DSpace Repository

A Hybrid Model for Threat Prediction and Anomaly Detection

dc.contributor.author Muhammad Zeshan Malik, 01-247232-013
dc.date.accessioned 2026-03-03T06:57:51Z
dc.date.available 2026-03-03T06:57:51Z
dc.date.issued 2025
dc.identifier.uri http://hdl.handle.net/123456789/20818
dc.description Supervised by Dr. Hafiz Ishfaq Ahmad en_US
dc.description.abstract The sophistication and number of cyber threats in the current era have exposed the limitations of traditional intrusion detection systems (IDS), which rely on signature-based methods and struggle with high false positive rates, alert fatigue, and an inability to contextualize microscopic anomalies within broader network threat landscapes. These systems often treat traffic as independent data points, ignoring temporal dependencies and sequential patterns in multi-step attacks, leading to impractical real-world deployment in dynamic environments. This research proposes a novel hybrid framework that combines macroscopic threat prediction with microscopic anomaly detection to try to address these issues. This study implements and evaluates three core models on the CICIDS 2017 dataset. First, Facebook’s Prophet model is employed for time-series forecasting to predict hourly network threat levels. Second, a GRU-based model is developed to perform sequence-based classification of network flows, offering a bottom-up approach to anomaly detection. Finally, the core contribution of this thesis is the integration of these two models into a hybrid model, achieved through appending Prophet’s forecast as a contextual feature to the GRU’s input sequences, enabling a context-aware approach. Experimental results show that the hybrid model achieves decent performance, attaining an F1-Score of 86.05% and Area Under the Receiver Operating Characteristic Curve (AUC-ROC) of 95.12%, signifying an optimal balance between precision and recall. Crucially, the hybrid model shows a significant improvement in precision, rising from 98.51% to 99.22%, which translates to a substantial reduction in false positives. This reduction directly addresses the critical problem of alert fatigue in security operations centers (SOCs).
The findings conclusively validate the idea that providing a deep learning classifier with contextual intelligence leads to a more robust intrusion detection system with 83.62% accuracy overall. This research contributes a novel, implementable architecture for modern cybersecurity, paving the way for the development of more intelligent systems that can dynamically respond to the evolving threat environment. en_US
dc.language.iso en en_US
dc.publisher Computer Sciences en_US
dc.relation.ispartofseries MS (IS);T-3205
dc.subject Hybrid Model en_US
dc.subject Threat Prediction en_US
dc.subject Anomaly Detection en_US
dc.title A Hybrid Model for Threat Prediction and Anomaly Detection en_US
dc.type MS Thesis en_US

