A CNN–LSTM–Attention Hybrid Architecture for Real-Time Intrusion Detection at the Data Link Layer

Authors

Ahmadnejad Roudsari, Amirhossein

Abstract

Data Link Layer (Layer 2) security remains one of the most underexplored areas in modern network intrusion detection research, despite its critical role as the foundation of reliable communication between networked devices. Attacks at this layer, such as ARP spoofing, MAC flooding, VLAN hopping, and DHCP starvation, can compromise entire networks before higher-layer defenses activate. Existing intrusion detection systems predominantly focus on network or transport layers, leaving a significant gap in early-stage threat prevention.

To address this limitation, this thesis proposes a memory-efficient hybrid deep learning architecture that integrates Convolutional Neural Networks (CNNs), Long Short-Term Memory (LSTM) units, and an Attention mechanism for real-time detection of Layer 2 intrusions. A novel dataset, BCCC-DLLayer-IDS-2025, was developed as part of this research, comprising over 4.6 million labeled flow records collected in a controlled experimental environment. The dataset includes eleven distinct attack types spanning spoofing, flooding, and protocol manipulation scenarios, along with benign traffic, providing a comprehensive foundation for training and benchmarking Layer 2 intrusion detection systems.

The proposed CNN–LSTM–Attention architecture combines spatial and temporal feature extraction with an adaptive focus mechanism, enabling effective modeling of short-term dependencies in network traffic while reducing redundancy. The model achieves an F1-score of 99.67% with only 2.1 million parameters and a latency below 100 milliseconds, offering a 60% lower computational cost than conventional deep learning models. Extensive experiments under varying traffic conditions and noise levels confirm the model’s robustness, generalizability, and suitability for real-time deployment on resource-constrained edge and IoT devices.

Keywords

Computer science, Computer engineering
