International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 12 Issue: 10 | Oct 2025 www.irjet.net p-ISSN: 2395-0072
Attention Mechanism in CNN-LSTM for Improved Cloud Intrusion Detection
Neethu B1 , Dr. Sheena Mathew2
1Research Scholar, School of Engineering, CUSAT, Kerala, India 2Professor, School of Engineering, CUSAT, Kerala, India
Abstract - Cloud computing becomes backbone of today’s digital ecosystembyofferingscalable,flexibleandcostefficient computing resources to users. But, this rapid development has also increased its exposure to sophisticated cyber-attacks. Though Intrusion Detection Systems (IDS) can offer a critical line of defense, but existing solutions often fails to distinguish between normal fluctuations and actual malicious behavior, leadingtoreduceddetectionaccuracyand higher false alarm rates.[1]. Traditional machine learning models depends mainly on manually framed features, while deep learning techniques such as CNN and LSTM, though they are more superior, still lack the ability to selectively focus on the most relevant features.
This paper presents an Attention-Enhanced CNN-LSTM framework for cloudintrusiondetection. The CNNcomponent extracts spatial traffic patterns, the LSTM captures temporal dependencies, and the attention layer highlights the most critical features influencing model decisions. Experiments are conducted on NSL-KDD and CICIDS2017 datasets which are popularly used. The experiments demonstrate that the proposed framework achieves higher detection accuracy, lower false alarm rates,andgreaterinterpretabilitycompared to conventional CNN-LSTM models. These findings show that integrating attention mechanisms into deep hybrid architectures is a promising direction toward reliable, realtime, and explainable cloud security systems.
Key Words: Cloud Computing, Deep Learning, Cloud Security, CNN, LSTM, Attention Mechanism, Intrusion Detection.
1. INTRODUCTION
NowadaysCloudcomputinghasemergedasatechnology thatisundergoingcontinuousrevolutionsintoday’sworld acrossindustriesbyofferingscalableandon-demandaccess tothecomputingresources.Cloudisnowsupportingwide rangeofserviceswhichincludesstoringpersonaldataand enterpriseshostingapplications.However,itisexposedtoa growing number of security threats like Denial of Service(DDoS) attacks, insider attacks and zero-day vulnerabilitiesduetoitsopenanddistributednature.
Aconventionalsignature-basedintrusiondetectionsystem are efficient in detecting known attack patterns but often failstoidentifynewevolvingattacks.Butanomaly-detection
systems,thoughitiscapableofdetectingunknownattacks, but it often generates excessive false alarm rates due to dynamicbehaviorofcloudenvironments.Sotoreducethis disadvantagesmachinelearninganddeeplearningmodels are considered to build adaptive and intelligent intrusion detectionsystems.
MachineLearningalgorithmslikeSupportVectorMachines, RandomForestandk-nearestalgorithmshasshownbetter performance but these models rely on manual feature selection and it cannot quickly adapt to complex traffic patterns in cloud. Deep Learning models in contrast successfully extract meaningful features from raw traffic data. Convolutional Neural Network (CNN) can effectively identifyspatialrelationshipswhileLongShortTermMemory (LSTM)capturestemporal dependenciesacross thetraffic sequences.WhenthesetwomodelsarecombinedCNN-LSTM hybridmodelsoffersmorecomprehensivefeaturelearning.
Oneofthemajorlimitationswithallthesemodelsaremost models treats all features uniformly. This will lead to suboptimalperformanceespeciallywhenthereisnoisyor overlappingtrafficpatternsareavailable.Foraddressingthis disadvantage,attentionmechanismshavebeenintroduced whichallowsmodelstofocusonmostimportantfeaturesor timestepssoastoimproveprecisionandinterpretabilityof thecloudsecurityapplications.
Themaincontributionsofthispaperare:
• AnovelCNN-LSTM-Attentionarchitecturedesigned specificallyforcloudintrusiondetection.
• Evaluationofthemodelusingbenchmarkdatasets (NSL-KDDandCICIDS2017)toassessdetectionaccuracyand falsealarmrate.
• A comparative performance study against CNN, LSTM,andCNN-LSTMbaselines.
Inshort,thispaperdemonstrateshowintegratingattention mechanisms within hybrid deep learning models can enhance both the performanceand explainabilityof cloud intrusiondetectionsystems.
Finally, complete content and organizational editing before formatting. Please take note of the following items whenproofreadingspellingandgrammar:
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 12 Issue: 10 | Oct 2025 www.irjet.net p-ISSN: 2395-0072
2. RELATED WORKS
Thesuddenexpansionofcloudcomputinghasattracted many sophisticated cyber-attacks also, which forces the researcherstodevelopmoreintelligentintrusiondetection systems. Signature based systems depends on pre-defined rulesandpatterns,soitisnotcapableofdetectingemerging and evolving trends[1][5] Thisconstraints encouraged to usedeeplearningmethodssuchasCNN,RNNandLSTMfor anomalydetectionincloudenvironments[3][4].
CNN-based approaches shows high performance in identifyingspatialcorrelationsindata.Wuetal.[1]proposed a CNN-based intrusion detection system which enhanced detection accuracy for DDoS and probing attacks. Tang et al.[2] proposed a lightweight CNN model for IoT-Cloud systems,achievingefficientreal-timedetection.Despiteofall theseadvantagesCNNislesscapableofdetectinglong-term dependenciesthatunfoldovertime.
LSTM–basedapproacheshaveabilitytohandlesequential data is used to model temporal dependencies in network traffic.Alshamranietal[3]proposedanLSTMbasedIntrusion detectionsystemthatcandetectlow-rateattacksbylearning long-termbehavioraltrends.AsanenhancementtothisKim etal[4]proposedsameideausingabidirectionalLSTMwhich improveddetectionratesacrossmultipleattackclasses.But LSTM basedsystems often struggle with high-dimensional trafficdataandlacksspatialcontext.
HybridCNN–LSTMmodelshavebeenwidelyrecognized toprovidebothtemporalandspatiallearning.Zhouetal[5] developed a CNN-LSTM hybrid model which has superior detectionratesagainstbrute-forceandDDoSattacks.Wanget al[6] proposed a hybrid model integrating Bi-LSTM which shows improvement in precision and recall on certain benchmark datasets like CICIDS2017 and UNSW-NB15. Howeverthesemodelsprocessallfeaturesuniformlydiluting thekeyattackindicators.
In order to overcome this researchers introduced attention modules to highlight significant temporal and spatial features. Lin et al.[7] proposed a system which includesattentionintoCNN-LSTMmodeltodetectbotnets and insider threats in edge-cloud networks , the results clearlyindicatesanimprovementinprecision.Zhaoetal.[8] proposed a system that uses temporal attention in LSTM based IDS which give significant attention to most critical timeintervals.ThisideaisfurtherextendedbyLietal.[9]to federatedlearningsetupswhichwillhelptomaintainhigh accuracywithoutcentralizingsensitivedata.
Withgrowingconcernsaboutdataprivacycombinationof federated learning and attention enhanced deep learning models has emerged as a viable solution. Xu et al.[10] proposedthatintegratingfederatedlearningtoCNN-LSTM models can achieve strong performance. Explainable AI
methods[11]canfurtherenhancetrusttovisualizeandjustify modeldecisions.
In summary though CNN and LSTM models are widely adoptedinintrusiondetectionattention-drivenmodelsoffer high performance, interpretability and scalability. But challengesstillremainintermsofreal-timeadaptabilityand computational efficiency which motivates the study to optimized attention-based CNN-LSTM modes for cloud environments.Donotuseabbreviationsinthetitleorheads unlesstheyareunavoidable.
3. PROPOSED METHODOLOGY
TheproposedsystemintroducesanAttention-DrivenCNNLSTMIntrusionDetectionFrameworktoenhanceaccuracy, interpretability and adaptability of IDS in cloud environments. This framework integrates three deep learningmodelslikeConvolutionalNeuralNetworks(CNN) for learning of spatial features, Long Short-term Memory (LSTM)networksformodelingthetemporalfeaturesandan attentionmechanismtofocusonmostcriticalfeaturesinthe cloudnetworktraffic.
Fig
-1:ProposedArchitecture
The orkflow of proposed system is shown in Fig-1.The architecture isdividedintofivemajorstages:
1. DataCollectionandPreprocessing
2. FeatureExtractionusingCNN
3. TemporalDependencyModelingusingLSTM
4. AttentionMechanismforFeatureWeighting
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 12 Issue: 10 | Oct 2025 www.irjet.net p-ISSN: 2395-0072
5. ClassificationLayerforAttackDetection
Each module contributes uniquely to enhance detection accuracy and reduce false positives, ensuring efficiency of the model to operate in high traffic and diverse cloud environments.
1. Data Collection and Preprocessing
Thismoduleplaysacrucialrolewhichincludescollectionof raw network data and preprocessing the raw data for effectivedeeplearning.Modelwastestedusingbenchmark datasets such as CICIDS2017, UNSW-NB15 and NSL-KDD whichiscontainingmixofbenignandattackflowsincluding DDoS,brute-force,infiltrationandbotnet.[6][10].
Thepreprocessinginvolvesseveralsteps:
1.1 Data Cleaning
Rawdatasetscontainsmissingvalues,inconsistentrecords or redundant entries. Cleaning of the data will remove incomplete rows and resolve anomalies to ensure highqualityinput.
1.2 Feature Normalization
Since network traffic vary in magnitude like packet size, duration,andbytecount.Min-maxnormalizationisapplied toensurethateachattributecontributesequallytomodel learningandrescalingallfeaturestoanuniformrange.
1.3 Categorical Encoding
Certainattributessuchasprotocol,type,connectionstate,or name are encoded using one-hot encoding which will convert textual categories to numeric form for model compatibility.
1.4 Sequence Construction
Traffic analysis requires temporal context so flows are groupedintofixed-lengthsequencesthatcancapturepacket behaviorovertime.ThisenablesLSTMcomponenttotern patternsthatevolveacrosstime.
Thepreprocessingmadethedata,structured,balancedand suitablehybriddeeplearningprocessing.
2. Spatial Feature Extraction using CNN
ThepreprocessedtrafficdataispassedtoCNNblockwhich is responsible for extracting spatial dependencies among features. Spatial relationships refer to patterns that exist betweenfeaturesetswithinasingletimeframe.
2.1 Convolutional Layers
Convolutionallayersapplyslidingfeaturestotheinputdata todetectlocalizedfeatureinteractions.Specificcombination
of port number, packet count and flag bit sequences may correspondtoattackpattern.
2.2
Activation and Pooling
Non-linear activation functions re used to introduce complexityforenablingthenetworktocapturenon-linear featurerelationships.Poolinglayerslikemax-poolingdown sample the output retaining the most critical information, reducingdimensionalityandcomputationtime.
Thisblockwillproduceafeaturemapasoutput.Thisfeature map captures spatial correlations within traffic samples which act as a foundation for temporal modeling in next stage.
3. Temporal Dependency Modeling using LSTM
Though CNN is excellent in spatial feature extraction, it cannotunderstandhowthesepatternschangeovertime.An LSTM network captures temporal dependencies across trafficdatafromtheCNNoutput.
LSTM network is designed to handle sequential data by preserving relevant information over long time periods, filtering out irrelevant context using memory cells and gating mechanisms. This is effective for detecting attacks that develop gradually like port scans, slow brute-force attempts,ormulti-stageintrusions
BidirectionalLSTMcanalsobeusedinthesameplacewhich will process the sequence both forward and backward so thatthemodeltolearndependenciesfrompastandfuture trafficstates.Thistypeofduallearningenhancesaccuracy forsmallandcomplexattacks.
TheoutputofLSTMblockisatemporalfeaturevectorthat describeshownetworkbehaviorchangesovertime,formsa deeperunderstandingofattackpatterns.
4. Attention Mechanism forFeature Weighting
ThoughCNN-LSTMmodelscapturetemporalandspatial dependencies, they often treat all features equally. This methodisnotidealforanintrusiondetectionsystemwhere only certain time steps or feature combinations are significant. The attention mechanism overcomes this limitation by making the model to focus on most relevant features.Theimportantstepsunderattentionmoduleare:
4.1 Attention Scoring
Thismechanismcomputesasetofattentionscoresforeach hiddenstateofLSTM,whichdescribeshowimportantisthat timestepsforfinaldecision.
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 12 Issue: 10 | Oct 2025 www.irjet.net p-ISSN: 2395-0072
4.2 Weight Normalization.
A softmax function is used to normalize these scores to attention weights that sum to one, ensuring proportional influence.
4.3 Context Vector Formation
Finalrepresentationfeatureoutputisaweightedsumofall hidden states which emphasize crucial segments of traffic sequence like sudden packet bursts or irregular communicationintervals.
Thistypeofmechanismcanboostnotonlyitsperformance but also enhances its interpretability as the attention weightsvisuallyhighlightthepartofinputtrafficstrategies thattriggermodeldecision.
5. Classification
The attention-weighted context vector is fed in to classificationlayerwhichconsistsoffullyconnecteddense layer followed by softmax classifier which will output probability distribution across different attack categories. The classifier has the capability to distinguish between normaltrafficandmultipleintrusiontypessuchas:
• DenialofService(DoS)
• DistributedDenialofService(DDoS)
• Probe
• RemotetoLocal(R2L)
• UsertoRoot(U2R)
Model is trained using categorical cross-entropy loss with Adamoptimizerwhichcanensureefficientconvergence.
For performance evaluation following metrics are used: Accuracy, precision, recall, F1-score and False Alarm rate (FAR) to access how effectively model balances detection sensitivityandspecificity.
4. RESULTS AND DISCUSSIONS
TheproposedAttention-DrivenCNN-LSTMframeworkwas tested using three widely used benchmark datasets, CICIDS2017,UNSW-NB15andNSL-KDD.Thesedatasetswere chosen because each is capable of representing heterogeneoustypesof networkintrusionsandcloudtraffic behaviorsAlldatasetsweredividedinto80%trainingdata and20%ofdatafortestingtherebyensuringbalancedclass distributions.Theexperimentswereconductedona GPUbasedenvironmentusingTensorFlow.Theperformancewas evaluated using standard metrics like accuracy, precision, recall, F1-score, and false alarm rate (FAR), which collectivelymeasurethesystem’sabilityto identifyattacks whileminimizingfalsealarmrates.
Table-1:PerformanceMetricsoftheProposedAttentionDrivenCNN–LSTM
The proposed Attention Driven CNN-LSTM Model performed well on all the datasets. On CICIDS2017, it can achieveanaccuracyof9778%,precisionof9735%,recallof 9692%, and a low FAR of 215%. On UNSW-NB15, the accuracyachievedas9542%withanF1-scoreof9458%. And on NSL-KDD, the proposed model can achieve an accuracyof96.11%andanF1-scoreof95.21%.Theseresults shows that the model outperforms traditional machine learning models such as Random Forest (91.7%) and standalonedeeplearningmodelslikeLSTM(94.2%)orCNNLSTM without attention (96.5%). The enhancement in accuracy and reduction in false alarms rate clearly shows that the integration the attention mechanism enables the modeltofocusonthemostcriticalspatial-temporalpatterns withinthetrafficdata.
Integratingattentionmechanismimprovedbothdetection accuracy and interpretability. Conventional CNN-LSTM architecturestreatallfeaturesuniformly,whichcandiffuse importantsignalsincomplexornoisytraffic.Theattention layer dynamically assigns weights to more important featuresortimesteps,allowingthemodeltoconcentrateon abnormal behaviors like sudden bursts in packet rates or irregularportusage.Forexample,whendetectingDDoSand brute-forceattacks,theattentionmechanismalwaysfocused on areas of interest where traffic volume and connection attemptsroseincreasedsharply.Thisselectivefocusingnot onlyimprovedthemodel’sprecisionbutalsoofferedinsights toidentifywhichpatternscontributedmosttothedetection, helpingaddressthe“black-box”issueofdeepIDSmodels.
Beyond high accuracy, the proposed model shows strong generalizationcapabilityalso.Theconsistentperformance acrossbothdatasetsshowsthattheframeworkeffectively adapts to different types of network behaviors and attack categories. The CICIDS2017 dataset primarily contains modernthreatslikeinfiltrationandbrute-forceattacksand UNSW-NB15 includes a broader range of low-profile and stealthy attacks. The attention-driven method allows the systemtoadaptwithfeaturesuniquetoeachdataset,which ensuresreliableperformanceevenundervaryingnetwork conditions.Themodelhasreal-timedetectionefficiencyso that it processes each traffic flow in less than 50 milliseconds,whichmakesitsuitablefordeploymentinrealtimecloudenvironments.
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 12 Issue: 10 | Oct 2025 www.irjet.net p-ISSN: 2395-0072
Comparisonwithrelated studies showsthattheproposed modelotperformsexistingmodels.Forexample,Zhouetal. [5] achieved 96.5% accuracy using a CNN-LSTM model, whileLinetal.[7]obtained97.1%withanattention-based hybridnetwork.Incontrast,theproposedCNN-LSTMwith attentionachieved97.78%,reflectingbothhigherprecision and better generalization across datasets. The key differentiator lies in the integration of CNN, LSTM, and attention layers, which collectively enhance the model’s ability to capture spatial, temporal, and contextual relationshipsincloudtraffic.
In summary, the experimental outcome shows that the attention-drivenCNN-LSTMframeworkprovidesarobust, accurate, and interpretable solution for cloud intrusion detection. It combines deep learning’s predictive strength withtheinterpretabilityofattentionmechanisms,resulting inamodelthatnotonlydetectsawiderangeofattacksbut alsoexplainsitsreasoninanunderstandableway.Thelow falsealarmrate,real-timeprocessingcapabilityandstrong cross-dataset performance demonstrates the model is practicallyviabilityforlarge-scalecloudsecuritysystems.
Theabovechartillustratestheperformancecomparisonof different intrusion detection models in terms of Accuracy and False Alarm Rate (FAR). The results demonstrate the improvementachievedinaccuracyasthemodelarchitecture evolvesfromtraditionalmachinelearning(RandomForest) todeeplearning(LSTMandCNN-LSTM),andfinallytothe proposedAttention-DrivenCNN-LSTMframework.
FromthefigureitisevidentthattheRandomForestmodel exhibitsthelowestaccuracyandthehighestfalsealarmrate, which indicates its limited ability to detect complex and evolving cloud attacks. The LSTM model achieves some improvementbycapturingtemporalpatternsbutstillitfails toidentifyspatialrelationshipsintrafficfeatures.TheCNNLSTM hybrid model significantly enhances accuracy by learningbothspatialandtemporalcorrelations;however,it stillassignsequalimportancetoallfeatures,whichcancause misclassificationinnoisydataenvironments.
The proposed attention-based CNN-LSTM model clearly outperformsallothermodels,achievingthehighestaccuracy (97.78%)andthelowestFAR(2.15%).Thisillustratesthe effectiveness of the attention mechanism in selectively focusingoncriticalfeatureswhileminimizingtheinfluence of irrelevant data. From the chart-1 it is evident that incorporatingattentionnotonlyboostsdetectionaccuracy but also enhances the model’s stability and reliability for real-timecloudintrusiondetection.
5. CONCLUSIONS
This paper presented an Attention-Driven CNN-LSTM frameworkfordetectionofintrusion incloudenvironments. BycombiningthepowerofspatialfeatureextractionofCNN, thetemporalsequencelearningofLSTM,andtheadaptive focus of an attention mechanism, the proposed model is effective in detecting complex and evolving cyber threats. Experimental evaluations on benchmark datasets, like CICIDS2017,UNSW-NB15 and NSL-KDD shows that the framework achieves higher accuracy up to 9778%, lower false alarm rates, and better interpretability compared to traditionaldeeplearningandmachinelearningmethods.
Theresultsconfirmthattheattentionmechanismplaysakey role in improving both the precision and transparency of hybriddeeplearningmodels.Bylettingthesystemtofocus on the most important traffic features, which boosts the reliability and it also provides valuable insights into why certaineventsareclassifiedasattacks.Thisinterpretability makes the model more practical and trustworthy for deploymentinreal-timecloudsecuritysystems.
Although the proposed framework performs well, it introducesamoderateincreaseincomputationaloverhead duetotheadditionalattentionlayer.Infuturework,ourplan is to optimize this by developing lightweight attention mechanismsthatmaintainaccuracywhilereducingresource usage.Furtherresearchwillalsoexplorefederatedlearning integration to enable distributed and privacy-preserving intrusiondetectionacrossmultipleclouddomains.
Additionally, future studies will aim to incorporate explainableAItechniquestoboostmodeltransparencyand usertrust.Anotherareaoffocuswillbereal-timeadaptation to zero-day attacks through online learning approaches, allowingthemodeltocontinuouslyupdatewithnewtraffic data.
Inconclusion,theattention-enhancedCNN-LSTMframework servesasasolidbasefordevelopingintelligent,scalable,and explainable intrusion detection systems in cloud environments. With more improvements in efficiency, privacy, and adaptability, such models can significantly influencethenextgenerationofsecureandresilientcloud infrastructures.
Chart -1:Performancecomparisonofvariousintrusion detectionmodels
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 12 Issue: 10 | Oct 2025 www.irjet.net p-ISSN: 2395-0072
REFERENCES
[1]J.Wu,Y.Ding,andL.Sun,“CNN-basedintrusiondetection for cloud computing,” IEEE Access, vol. 9, pp. 112431–112442,2021.
[2]H.Tang,X.Li,andJ.Zhao,“LightweightCNNframework for IoT-cloud intrusion detection,” Future Generation ComputerSystems,vol.122,pp.45–56,2021.
[3]A.Alshamrani,M.Anwar,andT.Alghamdi,“LSTM-driven intrusion detection for cloud-based services,” Journal of Network and Computer Applications, vol. 180, p. 103023, 2021.
[4]S.Kim,D.Kim,andH.Kang,“BidirectionalLSTMnetwork foranomalydetectioninmulti-cloudenvironments,”Applied SoftComputing,vol.115,p.108177,2022.
[5]Y.Zhou,J.Li,andQ.Xu,“ACNN-LSTMhybridmodelfor intrusion detection in cloud data centers,” Computers & Security,vol.113,p.102545,2022.
[6] K. Wang, Z. Yang, and M. Guo, “Hybrid deep IDS using CNN and Bi-LSTM for cloud traffic analysis,” IEEE TransactionsonInformationForensicsandSecurity,vol.17, pp.2781–2793,2022.
[7]H.Lin,W.Xu,andP.Wang,“Attention-basedCNN-LSTM for real-time intrusion detection in edge-cloud networks,” FutureInternet,vol.14,no.8,p.231,2022.
[8] Y. Zhao, J. Liu, and F. Zhang, “Temporal attentionaugmented LSTM for anomaly detection in cloud traffic,” Neurocomputing,vol.503,pp.309–320,2022.
[9]J.Li,H.Chen,andX.Wu,“Federatedattention-basedCNNLSTM for distributed cloud intrusion detection,” IEEE TransactionsonNetworkandServiceManagement,vol.19, no.4,pp.5120–5132,2022.
[10] L. Xu, Z. Ren, and D. He, “Federated deep intrusion detection with attention-enhanced CNN-LSTM,” IEEE Internet of Things Journal, vol. 10, no. 6, pp. 5259–5271, 2023.
[11]M.Ahmed,S.Latif,andA.Qayyum,“ExplainableAIfor cloudintrusiondetection:Challengesandfuturedirections,” ACMComputingSurveys,vol.55,no.12,pp.1–32,2023.