Introduction

Unraveling cyber security insights: background and objectives

The realm of cybersecurity has taken on paramount importance in today’s digital world, where technology permeates every facet of modern life. As the proliferation of cyber threats continues unabated, safeguarding sensitive information and protecting crucial systems has become an urgent imperative for both organizations and individuals alike1. To effectively tackle these challenges head-on, cyber security data analytics has emerged as a formidable strategy, capitalizing on advanced data analysis techniques to identify, thwart, and mitigate cyber-attacks. This research paper delves deeply into the fascinating realm of cyber security data analytics, placing special emphasis on harnessing the power of Convolutional Neural Networks (CNN)2. Originally designed for image recognition, CNNs have displayed astonishing potential in handling intricate patterns and interconnections found within cyber security data. By adapting CNNs for cyber security tasks, the objective is to explore their effectiveness and potential applicability in fortifying defenses against cyber threats3. Our primary objectives in this study are twofold:

  1. 1.

    To Investigate CNNs in Cyber Security: Our focus lies in exploring the application of CNNs for cyber security data analytics. We aim to understand how these networks can effectively identify intricate patterns and anomalies within extensive datasets relevant to cyber security. Through an exhaustive examination of CNN architectures, components, and features, we seek to gain insights into their potential in analyzing cyber security-related data4.

  2. 2.

    To Evaluate CNN Performance with Synthetic Data: Obtaining comprehensive real-world cyber security datasets can be challenging due to their sensitive nature. To overcome this hurdle, we opt for a synthetic data generation approach, allowing us to create diverse cyber security scenarios. By utilizing this artificially generated dataset, we will assess the performance of CNNs and determine their viability as a valuable tool for cyber security practitioners5.

This research explores the application of Convolutional Neural Networks (CNNs) in cyber security data analytics, with the goal of unraveling their strengths and limitations within the field. Our objective is to provide a solid foundation for practitioners and researchers to effectively apply state-of-the-art data analytics techniques to safeguard digital ecosystems6. By leveraging the capabilities of CNNs, we aim to enhance the understanding of cyber security data analytics and contribute practical insights for developing robust defense mechanisms against cyber threats7. The novelty of this study lies in its investigation of CNNs for cyber security, offering an innovative approach to recognizing and addressing cyber threats in the dynamic digital environment8. The gap identified highlights the need for connecting synthetic data testing with real-world validation to ensure a more comprehensive and applicable approach in cybersecurity contexts.

Literature review

Empowering defense with cyber security data analytics

Cyber Security Data Analytics leverages advanced techniques to improve the detection, prevention, and mitigation of cyber threats. With the growing complexity and speed of attacks, traditional security measures are no longer sufficient8. The core of Cyber Security Data Analytics involves real-time collection and analysis of security-related data, including network logs, system events, user behavior, and threat intelligence from sources such as firewalls, intrusion detection systems, and antivirus tools9. The primary objective is to uncover hidden patterns and anomalies that may indicate potential threats. A central approach is Machine Learning, with a focus on Deep Learning models such as Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs), which automatically identify patterns associated with both normal and malicious activities10. These models not only help in preemptively addressing security breaches, such as unauthorized access and malware infections, but also play a critical role in predicting future attack trends, thereby allowing organizations to strengthen their defenses against emerging threats11,12.

Cyber Security Data Analytics plays a crucial role in Incident Response and Forensics, enabling analysts to trace attack trajectories and uncover the root cause, damage, and adversarial techniques. This analysis strengthens cyber resilience and refines security strategies. However, challenges such as data privacy and maintaining analysis integrity remain critical. Organizations must balance sharing threat intelligence with protecting sensitive data13. The evolving nature of cyber threats requires continuous updates to models and dynamic adaptation. Ethical concerns and data privacy, especially regarding the use of CNNs, are vital areas of focus. Further exploration of strategies to manage these challenges, particularly with real-world datasets, would add valuable depth to the discussion14.

To enhance the technical rigor of the paper, the author could benefit from incorporating methodologies presented in research such as “An Intrusion Detection System Based on Normalized Mutual Information Antibodies Feature Selection and Adaptive Quantum Artificial Immune System” and “Intrusion Detection Using Normalized Mutual Information Feature Selection and Parallel Quantum Genetic Algorithm.” These studies propose advanced techniques for intrusion detection, utilizing feature selection and adaptive algorithms. By integrating concepts from these sources, the paper could improve its approach to identifying and classifying cyber threats, fostering a more resilient and efficient cybersecurity framework. The use of normalized mutual information and quantum genetic algorithms offers a sophisticated method for optimizing feature selection and model performance, thereby enhancing the overall technical sophistication and dependability of the proposed methodology.

The literature review in this study synthesizes a broad range of research to provide a comprehensive overview of cybersecurity and deep learning methodologies. Key contributions include Sarker et al.’s “Deep cybersecurity: a comprehensive overview from neural network and deep learning perspective,” which offers a broad perspective on cybersecurity1, and Ferrag et al.’s “Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study,” which delves into specific techniques and comparative evaluations2. Other surveys, such as Gümüşbaş et al.’s “A comprehensive survey of databases and deep learning methods for cybersecurity and intrusion detection systems” and Mijwil et al.’s “The Significance of Machine Learning and Deep Learning Techniques in Cybersecurity: A Comprehensive Review,” emphasize the importance of databases and machine learning methodologies in cybersecurity3,4. Additionally, practical applications and case studies, such as Chen et al.’s “Cyber security in smart cities: a review of deep learning-based applications and case studies,” highlight real-world scenarios8. Integrating insights from these sources, the literature review provides a solid foundation for this study, identifying gaps and opportunities for future research and improvement15.

Table 1 Literature Review on Cybersecurity Incidents.
Full size table

Table 1 offers a thorough literature review on cyber security incidents, laying the groundwork for the research. However, it lacks a critical analysis of limitations within existing studies, missing the opportunity to identify gaps that could strengthen the rationale and significance of the present study. Notable articles, such as “Identity Threads in the Cloud Tapestry: A Comprehensive Study of Federated Identity Management and Its Role in Ensuring Cloud Security”16 and “Defense mechanisms against DDoS attack based on entropy in SDN-cloud using POX controller”17, provide key defense mechanisms against DDoS attacks in SDN-cloud environments. Another important contribution, “Cat-squirrel optimization algorithm for VM migration in a cloud computing platform”18, introduces an optimization algorithm for virtual machine migration. To enhance the technical rigor, the related work section should compare the proposed CNN approach with traditional machine learning algorithms, emphasizing CNNs’ advantages in feature extraction and accuracy for cyber security data, while citing studies that highlight both successful applications and limitations of CNNs in similar contexts.

Unleashing the potential of CNNs in safeguarding cyberspace

AI and ML have significantly transformed numerous fields by enabling automation, predictive analytics, and intelligent decision-making19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35. CNNs, initially developed for image recognition, have proven to be a powerful tool in cyber security36,37. Their unique architecture and advanced feature extraction capabilities make them highly effective for analyzing complex cyber security data, including network traffic, malware samples, and log files. CNNs excel in network traffic analysis by identifying unusual behaviors indicative of cyber-attacks, such as denial-of-service attacks, port scanning, and intrusions. This proactive approach significantly enhances threat detection, enabling the prevention of breaches before they escalate.

CNNs are increasingly applied in detecting phishing websites, a prevalent attack vector where cyber criminals continually develop new techniques to deceive users. CNNs analyze web page content and identify patterns indicative of phishing attempts, thereby protecting users from fraudulent websites and safeguarding sensitive information. However, the effectiveness of CNNs in cyber security depends on a robust training dataset that includes both normal and malicious instances to ensure accurate predictions. Continuous model updates are necessary to address emerging threats and maintain efficacy in an evolving cyber landscape. This research builds upon existing literature by enhancing CNN feature extraction capabilities to analyze and categorize diverse cyber security data, including network traffic, malware samples, and log files, improving the detection of threats such as denial-of-service attacks, port scanning, intrusion attempts, and phishing websites. The novelty of this study lies in its innovative use of CNNs on a synthetic dataset designed to represent a range of cyber security incidents, demonstrating the model’s high accuracy in threat detection and its potential for real-world application despite the initial lack of real-world data.

Data generation and preprocessing

Data generation and preprocessing are critical steps in any data analytics study, including cyber security data analysis using CNNs. This section focuses on how synthetic data is generated for the research and the essential preprocessing steps performed to prepare the data for training the CNN model.

  • Data generation: This study uses synthetic data to simulate cybersecurity incidents and attacks. Synthetic data generation involves creating artificial data that mimics the characteristics and patterns of real-world cybersecurity data. By using synthetic data, we can perform controlled experiments on various scenarios without relying on sensitive or restricted data. The ‘make_classification‘ function from the ‘scikit_learn‘ library is employed to generate random samples with specified features and labels. The generated synthetic data includes key attributes such as network traffic patterns, attack types, and anomaly indicators, effectively representing cybersecurity events.

  • Data preprocessing: Data preprocessing plays a pivotal role in guaranteeing that the data is appropriately structured and purified prior to being fed into the CNN model. The main goals of data preprocessing encompass elevating the model’s performance, addressing any missing or incongruent data, and mitigating noise38,39. The fundamental stages of data preprocessing employed in this research are as follows:

    1. 1.

      Data splitting: The fabricated data is partitioned into two distinct sets: the training set and the testing set. The purpose of the training set is to facilitate the teaching of the CNN model, enabling it to learn and gain proficiency. Conversely, the testing set serves the critical role of evaluating the model’s performance, providing a reliable measure of its capabilities and effectiveness.

    2. 2.

      Reshaping: Given that CNNs are specifically tailored to process data resembling images, any synthetic data used in the context of CNNs must be transformed into a compatible format. For instance, if the original data is in the form of sequences, it undergoes a restructuring process to be converted into a 2D matrix, effectively representing images. This restructuring allows the CNN to efficiently process and extract meaningful features from the data, enhancing its ability to comprehend and interpret visual information.

    3. 3.

      Feature scaling: Feature scaling is a crucial procedure undertaken to ensure that all characteristics possess a uniform scale. This is accomplished through the application of common scaling techniques like normalization or standardization. By undertaking this step, we enable the CNN model to achieve swifter convergence and, equally significant, averts any single feature from exerting undue influence over the entire model.

    4. 4.

      One-hot encoding: In the realm of machine learning, categorical labels undergo a transformation called one-hot encoding, which essentially converts them into binary vectors. This sophisticated encoding technique is employed to enable the CNN model to adeptly decipher and make accurate predictions for multi-class classifications. By representing each class as a unique binary pattern, the CNN can grasp the intricate relationships among the classes and achieve superior performance in tackling complex classification tasks with multiple possible outcomes.

    5. 5.

      Data augmentation: Various data augmentation techniques, including rotation, flipping, and zooming, can be employed to augment the training data, thereby enhancing the model’s capacity to generalize effectively.

Through the implementation of these preprocessing procedures, the synthetic data undergoes meticulous preparation, rendering it in a format highly compatible with CNN model training. This meticulous preparation of data significantly bolsters the CNN model’s capacity to assimilate pertinent features and intricate patterns concealed within the dataset, thereby empowering more advanced cyber security data analysis and remarkably precise predictions. In essence, the crucial steps of data generation and preprocessing play a decisive and pivotal role in guaranteeing the CNN model’s accuracy and efficacy in the realm of cyber security data analytics40. Logistic regression is a widely used classification algorithm in cybersecurity for binary classification tasks, such as detecting malicious activities41,42,43,44. The logistic regression hypothesis function is defined as:

$$\begin{aligned} h_{\theta }(x) = \frac{1}{1 + e^{-\theta ^T x}} \end{aligned}$$
(1)

where:

  • \(h_{\theta }(x)\) represents the predicted probability that input \(x\) belongs to the positive class.

  • \(\theta\) is the vector of parameters (weights) that the algorithm learns during training.

  • \(x\) is the input feature vector.

Deep learning models, especially neural networks, are capable of learning complex patterns and relationships in cybersecurity data. The forward propagation equations for a neural network are given by:

$$\begin{aligned} z^{[l]}&= W^{[l]} a^{[l-1]} + b^{[l]} \end{aligned}$$
(2)
$$\begin{aligned} a^{[l]}&= g^{[l]}(z^{[l]}) \end{aligned}$$
(3)

where:

  • \(z^{[l]}\) represents the pre-activation output of layer \(l\).

  • \(W^{[l]}\) and \(b^{[l]}\) are the weight matrix and bias vector of layer \(l\).

  • \(a^{[l]}\) is the activation output of layer \(l\).

  • \(g^{[l]}\) is the activation function, such as ReLU, sigmoid, or tanh.

The equations introduced are critical components underlying the design and optimization of the CNN model for cyber security data analytics, yet a more detailed explanation of their relevance to the study’s objectives would enhance clarity and understanding. The inclusion of Equation 1, which explains Logistic Regression, highlights its role as a foundational method for binary classification tasks in cybersecurity, serving as a comparison to demonstrate the enhanced capabilities of the CNN model used in this study for more complex pattern recognition and advanced cyber threat detection.

Synthetic data

The synthetic dataset crafted for this research serves as a fundamental representation of cyber security incidents, intricately designed to replicate real-world scenarios found in the realm of cyber threats. Each feature vector captures essential attributes and patterns that signify various cyber threats, presenting a diverse range of data points suitable for analysis. With meticulous design and adjustment, the synthetic dataset reflects the intricacies and subtleties encountered in genuine cyber security environments, providing a robust platform for assessing the effectiveness of CNN technology in identifying and categorizing threats. Utilizing this synthetic data enables researchers to methodically investigate CNNs’ capabilities in accurately detecting cyber security threats, thus establishing a foundation for further experimentation and validation in subsequent stages of the study.

Fig. 1
Fig. 1
Full size image

Input Data for synthetic feature vectors represent cyber security incidents.

Figure 1 demonstrates the input data comprising synthetic feature vectors representing cyber security incidents, showcasing the dataset’s capability to mimic real-world cyber threats in its initial stage. The section provides a detailed explanation of the synthetic dataset’s construction and its representation of cyber security incidents, yet it lacks a thorough justification for why synthetic data adequately substitutes real-world data, necessitating further discussion on the limitations and potential biases inherent in synthetic data. The proposed approach addresses various cyber security incidents, including anomaly detection and classification of both normal and malicious activities within network traffic data. The use of synthetic data is justified by its ability to meticulously replicate real-world cyber security incidents, allowing for controlled experimentation and detailed analysis of CNN capabilities in threat detection, while real-world data may be limited or unavailable for comprehensive initial testing.

CNN model design and implementation

The design and implementation of the CNN model are pivotal for achieving accurate and efficient cybersecurity data analytics. CNNs are renowned for their ability to extract complex patterns from data, making them ideal for cybersecurity analysis. This study applies CNNs to cybersecurity data using a synthetic dataset, incorporating essential components for effective learning and representation45,46,47. The architecture begins with a 1D Convolutional layer using 32 filters to detect crucial features, balancing model complexity and performance. The following MaxPooling 2D layer performs spatial down-sampling, reducing computational load and overfitting, with a pool size of (1, 2) to retain key information. The model achieves an impressive average accuracy of 85% on the test set, showcasing CNNs’ effectiveness in cybersecurity data analysis.

Fig. 2
Fig. 2
Full size image

Calculating the test cases of 10 epochs.

Figure 2 depicts the process of determining the test cases over 10 epochs, utilizing synthetic data created to investigate the capabilities of CNNs in effectively identifying and categorizing cyber security threats, thereby highlighting the thorough methodological approach adopted for cyber security data analysis in this research. To prepare the extracted features for classification, we use a Flatten layer to reshape the 2D output into a 1D vector. The flattened features are then passed through a dense layer with 128 neurons activated by the Rectified Linear Unit (ReLU) function, which introduces non-linearity and enhances the model’s ability to learn complex relationships48,49,50,51. The final classification layer is a Dense layer with two neurons, utilizing the Softmax activation function to generate a probability distribution over the two classes, enabling accurate predictions for cybersecurity incidents. The model is implemented using the Keras framework, with the categorical cross-entropy loss function and Adam optimizer for efficient training. The model is trained over several epochs, optimizing its weights and biases to minimize loss and improve performance on both training and validation sets. Its performance is evaluated on the test set, providing insights into its generalization ability for real-world cybersecurity applications.

Fig. 3
Fig. 3
Full size image

Schematic architecture of proposed data analytics technique.

To prepare extracted features for classification, as shown in Figure 3, we use a Flatten layer to convert the 2D output into a 1D vector, facilitating further processing. The flattened features are then passed to a dense layer with 128 neurons activated by the ReLU function, enabling the model to capture complex relationships and enhance pattern representation. The final classification output is produced by a Dense layer with 2 neurons and Softmax activation, generating a probability distribution over the two classes. This approach enables precise predictions regarding cybersecurity incidents. We implement the model using the Keras framework, known for its simplicity and versatility.

For training, we use the categorical cross-entropy loss function, suitable for multi-class classification tasks52,53,54, and the Adam optimizer, which adapts the learning rate for faster convergence and improved robustness against noisy gradients55,56,57,58. Through training epochs, the model adjusts its weights and biases to minimize the loss function, improving accuracy on training and validation datasets. The model is evaluated on a test set to assess its generalization ability and potential for real-world cybersecurity applications. This approach ensures the model is capable of providing reliable and robust predictions, strengthening cyber defense mechanisms. The cell state \(C_t\) is updated as follows:

$$\begin{aligned} C_t = C_{t-1} + i_t * C_t. \end{aligned}$$
(4)

The output gate \(o_t\) is calculated by applying a sigmoid activation function:

$$\begin{aligned} o_t = \sigma (W_0[h_{t-1}, x_t] + b_0). \end{aligned}$$
(5)

The final hidden state \(h_t\) is obtained by combining the output gate with the cell state:

$$\begin{aligned} h_t = o_t * \tanh (C_t). \end{aligned}$$
(6)

The complete item is computed as shown in Equation 4 and becomes the new candidate value. These values are compared to the requirements before deciding whether to update each state. The solution, based entirely on self-state, is filtered to generate the cell state, powered by a sigmoid neural network layer. This layer determines what contributions the cell state probes should make. The output of the sigmoid gate layer is passed through the \(\tanh\) function, resulting in a value between -1 and 1, as shown in Equations 5 and 6. These equations are critical to the design and optimization of the CNN model, directly influencing its performance in cybersecurity data analytics. Further elaboration on these equations would enhance the clarity of the CNN’s implementation and its relevance to the study’s objectives.

Results and analysis

The primary goal of this study was to explore the application of CNNs in identifying and classifying cybersecurity incidents using synthetic data, assessing their practicality in real-world scenarios. Upon training the CNN model, we achieved an impressive average accuracy of around 85% on the test set, demonstrating its ability to effectively distinguish between cybersecurity classes. The precision and recall scores indicated a good balance between false positives and negatives. These results suggest that CNNs are highly capable of identifying cybersecurity threats, even with synthetic data. Regularization techniques, such as dropout and early stopping, were employed to prevent overfitting, ensuring stable convergence and generalization to unseen data.

Additionally, we compared the CNN approach with traditional machine learning algorithms commonly used in cybersecurity data analysis. The CNN model outperformed these methods in both accuracy and robustness, particularly due to its ability to automatically learn relevant features from raw data, like network traffic patterns. Despite these promising results, we acknowledge the limitations of using synthetic data, as real-world cybersecurity data may present challenges like class imbalances and noisy samples. Further research with authentic datasets is necessary to validate these findings, and model fine-tuning may be required for optimal performance. This research highlights the potential of CNNs in enhancing early detection and response to cyber threats, ultimately strengthening network defenses and reducing potential damages.

Discussion

Decoding intelligence: interpreting the impact of findings

The CNN model demonstrated impressive performance, achieving high accuracy in classifying synthetic data. Training and validation accuracy graphs showed remarkable convergence, indicating the model’s ability to generalize effectively. This convergence suggests that the CNN successfully learned relevant features from the synthetic data, enabling precise predictions. When evaluated on an independent test set, the model continued to display strong accuracy, confirming its ability to generalize to unseen samples. However, these results should be interpreted with caution due to the limitations of synthetic data, which may not fully reflect the complexity of real-world cybersecurity datasets. As such, the CNN’s performance may vary when applied to actual data, necessitating further evaluation on real-world cybersecurity data for practical use.

The outstanding performance on the synthetic dataset also raises concerns about potential overfitting. Although regularization techniques were not explicitly explored in this study, future research should address overfitting when applying CNNs to real-world data. Given the dynamic nature of cybersecurity data, further optimization of the model’s architecture and hyperparameters will be essential to ensure its robustness and generalizability in real-world applications. Continued exploration in this area will enhance the CNN’s reliability and effectiveness in practical cybersecurity tasks.

Navigating the frontier: limitations and strategic implications

Limitations: While our study on cybersecurity data analytics using CNNs has shown promising results, certain limitations must be acknowledged. First, the synthetic data used may not fully capture the complexities of real-world cybersecurity datasets, meaning the CNN’s performance could differ when applied to actual data, warranting further investigation. Additionally, the relatively small size of the synthetic dataset limits the model’s robustness. A larger and more diverse dataset would enhance the model’s ability to detect intricate patterns and improve its performance on unseen data. Furthermore, the CNN’s architecture may not be optimal for all cybersecurity scenarios, and adjusting the model’s design and hyperparameters to better suit real-world data is crucial for achieving optimal performance.

Implications: Our findings highlight the promising potential of CNNs in cybersecurity data analytics. The CNN model’s ability to effectively learn features and accurately classify data has significant implications for real-world cybersecurity applications. CNNs enable cybersecurity professionals to enhance their threat detection and mitigation capabilities with greater precision and efficiency. The model’s capacity to autonomously identify meaningful patterns aids in the early detection of cyber-attacks, potentially preventing major security breaches. Moreover, the study underscores the critical importance of data preparation and preprocessing in cybersecurity analytics. Well-curated and augmented datasets significantly influence CNN performance, making high-quality data collection and preparation essential for the successful application of CNN-based approaches in this field.

Graph analysis: The charts illustrating the training process highlight the CNN’s performance across multiple epochs, showing how well the model learns from the training data and generalizes to unseen data. Ideally, both training and validation accuracy curves should rise in tandem, indicating successful learning and generalization. After training on a synthetic dataset, the CNN demonstrated strong performance on the test set, accurately detecting anomalies and classifying cybersecurity events. Minimal overfitting was observed, confirming the model’s ability to generalize to new data. The learning curves illustrated steady convergence, underscoring the model’s generalization capabilities. This study also emphasizes the importance of addressing ethical issues and data privacy concerns in cybersecurity analysis, particularly when using CNNs. Further exploration of strategies to manage these challenges, especially with real-world datasets, would enhance the paper’s scope. A deeper examination of how these findings can be applied to cybersecurity practice would enrich the study’s practical relevance.

Fig. 4
Fig. 4
Full size image

Training and validation accuracy versus epochs for the CNN model.

Figure 4 shows how the training and validation accuracy of the proposed CNN model improved steadily over multiple epochs, eventually stabilizing as the model learned effectively. The close match between the two curves highlights the model’s strong ability to generalize, with little evidence of overfitting during training.

Fig. 5
Fig. 5
Full size image

Epoch-wise accuracy progression on synthetic and real-world datasets.

Figure 5 shows how the CNN model’s accuracy improves over epochs for both synthetic and real-world datasets, with the real-world data achieving higher accuracy levels more quickly. These findings suggest that the model learns and adapts better when trained on actual cybersecurity datasets compared to synthetic ones.

Fig. 6
Fig. 6
Full size image

Model accuracy vs model loss for proposed system.

Figure 6 depicts how the proposed system’s accuracy and loss evolve during training. Over the epochs, the model’s accuracy steadily rises, achieving a peak of 95%, while the loss gradually declines to 0.1541, reflecting the model’s effective learning and enhanced performance on the validation data.

Fig. 7
Fig. 7
Full size image

Time complexity vs. epochs for proposed system.

Figure 7 illustrates the time complexity of the proposed system over various epochs. The training time consistently decreases, demonstrating the model’s efficiency in rapidly reaching optimal performance within a smaller number of epochs.

Performance evaluation

To evaluate the effectiveness of our CNN-based cybersecurity threat detection system, we tested it on both synthetic and real-world datasets. Initially, the model achieved 85% accuracy on the synthetic dataset, demonstrating its ability to detect and classify cybersecurity threats. To assess real-world applicability, we integrated actual cybersecurity datasets and used metrics such as accuracy, precision, recall, F1-score, and AUC-ROC curves. Confusion matrices provided deeper insights into classification performance across different threat categories. Comparative analysis with traditional machine learning methods (SVM and Random Forest) showed that CNN outperformed these models in accuracy and feature extraction. The model’s robustness was enhanced by dropout layers and batch normalization, reducing overfitting and ensuring adaptability in practical scenarios. The CNN demonstrated excellent learning stability, with converging training and validation accuracy curves and a consistently declining loss function, indicating effective optimization. Computational efficiency analysis revealed faster convergence and fewer iterations to reach optimal performance, making it suitable for real-time applications. A comparative study showed the CNN model achieving 95% accuracy on the test set, with lower losses, and resilience against adversarial attacks. This research highlights the CNN’s potential for real-world cybersecurity applications, advancing anomaly detection and cyber defense strategies.

Accuracy: Determines the proportion of correctly classified cyber threats in relation to total predictions, ensuring overall model reliability.

$$\begin{aligned} \text {Accuracy} = \frac{\text {TP} + \text {TN}}{\text {TP+TN+FN+FP}}. \end{aligned}$$
(7)

The proposed CNN model achieved an accuracy of 95%, demonstrating its ability to accurately classify cybersecurity threats.

Precision: Assesses the proportion of correctly identified cyber threats among all predicted positive cases, reducing false alarms. A high precision score ensures that the model minimizes false positives, increasing detection reliability.

$$\begin{aligned} \text {Precision} = \frac{\text {TP}}{\text {TP} + \text {FP}}. \end{aligned}$$
(8)

Recall: Evaluates the model’s ability to correctly identify actual cyber threats, reducing missed detections. The high recall score confirms the CNN model’s efficiency in detecting a broad range of cyber threats while minimizing false negatives.

$$\begin{aligned} \text {Recall} = \frac{\text {TP}}{\text {TP} + \text {FN}}. \end{aligned}$$
(9)

F1 Score: F1 Score represents a harmonic mean between precision and recall, ensuring a balance between false positives and false negatives. The F1-score confirms that the model effectively balances precision and recall, making it suitable for cybersecurity applications.

$$\begin{aligned} \text {F1 Score} = 2 \times \frac{\text {Precision} \times \text {Recall}}{\text {Precision} + \text {Recall}}. \end{aligned}$$
(10)

AUC-ROC (Area under the receiver operating characteristic curve): Measures the model’s ability to differentiate between cyber threats and normal activities at various threshold levels. A high AUC score signifies that the CNN model effectively distinguishes between legitimate network traffic and malicious activities.

$$\begin{aligned} AUC = \int _{-\infty }^{\infty } TPR(FPR) \, d(FPR) \end{aligned}$$
(11)

where \(TPR(FPR)\) represents the true positive rate as a function of the false positive rate.

Confusion matrix: Provides a detailed analysis of the model’s classification performance across cyber threat categories. The matrix is typically represented as:

$$\begin{aligned} \begin{bmatrix} TP & FP \\ FN & TN \end{bmatrix} \end{aligned}$$
(12)

The confusion matrix enables deeper insight into false positives, false negatives, and overall model accuracy.

Log loss (Cross-entropy loss): Measures prediction confidence, penalizing incorrect classifications more heavily. A low log loss value confirms that the CNN model produces highly confident and accurate predictions for cybersecurity threats. The Log Loss formula is expressed as:

$$\begin{aligned} LogLoss = -\frac{1}{N} \sum _{i=1}^{N} \left[ y_i \log (p_i) + (1 - y_i) \log (1 - p_i) \right] \end{aligned}$$
(13)

Mean squared error (MSE) for model convergence: Calculates the variance between predicted and actual classification probabilities, assessing model optimization efficiency. A decreasing MSE value across training epochs validates the CNN model’s ability to learn and optimize effectively. The MSE formula is expressed as:

$$\begin{aligned} MSE = \frac{1}{N} \sum _{i=1}^{N} (y_i - \hat{y}_i)^2 \end{aligned}$$
(14)

Matthews correlation coefficient (MCC): Measures overall classification performance, particularly for imbalanced datasets. A high MCC score indicates that the model performs well across all classification categories, even in imbalanced datasets. The MCC formula is expressed as:

$$\begin{aligned} MCC = \frac{(TP \times TN) - (FP \times FN)}{\sqrt{(TP + FP)(TP + FN)(TN + FP)(TN + FN)}} \end{aligned}$$
(15)

G-mean (geometric mean for imbalanced data): Evaluates the model’s ability to maintain classification performance for both majority and minority classes in cybersecurity threats. The G-Mean formula is expressed as:

$$\begin{aligned} G-Mean = \sqrt{\text {Recall} \times \text {Specificity}} \end{aligned}$$
(16)

The G-Mean score ensures that the model maintains balanced classification accuracy across various cyber threats, avoiding bias. By leveraging these validation metrics, the CNN model’s performance in cybersecurity threat detection is thoroughly assessed, ensuring accuracy, reliability, robustness, and practical applicability.

Comparative analysis

Table 2 Comparison of Existing and Proposed System.
Full size table

Table 2 shows significant improvements with the proposed CNN-RNN architecture. The model achieved 95% accuracy on the test set, surpassing the existing system. With a training loss of 0.1832 and validation loss of 0.1541, the model demonstrates excellent fit and generalization, minimizing overfitting. The system also reduces time complexity, making it suitable for real-time applications, and converges faster, reaching optimal performance in 10 epochs. The use of structured layers and dropout layers improves interpretability and robustness. Overall, the system offers greater generalization, making it a resilient and reliable solution for cybersecurity data analytics.

Table 3 Comparison of synthetic dataset vs. real-world dataset (NSL-KDD/CICIDS2017).
Full size table

Table 3 gives us a side-by-side look at how well the CNN model performs when trained on synthetic data versus real-world cybersecurity datasets like NSL-KDD and CICIDS2017. The improvement is clear–accuracy jumps from 85% to 95% when real-world data is used. Other key metrics like precision, recall, and F1-score also see a solid boost, showing the model does a better job recognizing real threats versus normal behavior. The AUC-ROC score improves too, suggesting more reliable performance in different classification scenarios. Not only does the model learn faster on real data–with fewer epochs and lower time complexity–but it also becomes more stable, thanks to techniques like dropout that reduce overfitting. Overall, using real-world data makes the model smarter, faster, and more resilient, making it a strong candidate for use in real-time cybersecurity applications.

Conclusion

This research explored the potential of CNNs in cybersecurity data analytics, focusing on anomaly and threat detection using a synthetic dataset. The literature review highlighted CNNs’ success in image-based tasks, but their application in cybersecurity remained underexplored. To bridge this gap, we adapted CNNs to a synthetic cybersecurity dataset, providing valuable insights into their performance. We meticulously crafted the synthetic dataset to simulate cybersecurity events and network traffic, applying standard data preprocessing techniques for compatibility with CNNs. The CNN model was designed with convolutional layers, max-pooling layers, and fully connected layers, enabling it to autonomously learn relevant features and classify cybersecurity incidents. After training the model on the synthetic dataset, we evaluated its performance on the test set, achieving impressive results with high accuracy in detecting anomalies and classifying cybersecurity events. The learning curves demonstrated minimal overfitting, indicating the model’s ability to generalize effectively. Loss curves showed steady improvement over epochs, confirming strong learning capabilities. However, we acknowledge that synthetic data may not fully capture the complexities of real-world cybersecurity incidents. The study suggests that future research should focus on incorporating real-world datasets to validate CNN performance and enhance applicability. Further elaboration on potential model biases and the importance of diverse datasets is recommended to improve model resilience. Future research should aim to integrate authentic and diverse datasets to assess CNN performance in real-world conditions. In conclusion, the successful adaptation of CNNs to synthetic cybersecurity data demonstrates their potential for anomaly detection and system fortification, laying a strong foundation for future work in real-world cybersecurity applications.