A Hybrid CNN-BiLSTM Model with Self-Attention for Network Intrusion Detection: Comparative Evaluation on the NSL-KDD Dataset

Network intrusion detection systems (NIDS) represent a critical line of defence in modern cybersecurity infrastructure, tasked with identifying malicious network activity from high-dimensional, high-velocity traffic data in real time. Conventional signature-based and statistical anomaly detection approaches have demonstrated limited efficacy against zero-day attacks, low-rate flooding attacks, and obfuscated intrusion patterns that exploit temporal dependencies in packet sequences. This paper proposes a hybrid deep learning architecture that combines one-dimensional convolutional neural networks (1D-CNN) for local spatial feature extraction with bidirectional long short-term memory networks (BiLSTM) for sequential temporal modelling, augmented by a self-attention mechanism that dynamically weights the contribution of each time step to the final classification decision. The proposed CNN-BiLSTM-Attention model is trained and evaluated on the NSL-KDD benchmark dataset, a widely used standard for NIDS research that addresses the class imbalance and redundancy limitations of the original KDD Cup 1999 dataset. The model is benchmarked against four baseline classifiers — logistic regression, support vector machine (SVM), random forest, and XGBoost — across four attack categories: Denial of Service (DoS), Probe, Remote-to-Local (R2L), and the benign traffic class. The proposed model achieves an overall classification accuracy of 94.7%, macro-averaged F1-score of 93.8%, and area under the ROC curve (AUC) of 0.987, outperforming all baseline models across all evaluation metrics. Ablation studies confirm that both the BiLSTM and attention components make statistically significant independent contributions to classification performance beyond the CNN baseline alone. The results demonstrate that the CNN-BiLSTM-Attention architecture provides a robust, generalisable framework for multi-class network intrusion detection that is well-suited for deployment in real-time network security monitoring systems.