DUAL-CHANNEL INTELLIGENT NETWORK INTRUSION DETECTION SYSTEM BASED ON DEEP LEARNING

Abstract

The article proposes a dual-channel intelligent system for detecting network intrusions based on a hybrid deep learning architecture and an active honeypot mechanism. The system treats intrusion detection as a classification problem with two independent sources of evidence: a network traffic analysis subsystem and a behavioral honeypot subsystem, whose results are aggregated into a unified conclusion about the network state. The traffic analysis subsystem is implemented as an ensemble of two parallel channels: a CNN+LSTM neural network that captures complex temporal dependencies in network flow sequences, and a Random Forest algorithm that ensures stable classification of isolated anomalies. The final probability vector is formed as a weighted combination of the outputs from both channels. The honeypot subsystem generates a scalar threat confidence signal based on the state of deployed honeypot agents in the network and asymmetrically adjusts the classifier results: a honeypot trigger significantly increases the probabilities of attack classes, while its absence introduces only a minor corrective effect. The input feature space is formed from aggregated network flow data based on the NetFlow, sFlow, and IPFIX protocols. Recursive feature elimination based on Random Forest, combined with Spearman correlation analysis, is used to select the most informative attributes. The system was trained and tested on the CIC-IDS-2017 dataset. The obtained results showed that the proposed hybrid system achieved an accuracy of 99%, as well as precision and recall of 98%, outperforming the standalone CNN+LSTM (97%) and Random Forest (96%) models. It was established that integrating the honeypot subsystem signal enables the escalation of hidden threats initially classified as uncertain by the traffic classifier and significantly reduces the number of false negatives in cases of targeted attacks on internal network segments.