2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)
2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) | 978-1-6654-9425-0/22/$31.00 ©2022 IEEE | DOI: 10.1109/TrustCom56396.2022.00026
MATTER: A Multi-Level Attention-Enhanced
Representation Learning Model for Network
Intrusion Detection
1st Jinghong Lan
School of Computer Science and Engineering
Beihang University
Beijing, China
lanjh@buaa.edu.cn
3rd Bo Li∗
School of Computer Science and Engineering
Beihang University
Beijing, China
libo@act.buaa.edu.cn
Abstract—Network Intrusion Detection Systems (NIDSs) play
a crucial role in safeguarding the security of protected computer
networks. Although numerous machine learning algorithms,
especially deep learning algorithms, have achieved remarkable
results, their generalization ability is limited due to the following
critical challenges. First, most of existing methods heavily rely
on the handcrafted features extracted from packets or network
flows. Second, few studies have been devoted to adaptively
highlighting the characteristics of certain traffic features and thus
extracting discriminative representations from input network
data. In this paper, we propose a Multi-level ATTention-enhanced
rEpresentation leaRning model (MATTER) to address the afore-
mentioned challenges. Specifically, a multi-scale Convolutional
Neural Network (CNN) is employed to extracted representations
from the raw packet content of a network flow. Then, a multi-level
attention module with spatial, channel and temporal attention
mechanisms is leveraged to enhance the discrimination of the
extracted features. Extensive experiments on two benchmark
datasets demonstrate that our proposed MATTER is superior
to other state-of-the-art approaches in terms of both accuracy
and F1 score.
Index Terms—Network intrusion detection, multi-level atten-
tion, representation learning, raw packet content, Convolutional
Neural Network
I. I NTRODUCTION
With the rapid development of network technology, mod-
ern society is becoming heavily dependent on the Internet.
Meanwhile, the increasing complexity of network applications
has led to sophisticated cyberattacks, and intrusion detection
has become one of the critical issues in the cybersecurity
ecosystem. As a common security tool designed to monitor
and protect computer networks, Intrusion Detection Systems
(IDSs) have attracted widespread attention from both academy
*Corresponding author
2324-9013/22/$31.00 ©2022 IEEE
DOI 10.1109/TrustCom56396.2022.00026
Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 10:22:14 UTC from IEEE Xplore. Restrictions apply.
2nd Yanan Li
School of Computer and Information Security
Guilin University of Electronic Technology
Guilin, China
xxgcliyanan@163.com
4th Xudong Liu
School of Computer Science and Engineering
Beihang University
Beijing, China
liuxd@act.buaa.edu.cn
and industry [1]. Generally, IDSs can be classified into host-
based and network-based according to their implementation
scenarios and processed data [2]. In this paper, we focus on
addressing the issues in the network-based IDSs (NIDSs).
In the past few years, many machine learning algorithms
have been employed to improve the efficiency of NIDSs.
More recently, deep learning having the ability to uncover the
complex structures of network data has also been introduced to
this field [3]–[5]. However, given the increasing diversification
and sophistication of cyberattacks, the generalization ability
of existing methods is still limited due to the following two
critical challenges. First, most of existing methods heavily
rely on the handcrafted features extracted with the assist of
domain experts [6]. Second, few studies have been devoted to
adaptively highlighting the characteristics of certain traffic fea-
tures and thus extracting discriminative representations from
input network data. Therefore, since the extracted feature rep-
resentations are limited, the generalization ability of existing
approaches may be unsatisfactory when applied to complex
and dynamic network scenarios.
In this paper, we propose a Multi-level ATTention-enhanced
rEpresentation leaRning model (MATTER) to improve the
generalization ability of flow-level intrusion detection task by
addressing the aforementioned two challenges. First, instead
of leveraging feature-ready Comma Separated Value (CSV)
files, we employ multi-scale convolutional layers to extract
basic features from the raw packet content of a network flow.
Afterward, a multi-level attention module with spatial, channel
and temporal attention mechanisms is introduced to refine
and enhance the extracted representations. Consequently, the
informative features of a network flow are strengthened while
the less important ones are suppressed. Overall, The main
contributions of this paper are summarized as follows.
111
 • A multi-level attention-enhanced representation learning
model is proposed for the task of network intrusion
detection based on deep learning. This model can extract
discriminative flow-level features with the assist of three
attention blocks simultaneously.
• Spatial, channel and temporal attention mechanisms are
incorporated to highlight the informative traffic features
and weaken the useless ones adaptively. To the best of
our knowledge, we are the first to use multi-level attention
mechanisms for the common intrusion detection task.
• Extensive experiments conducted on two benchmark
datasets show that our proposed MATTER is superior to
other state-of-the-art approaches, yielding better results
in terms of both accuracy and F1 score.
The rest of this paper is organized as follows. Section 2
reviews the related work of predecessors. Then, section 3
presents the detailed design of MATTER. The experimental
results are discussed in section 4, and we conclude this paper
in section 5.
II. R ELATED WORK
A. Deep learning-based network intrusion detection
Currently, many deep learning algorithms are widely used
to identify suspicious intrusion attacks in network traffic. For
instance, Qiu et al. [2] employed the Dempster Shafer Theory
(DST) to fuse the results of a packet-based and a flow-based
approaches to build a hybrid intrusion detection model. Zhong
et al. [7] proposed a network anomaly detection model based
on the heterogeneous integration of an auto-encoder (AE) and
a Long Short-Term Memory (LSTM) network. Li et al. [8]
proposed a hierarchical and dynamic feature extraction frame-
work to efficiently distinguish between normal and malicious
network patterns. Ashraf et al. [9] proposed an LSTM-based
anomaly detection framework to preserve the normal patterns
of the network traffic passing through a central gateway of
autonomous vehicles and identify cyberattacks by calculating
their deviations from the latent representations learned from
normal network traffic. Hassan et al. [10] proposed a hybrid
deep learning framework to identify intrusions attacks in
big data environments by leveraging a CNN and a weight-
dropped LSTM (WDLSTM) network. Lin et al. [11] proposed
a multi-level feature fusion model with data timing, payload
content, and statistical features to build a malicious traffic
detection system, in which a one-dimensional CNN and two
Bi-LSTM networks are deployed in parallel to learn traffic
representations from multiple perspectives.
B. Attention mechanism
Attention mechanism simulating the information process
of human visual selectivity is to highlight meaningful fea-
tures and suppress less important ones adaptively. Recently,
researchers have begun to employ attention mechanism to
the application scenario of network traffic classification. For
instance, Xiao et al. [12] proposed a hierarchical attention
network to perform application identification by leveraging
the payload content and side-channel features of a network
112
Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 10:22:14 UTC from IEEE Xplore. Restrictions apply.
packet simultaneously. Lan et al. [13] proposed Darknetsec,
a darknet traffic classification approach with spatial-temporal
representation learning and self-attention-based data fusion. Li
et al. [14] trained a multi-head self-attention model as a feature
learning module for the anomaly detection in the intelligent
vehicle charging and station power supply systems. Liu et
al. [15] proposed to detect anomalies in packet payload with
the combination of an LSTM network, a CNN and a multi-
head self attention mechanism.
III. M ETHODOLOGY
In this section, we first present the network structure of
MATTER. Afterward, the process of data preprocessing is
described briefly. Finally, the core components of MATTER,
i.e., the three attention blocks, are elaborated.
A. Network structure
Figure 1 shows the detailed network structure of the pro-
posed MATTER, which consists of several cascaded MA-
MCNN modules, a Global Average Pooling (GAP) layer, a
fully connected layer and a softmax layer. In the data prepro-
cessing stage, raw network packets are first split into network
flows, each of which is converted into a sample matrix.
Subsequently, the sample matrix is fed into the cascaded MA-
MCNN modules to extract a high-level feature representation.
Specifically, for each of the MA-MCNN modules, as shown
in Figure 2, we leverage multi-scale convolutional layers to
capture basic spatial features. Afterward, three attention blocks
are added after the multi-scale convolutional layers to refine
and enhance the features from different aspects. Then, the
achieved feature representation is fed into the last three layers
to obtain the final prediction. The well-known cross entropy
loss is adopted to train the entire model via backpropagation.
B. Data preprocessing
In this paper, MATTER takes the raw packet content of each
network flow as input to reduce the reliance on domain experts,
which has been proven to be effective for intrusion detection
tasks in previous studies such as [6], [8], [15]. A network flow
is defined as a set of network packets that belong to a transport
communication with the same five-tuples (source/destination
IP addresses, source/destination ports and protocol type) in
both directions.
Regarding each network flow, we select the first N packets
and retain only the first M bytes for each packet. We use
a truncation/zero padding approach to obtain a fixed size for
each network flow. The packet content features of a network
flow can be formalized as:
X f l = [p1 , p2 , · · · , pN ], N ∈ Z+ (1)
pi = [bi1 , bi2 , · · · , biM ], i ∈ [1, N ] (2)
where matrix X f l represents the packet content features of a
network flow, pi is the i-th packet without the data link layer,
and bij ∈ [0,0xff], i ∈ [1, N ], j ∈ [1, M ] denotes the j-th byte
of the i-th packet.
Then, data normalization is performed to map the numeric
packet bytes to [0,1] by dividing all byte values by 255.
 Multi-level attention module
Grouped self-attention

Qi = Gˆ iWi Q
Matmul Softmax
Gˆ i Output
K i = Gˆ iWi K Concat

Vi = Gˆ iWiV Matmul
Grouped self-attention

Grouped self-attention

Excitation
1x1 conv

1x1 conv

Sigmoid
GAP

FC

FC
Output
Input

Output
Input
Spatial attention Channel attention

t1
MA-MCNN MA-MCNN

softmax
GAP

FC
Input Multi-scale Multi-level Multi-scale Multi-level t2
CNN attention CNN attention
tT

Fig. 1. Network structure of the proposed MATTER.

× ×
sigmoid function to obtain a weight matrix, with which each
Input
channel is dot-multiplied to get the output feature maps.
× ×4
Since every item of the weight matrix corresponds to a local
× ×4
1x1 conv
str=1 padding 1x1 conv
patch of the input feature maps, more important local regions
str=1 padding
× ×
× × 1x1 conv
are assigned with larger weights and less informative ones are
3x3 conv str=1 padding
str=1 padding × ×2 suppressed to have smaller weights. Since the spatial attention
× × 3x3 conv
block does not change the dimensions of the input feature
3x3 conv str=1 padding
str=1 padding maps, it can be easily embedded into various types of CNNs.
× ×4 2) Channel attention: The channel attention block consist-
BN ing of squeeze and excitation operations is proposed to explore
inter-channel attention to automatically emphasize significant
Output
channels. As shown in Figure 1, the squeeze operation is
leveraged to squeeze the input feature maps of multiple
Fig. 2. Detailed composition of a multi-scale CNN, in which ReLU function is channels into a single channel with a GAP layer. The excitation
leveraged for each convolutional layer and BN denotes a Batch Normalization
(BN) layer. operation following the squeeze operation aims to model the
channel-wise dependencies adaptively. Two fully connected
layers and a sigmoid function are employed to obtain the
C. Multi-level attention module channel attention weights as:
1) Spatial attention: To exploit the inter-spatial relationship s t
1 
of features, the spatial attention block, shown in Figure 1, fi = Fsq (M i ) = Mi (j, k), 1 ≤ i ≤ c (3)
is proposed. Two cascaded 1 × 1 convolutional layers are s × t j=1
k=1
first used to compress the input feature maps from multiple a = Fex (f , W 1 , W 2 ) = σ(W 2 δ(W 1 f )) (4)
channels into one channel. Specifically, the first convolutional
M̂ i = Fscale (M i , ai ) = ai M i , 1 ≤ i ≤ c (5)
layer takes Rectified Linear Unit (ReLU) as the activation
function and generates c/r channels (c denotes the number where M i (1 ≤ i ≤ c) denotes the input feature map of chan-
of input channels and r denotes the reduction ratio), while nel i, f is the output vector of the GAP layer, W 1 and W 2 are
the second convolutional layer outputs a single channel with a trainable parameters, and δ(·) and σ(·) denote the ReLU and

113

Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 10:22:14 UTC from IEEE Xplore. Restrictions apply.
 sigmoid functions, respectively. a is the calculated attention TABLE I
M AIN CHARACTERISTICS OF THE TWO USED DATASETS .
vector, M̂ i (1 ≤ i ≤ c) denotes the out feature map of channel
i, and Fscale (·) denotes channel-wise multiplication. Attributes CICIDS2017 UNSW-NB15
3) Temporal attention: The spatial and channel attention Year 2017 2015
mechanisms aim to strengthen the useful information in dif- Data format pcap/csv pcap/csv
ferent regions. However, the features of the time dimension Feature size 80 49
need also be considered. Owing to the widespread application Protocol number 5 6
of self-attention mechanism in the Transformer network, we Attack number 14 9
propose to use a set of grouped self-attention blocks to achieve Labeled class 7 10
temporal attention and learn the global dependencies of the Normal 76,000 96,000
packet sequence in a network flow. Training set Attacks 74,867 89,595
To reduce computation overhead while learning temporal Total 150,867 185,595
dependencies effectively, the input feature maps M ∈ Rs×t×c Normal 35,000 32,000
are aggregated into h groups Gi ∈ Rr×t×c (h = s/r, i = Test set Attacks 32,086 29,746
1, · · · , h) along the spatial dimension. Afterward, as shown in Total 67,086 61,746
Eq. 6, each group Gi ∈ Rr×t×c is compressed into a matrix
Ĝi ∈ R1×t×c along the spatial axes and corresponds to the
input of a grouped self-attention block. B. Baseline methods
r To fully verify the effectiveness of MATTER, we compare it
1
(Ĝi )jk = (Gi )ljk (6) with five state-of-the-art methods, which are briefly described
r as follows.
l=1
• MSCNN [18] takes the statistical features of network
For each of the grouped self-attention blocks, we first map flows as inputs and uses a multi-scale CNN to build an
its corresponding Ĝi ∈ R1×t×c to three linear subspaces to IDS for network security communication. Batch normal-
obtain a query matrix Qi , a key matrix K i and a value matrix ization is introduced to improve the convergence speed
V i . The calculation process is formalized as: of the neural network.
• IE-DBN [19] uses information gain to reduce the dimen-
K i = Ĝi W K
i ∈R
t×DK
(7)
sion of the input data and remove redundant features.
Qi = Ĝi W Q
i ∈R t×DK
(8) Then, a Deep Belief Network (DBN)-based classifier is
Vi= Ĝi W Vi ∈R t×DV
(9) built to realize an intrusion detection model.
• CNN-WDLSTM [10] utilizes a CNN and a weight-
Q KT
headi = Attention(K i , Qi , V i ) = Softmax( √i i V i ) dropped LSTM network to extract meaningful spatial-
DK temporal features for the classification of cyberattacks in
(10) big data environments. The input statistical features of
each network flow are extracted by using the Bro-IDS
where W K i ∈ Rc×DK , W Q i ∈ Rc×DK , and W Vi ∈ and Argus tools.
c×DV
R are trainable parameters. Softmax(·) is a column-wise- • LeNet-5-LSTM [20] designs a network intrusion detec-
normalized function. tion model that integrates the improved Le-Net5 (a CNN
After that, multi-head attention is employed to enable the model) and an LSTM network to capture the spatial-
feature extraction network to capture discriminative feature temporal features of input network flows. LeNet-5-LSTM
representations from different embedding subspaces. The cal- takes the raw traffic data as inputs to build a classifier.
culation process is formalized as: • PBCNN [6] proposes a hierarchical packet byte-based
CNN (PBCNN) and takes the raw packet bytes of pcap
MHead(Q, K, V ) = concat(head1 , · · · , headh )W a (11) files as inputs to build a network intrusion detection
Q
where headi = Attention(Ĝi W K V
i , Ĝi W i , Ĝi W i ) (12) model.

IV. E XPERIMENTAL EVALUATION C. Evaluation metrics

A. Datasets
In this section, we evaluate the effectiveness of our method
on two benchmark datasets, namely CICIDS2017 [16] and
UNSW-NB15 [17]. Specifically, each dataset is divided into
two disjoint subsets. One subset is selected as the training set,
and the other is used as the test set. Table I presents the main
characteristics of the two datasets used in this paper.
In this paper, we leverage four well-known evaluation
metrics, i.e., accuracy (Acc), precision (P re), recall (Rec),
and F1 score (F 1), which are based on four basic indicators,
namely True Positives (T P s), True Negatives (T N s), False
Positives (F P s) and False Negatives (F N s). P re and Rec
are defined P re = T PT+FP TP
P and Rec = T P +F N , respectively.
T P +T N
Acc is calculated by Acc = T P +T N +F P +F N and F 1 equals
to 2×P re×Rec
P re+Rec , Additionally, the multi-class labels are directly

114

Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 10:22:14 UTC from IEEE Xplore. Restrictions apply.
 (a) CICIDS2017
(b) UNSW-NB15
Fig. 3. The overall performance comparison with different methods.
taken into consideration. M acro − P re, M acro − Rec and
M acro − F 1 are used to calculate the average values of
precision, recall, and F1 score for each class, respectively.
D. Performance comparison
In this subsection, we evaluate the effectiveness of our
proposed MATTER against the aforementioned five baseline
methods. We use the Acc, M acro − P re, M acro − Rec
and M acro − F 1 metrics to evaluate the performance of all
the tested methods on the CICIDS2017 and UNSW-NB15
datasets. Figure 3 provides the experimental results, which
show that MATTER outperforms other methods in terms of
all the metrics. In addition, as shown in Figure 4, MATTER
achieves the best F 1 results for all the attack types on the two
datasets. From the above comparison results, we can observe
the following two major conclusions.
• MATTER outperforms all of the other methods with
the highest Acc and M acro − F 1 results. For in-
stance, compared with the second-place approach on
the UNSW-NB15 dataset, i.e., PBCNN, the Acc and
M acro − F 1 results of MATTER are 2.46% and 2.32%
higher, respectively. This shows that our proposed MAT-
TER extracts more discriminative feature representations
and has better adaptability than other state-of-the-art
methods.
115
Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 10:22:14 UTC from IEEE Xplore. Restrictions apply.
(a) CICIDS2017
(b) UNSW-NB15
Fig. 4. The F 1 results of each attack type obtained with different methods.
• The proposed multi-level attention mechanisms have
a positive effect on the performance of the entire de-
tection model. The comprehensive utilization of the three
attention mechanisms helps MATTER pay more attention
to informative features and suppress the useless ones, thus
improving the discrimination and representation ability of
the extracted features.
E. Ablation study
In this subsection, we conduct an ablation study to explore
the effectiveness of each component in the multi-level attention
module. We first introduce the four MATTER variants as
follows.
• MCNN: Only the multi-scale convolutional layers are
used.
• SA-MCNN: The multi-scale convolutional layers and
spatial attention block are used.
• CA-MCNN: The multi-scale convolutional layers and
channel attention block are used.
• SCA-MCNN: The multi-scale convolutional layers, spa-
tial attention block and channel attention block are used.
As shown in Table II, since the results obtained on the two
datasets are similar, we take the experimental results of the
CICIDS2017 dataset as an example to discuss the contribution
of each attention block to the entire model performance. By
 TABLE II [2] Qiu W, Ma Y, Chen X, et al. Hybrid intrusion detection system based
P ERFORMANCE COMPARISON OF DIFFERENT MATTER STRUCTURES (%). on Dempster-Shafer evidence theory[J]. Computers & Security, 2022,
117: 102709.
Dataset Structure Acc M arco − F 1 [3] Lan J, Liu X, Li B, et al. A novel hierarchical attention-based triplet
network with unsupervised domain adaptation for network intrusion
MCNN 89.34 85.71 detection[J]. Applied Intelligence, 2022: 1-22.
SA-MCNN 90.87 87.53 [4] Li Z, Wang Y, Wang P, et al. PGAN: A Generative Adversarial Network
CICIDS2017 CA-MCNN 91.33 87.92 based Anomaly Detection Method for Network Intrusion Detection
System[C]//2021 IEEE 20th International Conference on Trust, Security
SCA-MCNN 94.12 90.41 and Privacy in Computing and Communications (TrustCom). IEEE,
MATTER 95.22 91.69 2021: 734-741.
MCNN 87.43 82.81 [5] Han X, Yin R, Lu Z, et al. STIDM: A spatial and temporal aware
intrusion detection model[C]//2020 IEEE 19th International Conference
SA-MCNN 88.29 83.98 on Trust, Security and Privacy in Computing and Communications
UNSW-NB15 CA-MCNN 88.56 84.15 (TrustCom). IEEE, 2020: 370-377.
SCA-MCNN 90.56 86.05 [6] Yu L, Dong J, Chen L, et al. PBCNN: packet bytes-based convolutional
neural network for network intrusion detection[J]. Computer Networks,
MATTER 92.20 88.20 2021, 194: 108117.
[7] Zhong Y, Chen W, Wang Z, et al. HELAD: A novel network anomaly
detection model based on heterogeneous ensemble learning[J]. Computer
Networks, 2020, 169: 107049.
introducing the multi-scale convolutional layers only, we can [8] Li Y, Qin T, Huang Y, et al. HDFEF: A hierarchical and dynamic feature
obtain an Acc of 89.34% and a M acro − F 1 of 85.71%. extraction framework for intrusion detection systems[J]. Computers &
By adding the spatial attention block and channel attention Security, 2022, 121: 102842.
[9] Ashraf J, Bakhshi A D, Moustafa N, et al. Novel deep learning-enabled
block, the M acro−F 1 can be improved by 1.82% and 2.21%, LSTM autoencoder architecture for discovering anomalous events from
respectively. These results demonstrate the effectiveness of the intelligent transportation systems[J]. IEEE Transactions on Intelligent
spatial and channel attention mechanisms for extracting more Transportation Systems, 2020, 22(7): 4507-4518.
[10] Hassan M M, Gumaei A, Alsanad A, et al. A hybrid deep learning model
discriminative feature representations. for efficient intrusion detection in big data environment[J]. Information
We next analyze the influence of the temporal attention Sciences, 2020, 513: 386-396.
block on the whole performance. On the basis of SCA-MCNN [11] Lin K, Xu X, Xiao F. MFFusion: A Multi-level Features Fusion Model
for Malicious Traffic Detection based on Deep Learning[J]. Computer
(with an Acc of 94.12% and a M acro−F 1 of 90.41%), the ap- Networks, 2022, 202: 108658.
plication of the temporal attention block effectively increases [12] Xiao X, Xiao W, Li R, et al. EBSNN: Extended Byte Segment Neural
the Acc and M acro − F 1 by 1.10% and 1.28%, respectively. Network for Network Traffic Classification[J]. IEEE Transactions on
Dependable and Secure Computing, 2021.
The experimental results show that the temporal attention [13] Lan J, Liu X, Li B, et al. DarknetSec: A novel self-attentive deep
block can also improve the accuracy significantly. Finally, learning method for darknet traffic classification and application identi-
we obtain similar conclusions on the experimental results of fication[J]. Computers & Security, 2022, 116: 102663.
[14] Li Y, Zhang L, Lv Z, et al. Detecting anomalies in intelligent vehicle
the UNSW-NB15 dataset, demonstrating the superiority of the charging and station power supply systems with multi-head attention
proposed multi-level attention module. models[J]. IEEE Transactions on Intelligent Transportation Systems,
2020, 22(1): 555-564.
V. C ONCLUSION AND FUTURE WORK [15] Liu J, Song X, Zhou Y, et al. Deep anomaly detection in packet
payload[J]. Neurocomputing, 2022, 485: 205-218.
In this paper, we propose a multi-level attention-enhanced [16] Sharafaldin I, Lashkari A H, Ghorbani A A. Toward generating a
representation learning model (MATTER) for the common new intrusion detection dataset and intrusion traffic characterization[J].
ICISSp, 2018, 1: 108-116.
network intrusion detection task to adaptively capture discrim- [17] Moustafa N, Slay J. UNSW-NB15: a comprehensive data set for network
inative features. To the best of our knowledge, we are the first intrusion detection systems (UNSW-NB15 network data set)[C]//2015
to introduce three attention mechanisms (i.e., spatial, channel military communications and information systems conference (MilCIS).
IEEE, 2015: 1-6.
and temporal attention mechanisms) simultaneously in the [18] Yu J, Ye X, Li H. A high precision intrusion detection system for
network intrusion detection field. The experimental results on network security communication based on multi-scale convolutional
two benchmark datasets (i.e., CICIDS2017 and UNSW-NB15) neural network[J]. Future Generation Computer Systems, 2022, 129:
399-406.
show that MATTER has better accuracy than other state-of- [19] Jia H, Liu J, Zhang M, et al. Network intrusion detection based on
the-art methods. As the future work, we plan to evaluate the IE-DBN model[J]. Computer Communications, 2021, 178: 131-140.
impact of adversarial attacks on MATTER and incorporate [20] Zhang Y, Chen X, Jin L, et al. Network intrusion detection: Based on
deep hierarchical network and original flow data[J]. IEEE Access, 2019,
related techniques to enhance the robustness of our approach. 7: 37004-37016.
ACKNOWLEDGMENTS
This work was supported by the Opening Project of Shang-
hai Trusted Industrial Control Platform (TICPSH202003020-
ZC) and Beijing Advanced Innovation Center for Future Block
chain and Privacy Computing.
R EFERENCES
[1] Chou D, Jiang M. A survey on data-driven network intrusion detec-
tion[J]. ACM Computing Surveys (CSUR), 2021, 54(9): 1-36.

116

Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 10:22:14 UTC from IEEE Xplore. Restrictions apply.