International Conference KNOWLEDGE-BASED ORGANIZATION
Vol. XXIX No 3 2023

A REVIEW OF ENHANCING INTRUSION DETECTION SYSTEMS FOR CYBERSECURITY USING ARTIFICIAL INTELLIGENCE (AI)

Michal MARKEVYCH, Maurice DAWSON
Illinois Institute of Technology, Chicago, USA
mmarkevych@hawk.iit.edu

Abstract: The escalating complexity of cyber attacks demands innovative intrusion detection systems (IDS) to safeguard critical assets and data. The study aims to explore the potential of Artificial Intelligence (AI) in enhancing the IDS's ability to identify and classify network traffic and detect anomalous behavior. The paper offers a concise overview of IDS and AI and examines the existing literature on the subject, highlighting the significance of integrating advanced language models for cybersecurity enhancement. The research outlines the methodology employed to assess the efficacy of AI within IDS. Furthermore, the study considers key performance metrics such as detection accuracy, false positive rate, and response time to ensure a comprehensive evaluation. Findings indicate that AI is a valuable asset in enhancing the accuracy of IDS for detecting and responding to cyber attacks. Nonetheless, the study also brings to light certain limitations and challenges associated with incorporating AI into IDS, such as computational complexity and potential biases in training data. This research emphasizes the potential of advanced language models like ChatGPT in augmenting cybersecurity solutions and offers insights into overcoming associated challenges for a more robust and effective defense against sophisticated cyber attacks.

Keywords: ChatGPT, Intrusion Detection Systems, Cybersecurity, AI
1. Introduction

Intrusion Detection Systems (IDS) serve as vital security safeguards, shielding network infrastructures from cyber attacks by identifying unauthorized access and harmful actions. Since their emergence in the mid-80s, they have undergone substantial advancements to stay on par with the growing complexity of computer-related crimes [1]. IDS can be categorized into network intrusion detection (NIDS) and prevention (IPS) systems, which analyze network traffic for signs of malicious activity using signature and statistical anomaly detection as well as heuristic behavioral analysis [2]. Such systems have the capability to identify and potentially avert attacks and malicious actions that conventional security measures like firewalls may miss [3].

The need for improved accuracy in detecting and responding to cyber attacks is paramount due to the growing number of advanced threats that can compromise the confidentiality, integrity, and availability of network systems. According to Pietraszek's estimation, nearly 99% of the intrusion detection alerts are unrelated to cybersecurity concerns, as there are only slight discrepancies observed between regular and malevolent activities [4]. Researchers have proposed various techniques to enhance IDS capabilities, such as using fuzzy logic [1], neural networks (NNs), and support vector machines (SVMs) [2]. These approaches have shown promise in reducing false positives and improving detection rates for different types of attacks, including Distributed Denial of Service (DDoS) attacks [2].

The potential of ChatGPT or similar AI models to enhance IDS capabilities is an area of interest, as these models can leverage natural language processing and machine learning techniques to understand complex patterns and behaviors in network traffic. By integrating ChatGPT or similar AI models into IDS, it may be possible to improve the detection of sophisticated attacks, reduce false positives, and enable more efficient response mechanisms. This paper explores the potential of ChatGPT to improve the accuracy of IDS and enhance their capabilities for cybersecurity.

DOI: 10.2478/kbo-2023-0072
© 2023 Michal Markevych et al. This work is licensed under the Creative Commons Attribution-Non Commercial-No Derivatives 3.0 License.
2. Background

IDS have been an essential component of cybersecurity since the late 1980s. Since then, the field has evolved rapidly in response to the growing complexity and variety of cyber threats. Early intrusion detection systems were primarily focused on securing large, centralized mainframe systems; however, as computer networks became more widespread, IDS expanded to protect these increasingly interconnected systems.

2.1 Traditional Methods of Intrusion Detection Systems

Traditional IDS consist of signature-based detection (SD) and anomaly-based detection (AD) [5]. Signature Detection (SD) is a method of identifying patterns or sequences in network traffic that match pre-identified attack signatures. This technique is highly effective in detecting known attacks and results in a low false positive rate for such incidents [5]. However, it may not be able to detect emerging or unknown threats, which is a limitation of this approach. Moreover, the signature database needs to be updated continuously to ensure the SD system's efficiency.

Anomaly-based Detection (AD) is a technique that observes network traffic for deviations from regular behavior, which could indicate a potential attack [5]. AD employs machine learning algorithms, statistical analysis, or other methods to establish a standard baseline of normal behavior and identify anomalies. This approach has the ability to detect unknown or novel attacks and is adaptable to evolving network behavior. However, AD has a higher false positive rate compared to Signature Detection (SD), and it requires a training period to establish the baseline of normal behavior. A hybrid approach combining SD and AD can be used to balance the high false positive rate and low false negative rate associated with AD.
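The SD/AD trade-off described above, as an added example that is not part of the paper: a signature matcher and a per-port packet-volume baseline run over constructed flow records, then tallied separately and as the hybrid (SD or AD). The flows, the signature database and the 3-sigma threshold are all assumptions made for illustration.

```python
"""Signature-based (SD) and anomaly-based (AD) detection over constructed flow records."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    packets: int      # packets observed in the flow
    payload: bytes    # leading payload bytes, as a capture tool would expose them


# Constructed signature database (SD): byte patterns of known-bad requests.
SIGNATURES = {
    "sig-shell-path": b"/bin/sh",
    "sig-sqli-tautology": b"' OR 1=1",
}


def signature_detect(flow: Flow) -> list[str]:
    """SD: names of every signature whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in flow.payload]


class AnomalyDetector:
    """AD: learn a per-destination-port baseline of packets-per-flow during a
    training period, then flag flows more than k standard deviations above it."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.baseline: dict[int, tuple[float, float]] = {}  # dport -> (mean, stdev)

    def train(self, flows: list[Flow]) -> None:
        by_port: dict[int, list[int]] = defaultdict(list)
        for f in flows:
            by_port[f.dport].append(f.packets)
        for port, counts in by_port.items():
            self.baseline[port] = (mean(counts), pstdev(counts))

    def is_anomalous(self, flow: Flow) -> bool:
        if flow.dport not in self.baseline:
            return True  # a service never seen in training is itself a deviation
        mu, sigma = self.baseline[flow.dport]
        # floor the spread at one packet so a constant baseline still has a margin
        return flow.packets > mu + self.k * max(sigma, 1.0)


def run(labelled: list[tuple[Flow, bool]], ad: AnomalyDetector) -> dict[str, tuple[int, ...]]:
    """Confusion counts (tp, fp, fn, tn) for SD alone, AD alone and the hybrid (SD or AD)."""
    counts = {"sd": [0, 0, 0, 0], "ad": [0, 0, 0, 0], "hybrid": [0, 0, 0, 0]}
    for flow, is_attack in labelled:
        verdict = {"sd": bool(signature_detect(flow)), "ad": ad.is_anomalous(flow)}
        verdict["hybrid"] = verdict["sd"] or verdict["ad"]
        for method, alert in verdict.items():
            c = counts[method]
            if alert and is_attack:
                c[0] += 1
            elif alert:
                c[1] += 1
            elif is_attack:
                c[2] += 1
            else:
                c[3] += 1
    return {m: tuple(c) for m, c in counts.items()}


# Constructed training traffic: HTTPS flows of 10-14 packets, SSH flows of 20-22 packets.
TRAINING = (
    [Flow(f"10.0.0.{i}", "10.0.1.1", 443, 10 + i % 5, b"GET /") for i in range(20)]
    + [Flow(f"10.0.0.{i}", "10.0.1.2", 22, 20 + i % 3, b"SSH-2.0") for i in range(12)]
)

# Constructed evaluation traffic with ground-truth labels (True = attack).
LABELLED = [
    (Flow("10.0.0.50", "10.0.1.1", 443, 12, b"GET /index.html"), False),
    (Flow("10.0.0.51", "10.0.1.1", 443, 11, b"POST /login user=' OR 1=1 --"), True),  # known signature, normal volume
    (Flow("10.0.0.52", "10.0.1.2", 22, 90, b"SSH-2.0"), True),                         # no signature, far above baseline
    (Flow("10.0.0.53", "10.0.1.1", 443, 40, b"GET /large-download"), False),           # benign but unusually large
    (Flow("10.0.0.54", "10.0.1.3", 8080, 5, b"GET /"), False),                         # benign, port unseen in training
    (Flow("10.0.0.55", "10.0.1.1", 443, 13, b"GET /cgi?cmd=/bin/sh"), True),           # known signature, normal volume
]


def demo() -> dict[str, tuple[int, ...]]:
    ad = AnomalyDetector()
    ad.train(TRAINING)
    return run(LABELLED, ad)


if __name__ == "__main__":
    for method, (tp, fp, fn, tn) in demo().items():
        print(f"{method:>6}: tp={tp} fp={fp} fn={fn} tn={tn}")
```

On this data SD raises no false positives but misses the volume-only attack, AD catches it at the price of two false positives, and the hybrid alerts on every attack while inheriting AD's false positives.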
2.2 Limitations of Traditional Methods in the Face of Evolving Cyber Threats

Traditional intrusion detection methods have served as the backbone of cybersecurity for decades, but their effectiveness has diminished in the face of rapidly evolving and increasingly sophisticated cyber threats such as AI generated attacks [12]. Signature-based detection relies on a database of known threats, which requires constant updates to remain effective. As new threats emerge, traditional IDS may struggle to keep pace, leaving systems vulnerable to novel attacks. Anomaly-based detection methods are prone to false positives, as benign activities that deviate from the norm can trigger alerts. This can lead to an overwhelming number of alerts, which can distract security personnel and reduce overall efficiency. Traditional methods also face scalability issues. As networks and systems grow in size and complexity, traditional IDS may struggle to scale and maintain performance. This can result in slower detection and response times, which can be exploited by attackers.
3. Overview of AI-based IDS

Intrusion Detection Systems (IDS) are essential components of modern network security infrastructure, designed to detect and prevent unauthorized access, misuse, and attacks on computer systems and networks [13]. Traditional IDS rely on signature-based and rule-based methods to detect known threats. However, as the cyber threat landscape evolves, it is becoming increasingly difficult for these traditional approaches to keep up with the rapid proliferation of sophisticated and novel attack techniques [14]. Artificial Intelligence (AI)-based IDS, which leverage machine learning and other AI techniques, have emerged as a promising solution to address these challenges, offering significant advantages over traditional methods in terms of adaptability, pattern recognition, and real-time detection and response capabilities [13].

3.1 Advantages of AI-based IDS over Traditional Methods

One of the key advantages of AI-based IDS is their inherent adaptability. While traditional IDS rely on a fixed set of signatures and rules to detect known threats, AI-based IDS can learn and adapt to new threats and the changing network behavior over time. This enables them to detect previously unseen attacks and anomalies, offering a more robust and proactive defense against ever-evolving cyber threats.

3.2 Pattern Recognition

Another advantage of AI-based IDS is their ability to recognize patterns in large volumes of network data. By using machine learning algorithms, these systems can effectively identify patterns indicative of malicious activity, even when the specific attack vector or method is unknown. This allows AI-based IDS to detect a wide range of threats, including zero-day attacks and advanced persistent threats (APTs), which often go undetected by traditional signature-based IDS [15].

3.3 Real-time Detection and Response

AI-based IDS also excel in real-time detection and response capabilities. Through the use of advanced algorithms and efficient data processing techniques, AI-based IDS can analyze network traffic and detect malicious activity in real-time, allowing organizations to respond to potential security incidents more rapidly and effectively [15]. This significantly reduces the window of opportunity for attackers and minimizes the potential impact of security breaches.

3.4 Challenges and Limitations of AI-based IDS

Despite their numerous advantages, AI-based IDS are not without challenges and limitations [8]. One significant issue is the occurrence of false positives and false negatives, which can lead to an increased workload for security analysts and potential gaps in security coverage [9]. While AI-based IDS are designed to improve detection accuracy, it is essential to continuously refine their algorithms and fine-tune system parameters to minimize these errors.

The computational complexity of AI-based IDS can also pose challenges, particularly for organizations with limited resources [10]. Machine learning algorithms and other AI techniques often require substantial computational power and memory, which may necessitate the deployment of specialized hardware and infrastructure. As such, the cost and resource implications of implementing AI-based IDS must be carefully considered.

Finally, using AI-based IDS raises data privacy concerns, as these systems typically rely on analyzing large volumes of sensitive network data [11]. Ensuring the privacy and security of this data is critical, and organizations must carefully evaluate the potential risks associated with implementing AI-based IDS, including data storage, transmission, and processing practices. Compliance with relevant data protection regulations and implementing appropriate security measures are essential to mitigating these risks.
4. Literature Review

MIT is working on methods to use machine learning to defend against cyber attacks. Their paper "AI2: Training a big data machine to defend" presents a new method. Their system has four components: a big data processing system, an outlier detection engine, a mechanism to obtain feedback from security analysts, and a supervised learning module. Their system tries to combine the expertise of security experts with the speed of machine learning and its ability to detect new attacks. More specifically, they use unsupervised machine learning, which they preferred since labeled data is rare and attacks constantly evolve. In the system, they generate their own labels and use a supervised learning algorithm with these labels. The big data processing system is a system that can extract features of different entities from raw data [7]. The outlier detection engine is a system that uses unsupervised learning on the features found by the big data processing system. They use three methods: density-based methods, matrix decomposition, and replicator neural networks. The output of this unsupervised system is processed and shown to a security analyst, who can verify or refute the output. The feedback is fed to a supervised learning algorithm, which learns a model that uses this feedback to better predict whether any new event is normal or abnormal. With more feedback, the system becomes more and more accurate.
5. Role of ChatGPT and Similar AI Models in Enhancing IDS

AI-based anomaly detection involves using machine learning techniques, such as unsupervised learning or semi-supervised learning, to identify unusual patterns in network traffic data. Unsupervised learning algorithms, like clustering, can be employed to group similar data points together, thus allowing the AI model to distinguish between normal and abnormal behavior. Semi-supervised learning algorithms, on the other hand, use a combination of labeled (known) and unlabeled (unknown) data to improve their accuracy in identifying anomalies.

Pattern recognition in the context of IDS involves analyzing network traffic data to identify signatures or patterns indicative of malicious activities. AI models, especially deep learning models like Convolutional Neural Networks (CNN) and Recurrent Neural Networks (RNN), excel at identifying patterns in complex and large datasets. These models can be trained on historical data containing various types of cyber-attacks and intrusion attempts [16]. As the AI learns the signatures of known attack vectors, it can recognize similar patterns in real-time network traffic data, alerting security teams to potential threats. Furthermore, AI models can also generalize patterns learned from historical data to identify new, previously unseen attack vectors that share similarities with known threats.

The most impactful role that these AI models can have is reducing false positives through advanced data analysis and correlation techniques. Moreover, AI models can be retrained and fine-tuned over time using feedback from security analysts, continually improving their ability to identify genuine threats and further reducing the number of false positives [17].
6. Case Studies and Empirical Evidence

In this analysis, we explored successful AI-powered intrusion detection system (IDS) applications across various sectors, emphasizing the use of artificial intelligence methods, such as neural networks and machine learning, to boost the identification and deterrence of cyber attacks.

6.1 Banking and Financial Services

A remarkable instance of efficient AI-driven IDS deployment is observed in banking and financial services. Kanimozhi and Dr. T. Prem Jacob conducted a study [18] suggesting an Artificial Neural Network-oriented system for identifying botnet attacks, a significant risk to these sectors. The system was trained using the CSE-CIC-IDS2018 dataset, supplied by the Canadian Institute for Cybersecurity, and implemented on Amazon Web Services (AWS). The outcomes showed an unprecedented accuracy rate of 99.97%, an average ROC curve area of 0.999, and a minimal false positive rate of 0.03%. The success of this system emphasizes AI-driven IDS's potential to scrutinize network traffic and spot cyber threats in real time.
6.2 AI-Enhanced Honeypots

Scientists at the University of Texas at Dallas created DeepDig, an AI-integrated honeypot system that learns from assaults and morphs genuine network resources into lures [19]. This method addresses the limitations of static deception technology, which does not learn from previous attacks, leaving it vulnerable to AI-capable opponents. DeepDig employs machine learning approaches to gain a deeper insight into attackers' actions, improving the system's adaptability and defense against evolving hazards. By incorporating real assets into the honeypot, even the most skilled adversaries cannot escape interaction with the trap, enabling the IDS to learn and strengthen its defenses over time.

6.3 Deep Learning in Network Intrusion Detection

Xu et al.'s case study (cspecc.utsa.edu) examined the application of deep learning techniques for supervised network intrusion detection and unsupervised network anomaly detection [20]. The research methodically assessed deep learning's effectiveness in network intrusion detection, showcasing AI-powered techniques' potential in analyzing and pinpointing malicious traffic in real-time. This investigation adds to the expanding knowledge base on AI-driven IDS and encourages the creation of more advanced systems for protection against cyber threats.
7. Future Directions

Initial steps were taken in the course of this paper toward implementing a ChatGPT-based intrusion detection system, using OpenAI's GPT-4 API [21]. The theorized design, its theory, and its limitations are addressed below.

7.1 ChatGPT IDS Design

GPT-4 was chosen as the model for the AI IDS because of its broad knowledge of domains, accurate problem-solving skills, and ability to complete complicated instructions. An existing network traffic capture tool or IDS can be used; in this research case, it was decided to use tcpdump. Tcpdump is a low-profile command-line packet analyzer that can export network traffic in pcap and CSV format [22]. The next step is to integrate GPT-4 into the existing network traffic capture tool or run it independently to analyze network traffic. GPT-4 would then analyze the incoming packet data and scan it for malicious activity. Because this language model is connected to the internet, it can scrape current websites for current threats and payloads for comparison with the incoming network traffic. This gives the AI intrusion detection program the added benefit of detecting newer threats that need to be constantly patched in existing IDS. The flow and analysis of data is shown in Figure 1.

Figure 1: Data flow of proposed GPT-4 based IDS
Source: Michal Markevych

7.2 Design Limitations

The design in Figure 1 was constructed using a small model which sampled small amounts of data (under 50 packets). In order to analyze more packets, a large language model must be used to convert the data from the packets into a vector database. Vector databases store data and export it to be analyzed by programs such as AI models. This constrained the construction of this design, as vector database prices scale with the amount of data analyzed.

Another challenge came with GPT-4 API pricing, which is priced at .03 cents per 1000 tokens. Let us consider a regular network receiving 50 packets per second, where each packet requires 75 tokens to analyze (found using a data-to-token calculator). Implementing this design costs $6.75 per minute of running the IDS system. This constraint could be mitigated by receiving access through OpenAI's GPT-4 API waitlist, which allows users to get more access to GPT-4 queries.
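The capture-to-model stage of the design in 7.1 and the token-cost constraint in 7.2, as an added example that is not the paper's own code: tcpdump text lines are parsed into compact per-packet summaries, the summaries are batched under a token budget, and the API cost of a packet rate is computed. The capture lines are constructed, the 4-characters-per-token rule is a rough assumption (a real tokenizer would be exact), and `estimate_cost` takes the per-1,000-token price as $0.03, the value that reproduces the paper's $6.75 per minute for 50 packets/s at 75 tokens each.

```python
"""Parse tcpdump -n output into packet summaries, batch by token budget, estimate API cost."""
from __future__ import annotations
import math
import re
from dataclasses import dataclass

# Shape of a `tcpdump -n` line: "<time> IP <src>.<sport> > <dst>.<dport>: <details>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")
LEN_RE = re.compile(r"length (\d+)")


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    proto: str
    flags: str
    length: int

    def summary(self) -> str:
        """Compact one-line form that would be handed to the analysis model."""
        return (f"{self.ts} {self.proto} {_endpoint(self.src, self.sport)}->"
                f"{_endpoint(self.dst, self.dport)} flags={self.flags or '-'} len={self.length}")


def _endpoint(host: str, port: str) -> str:
    return f"{host}:{port}" if port else host


def _split_endpoint(ep: str) -> tuple[str, str]:
    """'10.0.0.7.22' -> ('10.0.0.7', '22'); a bare IPv4 host (e.g. ICMP) keeps no port."""
    host, _, port = ep.rpartition(".")
    if port.isdigit() and host.count(".") == 3:
        return host, port
    return ep, ""


def parse_line(line: str) -> Packet | None:
    """Return a Packet, or None for non-packet output such as the 'listening on' banner."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = _split_endpoint(m["src"])
    dst, dport = _split_endpoint(m["dst"])
    rest = m["rest"]
    if rest.startswith("UDP"):
        proto = "UDP"
    elif "Flags [" in rest:
        proto = "TCP"
    else:
        proto = "OTHER"
    flags = FLAGS_RE.search(rest)
    length = LEN_RE.search(rest)
    return Packet(m["ts"], src, sport, dst, dport, proto,
                  flags.group(1) if flags else "",
                  int(length.group(1)) if length else 0)


def parse_capture(text: str) -> list[Packet]:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]


def estimate_tokens(text: str) -> int:
    """Assumed rule of thumb: about 4 characters per token."""
    return max(1, math.ceil(len(text) / 4))


def batch_summaries(packets: list[Packet], token_budget: int) -> list[list[str]]:
    """Group summaries so that no batch exceeds token_budget estimated tokens."""
    batches, current, used = [], [], 0
    for p in packets:
        s = p.summary()
        t = estimate_tokens(s)
        if current and used + t > token_budget:
            batches.append(current)
            current, used = [], 0
        current.append(s)
        used += t
    if current:
        batches.append(current)
    return batches


def estimate_cost(packets_per_second: float, tokens_per_packet: float,
                  price_per_1k_tokens: float, seconds: float) -> float:
    """Cost of sending every packet's tokens to the API for `seconds` of traffic."""
    tokens = packets_per_second * tokens_per_packet * seconds
    return tokens / 1000 * price_per_1k_tokens


# Constructed capture text in tcpdump -n format (not a real capture).
SAMPLE_CAPTURE = """\
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.7.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 10.0.0.7.22 > 10.0.0.5.51234: Flags [S.], seq 0, ack 2, win 65160, length 0
12:00:01.000400 IP 10.0.0.5.51234 > 10.0.0.7.22: Flags [.], ack 1, win 502, length 0
12:00:02.000001 IP 10.0.0.5.5353 > 224.0.0.251.5353: UDP, length 45
12:00:03.000001 IP 10.0.0.5 > 10.0.0.7: ICMP echo request, id 1, seq 1, length 64
"""
```

Calling `batch_summaries(parse_capture(SAMPLE_CAPTURE), 40)` splits the five packets into three batches, and `estimate_cost(50, 75, 0.03, 60)` returns the paper's 6.75 for one minute of traffic.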
8. Conclusions

ChatGPT or similar AI models offer immense potential in significantly upgrading IDS. By incorporating AI algorithms, these enhanced systems provide heightened adaptability, superior pattern recognition, and precise real-time detection and response capabilities. This allows IDS to stay ahead of the constantly evolving threat landscape and deliver a more robust, proactive defense against cyber threats. However, despite these benefits, challenges remain and some areas still require further research. Enhancing the accuracy of AI-powered IDS and minimizing false positives remain crucial concerns.

As the field of AI and machine learning continues to advance, IDS are anticipated to become increasingly effective and efficient, further strengthening their ability to safeguard networks and computer systems from a broad spectrum of cyberthreats. Rising cybersecurity threats require modern solutions to protect critical infrastructure; this is a model to accomplish this task [23].
References List

[1] Delamore B., Ko R.K.L. Chapter 9 - Security as a service (SecaaS): An overview [Internet]. Ko R, Choo KKR, editors. ScienceDirect. Boston: Syngress; 2015 [cited 2023 May 15]. p. 187–203. Available from: https://www.sciencedirect.com/science/article/abs/pii/B9780128015957000094
[2] Niksefat S., Kaghazgaran P., Sadeghiyan B. Privacy issues in intrusion detection systems: A taxonomy, survey and future directions. Computer Science Review. 2017 Aug;25:6978.
[3] Aljanabi M., Ismail M.A., Ali A.H. Intrusion Detection Systems, Issues, Challenges, and Needs. International Journal of Computational Intelligence Systems. 2021;
[4] Aljanabi M., Ismail M.A., Ali A.H. Intrusion Detection Systems, Issues, Challenges, and Needs. International Journal of Computational Intelligence Systems. 2021;
[5] Liao H.J., Richard Lin C.H., Lin Y.C., Tung K.Y. Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications [Internet]. 2013 Jan;36(1):16–24. Available from: https://www.sciencedirect.com/science/article/pii/S1084804512001944
[6] Cybersecurity Spotlight: Signature-Based vs Anomaly-Based Detection [Internet]. CIS. Available from: https://www.cisecurity.org/insights/spotlight/cybersecurity-spotlight-signature-based-vs-anomaly-based-detection
[7] Repalle S., Ratnam Kolluru V. Intrusion Detection System using AI and Machine Learning Algorithm. International Research Journal of Engineering and Technology.
[8] Li W., Yi P., Wu Y., Pan L., Li J. A New Intrusion Detection System Based on KNN Classification Algorithm in Wireless Sensor Network. Journal of Electrical and Computer Engineering [Internet]. 2014 [cited 2019 Nov 24];2014:1–8. Available from: https://www.hindawi.com/journals/jece/2014/240217/
[9] Sommer R., Paxson V. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection. 2010 IEEE Symposium on Security and Privacy [Internet]. 2010 [cited 2019 Dec 6]; Available from: https://ieeexplore.ieee.org/abstract/document/5504793/
[10] Nobakht M., Sivaraman V., Boreli R. A Host-Based Intrusion Detection and Mitigation Framework for Smart Home IoT Using OpenFlow. 2016 11th International Conference on Availability, Reliability and Security (ARES). 2016 Aug;
[11] Jagadish H.V., Gehrke J., Labrinidis A., Papakonstantinou Y., Patel J.M., Ramakrishnan R., et al. Big data and its technical challenges. Communications of the ACM. 2014 Jul 1;57(7):86–94.
[12] Valdovinos I., Perez-Diaz J., Choo K.K., Botero J. Emerging DDoS attack detection and mitigation strategies in software-defined networks: Taxonomy, challenges and future directions. Journal of Network and Computer Applications [Internet]. 2021 Aug 1 [cited 2021 Sep 23];187:103093. Available from: https://www.sciencedirect.com/science/article/pii/S1084804521001156
[13] Drewek-Ossowicka A., Pietrołaj M., Rumiński J. A survey of neural networks usage for intrusion detection systems. Journal of Ambient Intelligence and Humanized Computing. 2020 May 12;12(1):497–514.
[14] Laghrissi F., Douzi S., Douzi K., Hssina B. IDS-attention: an efficient algorithm for intrusion detection systems using attention mechanism. Journal of Big Data. 2021 Nov 29;8(1).
[15] Khraisat A., Gondal I., Vamplew P., Kamruzzaman J. Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity [Internet]. 2019 Jul 17;2(1). Available from: https://cybersecurity.springeropen.com/articles/10.1186/s42400-019-0038-7
[16] Otoum Y., Nayak A. AS-IDS: Anomaly and Signature Based IDS for the Internet of Things. Journal of Network and Systems Management. 2021 Mar 4;29(3).
[17] Kim A., Park M., Lee D.H. AI-IDS: Application of Deep Learning to Real-Time Web Intrusion Detection. IEEE Access. 2020;8:70245–61.
[18] Kanimozhi V., Jacob T.P. Artificial Intelligence based Network Intrusion Detection with hyper-parameter optimization tuning on the realistic cyber dataset CSE-CIC-IDS2018 using cloud computing. ICT Express. 2019 Apr;
[19] William D. How AI can help improve intrusion detection systems [Internet]. GCN. Available from: https://gcn.com/cybersecurity/2020/04/how-ai-can-help-improve-intrusion-detection-systems/291266/
[20] Fernández G., Xu S. A Case Study on Using Deep Learning for Network Intrusion Detection [Internet]. [cited 2023 May 15]. Available from: https://cspecc.utsa.edu/publications/files/Xu_2019_Case_Study_Deep_Learning_Net_Intr_Detect.pdf
[21] OpenAI. OpenAI [Internet]. OpenAI. 2019. Available from: https://openai.com/
[22] tcpdump. TCPDUMP/LIBPCAP public repository. Tcpdump.org [Internet]. 2017; Available from: https://www.tcpdump.org
[23] Dawson M., Bacius R., Gouveia L.B., Vassilakos A. (2021). Understanding the challenge of cybersecurity in critical infrastructure sectors. Land Forces Academy Review, 26(1), 69–75.
... These systems can achieve up to 98% accuracy [75], enabling highly effective detection and preventing intrusions that could otherwise go unnoticed [76]. The integration of NLP with traditional IDS methods allows for a more comprehensive approach to security, as it enhances the system's ability to understand the context of various network events [77]. ...
... As cyber threats become more sophisticated, traditional security measures are often insufficient to detect and mitigate emerging risks [73]. AI technologies, particularly machine learning algorithms, can continuously analyze network traffic and identify suspicious patterns that might indicate an attack [74,77]. These systems can adapt to new and evolving threats, improving the ability to detect zero-day vulnerabilities and preventing unauthorized access [62,79]. ...
... AI-based intrusion detection systems (IDSs) utilize advanced machine learning techniques such as neural networks and decision trees to analyze network traffic and detect anomalous behaviors indicative of cyberattacks. Models like Transformers can process large volumes of network data, achieving detection accuracies of up to 98% [75,77]. These models are particularly effective in detecting sophisticated attack patterns and zero-day threats, where traditional methods may fail due to the dynamic and evolving nature of cyberattacks. ...
Article
Full-text available
Artificial intelligence (AI) transforms communication networks by enabling more efficient data management, enhanced security, and optimized performance across diverse environments, from dense urban 5G/6G networks to expansive IoT and cloud-based systems. Motivated by the increasing need for reliable, high-speed, and secure connectivity, this study explores key AI applications, including traffic prediction, load balancing, intrusion detection, and self-organizing network capabilities. Through detailed case studies, I illustrate AI’s effectiveness in managing bandwidth in high-density urban networks, securing IoT devices and edge networks, and enhancing security in cloud-based communications through real-time intrusion and anomaly detection. The findings demonstrate AI’s substantial impact on creating adaptive, secure, and efficient communication networks, addressing current and future challenges. Key directions for future work include advancing AI-driven network resilience, refining predictive models, and exploring ethical considerations for AI deployment in network management.
... Conclusions give the contribution of AI to making IDS more precise tools against hostile penetration through cyberspace; however, they are not risk-free. It can refer to drawbacks such as computational complexity, false positives/negatives, or even privacy issues that would become a research rationale later on [79]. ...
Article
Full-text available
The use of artificial intelligence (AI) technology signifies a significant milestone in the swiftly evolving domain of cybersecurity. This study offers a comprehensive literature review on the role, effect, and future prospects of AI across five critical areas of cybersecurity: threat detection, endpoint security, phishing and fraud detection, network security, and adaptive authentication. The study examines contemporary developments in AI for cybersecurity, highlighting the use of these technologies to enhance security protocols. We examine cutting-edge AI methodologies and principal models across many domains, including machine learning algorithms, deep learning architectures, natural language processing techniques, and anomaly detection algorithms, emphasizing their distinct contributions to enhancing security. Essential comparisons of AI models are presented for each area, outlining their main applications, advantages, and drawbacks. The article examines the assessment criteria and performance outcomes of AI-driven cybersecurity solutions. This report synthesizes previous research while identifying gaps and future prospects, including the integration of emerging AI approaches, the enhancement of real-time threat detection capabilities, and the addressing of changing attack vectors. By providing a holistic view of the current state and future potential of AI in cybersecurity, this paper aims to serve as a foundational reference for researchers and practitioners seeking to leverage AI for robust and adaptive security solutions.
... Typically, a security information and event management (SIEM) system is used to collect data centrally or to report any harmful activity or violation to an administrator. An SIEM system utilizes alarm filtering algorithms and aggregates outputs from several sources to differentiate between hostile activity and false warnings [2] [3]. IDSs are categorized based on their location within a system and the kind of activity they monitor. ...
Article
Full-text available
Due to the quick development of network technology, assaults have become more sophisticated and dangerous. Numerous strategies have been put out to target different types of attacks and conduct trials using various approaches. In order to maintain network integrity and ensure network security, intrusion detection systems, or IDSs, are necessary. In this work, we investigate the effects of several feature extraction methods on IDS performance. We analyze the performance of various feature extraction techniques on two well-known intrusion detection datasets, NSL-KDD and CICIDS2017. Two datasets are used to test these approaches. By lowering dimensionality, enhancing data quality, and enabling visualization, principal component analysis (PCA) is a useful preprocessing method. But it's crucial to take into account its drawbacks and use it in conjunction with other preprocessing methods as necessary. The results are classified using the Decision Tree (DT), Random Forest (RF), Extreme Gradient Boosting (XGBoost), and Naive Bayes algorithms. This study aims to compare the final intrusion detection accuracy of each model in order to assess the performance of these approaches and gain a better understanding of the robustness and generalizability of each strategy across different dataset features. The experimental findings showed that the RF method reached a maximum accuracy of 98.57% on the NSL-KDD dataset and 97.10% on the CICIDS2017 dataset when conventional preprocessing was applied. However, with an accuracy of 97.85%, the RF model proved to be the most dependable model when used on the NSL-KDD dataset with both standard and fusion preprocessing.With standard and fusion preprocessing, the RF model achieved the best accuracy of 98.56% in the instance of the CICIDS2017 dataset. The findings demonstrated that PCA-based fusion preprocessing is not always the best option.
... Despite advances in AI-based intrusion detection systems, difficulties persist. There is a need for improvement in detecting unexpected data properties and handling open-set settings when new threats develop [8]. Improved AI model training and testing datasets may assist, but the real difficulty is the model's capacity to react to changing threats. ...
Article
The increasing threat of Distributed DDoS attacks necessitates robust, big data-driven methods to detect and mitigate complex Network and Transport Layer (NTL) attacks. This paper proposes EffiGRU-GhostNet, a deep-learning ensemble model for high-accuracy DDoS detection with minimal resource consumption. EffiGRU-GhostNet integrates Gated Recurrent Units (GRU) with the GhostNet architecture, optimized through Principal Component Analysis with Locality Preserving Projections (PCA-LLP) to handle large-scale data effectively. Our ensemble was tested on IoT-23, APA-DDoS, and additional datasets created from popular DDoS attack tools. Simulations demonstrate a recognition rate of 98.99% on IoT-23 with a 0.11% false positive rate and 99.05% accuracy with a 0.01% error on APA-DDoS, outperforming SVM, ANN-GWO, GRU-RNN, CNN, LSTM, and DBN baselines. Statistical validation through Wilcoxon and Spearman’s tests further verifies EffiGRU-GhostNet’s effectiveness across datasets, with a Wilcoxon F-statistic of 7.632 (p = 0.022) and a Spearman correlation of 0.822 (p = 0.005). This study demonstrates that EffiGRU-GhostNet is a reliable, scalable solution for dynamic DDoS detection, advancing the field of big data-driven cybersecurity.
... Advanced algorithms and efficient data processing techniques enable these systems to analyze network traffic and detect malicious activities in real-time [39], [40]. This rapid detection allows organizations to respond to potential security incidents more quickly and effectively [41]. As a result, the window of opportunity for attackers is greatly reduced, and the potential impact of security breaches is minimized. ...
Article
Recently, the growing popularity of the Internet of Things (IoT) presents a promising opportunity not only for the expansion of various home automation systems but also for diverse industrial applications. By leveraging these benefits, automation is being implemented in industries, leading to the Industrial Internet of Things (IIoT). Although IoT simplifies daily activities that benefit human operations, it poses significant security challenges that warrant attention. Consequently, implementing an Intrusion Detection System (IDS) is a vital and effective solution. IDS aims to address the security and privacy challenges by detecting various IoT attacks. Various IDS methodologies, including those using Machine Learning (ML), Deep Learning (DL) and Large Language Models (LLMs), are employed to identify intrusions within the data; however, improvements to the detection systems are still needed. A literature survey on IDS in the IoT domain is provided, focusing primarily on the recent approaches used in the field. The survey aims to evaluate the literature, identify current trends, retest these approaches on recent data, and highlight open problems and future directions.
... The efficiency of integrating LLMs in IDS was also shown in a study by Markevych et al. [195], which highlights successful applications in sectors like banking and financial services, where AI-driven IDS have demonstrated high efficacy. However, challenges related to computational complexity, data privacy, and scalability remain. ...
Article
The emergence of Large Language Models (LLMs) is currently creating a major paradigm shift in societies and businesses in the way digital technologies are used. While the disruptive effect is especially observable in the information and communication technology field, there is a clear lack of systematic studies focusing on the application and impact of LLMs in cybersecurity holistically. This article presents an exhaustive systematic literature review of 177 articles published in 2018-2024 on the application of LLMs and the use of Artificial Intelligence (AI) as a defensive measure in cybersecurity. This article contributes an analytical compendium of the recent research on the application of LLMs in offensive and defensive cybersecurity as well as in research on cyberethics, current legal frameworks, and research regarding the use of LLMs for cybersecurity governance. It also contributes a statistical summary of global research trends in the field. Of the reviewed literature, 68% was published in 2023. Nearly 30% of the articles originate from the USA and 11% from China, with other countries currently having significantly lower contributions to recent research. Most attention in recent research has been given to AI as a defensive measure, accounting for 27% of the reviewed literature. It was observed that LLMs have proven highly effective in phishing attack simulations and in managing cybersecurity administrative aspects, including defending against advanced exploits. Furthermore, LLMs show significant potential in the development of security software, further cementing their role as a powerful tool in cybersecurity innovation.
Chapter
This chapter explores the essential organizational and cultural prerequisites for successfully integrating Artificial Intelligence (AI) into network security. This research employs a qualitative methodology, including a comprehensive literature review, to analyze internal needs and address ethical considerations such as bias, privacy, and fairness. This study examines the impact of organizational culture on the acceptance and effectiveness of AI-based solutions. It emphasizes the significance of end-user trust in AI-driven security alerts. The findings highlight the necessity of organizational readiness and cultural adaptation for the effective implementation of AI in network security, concluding that a comprehensive approach is essential for maximizing AI's potential in enhancing security measures. This research will benefit cybersecurity professionals, organizational leaders, and policymakers seeking to understand and navigate the complexities of AI integration in network security.
Article
Network attacks are illegal activities on digital resources within an organizational network with the express intention of compromising systems. A cyber attack can be directed by individuals, communities, states or even from an anonymous source. Hackers commonly conduct network attacks to alter, damage, or steal private data. Intrusion detection systems (IDS) are the best and most effective techniques when it comes to tackling these threats. An IDS is a software application or hardware device that monitors traffic to search for malevolent activity or policy breaches. Moreover, IDSs are designed to be deployed in different environments, and they can either be host-based or network-based. A host-based intrusion detection system is installed on the client computer, while a network-based intrusion detection system is located on the network. IDSs based on deep learning have been used in the past few years and have proved their effectiveness. However, these approaches produce a big false negative rate, which impacts the performance and potency of network security. In this paper, a detection model based on long short-term memory (LSTM) and an Attention mechanism is proposed. Furthermore, we used four reduction algorithms, namely: Chi-Square, UMAP, Principal Components Analysis (PCA), and Mutual Information. In addition, we evaluated the proposed approaches on the NSL-KDD dataset. The experimental results demonstrate that using Attention with all features and using PCA with 03 components had the best performance, reaching an accuracy of 99.09% and 98.49% for binary and multiclass classification, respectively.
Article
The cybersecurity of critical infrastructures is an essential topic within national and international security as 16 critical infrastructure sectors touch various aspects of American society. Because the failure to provide adequate cybersecurity controls within the critical infrastructure sectors renders the country open to an attack that could have a debilitating effect on security, national public health, safety, and economic security, this matter is so vital that Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience, advances a national policy to strengthen and maintain secure, functioning and resilient critical infrastructure. An organization identified as the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) has the mission to be the risk advisor for the United States (US). Other organizations, such as the National Security Agency (NSA), have approved a specific Knowledge Unit (KU) to address cybersecurity for critical infrastructures associated with doctoral-level granting programs. To address this challenge, it is necessary to identify threats better and defend against them while mitigating risks to an acceptable level. Only then can a nation build a more secure and resilient infrastructure for the future while defending against present-day bad actors, as cyberwarfare, cyber espionage, and cybersecurity attacks are the modern-day threats that need to be addressed in planning, designing, implementation, and maintenance. Therefore, the researchers developed a case study reviewing threats against different sectors defined in the PPD.
Article
The Internet of Things (IoT) is a massively extensive environment that can manage many diverse applications. Security is critical due to potential malicious threats and the diversity of the connectivity. Devices can protect themselves and detect threats with the Intrusion Detection System (IDS). IDS typically uses one of two approaches: anomaly-based or signature-based. This paper proposes a model (known as “AS-IDS”) that combines these two approaches to detect known and unknown attacks in IoT networks. The proposed model has three phases: traffic filtering, preprocessing and the hybrid IDS. In the first phase, the arrival traffic is filtered at the IoT gateway by matching packet features, after which the preprocessing phase applies a Target Encoder, Z-score and Discrete Hessian Eigenmap (DHE) to encode, normalize and eliminate redundancy, respectively. In the final phase, the hybrid IDS integrates signatures and anomalies. The signature-based IDS subsystem investigates packets with Lightweight Neural Network (LightNet), which uses Human Mental Search (HMS) for traffic clustering in the hidden layer and Boyer Moore is used to search for a particular signature in the output layer that is accelerated by using the Generalized Suffix Tree (GST) algorithm and by matching the signatures it classifies the attacks as intruder, normal or unknown. The anomaly-based IDS subsystem employs Deep Q-learning to identify unknown attacks, and uses Signal to Noise Ratio (SNR) and bandwidth to classify the attacks into five classes: Denial of Service (DoS), Probe, User-to-Root (U2R), Remote-to-Local (R2L), and normal traffic. Detected packets are then generated with new signatures, using the Position Aware Distribution Signature (PADS) algorithm. The proposed AS-IDS is implemented in real-time traffic with the NSL-KDD dataset, and the results are evaluated in terms of Detection Rate (DR), False Alarm Rate (FAR), Specificity, F-measure and computation time.
Article
Intrusion detection systems (IDSs) are one of the promising tools for protecting data and networks; many classification algorithms, such as neural network (NN), Naive Bayes (NB), decision tree (DT), and support vector machine (SVM), have been used for IDS in the last decades. However, these classifiers do not work well if they are applied alone, without any other algorithms that can tune the parameters of these classifiers or choose the best subset of features of the problem. Such parameters are C and gamma in SVM, which affect the performance of SVM if not tuned well. Optimization algorithms such as the genetic algorithm (GA), particle swarm optimization (PSO) algorithm, ant colony algorithm, and many other algorithms are used along with classifiers to improve the work of these classifiers in detecting intrusion and to increase the performance of these classifiers. However, these algorithms suffer from many shortcomings, especially when applied to detect new types of attacks, and a need for new algorithms such as the JAYA algorithm and the teaching learning-based optimization (TLBO) algorithm arises. In this paper, we review the classifiers and optimization algorithms used in IDS, state their strengths and weaknesses, and provide researchers with alternative algorithms that could be used in the field of IDS in future works.
Article
In recent years, advancements in the field of artificial intelligence (AI) gained huge momentum due to the worldwide application of this technology by industry. One of the crucial areas of AI is neural networks (NN), which enable commercial utilization of functionalities previously not accessible by the usage of computers. Intrusion detection systems (IDS) present one of the domains in which neural networks are widely tested for improving overall computer network security and data privacy. This article gives a thorough overview of recent literature regarding neural network usage in the intrusion detection system area, including surveys and new method proposals. Short tutorial descriptions of neural network architectures, intrusion detection system types and training datasets are also provided.
Article
Deep Learning has been widely applied to problems in detecting various network attacks. However, no cases on network security have shown applications of various deep learning algorithms in real-time services beyond experimental conditions. Moreover, owing to the integration of high-performance computing, it is necessary to apply systems that can handle large-scale traffic. Given the rapid evolution of web-attacks, we implemented and applied our Artificial Intelligence-based Intrusion Detection System (AI-IDS). We propose an optimal convolutional neural network and long short-term memory network (CNN-LSTM) model, normalized UTF-8 character encoding for Spatial Feature Learning (SFL) to adequately extract the characteristics of real-time HTTP traffic without encryption, calculating entropy, and compression. We demonstrated its excellence through repeated experiments on two public datasets (CSIC-2010, CICIDS2017) and fixed real-time data. By training payloads that analyzed true or false positives with a labeling tool, AI-IDS distinguishes sophisticated attacks, such as unknown patterns, encoded or obfuscated attacks, from benign traffic. It is a flexible and scalable system that is implemented based on Docker images, separating user-defined functions by independent images. It also helps to write and improve Snort rules for signature-based IDS based on newly identified patterns. As the model calculates the malicious probability by continuous training, it could accurately analyze unknown web-attacks.
Article
Cyber-attacks are becoming more sophisticated and thereby presenting increasing challenges in accurately detecting intrusions. Failure to prevent the intrusions could degrade the credibility of security services, e.g. data confidentiality, integrity, and availability. Numerous intrusion detection methods have been proposed in the literature to tackle computer security threats, which can be broadly classified into Signature-based Intrusion Detection Systems (SIDS) and Anomaly-based Intrusion Detection Systems (AIDS). This survey paper presents a taxonomy of contemporary IDS, a comprehensive review of notable recent works, and an overview of the datasets commonly used for evaluation purposes. It also presents evasion techniques used by attackers to avoid detection and discusses future research challenges to counter such techniques so as to make computer systems more secure.
Article
Software-defined networking (SDN) is a network paradigm that decouples control and data planes from network devices and places them into separate entities. In SDN, the controller is responsible for controlling the logic of the entire network while network switches become forwarding elements that follow rules to dispatch flows. There are, however, several limitations in such a paradigm, as compared to conventional networking. For example, the controller is sensitive to a broad range of attacks, with DDoS attacks being especially important due to the centralized nature of the controller and to their huge increase during 2020, since the number of DDoS attacks during Q2 increased three-fold compared to the same period in 2019. In this paper, we provide a systematic survey of existing DDoS detection and mitigation strategies in SDN. Based on the review of articles published between 2013 and May 2020, we provide an original taxonomy that includes well-known strategies for DDoS detection like statistical, SDN architecture, and machine learning, and we also include in the taxonomy emerging technologies like network function virtualization, blockchain, honeynet, network slicing, and moving target defense-based strategies for DDoS detection and mitigation. We also discuss existing challenges associated with SDN security and with the implementation of these emerging technologies, and finally, we identify several future research opportunities.