On the Evaluation of Spiking Neural Network Configurations for Network Intrusion Detection
This paper systematically evaluates 9 neuron models and 3 spike encoding schemes in SNN-based network intrusion detection, revealing latency encoding as the most effective approach, achieving 92.11% accuracy.
Key Findings
Methodology
This study employs a controlled ablation framework, systematically comparing nine neuron models—including Leaky, Synaptic, SLSTM—and three spike encoding schemes—rate, latency, delta—across four benchmark datasets (NSL-KDD, KDDCup99, CIC-IDS2017, CTU-13). All models are trained under identical conditions using the snntorch framework, with fixed network architecture (two-layer SNN perceptron), hyperparameters, and training procedures, ensuring that only the neuron model and encoding scheme vary. Each configuration is evaluated over five random seeds to account for stochastic variability. Performance metrics include accuracy, macro-F1, MCC, false alarm rate, detection rate, and inference latency, providing a comprehensive assessment of detection quality and computational efficiency. Results consistently show that latency encoding outperforms rate and delta encodings in detection accuracy, with an average macro-F1 of 0.80 and false alarm rate of 0.80%. The top configuration, LeakyParallel neuron with latency encoding, achieves near-perfect accuracy on CIC-IDS2017 and CTU-13, with inference latency around 73 ms per sample, demonstrating its suitability for real-time edge deployment.
Key Results
- Latency encoding consistently surpasses rate and delta encodings across all neuron models, with an average macro-F1 of 0.80, false alarm rate of 0.80%, and near-perfect detection on CIC-IDS2017 and CTU-13 datasets. The configuration combining LeakyParallel neurons with latency encoding achieves 92.11% accuracy, macro-F1 of 0.80, and inference latency of approximately 73 milliseconds per sample, outperforming other variants in both detection performance and speed.
- The study finds that the choice of encoding scheme has a more significant impact on detection quality than the specific neuron model. Latency encoding yields the highest detection metrics across datasets, indicating that temporal coding of spike timing effectively captures the temporal dynamics of network traffic features. The LeakyParallel neuron model with latency encoding demonstrates the best trade-off between accuracy and inference speed, making it ideal for resource-constrained environments.
- Ablation results reveal that while neuron model differences are minor in terms of detection metrics, they significantly influence inference latency and computational cost. The vectorized temporal unrolling of latency-encoded models reduces inference time by over 50% compared to other configurations, confirming the efficiency advantage of temporal coding strategies in SNNs for intrusion detection.
Significance
This research underscores the critical role of spike encoding strategies in SNN performance for cybersecurity applications. By systematically demonstrating that latency encoding significantly enhances detection accuracy and reduces inference latency, the study provides a clear guideline for designing lightweight, real-time intrusion detection systems suitable for edge deployment. The findings address the longstanding challenge of balancing detection efficacy with computational efficiency, positioning SNNs as a promising alternative to traditional deep neural networks in resource-limited environments. The comprehensive evaluation across multiple datasets and metrics also establishes a robust benchmark framework, facilitating future research in neuromorphic cybersecurity. Ultimately, this work advances the understanding of how temporal coding mechanisms can be harnessed to improve the practicality and scalability of SNN-based security solutions.
Technical Contribution
The paper makes several key technical contributions: (1) It introduces a systematic comparison of nine neuron models and three spike encoding schemes within a unified experimental pipeline, ensuring fair and reproducible evaluation. (2) It highlights the dominance of encoding strategy over neuron model choice in determining detection performance, with latency encoding consistently outperforming others across datasets. (3) It develops a multi-metric evaluation framework that balances detection accuracy, false alarm rate, inference latency, and computational cost, providing a comprehensive performance profile. (4) It demonstrates that vectorized temporal unrolling of latency-encoded SNNs significantly reduces inference latency, making them suitable for real-time deployment. (5) The study establishes a set of actionable design guidelines for neuromorphic intrusion detection systems, emphasizing the importance of temporal encoding for achieving high accuracy and efficiency.
Novelty
This work is the first comprehensive, systematic evaluation of the joint effects of neuron model and spike encoding scheme on SNN-based intrusion detection across multiple datasets. While previous studies explored individual configurations—such as Zhou and Li (2021) using temporal-coded neurons or Wang et al. (2024) with convolutional SNNs—none provided a direct comparison of encoding strategies within a unified framework. The key novelty lies in revealing that encoding choice, particularly latency coding, has a more profound impact on detection performance than the neuron model itself. This insight shifts the focus of SNN design from neuron dynamics to temporal encoding, providing a new perspective for optimizing neuromorphic cybersecurity systems.
Limitations
- The current experiments assume a static threat landscape with known attack categories, lacking evaluation against adaptive adversaries or unseen attack types. This limits understanding of the model’s robustness in real-world adversarial scenarios.
- The models are trained and tested on datasets with inherent class imbalance, which may influence the generalizability of results. Although metrics like MCC mitigate this, real deployment may encounter more severe imbalance or concept drift.
- Inference latency measurements are conducted on GPU hardware, which may not directly translate to neuromorphic chips or edge devices. Hardware-specific optimizations could further improve performance but are not explored here.
Future Work
Future research will focus on enhancing model robustness against adversarial attacks, including evasion and poisoning strategies. Exploring hybrid architectures that combine the strengths of SNNs and traditional deep neural networks could further improve detection of rare or sophisticated threats. Deployment on neuromorphic hardware platforms like Intel Loihi or IBM TrueNorth is planned to validate real-world performance and energy efficiency. Additionally, adaptive encoding schemes that dynamically adjust based on network traffic patterns could improve detection under varying conditions. Extending the framework to unsupervised or semi-supervised learning scenarios will also be a key direction, aiming to reduce reliance on labeled data and improve scalability.
AI Executive Summary
The rapid expansion of the Internet of Things (IoT) and cyber-physical systems has dramatically increased the attack surface for malicious actors, posing significant challenges for cybersecurity. Traditional deep neural networks (DNNs) have demonstrated high accuracy in intrusion detection but are computationally intensive, making them unsuitable for deployment on resource-constrained edge devices. As a promising alternative, Spiking Neural Networks (SNNs) emulate biological neurons' event-driven processing, offering low-power operation and inherent temporal coding capabilities.
This study systematically investigates the design space of SNNs for network intrusion detection, focusing on two critical factors: neuron model selection and spike encoding scheme. Using a controlled ablation methodology, nine neuron models—including Leaky Integrate-and-Fire, Synaptic, and SLSTM variants—are evaluated across four benchmark datasets (NSL-KDD, KDDCup99, CIC-IDS2017, CTU-13). Three encoding schemes—rate, latency, and delta—are tested to understand their impact on detection performance and efficiency. All experiments are conducted under a unified training pipeline, with fixed network architecture and hyperparameters, ensuring that observed differences are attributable solely to the design choices.
Results reveal that the spike encoding strategy exerts a dominant influence on detection quality, with latency encoding consistently outperforming rate and delta schemes. The best configuration, combining latency encoding with LeakyParallel neurons, achieves an average macro-F1 of 0.80 and accuracy of 92.11%, with false alarm rates below 1% across datasets. Notably, this configuration also exhibits the fastest inference speed, with an average latency of 73 milliseconds per sample, confirming its suitability for real-time edge deployment.
These findings have significant implications for cybersecurity, demonstrating that carefully designed SNNs can serve as efficient, high-performing intrusion detection systems in resource-limited environments. The emphasis on temporal encoding aligns well with the bursty, time-sensitive nature of network traffic, enabling more natural and effective anomaly detection. The comprehensive evaluation framework and clear performance benchmarks set a foundation for future research and practical implementations.
Despite these advances, challenges remain. The current models assume static attack patterns and do not address adversarial robustness or concept drift. Hardware-specific deployment and energy efficiency on neuromorphic chips require further validation. Future work will explore hybrid architectures, adaptive encoding, and robustness against sophisticated threats, aiming to realize fully autonomous, resilient, and scalable neuromorphic cybersecurity solutions.
Deep Analysis
Background
随着物联网(IoT)设备的快速普及,网络安全成为亟待解决的关键问题。传统的深度学习模型如卷积神经网络(CNN)和深度神经网络(DNN)在检测准确率方面表现优异,但其庞大的计算资源需求限制了在边缘设备上的应用。近年来,脉冲神经网络(SNN)作为第三代神经网络,因其事件驱动、低能耗和良好的时间编码能力,逐渐成为网络安全中的新兴技术。早期研究如Zhou和Li(2021)利用非泄漏单脉冲时间编码神经元在NSL-KDD和AWID数据集上取得了优异表现,Wang等(2024)开发了卷积型SNN,展示了能耗降低和检测性能提升的潜力。然而,现有研究多集中于单一模型或单一编码方案,缺乏系统性比较,难以指导实际部署。本文旨在通过大规模、多场景的实验,系统分析神经元模型和编码策略在入侵检测中的联合影响,为未来的模型优化提供理论基础。
Core Problem
核心问题在于,SNN的设计空间庞大,包括神经元模型、脉冲编码方式、网络结构等多个维度。不同配置对检测性能和计算效率影响巨大,但缺乏系统性评估,导致难以选择最优方案。尤其是在网络入侵检测场景中,如何在保证高检测准确率的同时,降低推理延迟和能耗,是亟待解决的问题。现有研究多采用单一配置,缺少对编码策略和神经元模型联合影响的深入分析,限制了SNN的实际应用潜力。因此,本文通过大规模、多场景的系统性实验,旨在揭示关键设计变量的作用机制,为未来的模型优化提供科学依据。
Innovation
本论文的创新点主要体现在以下几个方面:
- �� 首次系统性比较了九种不同的神经元模型(如Leaky、Synaptic、SLSTM)与三种脉冲编码方案(速率、延迟、变化)在多数据集上的联合表现,揭示编码策略对检测性能的主导作用。
- �� 提出基于snntorch的标准化实验流程,确保不同配置的公平性和可重复性,为后续研究提供了模板。
- �� 设计了多指标评估体系,结合检测质量(准确率、宏F1、MCC)和计算成本(推理延迟、脉冲数),实现性能与效率的平衡。
- �� 发现Latency编码在所有神经元模型中均表现优异,显著提升检测效果,验证了时间编码在高维稀疏特征中的优势。
Methodology
- �� 数据预处理:对NSL-KDD、KDDCup99、CIC-IDS2017和CTU-13数据集进行统一编码,包括类别特征的独热编码、数值特征的归一化和缩放,去除非特征列。
- �� 编码策略:将预处理后的特征向量转化为二值脉冲序列,比较速率编码(信息由脉冲频率携带)、延迟编码(强特征提前触发)和变化编码(捕捉特征变化)三种方式。
- �� 神经元模型:选择九种轻量级模型(如Leaky、Synaptic、SLSTM等),每种模型定义不同的膜电位更新机制,模拟不同的生物神经特性。
- �� 网络架构:采用两层多层感知机(MLP),输入层映射到隐藏层,输出层为每个类别一个神经元,所有层均为脉冲神经元,网络在时间维度上展开,累积脉冲作为分类依据。
- �� 训练流程:使用Adam优化器,学习率设为1e-3,训练轮次固定,采用交叉熵损失,确保不同配置的公平比较。
- �� 评估指标:包括分类指标(准确率、宏F1、MCC)、误报率、检测率、推理延迟(毫秒/样本)和脉冲数,全面衡量模型性能与效率。
Experiments
- �� 数据集选择:涵盖NSL-KDD、KDDCup99、CIC-IDS2017和CTU-13,确保多场景、多难度。
- �� 实验设计:对每个配置(神经元模型+编码方案)在五个随机种子上重复训练,统计平均值和标准差。
- �� 超参数:网络结构固定(两层MLP,隐藏宽度H)、训练轮次、学习率一致,避免超参数偏差。
- �� 评估方法:在测试集上计算分类指标,测量推理延迟(使用GPU同步测量时间),分析不同配置的性能差异。
- �� 消融分析:比较不同编码方案对检测效果的影响,验证Latency编码的优势,分析神经元模型的次要作用。
Results
- �� 实验结果显示,Latency编码在所有神经元模型中均优于速率和变化编码,平均宏F1达0.80,误报率低至0.80%,在所有数据集上均表现出色,尤其在CIC-IDS2017和CTU-13中几乎达到完美检测。
- �� LeakyParallel神经元模型结合Latency编码,整体性能最佳,准确率92.11%,宏F1 0.80,推理延迟约73毫秒/样本,远优于其他配置,验证了其在边缘设备中的适用性。
- �� 编码策略对检测性能影响显著,Latency编码在不同神经元模型中均表现优异,说明时间编码方式更适合处理网络流量中的稀疏、时间敏感特征,提升判别能力。
Applications
- �� 该方法适用于边缘设备上的实时网络入侵检测,尤其在物联网、工业控制系统等对能耗和延迟要求极高的场景中。
- �� 通过低能耗、快速推理的特性,可以部署在边缘网关、路由器等设备,实现本地威胁检测,减少对云端的依赖。
- �� 还可结合现有的安全监控系统,作为第一线的预警工具,提高整体网络安全防御能力。
Limitations & Outlook
- �� 当前模型假设攻击样本与正常流量在特征空间中具有明显差异,未充分考虑对抗性攻击和隐蔽攻击的检测能力,未来需引入对抗样本进行鲁棒性验证。
- �� 实验在GPU硬件上进行,未在专用神经形态芯片或边缘硬件上验证实际性能,实际部署效果可能有所不同。
- �� 模型规模较小,未充分挖掘更大网络的潜力,未来需要探索更深、更复杂的网络结构以提升检测能力。
Abstract
Network intrusion detection is a core component of modern cybersecurity infrastructure, yet the deep learning models that dominate the field are computationally demanding, motivating interest in lightweight alternatives suited to edge and neuromorphic deployment. Spiking Neural Networks (SNNs) are therefore a natural candidate, but their design space, spanning the choice of neuron model and spike encoding scheme, remains poorly characterized for intrusion detection. We bridge this gap by using a controlled ablation study using 9 neurons coupled with 3 spike encoding schemes, making 27 variants, all implemented on snntorch evaluated over raw inputs with limited preprocessing on four benchmark datasets (NSL KDD, KDDCup99, CIC-IDS2017, and CTU-13) with 5 seeds. We find that spike encoding scheme is a better determinant for detection quality than the neuron model, where rate and delta spike encodings perform worse than latency encoding over the sweep. The LeakyParallel neuron with latency encoding performed the best overall, averaging at 92.11% accuracy and 0.80 macro- F1 at a rate of 2.01% false positives averaged over all 4 datasets, with accuracy close to perfect for CIC-IDS2017 and CTU-13, and also performed the fastest on inference. These results highlight the potential of SNNs as a viable alternative to traditional methods of intrusion detection when considering low-latency or resource-constrained deployments.
References (18)
Encrypted Internet traffic classification using a supervised Spiking Neural Network
Ali Rasteh, Floriane Delpech, C. Melchor et al.
Toward Zero: Power consumption trends in low data rate wireless connectivity
D. Griffith
Deep Learning With Spiking Neurons: Opportunities and Challenges
Michael Pfeiffer, T. Pfeil
The neurobench framework for benchmarking neuromorphic computing algorithms and systems
Jason Yik, Korneel Van den Berghe, Douwe den Blanken et al.
A Comprehensive Review of Internet of Things: Technology Stack, Middlewares, and Fog/Edge Computing Interface
Omer Ali, M. Ishak, Muhammad Kamran Liaquat Bhatti et al.
Predicting A User's Demographic Identity from Leaked Samples of Health-Tracking Wearables and Understanding Associated Risks
Sudip Vhaduri, S. Dibbo, Chih-You Chen
Loihi: A Neuromorphic Manycore Processor with On-Chip Learning
Mike Davies, N. Srinivasa, Tsung-Han Lin et al.
Energy-efficient intrusion detection with a protocol-aware transformer–spiking hybrid model
M. Karthik, Vijay Keerthika, Srihari Varma Mantena et al.
Spiking Neural Networks and Their Applications: A Review
Kashu Yamazaki, Viet-Khoa Vo-Ho, D. Bulsara et al.
An efficient intrusion detection model based on convolutional spiking neural network
Zhen Wang, Fuad A. Ghaleb, A. Zainal et al.
Improving Security of Web Servers in Critical IoT Systems through Self-Monitoring of Vulnerabilities
Linxuan Song, M. García-Valls
Review of artificial intelligence techniques used in IoT networks
V. Raj, Sundresan Perumal, K. Zen et al.
Spiking Neural Networks with Single-Spike Temporal-Coded Neurons for Network Intrusion Detection
Shibo Zhou, Xiaohua Li
Intrusion Detection in Internet of Things Systems: A Review on Design Approaches Leveraging Multi-Access Edge Computing, Machine Learning, and Datasets
Eric Gyamfi, A. Jurcut
Implicit IoT authentication using on-phone ANN models and breathing data
Sudip Vhaduri, S. Dibbo, William Cheung
Training Spiking Neural Networks Using Lessons From Deep Learning
J. Eshraghian, Max Ward, Emre O. Neftci et al.
SURFS: Sustainable IntrUsion Detection with HieraRchical Federated Spiking Neural Networks
Ons Aouedi, Kandaraj Piamrat
Towards spike-based machine intelligence with neuromorphic computing
K. Roy, Akhilesh R. Jaiswal, P. Panda