A Robust Hybrid Model Based on ANN and KNN for Multi-Class Network Attack Detection and Classification
Xusnutdin Samarov1, Zakhro Barotova2

1Assoc. Prof. Xusnutdin Samarov, Department of Information Security, Tashkent University of Information Technologies named after Muhammad al-Khwarizmi State University, Tashkent, Uzbekistan.

2Zakhro Barotova, Researcher, Department of Cybersecurity, Tashkent University of Information Technologies named after Muhammad al-Khwarizmi State University, Tashkent, Uzbekistan. 

Manuscript received on 30 July 2025 | First Revised Manuscript received on 20 August 2025 | Second Revised Manuscript received on 04 September 2025 | Manuscript Accepted on 15 September 2025 | Manuscript published on 30 September 2025 | PP: 1-6 | Volume-12 Issue-9, September 2025 | Retrieval Number: 100.1/ijies.H111512080825 | DOI: 10.35940/ijies.H1115.12090925

© The Authors. Blue Eyes Intelligence Engineering and Sciences Publication (BEIESP). This is an open access article under the CC-BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/)

Abstract: This paper investigates whether a lightweight hybrid approach, which combines learned representations with instance-based decisions, can improve multi-class intrusion detection under realistic class imbalance conditions. We propose A2K, which uses an Artificial Neural Network (ANN) to learn discriminative embeddings from preprocessed network-flow features and a K-Nearest Neighbours (KNN) classifier to make final decisions in the ANN’s latent space. The pipeline begins with min–max normalization and a feature selection routine combining mutual information, correlation analysis, and an ANN-wrapper evaluation to retain the most informative, non-redundant predictors. The ANN is a compact feed-forward model (41-d input, two hidden layers with 64 and 32 neurons, softmax output), trained to capture non-linear structures; its 32-d intermediate activations form the embedding for KNN, which exploits neighbourhood structures via Euclidean distances and majority voting. Using the NSL-KDD benchmark, we adopt a 70/30 train–test split and evaluate with Accuracy, Precision, Recall, and F1-score, alongside class-wise analyses and confusion matrices. We compare our results against strong baselines, including SVM, standalone ANN, standalone KNN, and Random Forest, all under the same preprocessing and protocol. Empirically, A2K attains 97.75% accuracy, 96.80% precision, 96.65% recall, and 96.56% F1-score, outperforming SVM (94.25% accuracy), KNN (91.25%), standalone ANN (95.80%), and Random Forest (96.20%). Class-wise results demonstrate excellent performance on Normal and DoS traffic, as well as measurable gains on minority classes (U2R and R2L) compared to baselines. However, these categories remain the primary source of residual error, consistent with their rarity. Confusion-matrix patterns indicate that embedding-space distances help refine decision boundaries learned by the ANN, improving separability without heavy computation or extensive retraining.
In sum, what we contribute is a modular hybrid for IDS; how we realize it is by late fusing ANN embeddings with KNN neighbourhood evidence after principled preprocessing and feature selection; and why it matters is that this design yields higher overall accuracy and more balanced class detection while preserving simplicity and near real-time feasibility—key properties for deployable network defence.

Keywords: Network Security, Hybrid Model, ANN, KNN, A2K Model, Feature Selection, Cyberattack Classification, Confusion Matrix, NSL-KDD.
Scope of the Article: Artificial Intelligence and Methods
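
The ANN-embedding plus KNN decision stage described in the abstract, as an added NumPy sketch that is not the authors' code. Assumptions: ReLU activations, He initialisation, full-batch gradient descent, the learning rate, k = 5, min-max scaling fitted on the training split, and constructed Gaussian data with five imbalanced classes standing in for NSL-KDD; the feature selection step is omitted.

```python
import numpy as np

def train_ann(X, y, n_classes, epochs=300, lr=0.05, seed=0):
    """Feed-forward net (inputs -> 64 -> 32 -> softmax), full-batch gradient descent."""
    rng = np.random.default_rng(seed)
    sizes = [X.shape[1], 64, 32, n_classes]
    W = [rng.normal(0, np.sqrt(2 / a), (a, b)) for a, b in zip(sizes, sizes[1:])]
    B = [np.zeros(s) for s in sizes[1:]]
    Y = np.eye(n_classes)[y]                        # one-hot targets
    for _ in range(epochs):
        h1 = np.maximum(X @ W[0] + B[0], 0)         # ReLU, 64 units
        h2 = np.maximum(h1 @ W[1] + B[1], 0)        # ReLU, 32 units
        z = h2 @ W[2] + B[2]
        p = np.exp(z - z.max(axis=1, keepdims=True))
        p /= p.sum(axis=1, keepdims=True)           # softmax
        d3 = (p - Y) / len(X)                       # cross-entropy gradient
        d2 = (d3 @ W[2].T) * (h2 > 0)
        d1 = (d2 @ W[1].T) * (h1 > 0)
        for i, (a, d) in enumerate([(X, d1), (h1, d2), (h2, d3)]):
            W[i] -= lr * (a.T @ d)
            B[i] -= lr * d.sum(axis=0)
    return W, B

def embed(X, W, B):
    """32-d activations of the second hidden layer: the latent space KNN works in."""
    return np.maximum(np.maximum(X @ W[0] + B[0], 0) @ W[1] + B[1], 0)

def knn_predict(E_train, y_train, E_query, k=5):
    """Euclidean k-nearest neighbours with majority voting."""
    dist = np.linalg.norm(E_query[:, None, :] - E_train[None, :, :], axis=2)
    nearest = np.argsort(dist, axis=1)[:, :k]
    return np.array([np.bincount(y_train[row]).argmax() for row in nearest])

def run_demo(seed=0):
    rng = np.random.default_rng(seed)
    counts = [300, 200, 80, 20, 10]                 # constructed imbalance, 5 classes
    centers = rng.normal(0, 3, (len(counts), 41))   # constructed 41-d class centres
    X = np.vstack([c + rng.normal(0, 1, (n, 41)) for c, n in zip(centers, counts)])
    y = np.repeat(np.arange(len(counts)), counts)
    idx = rng.permutation(len(X))
    cut = int(0.7 * len(X))                         # 70/30 train-test split
    tr, te = idx[:cut], idx[cut:]
    lo, hi = X[tr].min(axis=0), X[tr].max(axis=0)   # min-max fitted on train only
    scale = lambda A: (A - lo) / np.where(hi > lo, hi - lo, 1.0)
    W, B = train_ann(scale(X[tr]), y[tr], len(counts))
    E_tr, E_te = embed(scale(X[tr]), W, B), embed(scale(X[te]), W, B)
    pred = knn_predict(E_tr, y[tr], E_te)
    return float((pred == y[te]).mean()), E_tr.shape[1]

if __name__ == "__main__":
    print(run_demo())
```

The accuracy returned here reflects the constructed, well-separated data only and says nothing about the figures reported in the paper.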