E, Elovici Y (2011) F-sign: automatic, function-based signature generation for malware. IEEE Trans Syst Man Cybern Part C Appl Rev 41(4):494–508

    Article  Google Scholar 

  21. 21.

    Maimó LF, Gómez ÁLP, Clemente FJG, Pérez MG, Pérez GM (2018) A self-adaptive deep learning-based system for anomaly detection in 5G networks. IEEE Access 6:7700–7712

    Article  Google Scholar 

  22. 22.

    Wang W, Sheng Y, Wang J, Zeng X, Ye X, Huang Y, Zhu M (2018) HAST-IDS: learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection. IEEE Access 6:1792–1806

    Article  Google Scholar 

  23. 23.

    Yin C, Zhu Y, Fei J, He X (2017) A deep learning approach for intrusion detection using recurrent neural networks. IEEE Access 5:21954–21961

    Article  Google Scholar 

  24. 24.

    Mohammadi S, Namadchian A (2017) A new deep learning approach for anomaly base IDS using memetic classifier. Int J Comput Commun Control 12(5):677–688

    Article  Google Scholar 

  25. 25.

    Yuan X, Li C, Li X (2017) DeepDefense: identifying DDoS attack via deep learning. In: 2017 IEEE international conference on smartcomputing (SMARTCOMP). IEEE, pp 1–8

  26. 26.

    Azzouni A, Pujolle G (2017) A long short-term memory recurrent neural network framework for network traffic matrix prediction. arXiv preprint arXiv:1705.05690

  27. 27.

    Kim J, Shin N, Jo SY, Kim SH (2017) Method of intrusion detection using deep neural network. In: 2017 IEEE international conference on big data and smart computing (BigComp). IEEE, pp 313–316

  28. 28.

    Tang TA, Mhamdi L, McLernon D, Zaidi SAR, Ghogho M (2016) Deep learning approach for network intrusion detection in software defined networking. In: 2016 international conference on wireless networks and mobile communications (WINCOM). IEEE, pp 258–263

  29. 29.

    Sheikhan M, Jadidi Z, Farrokhi A (2012) Intrusion detection using reduced-size RNN based on feature grouping. Neural Comput Appl 21(6):1185–1190

    Article  Google Scholar 

  30. 30.

    Ma T, Wang F, Cheng J, Yu Y, Chen X (2016) A hybrid spectral clustering and deep neural network ensemble algorithm for intrusion detection in sensor networks. Sensors 16(10):1701

    Article  Google Scholar 

  31. 31.

    Shahriar H, Bond W (2017) Towards an attack signature generation framework for intrusion detection systems. In: Dependable, autonomic and securecomputing, 5th international conference on pervasive intelligence and computing, 3rd international conference on bigdata intelligence and computing and cyber science and technology congress(DASC/PiCom/DataCom/CyberSciTech), 2017 IEEE 15th international. IEEE, pp 597–603

  32. 32.

    Choi S, Lee J, Choi Y, Kim J, Kim I (2016) Hierarchical network signature clustering and generation. In: 2016 international conference on information and communication technology convergence (ICTC). IEEE, pp 1191–1193

  33. 33.

    Lee S, Kim S, Lee S, Yoon H, Lee D, Choi J, Lee JR (2016) LARGen: automatic signature generation for Malwares using latent Dirichlet allocation. IEEE Trans Depend Secure Comput 15(5):771–783

    Article  Google Scholar 

  34. 34.

    Wang Y, Xiang Y, Zhou W, Yu S (2012) Generating regular expression signatures for network traffic classification in trusted network management. J Netw Comput Appl 35(3):992–1000

    Article  Google Scholar 

  35. 35.

    Gallagher B, Eliassi-Rad T (2008) Classification of HTTP attacks: a study on the ECML/PKDD 2007 discovery challenge. In: Center for Advanced Signal and Image Sciences (CASIS) workshop, pp 1–8

  36. 36.

    Open Web Application Security Project (OWASP) Top 10 (2017). https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project. Accessed 15 Jul 2018

  37. 37.

    Ukkonen E (1995) On-line construction of suffix trees. Algorithmica 14(3):249–260

    MathSciNet  Article  Google Scholar 

Download references

Author information



Corresponding author

Correspondence to Sanmeet Kaur.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Kaur, S., Singh, M. Hybrid intrusion detection and signature generation using Deep Recurrent Neural Networks. Neural Comput & Applic 32, 7859–7877 (2020). https://doi.org/10.1007/s00521-019-04187-9

Download citation


  • Deep learning
  • Intrusion Detection System
  • LSTM
  • Attack detection
  • Signature generation
  • Machine learning
  • Web attacks
  • Zero-day attack