Towards a Serverless Intelligent Firewall:
AI-Driven Security and Zero-Trust Architectures
Md Anisur Rahman Chowdhury
Student ID: 3195493  ·  chowdhur014@gannon.edu  ·  Master's of Information Technology
Aishwarya
Student ID: 3214245  ·  aishwary001@gannon.edu  ·  Master's of Software Engineering
Professor: Ronny C. Bazan-Antequera, Ph.D.  ·  bazanant001@gannon.edu  ·  Department of Computer and Information Science, College of Engineering & Business, Gannon University
CG 2026 Gannon University
Abstract

The ephemeral, stateless nature of serverless computing presents unprecedented challenges to traditional network security. Conventional perimeter-based defenses and rule-based IDS are ill-equipped to protect transient, event-driven functions lacking persistent state.

This research presents a Serverless Intelligent Firewall (SIF) combining LSTM-based deep learning intrusion detection with Zero-Trust Architecture (ZTA) enforcement for adaptive, real-time threat detection in cloud-native environments.

The 3-layer LSTM achieved 98% accuracy, precision, recall, and F1-score on CICIDS2017, outperforming SVM (88.4%), Decision Tree (90.2%), and CNN (93%).

Keywords: Serverless · LSTM · Zero-Trust · IDS · CICIDS2017 · AWS Lambda

Research Objectives / Purpose of the Study
  • Design a deep learning IDS optimized for stateless serverless cloud environments
  • Develop an LSTM architecture capturing temporal flow dependencies for coordinated attack detection
  • Implement strategic undersampling to resolve class imbalance across 2.8M CICIDS2017 records
  • Benchmark against SVM, Decision Tree, and CNN using standardized evaluation metrics
  • Integrate NIST SP 800-207 Zero-Trust — continuous verification, least-privilege, breach assumption
  • Deploy on AWS Lambda demonstrating <100 ms real-time inference latency
Research Questions
  • RQ1: Can serverless architectures maintain <100 ms inference latency for real-time IDS?
  • RQ2: Does LSTM provide superior accuracy over CNN/SVM/DT on CICIDS2017?
  • RQ3: Can ZTA be integrated without significant operational overhead?
All three are answered affirmatively; the reported differences are statistically significant (p < 0.05).
Dataset — CICIDS2017
  Total records:  2,830,540 flow records
  Features:       78 numerical traffic features
  Classes:        BENIGN · DDoS · DoS · PortScan · Other
  Balancing:      undersampled to a cap of 50,000 per class (classes with fewer records, such as Other, keep all of theirs)
  Split:          80% train / 20% test (stratified)
Methodology (An Overview)
  • CICIDS2017: 2.8M+ flows · 78 features · 5 classes
  • Preprocess: clean · undersample · normalise
  • LSTM train: 128 → 64 → 32 units · dropout 0.3 · Adam
  • AWS Lambda: <15 ms warm · <100 ms cold start (with provisioned concurrency)
  • ZTA enforce: ALLOW/BLOCK · mTLS · IAM · SNS alert
Architecture Diagram
Fig. 1 — Serverless Intelligent Firewall system architecture
LSTM parameter        Value
Input features        78 numerical flow features
Hidden units          3 layers: 128 → 64 → 32
Dropout               0.3 after each LSTM layer
Optimizer / LR        Adam · 0.001
Epochs / Patience     120 epochs · early-stopping patience = 10
Lambda latency        <15 ms warm · <100 ms cold (with provisioned concurrency)
Accuracy Curves
Fig. 2 — Training & Validation Accuracy
Loss Curves
Fig. 3 — Training & Validation Loss
Results & Evaluation
LSTM (proposed): Accuracy 98% · Precision 98% · Recall 98% · F1-score 98%

Accuracy by model
  Model        Accuracy
  SVM          88.4%
  Dec. Tree    90.2%
  CNN          93.0%
  LSTM ★       98.0%

Precision / recall / F1 by model
  Model        Precision   Recall   F1
  SVM          84.1%       77.8%    80.8%
  Dec. Tree    87.6%       81.3%    84.3%
  CNN          95.1%       85.4%    89.9%
  LSTM         98.0%       98.0%    98.0%
Confusion Matrix
Fig. 4 — Confusion Matrix
Class-wise Performance
Fig. 5 — Class-wise Performance
  Class        Precision   Recall   F1      Correct / Total (test flows; equals recall)
  BENIGN       0.99        0.94     0.96    9,446 / ~10,000
  DDoS         0.99        1.00     0.99    9,989 / 10,000
  DoS          0.98        0.99     0.98    9,909 / ~10,000
  PortScan     0.99        1.00     0.99    9,982 / 10,000
  Other        0.94        0.99     0.96    3,556 / 3,606
  Macro avg    0.978       0.984    0.976
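How the class-wise figures and the macro average relate to a confusion matrix, as an added example. The code is mine, not the poster's: the matrix's diagonal and row totals follow the table above, but the off-diagonal error counts are constructed and are not the poster's results, so the derived precision and F1 values only approximate the table.

```python
"""Added example (not the poster's code): per-class precision / recall / F1,
macro averages and accuracy computed from a confusion matrix. The matrix is
constructed: its diagonal and row totals follow the class-wise table, the
off-diagonal error counts are my own and are not the poster's results."""

CLASSES = ["BENIGN", "DDoS", "DoS", "PortScan", "Other"]

# rows = true class, columns = predicted class (constructed off-diagonals)
CONSTRUCTED_CM = [
    [9446,   50,  200,   80,  224],   # BENIGN   (10,000 flows)
    [   6, 9989,    5,    0,    0],   # DDoS     (10,000)
    [  60,   31, 9909,    0,    0],   # DoS      (10,000)
    [  12,    0,    0, 9982,    6],   # PortScan (10,000)
    [  40,    0,   10,    0, 3556],   # Other    ( 3,606)
]


def class_metrics(cm):
    """Return {class: (precision, recall, f1, correct, total)}."""
    n = len(cm)
    out = {}
    for i, name in enumerate(CLASSES[:n]):
        tp = cm[i][i]
        row_total = sum(cm[i])                          # flows that truly are class i
        col_total = sum(cm[r][i] for r in range(n))     # flows predicted as class i
        precision = tp / col_total if col_total else 0.0
        recall = tp / row_total if row_total else 0.0   # the "Correct / Total" column
        f1 = 2 * precision * recall / (precision + recall) if tp else 0.0
        out[name] = (precision, recall, f1, tp, row_total)
    return out


def macro_average(metrics):
    """Unweighted mean over classes: the small Other class counts as much as BENIGN,
    which is why macro F1 can sit below overall accuracy."""
    k = len(metrics)
    return tuple(sum(m[j] for m in metrics.values()) / k for j in range(3))


def accuracy(cm):
    """Share of all test flows on the diagonal; dominated by the large classes."""
    return sum(cm[i][i] for i in range(len(cm))) / sum(map(sum, cm))


if __name__ == "__main__":
    m = class_metrics(CONSTRUCTED_CM)
    for name, (p, r, f, tp, tot) in m.items():
        print(f"{name:9s} P={p:.2f} R={r:.2f} F1={f:.2f} {tp:>5}/{tot}")
    print("macro P/R/F1:", tuple(round(v, 3) for v in macro_average(m)))
    print("accuracy:", round(accuracy(CONSTRUCTED_CM), 3))
```

Recall is fixed by the table's diagonal and row totals, so the macro recall of 0.984 is reproduced exactly; precision depends on the column sums, i.e. on where the misclassified flows land, which is the part the poster does not show.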
Research Contributions
  • Novel SIF Framework: First integration of LSTM-based IDS with serverless AWS Lambda deployment enforcing NIST SP 800-207 ZTA in a unified, production-viable architecture
  • State-of-the-Art Accuracy: 98% across all metrics, surpassing federated IDS (97%), hybrid CNN-LSTM (95%), and all classical baselines
  • Scalable & Zero-Cost Idle: Lambda scales to zero, so no always-on host is exposed between invocations (the function code, its IAM role and its event sources remain and must still be hardened); the per-invocation cost model is cheaper than always-on EC2 when traffic is intermittent
  • Temporal Feature Exploitation: LSTM memory gates capture flow evolution patterns inaccessible to CNN convolutions or SVM kernels
  • Sub-100 ms Latency: 15 ms warm execution; the 1.1 s cold start is avoided for pre-initialised instances by serialising the model with TorchScript and using provisioned concurrency
  • ZTA with Minimal Overhead: mTLS + IAM adds ~8 ms per decision, reported as 5% of total execution time (against the 15 ms warm inference figure alone that would be over half, so the 5% is relative to end-to-end invocation time), while providing per-flow continuous verification
  • Open Reproducibility: Full code, trained model (.pth), Docker config, Lambda scripts on GitHub
Zero-Trust Architecture
  • Identity: mTLS via AWS Cognito on every flow
  • Classify: LSTM inference · confidence >0.85
  • Policy: IAM least-privilege condition evaluation
  • Enforce: ALLOW (BENIGN) / BLOCK + SNS alert
  • Re-verify: Every 5 min or 500 flows
~8 ms overhead per decision (5% of total execution time)
Conclusion & Future Work

The SIF framework shows that serverless, LSTM and ZTA are complementary: serverless removes always-on hosts from the attack surface; the LSTM captures temporal threat patterns; ZTA converts ML predictions into auditable per-flow security decisions.

Future directions:

  • Federated learning across multi-tenant environments
  • Adversarial robustness evaluation & hardening
  • Transformer-based traffic classifiers
  • Encrypted TLS traffic analysis
  • XAI (SHAP/LIME) for analyst dashboards
SOTA Comparison
  Reference               Model            Accuracy
  Proposed (2025)         3-layer LSTM     98.0%
  Neto et al. 2022        Federated IDS    97.0%
  Bamber et al. 2025      CNN-LSTM         95.0%
  Altunay et al. 2023     CNN+LSTM         93.2%
References
  • Sharafaldin et al. (2018). CICIDS2017. ICISSP
  • Rose et al. (2020). NIST SP 800-207 Zero Trust Architecture
  • Hochreiter & Schmidhuber (1997). LSTM. Neural Computation
  • Altunay & Albayrak (2023). CNN+LSTM. ESTIJ
  • Bamber et al. (2025). CNN-LSTM IDS. arXiv
  • Kingma & Ba (2015). Adam Optimizer. ICLR
  • AWS (2024). Lambda Developer Guide
© 2025 Md Anisur Rahman Chowdhury et al.  |  Gannon University, Erie, PA 16541  |  Department of Computer and Information Science