Real-Time Threat Detection Using Network Flow Analysis and LSTM Networks

Authors

  • Duc Nguyen, Department of Information and Communication Engineering, Tohoku Institute of Technology, Sendai, Japan

DOI:

https://doi.org/10.62647/

Keywords:

LSTM networks, network flow, NetFlow, real-time intrusion detection, anomaly detection, deep learning, CICIDS2017, cybersecurity analytics, hybrid cloud security

Abstract

As cyberattacks grow more complex and an increasing share of traffic is encrypted, traditional rule-based intrusion detection systems (IDS) are increasingly inadequate against emerging and evasive threats. This study proposes a real-time threat detection framework that combines network flow telemetry with deep learning, specifically Long Short-Term Memory (LSTM) networks. Flow telemetry records only per-flow counts and timing (packet count, byte rate, flow duration, inter-arrival time), so it remains available when payloads are encrypted; the model is trained on these NetFlow features to identify time-series anomalies associated with a variety of attack vectors. Using the CICIDS2017 dataset, which includes labeled traffic for both benign and malicious sessions (including DDoS, brute force, botnet, and port scan attacks), we evaluate detection accuracy, latency, and false positive rate. The proposed LSTM model achieves a classification accuracy of 94.5% with a false positive rate of 3.2%, outperforming traditional statistical methods and feedforward neural network baselines. To validate real-time performance, the system is deployed in a hybrid cloud testbed with live traffic emulation and integrated into a monitoring dashboard that displays alerts and anomaly trends. Our results demonstrate that LSTM-based anomaly detection can operate effectively in high-throughput environments, offering scalable and adaptive protection. We recommend this approach as a complementary layer to existing signature-based defenses, enhancing detection capabilities in enterprise and cloud network environments.
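The following is an added example, not code from the paper or its authors. It shows the data-preparation side of the pipeline the abstract describes: turning NetFlow-style records into the four per-flow features named above, windowing them into (T, F) sequences of the kind a sequence model consumes, and computing accuracy and false positive rate (FP/(FP+TN)) the way those figures are normally defined. In place of the trained LSTM it scores windows with a per-feature z-score rule, i.e. the "traditional statistical method" the paper uses as a baseline, so that the whole thing runs offline. All flow records, hosts and addresses are constructed; the window length T=3, the 3σ threshold and the train/test split by host are assumptions of the example.

```python
"""Flow features -> (T, F) windows -> z-score baseline -> accuracy / FPR.
Added example; all records below are constructed, not CICIDS2017 data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-like records: (start_s, duration_s, src, dst, dport, pkts, bytes, label)
# label 1 = attack flow, 0 = benign flow (hypothetical labels)
FLOWS = [
    # 10.0.0.5: ordinary HTTPS browsing; the benign baseline is fitted on this host only
    (0.0,  2.1, "10.0.0.5", "93.184.216.34", 443, 40, 52000, 0),
    (5.2,  1.4, "10.0.0.5", "93.184.216.34", 443, 22, 31000, 0),
    (9.9,  3.0, "10.0.0.5", "151.101.1.69",  443, 55, 70000, 0),
    (15.7, 0.9, "10.0.0.5", "93.184.216.34",  80, 12,  9800, 0),
    (20.4, 2.6, "10.0.0.5", "151.101.1.69",  443, 48, 61000, 0),
    # 10.0.0.9: port scan, one packet per flow, a new destination port every 10 ms
    (30.00, 0.001, "10.0.0.9", "10.0.0.20", 21, 1, 60, 1),
    (30.01, 0.001, "10.0.0.9", "10.0.0.20", 22, 1, 60, 1),
    (30.02, 0.001, "10.0.0.9", "10.0.0.20", 23, 1, 60, 1),
    (30.03, 0.001, "10.0.0.9", "10.0.0.20", 25, 1, 60, 1),
    (30.04, 0.001, "10.0.0.9", "10.0.0.20", 80, 1, 60, 1),
    # 10.0.0.7: benign, but with one large fast download (a classic threshold false positive)
    (40.0, 2.0, "10.0.0.7", "151.101.1.69", 443,  30,  40000, 0),
    (45.5, 0.5, "10.0.0.7", "104.16.0.1",   443, 140, 200000, 0),
    (50.1, 1.8, "10.0.0.7", "151.101.1.69", 443,  35,  45000, 0),
    (55.0, 2.2, "10.0.0.7", "104.16.0.1",   443,  41,  50000, 0),
]
TRAIN_HOSTS = {"10.0.0.5"}   # assumption: baseline statistics come from this host's benign windows
FEATURES = ("pkts", "byte_rate", "duration", "inter_arrival")


def flow_features(flows):
    """Per-flow feature vectors grouped by source host and ordered by start time.
    inter_arrival is the gap to the previous flow from the same source (0 for the first)."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda r: r[0]):
        by_src[f[2]].append(f)
    sequences = {}
    for src, rows in by_src.items():
        seq, prev_start = [], None
        for start, dur, _src, _dst, _dport, pkts, nbytes, label in rows:
            vec = {
                "pkts": float(pkts),
                "byte_rate": nbytes / max(dur, 1e-3),   # bytes/s; floor avoids /0 on 0-duration flows
                "duration": dur,
                "inter_arrival": 0.0 if prev_start is None else start - prev_start,
            }
            prev_start = start
            seq.append(([vec[k] for k in FEATURES], label))
        sequences[src] = seq
    return sequences


def make_windows(sequences, T):
    """Sliding windows of length T per source -> list of (src, X, y), X of shape (T, F).
    A window is labelled attack (1) if any flow inside it is an attack flow."""
    windows = []
    for src, seq in sequences.items():
        for i in range(len(seq) - T + 1):
            chunk = seq[i:i + T]
            windows.append((src, [vec for vec, _ in chunk], max(lbl for _, lbl in chunk)))
    return windows


def fit_minmax(windows):
    """Per-feature (min, max) from training windows; sequence models want inputs on [0, 1]."""
    cols = list(zip(*[step for _, X, _ in windows for step in X]))
    return [(min(c), max(c)) for c in cols]


def minmax_scale(X, params):
    """Scale one (T, F) window with training-set min/max; constant features map to 0."""
    return [[(v - lo) / (hi - lo) if hi > lo else 0.0
             for v, (lo, hi) in zip(step, params)] for step in X]


def fit_zscore_baseline(windows):
    """Per-feature (mean, std) over every step of the benign training windows."""
    cols = list(zip(*[step for _, X, y in windows if y == 0 for step in X]))
    return [(mean(c), max(pstdev(c), 1e-6)) for c in cols]


def zscore_alert(X, params, thresh=3.0):
    """Statistical baseline: alert if any feature at any step is more than thresh std devs from benign."""
    return int(any(abs((v - mu) / sd) > thresh
                   for step in X for v, (mu, sd) in zip(step, params)))


def evaluate(y_true, y_pred):
    """Accuracy, false positive rate FP/(FP+TN) and recall TP/(TP+FN)."""
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    tn = sum(t == 0 and p == 0 for t, p in zip(y_true, y_pred))
    fp = sum(t == 0 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == 0 for t, p in zip(y_true, y_pred))
    return {"accuracy": (tp + tn) / len(y_true),
            "fpr": fp / (fp + tn) if fp + tn else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}


def run_pipeline(T=3, thresh=3.0):
    """Build windows, fit the baseline on benign training windows, score every window."""
    windows = make_windows(flow_features(FLOWS), T)
    train = [w for w in windows if w[0] in TRAIN_HOSTS and w[2] == 0]
    scaled = [(src, minmax_scale(X, fit_minmax(train)), y) for src, X, y in windows]  # model-ready (T, F)
    baseline = fit_zscore_baseline(train)
    y_true = [y for _, _, y in windows]
    y_pred = [zscore_alert(X, baseline, thresh) for _, X, _ in windows]
    return {"n_windows": len(windows), "shape": (T, len(FEATURES)),
            "n_scaled": len(scaled), **evaluate(y_true, y_pred)}


if __name__ == "__main__":
    print(run_pipeline())
```

On this constructed data the z-score baseline catches all three scan windows but also fires on both windows containing the benign host's fast download (FPR 0.4), which is exactly the failure mode a sequence model trained on labelled windows is meant to reduce: the burst is large, but its timing and the flows around it look like browsing, not scanning. The `scaled` windows are the input shape an LSTM classifier would take in place of `zscore_alert`.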

Published

30-12-2020

How to Cite

Real-Time Threat Detection Using Network Flow Analysis and LSTM Networks. (2020). International Journal of Information Technology and Computer Engineering, 8(4), 188-196. https://doi.org/10.62647/