A Two-Stage Hybrid Intrusion Detection Framework Based on Hierarchical Attack Mapping and Pruned CNN-GRU Models

Authors

  • Aseel M. Mohammed, Ministry of Higher Education and Scientific Research, Scientific Research Commission, Iraq
  • Haider K. Hoomod, Computer Department, College of Education, Al-Mustansiriyah University, Ministry of Higher Education and Scientific Research, Baghdad, Iraq

Volume: 16 | Issue: 1 | Pages: 32342-32347 | February 2026 | https://doi.org/10.48084/etasr.16210

Abstract

This study presents a realistic two-stage approach to network intrusion detection that combines two established security paradigms, namely anomaly-based and signature-based detection. The proposed hybrid architecture achieves high detection accuracy and maintains system customizability and scalability for real-world applications, even on resource-limited edge devices. The proposed method first compares all network traffic packets against a large, data-driven signature file of known attack signatures, generated from actual network attack data, which speeds up detection of known threats. Packets that match no signature are then passed to a more advanced analytical stage, where a specialized CNN-GRU hybrid model takes over. This model was optimally pruned, significantly reducing computational cost and inference delay while still allowing it to identify attacks without adversely affecting system throughput. To ensure rigorous evaluation, six high-profile benchmark datasets, namely NSL-KDD, UNSW-NB15, BCCC, CIC-UNSW-NB15, NF-ToN-IoT-v3, and CICIOT2023, were aligned under a single feature schema. In addition, a hierarchical attack taxonomy was designed: the simplest level performs a binary classification (Normal or Attack), followed by classification into general attack types and, lastly, fine-grained classification of particular attack forms. Each dataset was used to train a dedicated, pruned CNN-GRU model. For inference, an advanced voting system combines the predictions of all constituent models, producing a highly trustworthy determination of network activity. Across both binary and multi-class evaluations, the system achieves up to 99.99% accuracy, with high F1-scores between 94% and 100%. This high accuracy did not come at the cost of speed, as the pruning process notably reduced computational overhead and sped up analysis.
Its modular architecture allows the system to be easily adapted to new datasets or even to analyze live network traffic directly, making it a robust and scalable solution for modern cybersecurity challenges. Existing intrusion detection approaches suffer from critical limitations, such as dependence on single-stage anomaly detection, training on limited data, and reliance on complex designs that hinder scalability and increase computational cost. The proposed two-stage pruned CNN-GRU architecture with hierarchical attack mapping overcomes these limitations, maintaining high detection accuracy while reducing computational overhead.
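The control flow the abstract describes (signature lookup first, then a vote over per-dataset models on a shared three-level taxonomy) can be sketched as follows. This is an added example, not the authors' code: the signature key format, the label-to-taxonomy rows, the level-by-level majority vote with ties resolved toward "Attack", and the rule-based stand-ins for the pruned CNN-GRU models are all assumptions, since the page does not specify them.

```python
from collections import Counter

# Constructed rows: dataset-native label -> (general category, fine-grained type).
# The paper's real taxonomy is not given on the page.
TAXONOMY = {
    "normal": ("Normal", "Normal"), "benign": ("Normal", "Normal"),
    "neptune": ("DoS", "SYN flood"), "ddos-syn_flood": ("DoS", "SYN flood"),
    "dos": ("DoS", "Unspecified DoS"),
    "portsweep": ("Recon", "Port scan"), "scanning": ("Recon", "Port scan"),
    "reconnaissance": ("Recon", "Unspecified recon"),
}
# Hypothetical signature format: (protocol, destination port, TCP flags) -> label.
SIGNATURES = {("tcp", 23, "S"): "neptune"}

def to_hierarchy(label):
    """Map a dataset-native label to (binary, general, fine)."""
    try:
        general, fine = TAXONOMY[label.lower()]
    except KeyError:
        # An unmapped label is a schema gap to fix, not something to vote on.
        raise ValueError(f"label {label!r} missing from taxonomy") from None
    return ("Normal" if general == "Normal" else "Attack", general, fine)

def vote(labels):
    """Majority vote per level; lower levels only count models that agreed
    with the winner above. Ties break alphabetically, so a Normal/Attack
    tie resolves to Attack (assumed fail-closed policy)."""
    pool = [to_hierarchy(l) for l in labels]
    decision = []
    for level in range(3):
        counts = Counter(h[level] for h in pool)
        winner = min(counts, key=lambda name: (-counts[name], name))
        decision.append(winner)
        pool = [h for h in pool if h[level] == winner]
    return tuple(decision)

def classify(flow, models):
    """Stage 1: signature lookup. Stage 2: ensemble vote on a miss."""
    key = (flow["proto"], flow["dst_port"], flow["flags"])
    if key in SIGNATURES:  # known threat: the models are never invoked
        return "signature", to_hierarchy(SIGNATURES[key])
    return "model-vote", vote([m(flow) for m in models])

# Stand-ins for the per-dataset pruned CNN-GRU models (constructed rules).
MODELS = [
    lambda f: "portsweep" if f["dst_port"] < 1024 and f["bytes"] < 100 else "normal",
    lambda f: "scanning" if f["bytes"] < 100 else "benign",
    lambda f: "reconnaissance" if f["flags"] == "S" else "normal",
]
```

Restricting each lower level to models that agreed on the level above keeps the final label internally consistent: a fine-grained type is never reported under a general category it does not belong to.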

Keywords:

two-stage hybrid NIDS, pruned deep learning, CNN-GRU architecture, network cybersecurity

How to Cite

A. M. Mohammed and H. K. Hoomod, “A Two-Stage Hybrid Intrusion Detection Framework Based on Hierarchical Attack Mapping and Pruned CNN-GRU Models”, Eng. Technol. Appl. Sci. Res., vol. 16, no. 1, pp. 32342–32347, Feb. 2026.
