From University Research to Production: Network Intrusion Detection with ML

The Research Question

Can deep learning outperform traditional machine learning for network intrusion detection? And if so, by how much?

This was the core question driving my research at the University of Florida. Traditional signature-based IDS systems miss zero-day exploits, and the volume of modern network traffic — millions of packets per second — makes manual analysis impossible. Security operations centers need AI that classifies traffic in real-time. This research later informed my work on Phantom, the cybersecurity automation framework deployed for India’s Ministry of Defence.

The Benchmarking Framework

The network intrusion detection benchmarking framework compares 8 distinct ML/DL algorithms — including Autoencoders, LSTM, MLP, KNN, LDA, QDA, and Linear/Quadratic SVM — enabling head-to-head comparison across binary and multi-class classification tasks on the NSL-KDD dataset.

Deep Learning Models

• Autoencoder — unsupervised feature learning for anomaly detection. The model learns to reconstruct “normal” traffic; anything it cannot reconstruct well is flagged as anomalous.
• LSTM — recurrent network capturing temporal sequential patterns in network flows. Particularly effective at detecting slow, distributed attacks that unfold over time.
• MLP/DNN — deep feedforward network for high-dimensional feature classification. The workhorse of the ensemble.

Traditional ML Models

• K-Nearest Neighbors (KNN) — instance-based learning providing interpretable baselines
• Linear Discriminant Analysis (LDA) — statistical classification with strong mathematical guarantees
• Quadratic Discriminant Analysis (QDA) — non-linear decision boundaries for complex separations
• Support Vector Machines (Linear and Quadratic) — kernel methods for maximum-margin classification

The Dataset: NSL-KDD

NSL-KDD is a curated network intrusion detection benchmark containing 125,973 training records with 41 network traffic features, published by the Canadian Institute for Cybersecurity, and is the de facto standard for evaluating ML-based intrusion detection systems. It classifies traffic into:

• Normal — legitimate network activity
• DoS — Denial of Service attacks
• Probe — surveillance and reconnaissance
• R2L — Remote-to-Local unauthorized access
• U2R — User-to-Root privilege escalation

Results: Deep Learning Wins, But Not Always

The Practical Takeaway

The LSTM model’s ability to capture temporal patterns made it the best choice for detecting distributed attacks — the kind that unfold over minutes or hours across multiple network sessions. But for real-time inline monitoring where latency matters more than catching every slow attack, the MLP offered the best speed-accuracy tradeoff.

From Research to Kitsune

This research directly informed my implementation of Kitsune-py — an online unsupervised NIDS using ensemble autoencoders. Where this project compared models offline, Kitsune operates in real-time on live network traffic without any labeled training data.

The progression from academic benchmarking to production-ready detection is the bridge that most ML research never crosses. Building both sides gave me a perspective that pure researchers or pure engineers rarely have.

Research conducted at the University of Florida, Department of Computer Science. Based on the NSL-KDD benchmark framework referenced in IEEE Neurocomputing (2019).

Explore More:

• View the Network Intrusion Detection Case Study — full project narrative
• View the Kitsune-py Case Study — the unsupervised NIDS that this research informed
• Read about building Phantom for defence — applying ML to real-world cybersecurity
• See my cybersecurity certifications — CCNA, EC-Council, ISO 27001, and more