Overall detection performance comparison across 15 enterprise environments

| Method | Accuracy (%) | Precision (%) | Recall (%) | F1-Score (%) | AUC-ROC | FPR (%) |
|---|---|---|---|---|---|---|
| C-AMLAFA (proposed) | 94.7 ± 1.2 | 92.3 ± 1.4 | 91.8 ± 1.6 | 92.0 ± 1.3 | 0.961 | 2.4 |
| BiLSTM | 85.6 | 83.2 | 84.7 | 83.9 | 0.892 | 4.8 |
| LSTM | 84.3 | 81.8 | 83.4 | 82.6 | 0.881 | 5.2 |
| CNN | 82.7 | 80.4 | 81.9 | 81.1 | 0.872 | 5.7 |
| XGBoost | 80.1 | 78.6 | 79.2 | 78.9 | 0.858 | 6.3 |
| Random forest | 78.4 | 76.8 | 77.3 | 77.0 | 0.841 | 7.1 |
| SVM | 76.2 | 74.9 | 75.4 | 75.1 | 0.829 | 7.8 |
| MLP | 74.8 | 72.3 | 74.1 | 73.2 | 0.817 | 8.4 |
| IF | 71.2 | 68.9 | 72.6 | 70.7 | 0.798 | 9.2 |

Simulation setup for C-AMLAFA

| Parameter | Description/configuration |
|---|---|
| Simulation environment | Python 3.10, TensorFlow 2.13, PyTorch 2.1, Scikit-Learn 1.3, MATLAB R2025a; Digital Twin emulation for network traffic and SOC operations |
| Hardware specifications | CPU: Intel Xeon Gold 6248R (48 cores), GPU: NVIDIA A100, RAM: 256 GB; Storage: 10 TB SSD; Multi-node virtualized environment for federated experiments |
| Network configuration | Enterprise-scale virtual network with multiple subnets; Simulated encrypted traffic (TLS 1.2 & 1.3) at 1–10 Gbps; QoS: Low-latency & burst scenarios; 15 virtual network nodes |
| Dataset | 2,346,892 encrypted flows over 6 months from 15 organizations (financial, healthcare, tech, manufacturing, education); Public datasets: CICIDS2017, UNSW-NB15, CSE-CIC-IDS2018 (re-encrypted TLS 1.3) |
| Data preprocessing | Feature extraction from Layer 1: 42 behavioral features; Normalization (Z-score), categorical encoding, train-test split 70-30, class balancing using SMOTE |
| Federated learning setup | 15 network nodes, local training with privacy-preserving aggregation; Global model updated via FedAvg; Differential privacy with ε = 0.1 |
| C-AMLAFA AI/ML models | Layer 3: RF, XGBoost, BiLSTM, CNN, SVM; Dynamic context-aware weighting for ensemble selection; Online adaptation via UCB algorithm |
| Attack scenarios | Encrypted malware, lateral movement, data exfiltration, command-and-control, zero-day anomalies; behavioral mimicry attacks simulated for evasion tests |
| Evaluation metrics | Detection Accuracy, Precision, Recall, F1-Score, False Positive Rate, Detection Latency, Throughput (Mbps), Resource Utilization (CPU/RAM) |
| Privacy & security enforcement | Layer 2 quantum-resilient feature transformation; Federated aggregation ensures no raw traffic sharing; Formal information-theoretic privacy guarantees |
| Simulation duration | 24–72 hr per experimental run with dynamic traffic conditions, attack injection, and federated learning rounds |
| Software tools for monitoring | MATLAB Simulink, TensorBoard, Grafana dashboards, pfSense GUI for traffic capture and visualization |
| IDS/IPS integration | Suricata 7.0.1 with custom ET Open ruleset for signature-based baseline comparison; Snort 3.x for hybrid detection testing |

Computational performance metrics

| Metric | AMLAFA | BiLSTM | RF | Baseline Avg |
|---|---|---|---|---|
| Mean latency | 285 ms | 450 ms | 200 ms | 305 ms |
| 95th percentile | 420 ms | 680 ms | 310 ms | 465 ms |
| 99th percentile | 580 ms | 920 ms | 450 ms | 670 ms |
| Throughput | 3,500 conn/s | 2,200 conn/s | 5,000 conn/s | 3,300 conn/s |
| CPU overhead | 20% | 35% | 12% | 22% |
| Memory (10 K conn) | 210 MB | 180 MB | 120 MB | 150 MB |

F1-Scores by attack category

| Attack category | C-AMLAFA (%) | BiLSTM (%) | RF (%) | SVM (%) |
|---|---|---|---|---|
| Data exfiltration | 96.2 | 88.4 | 79.1 | 75.3 |
| Lateral movement | 93.8 | 84.2 | 78.6 | 76.8 |
| C&C communication | 95.1 | 86.7 | 77.9 | 74.2 |
| Encrypted malware | 92.4 | 83.5 | 76.3 | 73.9 |
| Cryptomining | 94.7 | 85.1 | 80.4 | 77.5 |
| Ransomware comms | 96.8 | 87.9 | 79.8 | 76.1 |
| DNS tunneling | 91.3 | 82.8 | 75.7 | 72.4 |

C-AMLAFA components and functions

| Component/layer | Purpose in C-AMLAFA | Design characteristics | Operational outcome |
|---|---|---|---|
| Layer 1: Cognitive behavioral analysis | Extract behavior-driven traffic patterns from encrypted flows | Flow statistics, packet timing patterns, session behavior profiling | Early discrimination between benign and suspicious traffic |
| Layer 2: Quantum-resilient feature transformation | Protect extracted behavioral features against future cryptanalytic attacks | Lattice-inspired feature transformation with privacy preservation | Long-term security against quantum-enabled adversaries |
| Layer 3: Adaptive intelligence layer | Dynamically select optimal detection model based on context | Context-aware model weighting using recent performance feedback | Improved detection accuracy under evolving attack patterns |
| Federated learning engine | Enable collaborative learning without raw data sharing | Decentralized training with secure aggregation | Privacy-preserving global intelligence sharing |
| Cognitive feedback loop | Enable cross-layer learning and self-optimization | Performance-driven feedback from detection outcomes | Continuous system adaptation and reduced false positives |
| Digital twin environment | Simulate real-time network behavior and policy validation | Virtual replica of enterprise network states | Safe validation of policies before live deployment |
| Threat intelligence context module | Incorporate external and internal threat signals | Indicators of compromise, attack trends, vulnerability alerts | Context-enhanced decision making |
| Privacy preservation mechanism | Prevent sensitive data leakage during analysis | Local feature processing and noise-aware aggregation | Compliance with enterprise privacy requirements |
| Policy enforcement module | Automate firewall rule validation and deployment | Predictive risk scoring and policy recommendation | Faster and safer security policy updates |
| Scalability design | Support high-throughput enterprise traffic | Modular architecture with distributed processing support | Stable performance at multi-gigabit traffic rates |
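The Layer 3 rows above, and the "Online adaptation via UCB algorithm" entry in the simulation setup table, describe choosing among the ensemble's detectors from recent performance feedback. The Python block below is an added illustration, not code from the paper: it runs a sliding-window UCB1 bandit over three stand-in detectors whose per-flow correctness probabilities are constructed assumptions, and shows the selection moving to a different detector when the traffic phase changes.

```python
import math
import random
from collections import Counter, deque

# Constructed per-flow correctness probabilities for three stand-in detectors
# across two traffic phases (the attack mix shifts between them). The numbers
# are assumptions for this demo, not measurements from the paper.
PHASES = [
    {"RF": 0.70, "CNN": 0.78, "BiLSTM": 0.90},  # phase 1: BiLSTM is best
    {"RF": 0.70, "CNN": 0.92, "BiLSTM": 0.58},  # phase 2: CNN is best
]

def select_detector(history, names, t):
    """Sliding-window UCB1: score each detector by its mean reward over the
    recent window plus the bonus sqrt(2 ln t / n); untried detectors go first."""
    pulls = {d: 0 for d in names}
    total = {d: 0.0 for d in names}
    for d, r in history:  # history holds only the last `window` outcomes
        pulls[d] += 1
        total[d] += r

    def index(d):
        if pulls[d] == 0:
            return float("inf")
        return total[d] / pulls[d] + math.sqrt(2.0 * math.log(t) / pulls[d])

    return max(names, key=index)

def run_adaptive_selection(phases, flows_per_phase, window=200, seed=7):
    """Online adaptation loop: per flow pick a detector, observe whether its
    verdict was right (reward 1/0), and keep only the last `window` outcomes
    so the choice follows recent performance rather than all-time averages."""
    rng = random.Random(seed)
    history = deque(maxlen=window)
    choices = []
    t = 0
    for probs in phases:
        for _ in range(flows_per_phase):
            t += 1
            chosen = select_detector(history, list(probs), min(t, window))
            reward = 1.0 if rng.random() < probs[chosen] else 0.0
            history.append((chosen, reward))
            choices.append(chosen)
    return choices

def most_used(choices):
    """Detector selected most often within a slice of the decision log."""
    return Counter(choices).most_common(1)[0][0]
```

With the window set to 200 outcomes, the selector spends most of phase 1 on BiLSTM and, a few hundred flows after the shift, most of its picks on CNN.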

Research gaps and C-AMLAFA solutions

| Research gap | Prior work limitation | C-AMLAFA solution |
|---|---|---|
| Quantum threat integration | No framework incorporates quantum-resistant mechanisms based on rigorous cryptographic foundations | Lattice-based feature extraction with formal security proofs (Ring-LWE hardness, 256-bit quantum security) |
| Theoretical foundation | Systems presented as engineering solutions without formal security analysis or complexity bounds | Information-theoretic security analysis (I(C;F) ≤ ε), formal complexity analysis (O(n) behavioral extraction, O(n log n) lattice operations) |
| Multi-domain evaluation | Most studies evaluate on single network type (enterprise OR IoT OR cloud) | 15 diverse enterprise environments spanning five sectors with 2.3 M connections over 6 months |
| Adversarial robustness | Few works test against sophisticated adversarial traffic or behavioral mimicry | 2,000 mimicry attacks per category (timing, size, protocol) with 89.2% detection maintained |
| Practical deployment | Proof-of-concept implementations without addressing scalability and operational challenges | Detailed deployment framework with three modes (inline, passive, hybrid), computational cost analysis, SOC integration guidelines |
| Architectural integration | Simple ensemble methods combining classifiers without theoretical justification | Three layers with specific theoretical roles: Layer 1 (behavioral distinguishability), Layer 2 (quantum resistance), Layer 3 (adaptive optimization) |