A Hybrid CNN-LSTM Intrusion Detection Framework for Cybersecurity in Smart Renewable Energy Grids
Pith reviewed 2026-06-25 23:32 UTC · model grok-4.3
The pith
A hybrid CNN-LSTM model detects multi-step cyberattacks in smart renewable energy grids at 98.2 percent precision on NSL-KDD while supporting real-time inference on small devices.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The Hybrid CNN-LSTM IDS jointly exploits CNN-based spatial feature extraction and LSTM-based temporal sequence modeling, enabling the detection of instantaneous volumetric anomalies and gradually evolving low and slow-attack campaigns in real time. Trained on a seven-step preprocessing workflow that includes missing-value imputation, min-max normalization, one-hot encoding, SMOTE class balancing, mutual-information feature selection, causal temporal sequence construction with T=10, and stratified partitioning, the model reaches 98.2 percent precision on NSL-KDD versus 96.4 percent for LSTM alone and 95.2 percent for CNN alone, with ablation confirming SMOTE as the most influential step. It a
What carries the argument
The hybrid CNN-LSTM architecture that pairs convolutional layers for spatial feature extraction from traffic records with LSTM layers for modeling temporal progressions across constructed sequences of length 10.
If this is right
- SMOTE balancing contributes the largest performance gain, with its removal dropping F1 score by 3.7 percentage points.
- The model maintains usable accuracy after INT8 quantization while gaining a 3.1 times inference speedup, enabling operation on memory-constrained industrial equipment.
- Real-time throughput of 27,800 flows per second on GPU and 0.082 ms per sample on CPU meets the demands of high-volume grid monitoring.
- The architecture improves detection of both sudden volumetric attacks and slowly progressing campaigns compared with single-architecture baselines.
Where Pith is reading between the lines
- Direct evaluation on proprietary smart-grid traffic would be needed to confirm whether benchmark improvements translate outside controlled datasets.
- Varying the sequence length beyond the fixed T=10 could reveal whether longer attack progressions require additional temporal context.
- Coupling the model with domain-specific features from AMI or SCADA logs might strengthen detection of false data injection attacks that the current flow-based input does not explicitly target.
Load-bearing premise
The seven-step preprocessing pipeline and the chosen benchmark datasets produce attack distributions representative of real smart renewable energy grid traffic and multi-step campaigns.
What would settle it
Testing the trained model on live traffic logs collected from an operational renewable energy smart grid and finding precision substantially below the reported 98.2 percent on NSL-KDD.
Figures
read the original abstract
The accelerated digitalization of renewable energy smart grids through IoT sensors, AMI, and SCADA systems has significantly expanded the attack surface for sophisticated cyberattacks, FDI attacks that stealthily distort state estimation and DoS/DDoS attacks that flood communication channels. Current IDS, however, exhibit three inherent limitations: inadequate modeling of the temporal progression of multi-step attacks, degraded scalability under extremely skewed class distributions of standard benchmark datasets, and restricted generalization across heterogeneous network environments. In this study, we present a Hybrid CNN-LSTM IDS that jointly exploits CNN-based spatial feature extraction and LSTM-based temporal sequence modeling, enabling the detection of instantaneous volumetric anomalies and gradually evolving low and slow-attack campaigns in real time. The model was trained using a seven-step preprocessing workflow comprising missing-value imputation, min-max normalization, one-hot encoding, SMOTE class balancing, mutual-information feature selection, causal temporal sequence construction (T=10), and stratified partitioning. LSTM (96.1%), Random Forest (93.5%), SVM (91.2%) and KNN (89.7%); in NSL-KDD, it reaches 98.2% precision versus 96.4% (LSTM), 95.2% (CNN), 92.7% (Random Forest) and 90.8% (SVM), with margins of 2-9 percentage points in all measures. An ablation analysis identified SMOTE balancing as the most influential design choice (-3.7~pp F1 without it). The model achieves a real-time inference throughput of 27,800 flows/s on GPU and 0.082 ms/sample CPU latency in FP32,, with INT8 quantization providing an additional 3.1 x speedup at 0.3% accuracy loss, confirming deployment feasibility on resource-constrained IEDs with <128MB memory and establishing a deployable deep-learning framework for securing next-generation renewable energy smart grid infrastructure.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a Hybrid CNN-LSTM intrusion detection framework for smart renewable energy grids. It uses a seven-step preprocessing pipeline (imputation, min-max normalization, one-hot encoding, SMOTE, mutual-information selection, T=10 causal sequences, stratified split) and reports 98.2% precision on NSL-KDD (outperforming LSTM at 96.4%, CNN at 95.2%, and other baselines), an ablation showing SMOTE contributes +3.7 pp F1, and real-time throughput of 27,800 flows/s on GPU with INT8 quantization enabling deployment on <128 MB devices.
Significance. If the generalization to smart-grid FDI and low-and-slow DoS traffic holds, the work would supply a practical, quantized deep-learning IDS with explicit ablation evidence and deployment metrics. The throughput and quantization results, together with the SMOTE ablation, constitute reproducible empirical strengths that could support resource-constrained IED deployment.
major comments (2)
- [Abstract] Abstract: the central claim that the model secures 'next-generation renewable energy smart grid infrastructure' rests on results obtained exclusively on NSL-KDD and unspecified legacy datasets; no domain-specific validation set, FDI attack simulation with state-estimation residuals, or cross-grid transfer experiment is described, rendering the transfer assumption untested.
- [Abstract] Abstract (seven-step pipeline): SMOTE explicitly alters the class prior, yet the manuscript provides no experiment on imbalanced data whose joint distribution matches real AMI/SCADA traffic; consequently the reported -3.7 pp F1 ablation and the 2-9 pp margins over baselines cannot be assumed to persist under the target attack-class ratios.
minor comments (2)
- [Abstract] Abstract contains an incomplete sentence fragment ('LSTM (96.1%), Random Forest (93.5%), SVM (91.2%) and KNN (89.7%); in NSL-KDD...') that should be clarified.
- [Abstract] No error bars, cross-validation fold counts, or statistical significance tests accompany the reported precision/F1 numbers.
Simulated Author's Rebuttal
We thank the referee for the constructive critique. The two major comments correctly identify that our evaluation is confined to NSL-KDD and that the effects of SMOTE are reported only under that dataset's distribution. We will revise the abstract, introduction, and discussion to remove overstatements about smart-grid deployment and to explicitly qualify all performance claims as benchmark-specific.
read point-by-point responses
-
Referee: [Abstract] Abstract: the central claim that the model secures 'next-generation renewable energy smart grid infrastructure' rests on results obtained exclusively on NSL-KDD and unspecified legacy datasets; no domain-specific validation set, FDI attack simulation with state-estimation residuals, or cross-grid transfer experiment is described, rendering the transfer assumption untested.
Authors: We agree. All reported metrics (98.2 % precision, ablation results, throughput) were obtained exclusively on NSL-KDD; no FDI residuals, AMI/SCADA traces, or cross-grid transfer experiments appear in the manuscript. In revision we will (i) replace the phrase 'securing next-generation renewable energy smart grid infrastructure' with 'evaluated on the NSL-KDD benchmark with potential applicability to smart-grid IDS', (ii) add an explicit limitations paragraph stating the absence of domain-specific validation, and (iii) move the deployment claims to a 'future work' subsection. These changes will be made throughout the abstract and Section 1. revision: yes
-
Referee: [Abstract] Abstract (seven-step pipeline): SMOTE explicitly alters the class prior, yet the manuscript provides no experiment on imbalanced data whose joint distribution matches real AMI/SCADA traffic; consequently the reported -3.7 pp F1 ablation and the 2-9 pp margins over baselines cannot be assumed to persist under the target attack-class ratios.
Authors: We concur. The -3.7 pp F1 ablation and the 2-9 pp margins are measured after SMOTE on NSL-KDD; we performed no ablation or comparison on an imbalanced corpus whose attack ratios reflect real AMI/SCADA traffic. The revised manuscript will (i) state in the abstract and Section 3.2 that SMOTE results are specific to the NSL-KDD prior, (ii) add a sentence noting that performance under realistic smart-grid class ratios remains untested, and (iii) qualify the ablation contribution accordingly. No new experiments will be added at this stage. revision: yes
Circularity Check
No circularity: empirical results on public datasets with no self-referential derivations
full rationale
The paper reports an empirical ML evaluation of a hybrid CNN-LSTM model on NSL-KDD and similar public benchmarks. Performance numbers (98.2% precision, throughput figures) are obtained by direct training and testing after a standard seven-step preprocessing pipeline; no equations, fitted parameters, or predictions are shown to reduce to the reported metrics by construction. Baseline comparisons use off-the-shelf models (LSTM, CNN, RF, SVM) rather than self-citations. No uniqueness theorems, ansatzes, or renamings of known results appear. The derivation chain consists entirely of standard supervised learning steps whose outputs are falsifiable on the held-out test splits.
Axiom & Free-Parameter Ledger
free parameters (2)
- sequence length T =
10
- SMOTE sampling strategy
axioms (1)
- domain assumption NSL-KDD and similar benchmark datasets exhibit the same class imbalance and attack progression statistics as real renewable-energy-grid traffic
Reference graph
Works this paper leans on
-
[1]
Renewables 2023: Analysis and Forecast to 2028,
International Energy Agency, “Renewables 2023: Analysis and Forecast to 2028,” IEA, Paris, France, 2023
2023
-
[2]
A deep learning and IoT-driven framework for real-time adaptive resource allocation and grid optimization in smart energy systems,
A. R. Singh, M. S. Sujatha, A. D. Kadu, M. Bajaj, H. K. Addis, and K. Sarada, “A deep learning and IoT-driven framework for real-time adaptive resource allocation and grid optimization in smart energy systems,”Scientific Reports, vol. 15, p. 19309, 2025
2025
-
[3]
Deep learning for cybersecurity in smart grids: Review and perspectives,
J. Ruanet al., “Deep learning for cybersecurity in smart grids: Review and perspectives,”Energy Conversion and Economics, vol. 4, no. 4, pp. 233–251, 2023
2023
-
[4]
N. Abdi, A. Albaseer, and M. Abdallah, “The role of deep learning in advancing proactive cybersecurity measures for smart grid networks: A survey,” arXiv:2401.05896, 2024
-
[5]
A detailed analysis of the KDD Cup 1999 data set,
M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed analysis of the KDD Cup 1999 data set,” in Proc. IEEE CISDA, Ottawa, Canada, 2009, pp. 1–6
1999
-
[6]
Deep learning approach for intelligent intrusion detection system,
R. Vinayakumaret al., “Deep learning approach for intelligent intrusion detection system,”IEEE Access, vol. 7, pp. 41525–41550, 2019
2019
-
[7]
Analysis of the Cyber Attack on the Ukrainian Power Grid,
E-ISAC and SANS ICS, “Analysis of the Cyber Attack on the Ukrainian Power Grid,” Electricity Information Sharing and Analysis Center, Washington, DC, USA, Mar. 2016. [Online]. Available: https://www.nerc.com/ pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
2016
-
[8]
Alert (AA21-131A): DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks,
Cybersecurity and Infrastructure Security Agency (CISA), “Alert (AA21-131A): DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks,” CISA, Washington, DC, USA, May 2021. [Online]. Available:https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-131a
2021
-
[9]
TRITON: The First ICS Cyberattack on Safety Instrument Systems,
J. E. Larsenet al., “TRITON: The First ICS Cyberattack on Safety Instrument Systems,”IEEE Security & Privacy, vol. 17, no. 5, pp. 72–81, 2019, doi: 10.1109/MSEC.2019.2921121
-
[10]
Toward generating a new intrusion detection dataset and intrusion traffic characterization,
I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward generating a new intrusion detection dataset and intrusion traffic characterization,” inProc. ICISSP, 2018, pp. 108–116
2018
-
[11]
SMOTE: Synthetic minority over-sampling technique,
N. V . Chawlaet al., “SMOTE: Synthetic minority over-sampling technique,”J. Artif. Intell. Res., vol. 16, pp. 321–357, 2002
2002
-
[12]
Adam: A method for stochastic optimization,
D. P. Kingma and J. Ba, “Adam: A method for stochastic optimization,” inProc. ICLR, 2015
2015
-
[13]
False data injection attacks against state estimation in electric power grids,
Y . Liu, P. Ning, and M. K. Reiter, “False data injection attacks against state estimation in electric power grids,” ACM TISSEC, vol. 14, no. 1, pp. 1–33, 2011
2011
-
[14]
Deep learning,
Y . LeCun, Y . Bengio, and G. Hinton, “Deep learning,”Nature, vol. 521, pp. 436–444, 2015
2015
-
[15]
Long short-term memory,
S. Hochreiter and J. Schmidhuber, “Long short-term memory,”Neural Computation, vol. 9, no. 8, pp. 1735–1780, 1997
1997
-
[16]
Malicious data attacks on the smart grid,
O. Kosutet al., “Malicious data attacks on the smart grid,”IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 645–658, 2011. 22 A Hybrid CNN-LSTM Intrusion Detection Framework for Cybersecurity in Smart Renewable Energy Grids
2011
-
[17]
A review of false data injection attacks against modern power systems,
G. Lianget al., “A review of false data injection attacks against modern power systems,”IEEE Trans. Smart Grid, vol. 8, no. 4, pp. 1630–1638, 2017
2017
-
[18]
A survey on detection algorithms for false data injection attacks in smart grids,
A. S. Muslehet al., “A survey on detection algorithms for false data injection attacks in smart grids,”IEEE Trans. Smart Grid, vol. 11, no. 3, pp. 2218–2234, 2020
2020
-
[19]
Real-time detection of false data injection attacks in smart grid,
Y . He, G. J. Mendis, and J. Wei, “Real-time detection of false data injection attacks in smart grid,”IEEE Trans. Smart Grid, vol. 8, no. 5, pp. 2505–2516, 2017
2017
-
[20]
A framework for constructing features and models for intrusion detection systems,
W. Lee and S. J. Stolfo, “A framework for constructing features and models for intrusion detection systems,”ACM TISSEC, vol. 3, no. 4, pp. 227–261, 2000
2000
-
[21]
Support-vector networks,
C. Cortes and V . Vapnik, “Support-vector networks,”Machine Learning, vol. 20, pp. 273–297, 1995
1995
-
[22]
Random forests,
L. Breiman, “Random forests,”Machine Learning, vol. 45, pp. 5–32, 2001
2001
-
[23]
RDTIDS: Rules and decision tree-based intrusion detection for IoT networks,
M. A. Ferraget al., “RDTIDS: Rules and decision tree-based intrusion detection for IoT networks,”Future Internet, vol. 12, no. 3, p. 44, 2020
2020
-
[24]
Detecting cyberattacks in industrial control systems using convolutional neural networks,
M. Kravchik and A. Shabtai, “Detecting cyberattacks in industrial control systems using convolutional neural networks,” inProc. CPS-SPC, 2018, pp. 72–83
2018
-
[25]
Joint cyberattack detection and safe state recovery of SCADA systems using graph neural networks,
O. Boyaciet al., “Joint cyberattack detection and safe state recovery of SCADA systems using graph neural networks,”Sustainable Energy, Grids and Networks, vol. 31, p. 100710, 2022
2022
-
[26]
S. Debnathet al., “AI-driven cybersecurity for renewable energy systems: Detecting anomalies with energy- integrated defense data,”International Journal of Applied Mathematics, vol. 38, no. 5s, pp. 1002–1032, Oct. 2025, doi: 10.12732/ijam.v38i5s.367
-
[27]
Ransomware and intrusion detection based on Transformer model,
L. Yang and H. Chen, “Ransomware and intrusion detection based on Transformer model,”IEEE Access, vol. 10, pp. 46030–46040, 2022
2022
-
[28]
Feature fusion-based bearing fault diagnosis using a convolutional long short-term memory network,
D. Zhao, T. Wang, and F. Chu, "Feature fusion-based bearing fault diagnosis using a convolutional long short-term memory network,"J. Vib. Control, vol. 27, no. 1–2, pp. 27–38, 2021, doi: 10.1177/1077546320907396
-
[29]
Robust moving target defence against false data injection attacks in power grids,
W. Xu, I. M. Jaimoukha, and F. Teng, “Robust moving target defence against false data injection attacks in power grids,”IEEE TIFS, vol. 18, pp. 29–40, 2022
2022
-
[30]
Distributed attack detection using deep learning for IoT,
A. A. Diro and N. Chilamkurti, “Distributed attack detection using deep learning for IoT,”Future Generation Computer Systems, vol. 82, pp. 761–768, 2018
2018
-
[31]
Multi-dimensional feature fusion and stacking ensemble mechanism for intrusion detection,
H. Zhanget al., “Multi-dimensional feature fusion and stacking ensemble mechanism for intrusion detection,” Future Generation Computer Systems, vol. 122, pp. 130–143, 2021
2021
-
[32]
A review of the advancement in intrusion detection datasets,
A. Thakkar and R. Lohiya, “A review of the advancement in intrusion detection datasets,”Procedia Computer Science, vol. 167, pp. 636–645, 2020
2020
-
[33]
Machine learning-based network vulnerability analysis of IIoT,
M. Zolanvariet al., “Machine learning-based network vulnerability analysis of IIoT,”IEEE Internet of Things Journal, vol. 6, no. 4, pp. 6822–6834, 2019
2019
-
[34]
DeepFed: Federated deep learning for intrusion detection,
B. Liet al., “DeepFed: Federated deep learning for intrusion detection,”IEEE Trans. Industrial Informatics, vol. 17, no. 8, pp. 5615–5624, 2021
2021
-
[35]
A survey on security and privacy of federated learning,
V . Mothukuriet al., “A survey on security and privacy of federated learning,”Future Generation Computer Systems, vol. 115, pp. 619–640, 2021
2021
-
[36]
Kitsune: An ensemble of autoencoders for online network intrusion detection,
Y . Mirskyet al., “Kitsune: An ensemble of autoencoders for online network intrusion detection,” inProc. NDSS, 2018
2018
-
[37]
Proceedings of the Thirty-Second International Joint Conference on Artificial Intelligence,
Q. Wen, T. Zhou, C. Zhang, W. Chen, Z. Ma, J. Yan, and L. Sun, "Transformers in time series: A survey," inProc. 32nd Int. Joint Conf. Artif. Intell. (IJCAI), Macao, China, 2023, pp. 6778–6786, doi: 10.24963/ijcai.2023/759
-
[38]
Attention-aware deep reinforcement learning for detecting false data injection attacks in smart grids,
R. Huanget al., “Attention-aware deep reinforcement learning for detecting false data injection attacks in smart grids,”Int. J. Electr. Power Energy Syst., vol. 147, p. 108815, 2023
2023
-
[39]
RDTIDS: Rules and decision tree-based intrusion detection system for Internet-of-Things networks,
M. A. Ferrag, L. Maglaras, A. Ahmim, and H. Janicke, "RDTIDS: Rules and decision tree-based intrusion detection system for Internet-of-Things networks,"Future Internet, vol. 12, no. 3, p. 44, 2020, doi: 10.3390/fi12030044
-
[40]
An explainable machine learning framework for intrusion detection systems,
M. Wang, K. Zheng, Y . Yang, and X. Wang, “An explainable machine learning framework for intrusion detection systems,”IEEE Access, vol. 8, pp. 73127–73141, 2020, doi: 10.1109/ACCESS.2020.2988359
-
[41]
M. Usama, M. Asim, S. Latif, J. Qadir and Ala-Al-Fuqaha, “Generative adversarial networks for launching and thwarting adversarial attacks on network intrusion detection systems,” inProc. 15th Int. Wireless Commun. Mobile Comput. Conf. (IWCMC), 2019, pp. 78–83, doi: 10.1109/IWCMC.2019.8766353. 23 A Hybrid CNN-LSTM Intrusion Detection Framework for Cybersec...
-
[42]
R. Abdulhammed, M. Faezipour, A. Abuzneid, and A. AbuMallouh, “Deep and machine learning approaches for anomaly-based intrusion detection of imbalanced network traffic,”IEEE Sensors Letters, vol. 3, no. 1, pp. 1–4, Jan. 2019, doi: 10.1109/LSENS.2018.2879990. 24
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.