Hybrid Ensemble and Deep Learning Architectures for Advanced Persistent Threat Detection

Saleem Ishaq Tijjani; Bogdan Ghita; Nathan Clarke; Matthew Craven

doi:10.1109/IEMCON67450.2025.11381046

Hybrid Ensemble and Deep Learning Architectures for Advanced Persistent Threat Detection

Saleem Ishaq Tijjani^*
, Bogdan Ghita
, Nathan Clarke
, Matthew Craven

^*Corresponding author for this work

University of Plymouth

Research output: Chapter in Book/Report/Conference proceeding › Conference proceedings published in a book › peer-review

Abstract

This paper examines classical machine learning (ML) and deep learning (DL) models for advanced persistent threat (APT) detection, with a focus on hybrid ensemble configurations. We propose multi-stage hybrid ensemble ML models. Simulation results demonstrate that hybrid ensemble models outperform single classifiers by leveraging model diversity and complementary decision-making to capture complex attack patterns. DL architectures, particularly convolutional long short-term memory (CNN-LSTM), further surpass traditional ML models by learning hierarchical features and temporal dependencies in the network traffic. To address the scarcity of real-world APT datasets, we constructed an APT-aware dataset from UNSW-NB15 and evaluated it across multiple learning paradigms. The results highlight improved adaptability to evolving APT tactics and bridge the gap between generic intrusion detection and specialized APT detection through life-cycle-aware modeling.

Original language	English
Title of host publication	2025 IEEE 16th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON)
Publisher	IEEE
Pages	34-40
Number of pages	7
ISBN (Print)	979-8-3315-6506-0
DOIs	https://doi.org/10.1109/IEMCON67450.2025.11381046
Publication status	Published - 14 Feb 2026
Event	2025 IEEE 16th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON) - Berkeley, CA, USA Duration: 29 Oct 2025 → 31 Oct 2025

Conference

Conference	2025 IEEE 16th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON)
Period	29/10/25 → 31/10/25

Keywords

Deep learning
Adaptation models
Simulation
Telecommunication traffic
Mobile communication
Threat assessment
Robustness
Convolutional neural networks
Ensemble learning
Long short term memory

Access to Document

10.1109/IEMCON67450.2025.11381046

https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11381046

Cite this

@inproceedings{36d7d4e64da74ea9b483a70ca0309e00,

title = "Hybrid Ensemble and Deep Learning Architectures for Advanced Persistent Threat Detection",

abstract = "This paper examines classical machine learning (ML) and deep learning (DL) models for advanced persistent threat (APT) detection, with a focus on hybrid ensemble configurations. We propose multi-stage hybrid ensemble ML models. Simulation results demonstrate that hybrid ensemble models outperform single classifiers by leveraging model diversity and complementary decision-making to capture complex attack patterns. DL architectures, particularly convolutional long short-term memory (CNN-LSTM), further surpass traditional ML models by learning hierarchical features and temporal dependencies in the network traffic. To address the scarcity of real-world APT datasets, we constructed an APT-aware dataset from UNSW-NB15 and evaluated it across multiple learning paradigms. The results highlight improved adaptability to evolving APT tactics and bridge the gap between generic intrusion detection and specialized APT detection through life-cycle-aware modeling.",

keywords = "Deep learning, Adaptation models, Simulation, Telecommunication traffic, Mobile communication, Threat assessment, Robustness, Convolutional neural networks, Ensemble learning, Long short term memory",

author = "Tijjani, \{Saleem Ishaq\} and Bogdan Ghita and Nathan Clarke and Matthew Craven",

year = "2026",

month = feb,

day = "14",

doi = "10.1109/IEMCON67450.2025.11381046",

language = "English",

isbn = "979-8-3315-6506-0",

pages = "34--40",

booktitle = "2025 IEEE 16th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON)",

publisher = "IEEE",

note = "2025 IEEE 16th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON) ; Conference date: 29-10-2025 Through 31-10-2025",

}

Tijjani, SI, Ghita, B , Clarke, N & Craven, M 2026, Hybrid Ensemble and Deep Learning Architectures for Advanced Persistent Threat Detection. in 2025 IEEE 16th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON)., 11381046, IEEE, pp. 34-40, 2025 IEEE 16th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), 29/10/25. https://doi.org/10.1109/IEMCON67450.2025.11381046

Hybrid Ensemble and Deep Learning Architectures for Advanced Persistent Threat Detection. / Tijjani, Saleem Ishaq; Ghita, Bogdan ; Clarke, Nathan et al.
2025 IEEE 16th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON). IEEE, 2026. p. 34-40 11381046.

Research output: Chapter in Book/Report/Conference proceeding › Conference proceedings published in a book › peer-review

TY - GEN

T1 - Hybrid Ensemble and Deep Learning Architectures for Advanced Persistent Threat Detection

AU - Tijjani, Saleem Ishaq

AU - Ghita, Bogdan

AU - Clarke, Nathan

AU - Craven, Matthew

PY - 2026/2/14

Y1 - 2026/2/14

N2 - This paper examines classical machine learning (ML) and deep learning (DL) models for advanced persistent threat (APT) detection, with a focus on hybrid ensemble configurations. We propose multi-stage hybrid ensemble ML models. Simulation results demonstrate that hybrid ensemble models outperform single classifiers by leveraging model diversity and complementary decision-making to capture complex attack patterns. DL architectures, particularly convolutional long short-term memory (CNN-LSTM), further surpass traditional ML models by learning hierarchical features and temporal dependencies in the network traffic. To address the scarcity of real-world APT datasets, we constructed an APT-aware dataset from UNSW-NB15 and evaluated it across multiple learning paradigms. The results highlight improved adaptability to evolving APT tactics and bridge the gap between generic intrusion detection and specialized APT detection through life-cycle-aware modeling.

AB - This paper examines classical machine learning (ML) and deep learning (DL) models for advanced persistent threat (APT) detection, with a focus on hybrid ensemble configurations. We propose multi-stage hybrid ensemble ML models. Simulation results demonstrate that hybrid ensemble models outperform single classifiers by leveraging model diversity and complementary decision-making to capture complex attack patterns. DL architectures, particularly convolutional long short-term memory (CNN-LSTM), further surpass traditional ML models by learning hierarchical features and temporal dependencies in the network traffic. To address the scarcity of real-world APT datasets, we constructed an APT-aware dataset from UNSW-NB15 and evaluated it across multiple learning paradigms. The results highlight improved adaptability to evolving APT tactics and bridge the gap between generic intrusion detection and specialized APT detection through life-cycle-aware modeling.

KW - Deep learning

KW - Adaptation models

KW - Simulation

KW - Telecommunication traffic

KW - Mobile communication

KW - Threat assessment

KW - Robustness

KW - Convolutional neural networks

KW - Ensemble learning

KW - Long short term memory

U2 - 10.1109/IEMCON67450.2025.11381046

DO - 10.1109/IEMCON67450.2025.11381046

M3 - Conference proceedings published in a book

SN - 979-8-3315-6506-0

SP - 34

EP - 40

BT - 2025 IEEE 16th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON)

PB - IEEE

T2 - 2025 IEEE 16th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON)

Y2 - 29 October 2025 through 31 October 2025

ER -

Hybrid Ensemble and Deep Learning Architectures for Advanced Persistent Threat Detection

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this