3rd International Conference of Engineering Sciences (ICES' 2022) Proceeding
Intrusion Detection System Based On Machine Learning And Deep Learning Techniques: A Review
Shaimaa A. Sharafali1*, Noor H. Fallooh2, Mohammed H. Ali3
Electronic Computer Center, Al-Nahrain University, Al-Jadriyah, Baghdad, Iraq
Dept. of Physiology/Support Science Unit, College of Medicine, Al-Nahrain University, Kadhimiya, Baghdad, Iraq
Electronics and Communication Eng. Dept., College of Engineering, Al-Nahrain University, Al-Jadriyah, Baghdad, Iraq
shaimaa@nahrainuniv.edu.iq, anoornhf87@nahrainuniv.edu.iq, mohammed.hussein.1@nahrainuniv.edu.iq
Keywords: Intrusion Detection Systems, Machine Learning, Deep Learning, Network Traffic, Cyber-Attacks, Dataset.
Abstract. Because of the rapid development of modern computer networks, many new challenges and threats to information security have appeared, such as attacks, digital intrusion, data theft, and so on. The effectiveness of intrusion detection systems (IDS) in ensuring information security has increased in significance with the expansion of artificial intelligence technologies. This survey presents a classification of modern intrusion detection systems using machine and deep learning technologies, including: support vector machine (SVM), recurrent neural network (RNN), long short-term memory (LSTM), convolutional neural network (CNN), deep neural network (DNN), Boltzmann machine (BM), decision tree (DT), stacked autoencoder (SAE), and random forest (RF). A general evaluation of some of the network-based datasets is also provided. This review also emphasizes the advantages of each dataset.
1. Introduction
With the advancement of computer networks, information technology (IT) has become increasingly important in daily life. Many external and internal intruder attacks targeting sensitive data that is created, handled, and transferred have occurred [1, 2]. As the number of Internet of Things (IoT) devices, smart cities, and power infrastructures has grown, so has the risk of cybercriminal attacks [3]. Cyberattacks are estimated to cause trillions of dollars in losses [4]. Many different types of cyberattacks are becoming more widely known, and as a result attackers devise new methods to avoid detection [5]. The National Institute of Standards and Technology defines an intrusion as an attempt to compromise security policies or to circumvent the security mechanisms of hosts or networks [6]. Network traffic is categorized as normal or malicious [7]. There are numerous types of malicious traffic, including web attacks, User to Root (U2R), infiltration or probing, Remote to Local (R2L) attacks, Distributed Denial of Service (DDoS), and Denial of Service (DoS) attacks [8]. The main issue is determining the type of malicious traffic, particularly unknown malicious traffic [9].
Traditionally, intrusion detection approaches relied on a regularly updated threat collection and only protected specific parts of the network, such as prioritized hosts or centralized nodes. As a result, attackers used other parts of the same network to infiltrate the target segment [8]. The majority of consumer security products rely on thresholds, signatures, heuristics, or statistically measured characteristics [10]. These techniques work well for detecting known threats; they do not, however, detect variations of new or existing attacks. Furthermore, these methods require domain expertise and ongoing updates [3]. Network security can be improved by utilizing intrusion detection systems that learn cyberattack behaviour through data modeling and analysis [9]. With the inclusion of Machine Learning (ML)-based methods [11] and Deep Learning (DL)-based methods, the trend of creating and utilizing new approaches and techniques to detect intrusion attacks is growing strongly. Attackers are creating new advanced threats, and attacks on IT processes are increasing as the online world rises in popularity. As a result, a new, dependable, and adaptable intrusion detection system (IDS) is required to deal with cyberattacks such as malware, through which attackers can control a network of compromised processes and launch different threats using command and control servers [12].
IDS are divided into host-based (HIDS) and network-based (NIDS) systems. A HIDS, for example antivirus software or protection plugins, is installed on a specific host, and its operation is reactive, in that it waits for a cyberattack to reach the host before neutralizing it. A NIDS is similar, but it is deployed on networking devices such as firewalls, enabling examination of data traffic originating from or terminating at different servers [13]. On the functional level, an IDS can either discover anomalies relative to regular network traffic or actively identify threats based on prior training. The benefit of an IDS that depends on regular network traffic patterns is that previously unknown intrusions (those not seen during the training phase) can be discovered. Even so, this may reduce the model's effectiveness by increasing the total number of false positives when irregular behaviour is generated by legitimate network traffic. Conversely, an attack classifier trained on a fixed training set is useless against unidentified malicious activities [14].
Rule-based NIDS are generally classified as signature-based (SNIDS), anomaly-based (ANIDS), misuse-based, or ensemble methods. SNIDS hard-code threat signatures and use pattern matching on traffic to identify abnormal network traffic. Attack traffic is also flagged by ANIDS, which are well suited to recognizing new forms of unusual traffic; this is one of the most effective methods for detecting zero-day threats, which SNIDS do not fully support. In terms of the false positive (FP) rate, however, the efficiency of ANIDS is extremely low [15].
Numerous researchers have suggested ML-based solutions to address the shortcomings of traditional methods [16]. ML capabilities have been observed in a variety of areas, most notably in the detection of zero-day attacks [17, 18]. Because intrusion detection is a classification problem, several ML and DL classifiers are widely used [12]. ML methods including RF [19], DT [20], and SVM [21] first select features and then employ classifiers to detect attacks. ML techniques are frequently utilized in intrusion detection [22, 23]. Nonetheless, ML techniques place heavy emphasis on feature selection. When dealing with complex data, feature selection becomes difficult, making it effectively impossible to solve the massive intrusion data classification problem. As a result, recognition accuracy is low, and other issues arise [9].
DL techniques, aided by the availability of big data and hardware processing power, do not need as much human knowledge as ML to implement; the complex structure of the data can be learned from raw input data [24]. DL, which is an upgraded form of classical neural networks, does not require feature engineering because it can extract the best features from raw data directly. Many cyber security problems have been solved successfully using DL architectures, for example botnet detection, intrusion detection, malware detection [25-29], and so on. DL frameworks have been used to enhance the detection of IoT botnets [30, 31]. DL offers a convenient facility for learning features from raw data automatically. This benefit allows researchers to use DL methods in a wide range of areas, such as intrusion detection systems, image and voice recognition, natural language processing (NLP), and computer networks. DNN, LSTM, Recurrent Neural Network (RNN), BM, CNN, and SAE are some of the DL models that have been produced [32]. Traditional ML techniques have lower computational complexity considering the volume, high dimensionality, and complicated structure of transferred data, yet they have deficits in learning complicated nonlinearities in huge data sets [9]. Numerous different protocols are employed in network traffic transmission, and the field values of such protocols frequently consist of several categorical variables, causing the transmitted data to become nonlinear and high-dimensional. When such high-dimensional data are classified directly, a large amount of computational resources is consumed, with a relatively low detection efficiency. Numerous studies have used techniques that integrate DL and traditional ML to address these issues: a DNN is applied for unsupervised feature extraction, by which the high-dimensional data are reduced to low-dimensional data by extracting the key features of the data distribution; a classification algorithm for the IDS is then built using traditional ML techniques. In contrast to traditional feature selection, feature extraction creates new features which are much more indicative than the original features of the initial data [33].
2. Methodology
Predictive models are built from data such as cyber security information, social media information, business information, IoT data, mobile data, health information, and much more. An understanding of artificial intelligence (AI), particularly ML, is required to analyze such data intelligently and build the corresponding automated and intelligent applications. There are various ML methodologies within the field, including supervised, unsupervised, semi-supervised, and reinforcement learning. Furthermore, DL, which is a subset of ML techniques, can intelligently analyze large amounts of data. This article presents a comprehensive summary of ML methods that can be used to enhance an application's intelligence and capabilities [34]. ML generally provides systems with the ability to learn and improve from experience without explicit programming, and it is largely viewed as among the most well-known technologies of the fourth industrial revolution, which is frequently defined as the continuing automation of conventional industrial and manufacturing practices, such as exploratory data processing, using modern digital techniques including ML-driven automated processes.
2.1 Real-World Data Types and Techniques for ML
ML techniques typically consume and process data to learn analysis and recognition concerning individuals, business operations, transaction data, events, and so on. The sections that follow discuss multiple kinds of real-world data along with ML algorithm categories. Typically, the most essential aspect of creating a model for ML and other real-world systems is data availability. Data may be structured, semi-structured, or unstructured. Moreover, another type of data that contains significant information about the main data is called "metadata" [34]. These types of data are discussed briefly below:
• Structured: It has a clearly defined structure, follows a standardized data template, is highly organized, and can be accessed easily by a computer program or an entity. It is typically saved in tabular format using well-structured schemas, including relational database systems. It includes items like names, dates, addresses, stock information, geolocation, credit card numbers, and so on [34].
• Unstructured: This data, on the other hand, has no pre-defined format or organization, making it much more challenging to collect, process, and analyze, because it primarily consists of audio-visual data and text. Sensor data, emails, documents, presentations, audio files, videos, blog entries, PDF files, images, web pages, and other records are examples of unstructured raw data [34].
• Semi-structured: Although semi-structured data is not stored in a relational database system, it has some organizational qualities that make analysis easier. Examples include XML, JSON documents, HTML, NoSQL databases, and other semi-structured data types [34].
• Metadata: This is "data about data," not regular data. The major distinction between "data" and "metadata" is that data are merely materials that can be used to classify, assess, or report something about the information qualities of an organization, whereas metadata describes the relevant information about the data, making it much more meaningful to data users. Metadata includes the creator, file size, keywords that describe the document, the date the file was created, and so on [34].
2.2 ML Technique Types
There are four types of ML algorithms: supervised learning, unsupervised learning, semi-supervised learning, and reinforcement learning. Below is a brief explanation of each type of learning method and how it can be used to solve real-world problems.
• Supervised: This is generally the ML task of learning a function that maps an input to an output using example input-output pairs. To infer the function, it uses labeled training data and a collection of training examples. Supervised learning is applied when specific goals are to be achieved from a given set of inputs, that is, it is a task-driven approach.
• Unsupervised: This is a data-driven process that analyzes unlabeled data sets without human supervision. It is commonly used to extract generative features, identify meaningful trends and structures, group results, and for exploratory purposes. Density estimation, feature learning, clustering, dimensionality reduction, association rule discovery, anomaly detection, and other unsupervised learning tasks are popular [34].
• Semi-supervised: This works with both unlabeled and labeled data and is a hybrid of the supervised and unsupervised strategies discussed above. As a result, it falls somewhere between learning with and without supervision. Labeled data may be scarce in some real-world situations while unlabeled data is abundant, making semi-supervised learning beneficial. The eventual aim of the semi-supervised learning method is to produce a more accurate prediction than a model that only uses labeled data. It is used in many applications such as machine translation, fraud detection, data labeling, and text classification [34].
• Reinforcement: Also known as an environment-driven approach, this is a form of ML that enables software agents and machines to automatically evaluate the optimal behaviour in a particular context or environment in order to increase their effectiveness. It is based on a reward or penalty, and the ultimate goal is to use the knowledge gained from environmental feedback to take actions that increase the reward or reduce the risk [36]. It is an effective training tool for intelligent systems, which can aid in the automation or optimization of advanced systems including robotics, autonomous driving tasks, manufacturing, and supply chain logistics; even so, it is not recommended for solving simple or straightforward problems. Thus, depending on the details of the data and the intended results, various types of ML algorithms can play a vital role in developing successful systems in a variety of application areas [34]. Table 1 summarizes and illustrates the various ML techniques. The following is an in-depth look at ML algorithms that have the potential to improve the intelligence and capabilities of a data-driven application.
Table 1: ML techniques of different kinds [34]
Type of learning | Model construction | Example
Supervised | Models or techniques that gain knowledge from labeled data (task-driven approach) | Regression, Classification
Unsupervised | Unlabeled data is used to train algorithms or models (data-driven approach) | Association, Dimensionality reduction, Clustering
Semi-supervised | Approaches are created by combining labeled and unlabeled data | Clustering, Classification
Reinforcement | Approaches are based on either a penalty or a reward (environment-driven approach) | Control, Classification
2.3 Data Sets
The type of data required and whether labels are required are determined by the IDS technique (supervised or unsupervised) and by the data format (flow, packet, and other). Accordingly, Table 2 categorizes a few key network-based datasets according to these two attributes.
• Botnet [37]. This dataset is a compilation of freely available existing datasets. The dataset's creators merged (sections of) the CTU-13 [41], ISOT [39], and ISCX 2012 [40] datasets using the overlay technique [38]. The final dataset includes botnets and regular user actions. In packet-based format, the Botnet data set is divided into two subsets: 5.3 GB for training and 8.5 GB for testing.
• CICIDS 2017 [42]. CICIDS 2017 was built in a virtualized environment over five days and includes network traffic in both bidirectional flow-based and packet-based formats. Each flow yields over eighty attributes, and the creators added extra metadata about IP addresses and threats. Scripts are used to simulate typical user behavior. The data set includes botnet, SSH brute force, web, DDoS, Heartbleed, DoS, and intrusion threats. CICIDS 2017 is publicly available for download.
• CTU-13 [41]. The CTU-13 data were collected in 2013 and are accessible in three formats: unidirectional flow, bidirectional flow, and packet. It was captured in a university network and can differentiate between 13 different cyberattacks. Additional information about the infected machines can be found on the website. Labeling proceeds in phases: in the first phase, all traffic to and from infected machines is marked as botnet traffic; in the second phase, regular traffic is marked when it matches particular filters; the remaining traffic is background traffic.
• KDD CUP 99 [43]. The DARPA dataset, which is one of the most widely used intrusion detection data sets, serves as the foundation for KDD CUP 99. It is classified as "other" because it is neither a standard packet-based nor a flow-based format. The data set includes both basic TCP connection attributes and high-level attributes like the number of unsuccessful logins, but no IP addresses. KDD CUP 99 contains an explicit test subset as well as over twenty different kinds of threats (for example, buffer overflow or DoS). The dataset contains five million data points and can be downloaded for free.
• NSL-KDD [44]. This dataset improves on KDD CUP 99. The high level of redundancy in the KDD CUP 99 dataset is a common complaint [44]. As a result, the NSL-KDD authors removed redundant records from the KDD CUP 99 dataset and generated more advanced groupings. The resulting set contains approximately 150 thousand data points divided into predetermined training and testing subsets for intrusion detection techniques. This dataset has the same characteristics as KDD CUP 99 and is also classified as "other". However, it should be mentioned that the network traffic underlying NSL-KDD dates back to 1998. The dataset is open to the public.
Table 3 shows specific attack information for the network-based datasets.
Table 2: A look at some network-based datasets [34]
Dataset | Year of traffic creation | Format | Anonymity | Count | Duration | Kind of traffic | Type of network | Labeled
Botnet | 2010/2014 | packet | | 14 GB packets | Not specified | emulated | Diverse networks |
CICIDS 2017 | 2017 | packet, bidirectional flow | | 3.1M flows | 5 days | emulated | Small network |
CTU-13 | 2013 | unidirectional and bidirectional flow, packet | payload | 81M flows | 125 hr | real | University network | with background labels
KDD CUP 99 | 1998 | other | | 5M points | Not specified | emulated | Small network |
NSL-KDD | 1998 | other | | 150k points | Not specified | emulated | Small network |
The original table also carries check-mark columns (Public Available, Normal traffic, Attack traffic, Metadata, Complete network, Predefined splits, Balanced, and the yes/no part of Anonymity and Labeled) whose marks are not reproduced here.
Table 3: Specific attack information of network-based datasets [34]
Data set | Attacks
Botnet | Zeus, Rbot, Menti, Virut, Murlo, Strom, Neris, NSIS, Sogou
CICIDS 2017 | DDoS (performed via LOIC), Heartbleed, SSH brute force, SQL injection, botnet (Ares), XSS, infiltration
CTU-13 | Virut, Menti, Rbot, Murlo, Sogou, NSIS, Neris
KDD CUP 99 | DoS, privilege escalation (remote-to-local and user-to-root), probing
NSL-KDD | DoS, privilege escalation (remote-to-local and user-to-root), probing
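The KDD CUP 99 and NSL-KDD descriptions above (records in "other" format with a trailing label, duplicate removal, and attacks grouped into DoS, probing, R2L and U2R) can be made concrete with a small parser. This is an added example, not code from the paper or from the dataset authors; the attack-name-to-family mapping is the grouping commonly used in the literature (an assumption here), and the sample records are constructed and abbreviated to the first 5 of the 41 features.

```python
"""Parse KDD CUP 99 / NSL-KDD style records, drop redundant records the way
NSL-KDD did, and group attack labels into the four attack families."""
from collections import Counter

# Commonly used grouping of KDD CUP 99 attack names into the four families.
# Assumption: this is the usual mapping from the literature, not from the paper.
ATTACK_FAMILY = {
    "back": "DoS", "land": "DoS", "neptune": "DoS", "pod": "DoS",
    "smurf": "DoS", "teardrop": "DoS",
    "ipsweep": "Probe", "nmap": "Probe", "portsweep": "Probe", "satan": "Probe",
    "ftp_write": "R2L", "guess_passwd": "R2L", "imap": "R2L", "multihop": "R2L",
    "phf": "R2L", "spy": "R2L", "warezclient": "R2L", "warezmaster": "R2L",
    "buffer_overflow": "U2R", "loadmodule": "U2R", "perl": "U2R", "rootkit": "U2R",
}


def parse_record(line, fmt="kdd99"):
    """Return (features, label, difficulty).

    KDD CUP 99 lines end with 'label.' (note the trailing period);
    NSL-KDD lines end with 'label,difficulty'. Features are kept as strings."""
    fields = [f.strip() for f in line.strip().split(",")]
    if fmt == "kdd99":
        return tuple(fields[:-1]), fields[-1].rstrip("."), None
    if fmt == "nslkdd":
        return tuple(fields[:-2]), fields[-2], int(fields[-1])
    raise ValueError("unknown record format: %s" % fmt)


def family_of(label):
    """Map a record label to normal / DoS / Probe / R2L / U2R / unknown."""
    if label == "normal":
        return "normal"
    return ATTACK_FAMILY.get(label, "unknown")


def deduplicate(records):
    """NSL-KDD removed exact duplicates from KDD CUP 99 so that learners are not
    biased toward the most frequent (mostly DoS) records. Returns (unique, dropped)."""
    seen = set()
    unique = []
    dropped = 0
    for features, label, difficulty in records:
        key = (features, label)
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        unique.append((features, label, difficulty))
    return unique, dropped


def family_counts(records):
    return Counter(family_of(label) for _, label, _ in records)


# Constructed sample in KDD CUP 99 layout, abbreviated to the first 5 of the 41
# features (duration, protocol_type, service, flag, src_bytes). The last record
# uses a label absent from the mapping to stand in for an attack type unseen at
# training time, which is the "unknown malicious traffic" problem from Section 1.
SAMPLE_KDD99 = """\
0,tcp,http,SF,181,normal.
0,tcp,http,SF,239,normal.
0,icmp,ecr_i,SF,1032,smurf.
0,icmp,ecr_i,SF,1032,smurf.
0,icmp,ecr_i,SF,1032,smurf.
0,tcp,private,S0,0,neptune.
0,tcp,private,S0,0,neptune.
0,tcp,private,REJ,0,portsweep.
184,tcp,telnet,SF,1511,buffer_overflow.
0,tcp,ftp_data,SF,334,warezclient.
0,tcp,private,S0,0,mscan.
"""


def summarize(text, fmt="kdd99"):
    """Parse all records, deduplicate, and report per-family counts before/after."""
    records = [parse_record(l, fmt) for l in text.splitlines() if l.strip()]
    unique, dropped = deduplicate(records)
    return {
        "total": len(records),
        "dropped_duplicates": dropped,
        "families_before": dict(family_counts(records)),
        "families_after": dict(family_counts(unique)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_KDD99).items():
        print(key, value)
```

On the sample, 3 of the 11 records are exact duplicates and all of them are DoS, so deduplication shrinks the DoS share from 5 of 11 to 2 of 8, which is the bias NSL-KDD set out to remove.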
3. Performance Metrics
To accurately determine the efficiency of an IDS, four performance metrics are used, namely accuracy, precision, recall, and F1-score. These performance measures are computed from the confusion matrix of the network attack classification shown in Table 4. TP is the number of entries in which attack traffic is correctly classified as malicious traffic; TN is the number of entries in which regular traffic is correctly classified as regular traffic; FP is the number of entries in which regular traffic is mistakenly identified as malicious traffic; FN is the number of entries in which malicious traffic is classified as regular traffic.
– Accuracy: the model's total number of correct predictions (TP and TN) divided by the total number of predictions.
$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \quad (1)$$
– Precision: the proportion of correct positive results to the total number of positive results predicted by the model.
$$\text{Precision} = \frac{TP}{TP + FP} \quad (2)$$
– Recall: the number of correct positive results divided by the total number of relevant samples (all actual attacks).
$$\text{Recall} = \frac{TP}{TP + FN} \quad (3)$$
– F1-score: combines precision and recall by taking their harmonic mean.
$$\text{F1-score} = 2 \times \frac{\text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \quad (4)$$
Table 4: Confusion Matrix
 | Predicted attack | Predicted normal
Actual attack | TP | FN
Actual normal | FP | TN
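Equations (1) to (4) and the confusion matrix of Table 4, computed from per-flow labels. This is an added example rather than code from the paper; the two detectors and the 1000-flow label sequences are constructed, with the attack share (2%) chosen to show why accuracy alone is misleading on imbalanced traffic and why the high FP rate of ANIDS noted in Section 1 shows up in precision rather than accuracy.

```python
"""Confusion matrix and the four IDS metrics of Section 3 computed from
per-flow labels, including the zero-denominator edge cases."""

ATTACK, NORMAL = "attack", "normal"


def confusion_matrix(actual, predicted):
    """Count TP, TN, FP, FN for the binary attack/normal case (Table 4)."""
    if len(actual) != len(predicted):
        raise ValueError("label sequences differ in length")
    tp = tn = fp = fn = 0
    for a, p in zip(actual, predicted):
        if a == ATTACK and p == ATTACK:
            tp += 1          # attack correctly flagged
        elif a == NORMAL and p == NORMAL:
            tn += 1          # normal correctly passed
        elif a == NORMAL and p == ATTACK:
            fp += 1          # false alarm
        else:
            fn += 1          # missed attack
    return {"TP": tp, "TN": tn, "FP": fp, "FN": fn}


def _ratio(num, den):
    # A zero denominator occurs, e.g. for precision when the model never
    # predicts "attack"; report 0.0 instead of raising.
    return num / den if den else 0.0


def metrics(cm):
    """Equations (1)-(4): accuracy, precision, recall, F1 (harmonic mean)."""
    tp, tn, fp, fn = cm["TP"], cm["TN"], cm["FP"], cm["FN"]
    accuracy = _ratio(tp + tn, tp + tn + fp + fn)
    precision = _ratio(tp, tp + fp)
    recall = _ratio(tp, tp + fn)
    f1 = _ratio(2 * precision * recall, precision + recall)
    return {"accuracy": accuracy, "precision": precision, "recall": recall, "f1": f1}


def evaluate(actual, predicted):
    """Return the four metrics together with the raw confusion matrix counts."""
    cm = confusion_matrix(actual, predicted)
    result = metrics(cm)
    result.update(cm)
    return result


# Constructed sample: 1000 flows of which 20 (2%) are attacks, the kind of
# imbalance seen in real captures.
ACTUAL = [ATTACK] * 20 + [NORMAL] * 980

# Detector A: labels everything "normal" and so detects nothing.
PRED_ALL_NORMAL = [NORMAL] * 1000

# Detector B: anomaly-style detector that catches 18 of the 20 attacks but also
# raises alarms on 50 legitimate flows (the ANIDS false-positive problem).
PRED_ANOMALY = [ATTACK] * 18 + [NORMAL] * 2 + [ATTACK] * 50 + [NORMAL] * 930


if __name__ == "__main__":
    for name, pred in (("all-normal", PRED_ALL_NORMAL), ("anomaly", PRED_ANOMALY)):
        r = evaluate(ACTUAL, pred)
        print(name, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in r.items()})
```

Detector A scores 0.98 accuracy while detecting no attack at all (precision, recall and F1 are 0), whereas detector B scores a lower 0.948 accuracy but 0.9 recall; only precision (18/68) exposes the 50 false alarms, which is why the paper reports all four metrics rather than accuracy alone.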
4. Related work
Rawat, S., Srinivasan, A., Ravi, V., & Ghosh, U. [15]: in this work the DNN algorithm outperforms all other classifiers in terms of model fit and accuracy on the test set, with an accuracy of 0.793. On the test set with subtle intrusions, the DL model achieves an accuracy of 0.759 using only six of the 41 features. The researchers ran experiments to determine the ML models' hyperparameters and network configurations.
Sriram, S., Vinayakumar, R., Alazab, M., & Soman, K. P. [3]: the researchers propose a DL-based botnet detection system based on network traffic flows. The botnet detection framework collects network traffic flows, converts them into connection logs, and uses the DL model to detect attacks from compromised IoT devices. Experiments were run on known data sets to determine the best DL model. According to the findings of their study, the proposed DL model outperformed traditional ML models. Two datasets are used to classify the traffic as normal or malicious, and the malicious traffic is then classified further by attack type.
Sriram, S., Shashank, A., Vinayakumar, R., & Soman, K. P. [12]: by modeling network traffic data, the researchers examined the efficacy of a CNN model for IDS. According to the researchers, 1D-CNN outperforms other modeling techniques such as LSTM and DNN. The model they developed has 425,989 parameters and does not employ complex preprocessing strategies. The researchers also proposed DCNN-IDS, which was trained on the KDDCUP99 dataset. The DCNN-IDS model also outperforms the other algorithms in the comparison, as demonstrated in their paper.
D. F. Rueda, J. C. Caviedes, and W. Y. C. Muñoz [8]: a CNN was used to extract features from traffic patterns, and an SVM was used to classify the attack type. The study's findings showed that image processing techniques can be used to classify internet traffic and detect patterns associated with intrusion attacks. In the paper's proposal, each record in the data set is transformed into an image, after which the CNN is employed to extract features, and an SVM-based algorithm determines the type of attack.
A. S. A. Issa and Z. Albayrak [45]: CLSTMNet, a compact DL architecture composed of a CNN and an LSTM, is proposed in this article. The researchers used the NSL-KDD datasets to implement and test the proposed model. The results were compared with various ML algorithms such as Multi-layer Perceptron, RT, RF, Naive Bayes, NB Tree, and J48, each fully trained and tested on all features. The reported accuracy of CLSTMNet is 99.28%.
Z. Gu, L. Wang, C. Liu, and Z. Wang [47] used the ANDAE feature extraction technique to create a network IDS, with the RF algorithm employed to classify the extracted features. An autoencoder (AE) was proposed for feature extraction and integrated with the ML algorithm RF to build the network IDS. On the NSL-KDD dataset, the model had a high recall rate and F1 score for the four types of attack detection. Compared to the SNDAE model, the ANDAE model improves detection accuracy while decreasing feature extraction time.
M. H. Haghighat and J. Li [52] proposed VNN, a new voting-based DL approach, to reduce the false alarms produced by other DL systems and to optimize system performance. It exploits the benefits of every type of DL framework: VNN combines the best models developed from different views of the data and several DL structures to produce more accurate and reliable results. According to this research, VNN can help security professionals detect more complex attacks.
Tang, C., Luktarhan, N., and Zhao, Y. [9] proposed SAAE-DNN, an IDS that integrates a SAE, a DNN, and an attention mechanism. Using the NSL-KDD dataset, the IDS behavior of SAAE-DNN is evaluated and compared to six algorithms: DT, XGBoost, LightGBM, GBDT, LR, and RF. SAAE-DNN outperforms existing classifiers such as RNN, CNN, ResNet, GoogLeNet, MDPCA-DBN, and SAE-SVM in terms of accuracy. They tested SAAE-DNN in binary and multi-class classification, where it outperforms ML methods like RF and DT, with accuracy of 87.74% and 82.14%, respectively.
The most important results of the related works mentioned above are summarized in Table 5 and Fig. 1.
Table 5: Summary of related works
Ref | Year | Strategy | Feature extraction | Classifier | Classification type | Dataset | Tools | Training accuracy % | Testing accuracy %
[15] | 2020 | ML, DL, DNN | DNN | DNN | Binary | NSL-KDD | TensorFlow, Keras | 96.7 | 79.3
[3] | 2020 | ML, DL, LR, NB, KNN, DT, AB, RF, RSVM, LSVM, DNN | DNN | DT | Binary and Multi | N-BaIoT, BoT-IoT | TensorFlow, Keras, Scikit-learn | --- | 100 (DT)
[12] | 2020 | DL, CNN, LSTM, DNN | CNN | CNN | Multi | KDDCUP99 | TensorFlow, Keras | --- | 94.1
[8] | 2022 | ML, DL, CNN, SVM | CNN | SVM | Multi | CIC-IDS2017 | Matlab R2020b | 96.53 | --
[45] | 2021 | DL, CNN, LSTM, CLSTMNet | CNN | LSTM | Multi | NSL-KDD, KDDCUP99 | --- | 99.28 | --
[47] | 2021 | SNDAE, ANDAE, RF | ANDAE | RF | Multi | NSL-KDD, KDDCUP99 | TensorFlow | ANDAE better than SNDAE in increasing accuracy and reducing feature extraction time | (same)
[52] | 2021 | CNN, LSTM, GRU, DNN, VNN | SAWANET | VNN | Binary | KDDCUP99, CTU-13 | --- | --- | 99.86
[52] | 2021 | CNN, LSTM, GRU, DNN, VNN | SAWANET | VNN | Multi | KDDCUP99, CTU-13 | --- | --- | 95.63
[9] | 2020 | DT, XGBoost, LightGBM, GBDT, LR, RF, DNN, SAAE-DNN | SAAE | DNN | Binary | NSL-KDD test+ | --- | --- | 87.74
[9] | 2020 | DT, XGBoost, LightGBM, GBDT, LR, RF, DNN, SAAE-DNN | SAAE | DNN | Multi | NSL-KDD test+ | --- | --- | 82.14
Fig. 1 Testing Accuracy for Binary and Multi Traffic Classification for related works
5. Conclusion and Suggestions
In this paper, the analysis of prior research revealed that, when dealing with vast amounts of data, deep learning outperforms machine learning in terms of accuracy of outcomes. In regard to the time required for training the model, the SVM method required the longest time to train compared to the other algorithms, while the DT algorithm requires less time than the rest. It was also noticed that employing a hybrid model based on deep learning and machine learning, in which deep learning is applied to extract features and machine learning is employed for classification, greatly enhances both performance and results.
Based on the results of the analysis provided, some suggestions can be made to increase the efficiency of intrusion detection systems:
• Improving execution by leveraging ongoing real-time model training as opposed to training the model on static data.
• Using hybrid models from ML and DL to further increase performance, where the features are taken from hidden layers of DL models and fed into other ML or DL models for further processing.
• Evaluating the hybrid model against various attacks, such as zero-day attacks, in a real-world or simulated network environment.
• Providing a mechanism for zero-day attacks and retraining the models to look for them.
• Combining ANDAE with other anomaly detection methods to improve the detection of unusual traffic behavior.
• Verifying whether tools like Spark are useful for enhancing the training and detection ability of the model.
References
[1] Liu, C.; Liu, Y.; Yan, Y.; Wang, J. An Intrusion Detection Model With Hierarchical
Attention Mechanism. IEEE Access 2020, 8, 67542–67554.
[2] Mukherjee, B., Heberlein, L. T., & Levitt, K. N. (1994). Network intrusion detection.
IEEE network, 8(3), 26-41.
[3] Sriram, S., Vinayakumar, R., Alazab, M., & Soman, K. P. (2020, July). Network flow
based IoT botnet attack detection using deep learning. In IEEE INFOCOM 2020-IEEE
conference on computer communications workshops (INFOCOM WKSHPS) (pp. 189-
194). IEEE.
[4] Rafter, D.: Cyberthreat trends: 2019 cybersecurity threat review (2019)
[5] O. M. Ahmed and A. B. Sallow, “Android Security: A Review,” Acad. J. Nawroz Univ.
Vol 6 No 3, 2017, doi: 10.25007/ajnu.v6n3a99.
[6] Mell, P., Grance, T.: The NIST Definition of Cloud Computing (2011),
https://csrc.nist.gov/publications/detail/sp/800-145/final
[7] Su, T.; Sun, H.; Zhu, J.; Wang, S.; Li, Y. BAT: Deep Learning Methods on Network
Intrusion Detection Using NSL-KDD Dataset. IEEE Access 2020, 8, 29575–29585.
[8] Rueda, D. F., Caviedes, J. C., & Muñoz, W. Y. C. (2022). A Hybrid Intrusion Detection
Approach Based on Deep Learning Techniques. In Computer Networks, Big Data and
IoT (pp. 863-878). Springer, Singapore.
[9] Tang, C., Luktarhan, N., & Zhao, Y. (2020). SAAE-DNN: Deep learning method on
intrusion detection. Symmetry, 12(10), 1695.
[10] Vinayakumar R, Mamoun Alazab, Soman KP, Prabaharan Poornachandran, Ameer Al-
Nemrat, and Sitalakshmi Venkatraman. “Deep Learning Approach for Intelligent
Intrusion Detection System.” IEEE Access.
[11] Stallings, W.: Network security essentials: applications and standards. Pearson
Education, 6 edn. (2017)
[12] Sriram, S., Shashank, A., Vinayakumar, R., & Soman, K. P. (2019, December). DCNN-
IDS: deep convolutional neural network based intrusion detection system.
In International Conference on Computational Intelligence, Cyber Security, and
Computational Models (pp. 85-92). Springer, Singapore.
[13] Mohammed, M., Pathan, A.S.K.: Intrusion Detection and Prevention Systems (IDPSs).
In: Automatic Defense Against Zero-day Polymorphic Worms in Communication
Networks, chap. 3, pp. 47-84. Auerbach Publications, 2 edn. (2013)
[14] Yin, C., et al.: A Deep Learning Approach for Intrusion Detection Using Recurrent
Neural Networks. IEEE Access 5, 21954-21961 (2017)
[15] Rawat, S., Srinivasan, A., Ravi, V., & Ghosh, U. (2022). Intrusion detection systems
using classical machine learning techniques vs integrated unsupervised feature learning
and deep neural network. Internet Technology Letters, 5(1), e232.
[16] Koroniotis, Nickolaos, Nour Moustafa, Elena Sitnikova, and Benjamin Turnbull.
“Towards the Development of Realistic Botnet Dataset in the Internet of Things for
Network Forensic Analytics: Bot-IoT Dataset.” arXiv preprint arXiv:1811.00701 (2018).
[17] Vinayakumar R, Soman KP, Poornachandran P. A comparative analysis of deep learning
approaches for network intrusion detection systems (N-IDSs): deep learning for N-IDSs.
Int J Dig Crime Foren. 2019;11(3):65-89
[18] Vinayakumar R, Soman KP, Poornachandran P. Evaluation of recurrent neural network
and its variants for intrusion detection system (IDS). Int J Inform Syst Model Des.
2017;8(3):43-63.
[19] Alagrash, Y.; Drebee, A.; Zirjawi, N. Comparing the Area of Data Mining Algorithms
in Network Intrusion Detection. J. Inf. Secur. 2020, 11, 1–18.
[20] Khammassi, C.; Krichen, S. A NSGA2-LR wrapper approach for feature selection in
network intrusion detection. Comput. Netw. 2020, 172, 107183.
[21] Gauthama Raman, M.R.; Somu, N.; Jagarapu, S.; Manghnani, T.; Selvam, T.;
Krithivasan, K.; Shankar Sriram, V.S. An efficient intrusion detection technique based
on support vector machine and improved binary gravitational search algorithm. Artif.
Intell. Rev. 2020, 53, 3255–3286.
[22] Amouri, A.; Alaparthy, V.T.; Morgera, S.D. A Machine Learning Based Intrusion
Detection System for Mobile Internet of Things. Sensors 2020, 20, 461.
[23] Wongsuphasawat, K.; Smilkov, D.; Wexler, J.; Wilson, J.; Mané, D.; Fritz, D.; Krishnan,
D.; Viégas, F.B.; Wattenberg, M. Visualizing dataflow graphs of deep learning models in
TensorFlow. IEEE Trans. Vis. Comput. Graph. 2018, 24, 1–12.
[24] O. Ahmed and A. Brifcani, “Gene Expression Classification Based on Deep Learning,”
in 2019 4th Scientific International Conference Najaf (SICN), 2019, pp. 145–149, doi:
10.1109/SICN47020.2019.9019357.
[25] Vinayakumar R., Soman K.P., Poornachandran P., Alazab M., Jolfaei A. (2019) DBD:
Deep Learning DGA-Based Botnet Detection. In: Alazab M., Tang M. (eds) Deep
Learning Applications for Cyber Security. Advanced Sciences and Technologies for
Security Applications. Springer, Cham
[26] S. Akarsh, S. Sriram, P. Poornachandran, V. K. Menon and K. P. Soman, “Deep Learning
Framework for Domain Generation Algorithms Prediction Using Long Short-term
Memory,” 2019 5th International Conference on Advanced Computing &
Communication Systems (ICACCS), Coimbatore, India, 2019, pp. 666-671.
[27] Vinayakumar R, Mamoun Alazab, Soman KP, Prabaharan Poornachandran, Ameer Al-
Nemrat, and Sitalakshmi Venkatraman. “Deep Learning Approach for Intelligent
Intrusion Detection System.” IEEE Access.
[28] V. R., M. Alazab, A. Jolfaei, S. K.P. and P. Poornachandran, “Ransomware Triage Using
Deep Learning: Twitter as a Case Study,” 2019 Cybersecurity and Cyberforensics
Conference (CCC), Melbourne, Australia, 2019, pp. 67-73.
[29] R. Vinayakumar, M. Alazab, K. P. Soman, P. Poornachandran and S. Venkatraman,
“Robust Intelligent Malware Detection Using Deep Learning,” in IEEE Access, vol. 7,
pp. 46717-46738, 2019.
[30] Meidan, Yair, Michael Bohadana, Yael Mathov, Yisroel Mirsky, Asaf Shabtai, Dominik
Breitenbacher, and Yuval Elovici. “N-BaIoT—Network-Based Detection of IoT Botnet
Attacks Using Deep Autoencoders.” IEEE Pervasive Computing 17, no. 3 (2018): 12-22.
[31] Koroniotis, Nickolaos, Nour Moustafa, Elena Sitnikova, and Benjamin Turnbull.
“Towards the Development of Realistic Botnet Dataset in the Internet of Things for
Network Forensic Analytics: Bot-IoT Dataset.” arXiv preprint arXiv:1811.00701 (2018).
[32] Haghighat, M. H., & Li, J. (2021). Intrusion detection system using voting-based neural
network. Tsinghua Science and Technology, 26(4), 484-495.
[33] S. Hou, A. Saas, L. Chen, and Y. Ye, “Deep4maldroid: a deep learning framework for
android malware detection based on linux kernel system call graphs,” in Proceedings of
the 2016 IEEE/WIC/ACM International Conference on Web Intelligence Workshops
(WIW), pp. 104–111, Omaha, NE, USA, October 2016.
[34] Chaurasia, N., Farooqui, A., Ansari, S. K., & Kalim, A. (2021). Artificial Intelligence And
Machine Learning Techniques For Data Science Using Predictive Models System.
Vidyabharati International Interdisciplinary Research Journal - Special Issue, 13,
143–151 (ISSN 2319-4979).
[35] CIC-DDoS2019 [Online]. Available: https://www.unb.ca/cic/datasets/ddos-2019.html
(Accessed on 28 March 2020)
[36] De Amorim RC. Constrained clustering with Minkowski weighted k-means. In: 2012
IEEE 13th International Symposium on Computational Intelligence and Informatics
(CINTI), pages 13–17. IEEE, 2012.
[37] E. B. Beigi, H. H. Jazi, N. Stakhanova, A. A. Ghorbani, Towards Effective Feature
Selection in Machine Learning-Based Botnet Detection Approaches, in: IEEE
Conference on Communications and Network Security, IEEE, 2014, pp. 247–255.
[38] A. J. Aviv, A. Haeberlen, Challenges in Experimenting with Botnet Detection Systems,
in: Conference on Cyber Security Experimentation and Test (CEST), USENIX
Association, Berkeley, CA, USA, 2011.
[39] S. Saad, I. Traore, A. Ghorbani, B. Sayed, D. Zhao, W. Lu, J. Felix, P. Hakimian,
Detecting P2P Botnets through Network Behavior Analysis and Machine Learning, in:
International Conference on Privacy, Security and Trust (PST), IEEE, 2011, pp. 174–180.
[40] A. Shiravi, H. Shiravi, M. Tavallaee, A. A. Ghorbani, Toward developing a systematic
approach to generate benchmark datasets for intrusion detection, Computers &
Security 31 (3) (2012) 357–374.
[41] S. Garcia, M. Grill, J. Stiborek, A. Zunino, An empirical comparison of botnet detection
methods, Computers & Security 45 (2014) 100–123.
[42] I. Sharafaldin, A. H. Lashkari, A. A. Ghorbani, Toward Generating a New Intrusion
Detection Dataset and Intrusion Traffic Characterization, in: International Conference on
Information Systems Security and Privacy (ICISSP), 2018, pp. 108–116.
[43] S. Stolfo, [Online]. URL http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
(date last accessed 22 June 2018).
[44] M. Tavallaee, E. Bagheri, W. Lu, A. A. Ghorbani, A detailed analysis of the KDD CUP
99 data set, in: IEEE Symposium on Computational Intelligence for Security and Defense
Applications, 2009, pp. 1–6.
[45] Issa, A. S. A., & Albayrak, Z. (2021, August). CLSTMNet: A Deep Learning
Model for Intrusion Detection. In Journal of Physics: Conference Series (Vol. 1973, No.
1, p. 012244). IOP Publishing.
[46] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed analysis of the KDD
CUP 99 data set,” in 2009 IEEE symposium on computational intelligence for security
and defense applications, 2009, pp. 1–6.
[47] Gu, Z., Wang, L., Liu, C., & Wang, Z. (2021). Network Intrusion Detection with
Nonsymmetric Deep Autoencoding Feature Extraction. Security and Communication
Networks, 2021.
[48] D. P. Kingma and J. Ba, “Adam: a method for stochastic optimization,” December 2014,
https://www.arxiv-vanity.com/papers/1412.6980/
[49] L. Breiman, “Random forests,” Machine Learning, vol. 45, no. 1, pp. 5–32, 2001.
[50] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A Detailed Analysis of the KDD
CUP 99 Data Set,” in Proceedings of the 2009 IEEE Symposium on Computational
Intelligence for Security and Defense Applications, pp. 1–6, Ottawa, ON, Canada, July
2009.
[51] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward generating a new intrusion
detection dataset and intrusion traffic characterization,” in Proceedings of the 4th
International Conference on Information Systems Security and Privacy - ICISSP, vol. 1,
pp. 108–116, Funchal, Madeira, Portugal, January 2018.
[52] Haghighat, M. H., & Li, J. (2021). Intrusion detection system using voting-based neural
network. Tsinghua Science and Technology, 26(4), 484-495.
[53] Tharwat, A. Classification assessment methods. Appl. Comput. Inform. 2018, 10, 1–13.