12445
Network Intrusion Detection System Based on Machine Learning
Kalyani Upadhyay Department of AIML [email protected]
Guided by: Dr Jayakumar k Department of Analytics
Abstract—Theperceivability to distinguish the fast development of Internet assaults turns into a significant issue in network security. Intrusion detection system (IDS) goes about as an important supplement to firewall for checking packets on the network, performing investigation and analysis response to the malicious traffic. Intrusion detection system is a sort of framework or device that save a watch on a system or framework for criminal behavior or illegal activities. Any unlawful interruption action is by and large answered to the administrator. The most recent decade has seen fast headways in machine learning techniques empowering automation and forecasts in scales never envisioned. This further prompts scientists and specialists to imagine new applications for these excellent strategies. It wasn't well before machine learning methods were utilized in strengthening network security systems. The few intrusion detection approaches are proposed so far to anticipate pernicious traffic from the computer network. In this paper, existing methods of intrusion detection are evaluated and a new methodology is indicated dependent on Machine learning algorithms for the network traffic order. where comparative study is shown with respect to the accuracy based on different machine learning models for analyzing the malicious activities going on in your system.
Keywords—Network Security; Intrusion Detection; Malicious traffic; Network Traffic Classification; Feature Extraction I. INTRODUCTION
Internet has associated the world internationally. In this Internet climate, there are numerous dangers of organization assaults. With the data thickness and worldwide come to, the danger of uprightness and secrecy has additionally expanded. Breaking the security of network has gotten so natural. Thus, the organization security improvement is brought into spotlight nowadays. Organization security is demonstration of ensuring and forestalling unapproved break in any sort of organization. It includes network intrusion detection which screen the organization. Network intrusion detection is set at some essential point in the organization to screen traffic from source to objective devices inside the organization. In a perfect world, the system would examine all inbound and outbound traffic; nonetheless, this may make a bottleneck that would impede the general speed of the system. In conclusion, these instruments are furnished with machine learning algorithm so the system turns out to be more responsive and gives preciseoutcomes.Interruption exercises leave proof in review information; thusly, the example of the ordinary and noxious exercises can be learnt and recognized with the assistance of ML algorithms.
Machine Learning algorithm can "learn" the patterns of the system and can report abnormalities with unlabeled dataset. It can recognize new kinds of interruptions however is inclined to false positive alerts. Henceforth, many Machine Learning algorithm is disused further. To diminish the false positives, we can present a label dataset and fabricate a regulated ml model by showing it the distinction between an ordinary and an assault packet in the organization. The regulated model can deal with the known assaults deftly and can likewise perceive varieties of those assaults. Machine Learning algorithm will be examined (Knn, naïve bayes, logistic regression,Decision Tree).The most significant and dull cycle of beginning with Machine learning models is getting dataset. We use network intrusion detection Data from Kaggle to construct prescient models fit for recognizing interruptions or assaults, and significant associations.
The dataset to be examined was given which comprises of a wide assortment of interruptions reproduced in a military organization climate. It established a climate to gain crude TCP/IP dump information for an organization by reproducing a normal US Air Force LAN. The LAN was engaged like a genuine climate and impacted with numerous assaults. An association is a succession of TCP parcels beginning and finishing sooner or later term between which information streams to and from a source IP address to an objective IP address under some very much characterized convention. Likewise, every association is named as one or the other typical or as an assault with precisely one explicit assault type. Every association record comprises of around 100 bytes.
For every TCP/IP association, 41 quantitative and subjective highlights are gotten from typical and assault
12446 information (3 subjective and 38 quantitative highlights). The class variable has two classifications:
• Normal
• Anomaly
Data must be prepared before it very well may be utilized inside an ml calculation. This implies that the features must be picked. A few components can be not difficult to track down; other need to establish by testing and running tests. Utilizing all the features of a dataset doesn't really ensure the best exhibitions from the IDS. It may expand the computational expense just as the mistake pace of the system. This is on the grounds that a few features are excess or are not helpful for making a differentiation between various classes. The principal commitment of this dataset is the presentation of master recommended ascribes which help to comprehend the conduct of various sorts of assault.
II Literature survey
Security is imperative to network. Intrusion Detection System are one of the significant structure squares of a safe, dependable organization and are utilized broadly alongside the other security projects and ideas. As the time passes, their significance becomes clearer. As of late, there have been some intriguing explores on organic insusceptible frameworks as a model for interruption recognition. In this article we portray IDS, including an outline of its sorts, methods, and investigate various IDS plans dependent on organically roused biologically connected idea, (AIS), which can be a future bearing in IDS planning field.
Thinking about the solid speculation capacity, high arranging exactness and such focal points the help vector machine (SVM) shows in practices includes little example, high measurement, we will mostly focus in on considering and culminating the SVM strategies in interfere recognizing. ID consistently creates immense datasets;
such crude informational collections are unequipped for being preparing because of its enormous scope and high measurement and IDS consistently has the burdens, for example, over-stacked, possessing a lot of asset, an augmentation of preparing and estimating time... thusly, the improvement of reasonable data turns out to be such a need.
As a sort of powerful data security defend measure, interruption location compensates for the deformities of customary security insurance methods. As a sort of powerful information examination strategy,information mining is brought into ids. This paper advances applying data mining innovation to interruption location frameworks and afterward plans information preprocessing module, affiliation investigation module and group module separately.
Late years have seen a developing interest in computational strategies dependent on common wonders with biologically motivated procedures. The utilization of invulnerable components in interruption recognition is an engaging idea. This paper audits and surveys the similarity between the human safe framework and interruption recognition frameworks. We show how resistant representations can be utilized proficiently to construct ids to secure system. The paper reasons that the plan of a novel ids dependent on the human immune system is promising for future ids.
The main motivation behind ids is to recognize assaults against network. It is a security strategy endeavoring to recognize different assaults. In this paper, we looked into grunt as abuse-based interruption recognition framework just as NETAD, ALAD, LERAD as peculiarity-based algorithms.
This paper advances another technique for strange interruption discovery dependent on system call. It utilizes system calls viewed as info, and makes a finite state automaton for the capacities in the program. At that point the FSA is utilized to identify the assault. Also, it can discover the spot of the weakness which exists in the program. This can assist with modifying the source program. Results are demonstrated that this technique is powerful for some interruption occasions.
System to give a viable way to interruption protection. Applying the interruption identification innovation to database a viable strategy for empowering data sets to have positive and dynamic security instruments. This paper makes a serious investigation of a database ids, particularly an abnormality recognition innovation dependent on information mining first and afterward advances a sort of acknowledgment dependent on Trie tree for the algorithm of association rules - Apriori lastly utilizes Apriori calculation to understand the extraction of client conduct rules.
ID consistently produces enormous informational indexes; such crude informational indexes are unequipped for being preparing because of its huge scope and high measurement and excess. Interruption identification framework consistently has the disservices, for example, over-stacked, possessing an excess of asset, an augmentation of
12447 preparing and gauging time... hence, the disentanglement of pragmatic data turns out to be such a need. R-SVM and Rough set were utilized for demanding fundamental highlights of crude information, and numerous sorts of characterization calculations were utilized here and it has been tried by KDDCUP1999 date set. The outcome shows that, the SVM grouping dependent on R-SVM runs magnificent, its precision is pretty much as great as the SVM characterization dependent in general highlights and extensively diminishes the preparation and testing time
Precision for Intrusion identification should be upgraded to diminish false alarm and to build the discovery rate. To improve the exhibition, various procedures have been utilized in late works. Dissecting enormous organization traffic information is the principle work of ids. An efficient characterization approach is needed to defeat this issue.
This issue is adopted in proposed strategy. AI procedures like Support Vector Machine (SVM) and Naïve Bayes are applied. These strategies are notable to tackle the order issues. For assessment of interruption recognition framework, NSL-KDD information revelation Dataset is taken. The results show that SVM works in a way that is better than Naïve Bayes. To perform near investigation, compelling characterization strategies like Support Vector Machine and Naive Bayes are taken, their precision and misclassification rate get determined
Consistently, the IDS innovation has developed immensely to stay aware of the headway of system wrongdoing.
Since the start of the innovation in mid-80's, explores have been led to upgrade the capacity of identifying assaults without endangering the organization execution. In this paper we desire to give a basic survey of the IDS innovation, gives that unfold during its usage and the limit in the IDS research attempts. Finally, we will be proposed future work while investigating development of the theme, the degree of conversation, the worth and commitment of each examination to the space talked about. Toward the finish of this paper, peruses would have the option to unmistakably recognize the hole between each sub-territory of exploration and they would value the significance of these examination territories to the business.
III Proposed Model
Data Representation Phase, to decrease data so much as conceivable with no data misfortune, and required particular arranging, preparing and testing. The issues determined from the framework investigation are.
To give an ideal and proficient figuring data for IDS.
To channel false rates and increase increasedetection_rate.
To find assault examples and show fitting Train_data size is (25192,40)
Test_data size is (22542,40)
Feature Selection is the cycle where you naturally or manually select those features which contribute most to
your prediction variable or yield in which you are keen on. Having irrelevant features in your information can diminish the precision of the models and cause your model to learn dependent on irrelevant features.
We use RFE for the feature Selection process.RFE is anfeature_selection strategy that fits a model and eliminates the most vulnerable feature (or features) until the predetermined number of features is reached
List of Feature Selected Source_bytes
Destination_bytes Logged in
Count Server_count Same_Server_count Different_server_count
Destination_Host_server_count Destination_HostSame_server count Destination_Host_Different_server_count Destination_Host_same_source_port_rate Destination_Host_Different_source_port rate
12448 Protocol_type
Service Flag
As referenced in the Introduction, this work plans to improve the exhibition of organization intrusion detection system developing a machine learning model. For the purpose of clarity, the phases of the framework structure are recorded as follows:
Select Dataset.
Cleaning Dataset.
Split Train and Test.
Applying Classification algorithms.
Prediction.
The dataset to be examined was given which comprises of a wide assortment of interruptions reproduced in a military organization climate. It established a climate to gain crude TCP/IP dump information for an organization by reproducing a normal US Air Force LAN. The LAN was engaged like a genuine climate and impacted with numerous assaults. An association is a succession of TCP parcels beginning and finishing sooner or later term between which information streams to and from a source IP address to an objective IP address under some very much characterized convention. Likewise, every association is named as one or the other typical or as an assault with precisely one explicit assault type. Every association record comprises of around 100 bytes.
For every TCP/IP association, 41 quantitative and subjective highlights are gotten from typical and assault information (3 subjective and 38 quantitative highlights). The class variable has two classifications:
• Normal
• Anomaly
Training data is split into 70% and testing data is split into 30%.
Applying classification algorithm on train and test data sets and will find which of the algorithm’s accuracy is the best.
Logistic regression is a machine learning algorithm for classification. In this algorithm, the probabilities describing the possible outcomes of a single trial are modelled using a logistic function.
For train dataset: -
Model accuracy is 0.9548599296812975 For test dataset: -
Model accuracy is 0.9551468642498016
Naive Bayes algorithm based on Bayes’ theorem with the assumption of independence between every pair of features. Naive Bayes classifiers work well in many real-world situations such as document classification and spam filtering
For train dataset: -
Model accuracy is 0.9071679709651809 For test dataset: -
Model accuracy is 0.906721354855782
12449 Neighbors based classification is a type of lazy learning as it does not attempt to construct a general internal model, but simply stores instances of the training data. Classification is computed from a simple majority vote of the k nearest neighbors of each point.
For train dataset: -
Model accuracy is 0.9937620505840989 For test dataset: -
Model accuracy is 0.9916644614977508
Given a data of attributes together with its classes, a decision tree produces a sequence of rules that can be used to classify the data.
For train dataset: - Model accuracy is 1.0 For test dataset: -
Model accuracy is 0.9947075946017465
In this the model accuracy of decision tree is the greatest for both the train and test dataset.
Prediction for test data: -
Values of predicted Logistic regression Anomaly:-9167
Normal:-13377 Total_data: -22544
Values of predicted Naive Bayes Anomaly:-8284
Normal: -14260 Total_data:-22544 Values of predicted knn Anomaly: -8930 Normal: -13614 Total_data: -22544
Values of predicted decision tree Anomaly:-11731
12450 Normal:-10813
Total_data:-22544
Fig no. 1
Fig no. 2
IV Conclusion
This system will show how ML methods are fit for decreasing malignant action going on in any system. This system utilizes ML to make a model reenacting activities and afterward contrasts new conduct and the current model.
IDS utilizing many Machine Learning Techniques were talked about in here:
● Logistic regression
● Nayesbais
● knn
● Decision Tree
Various methods perform better in different measurements. The IDS ought to give the best arrangements dependent on the prerequisites. One thing is certain, any organization neglecting to receive these strategies now or in the short term hazard trading off information or more terrible servers.
V Future Scope
Sellers are likely so as to extend the extent integrity checking programs to incorporate more than just gadget driver or ids capacities and furthermore to give ongoing runtime alerting. It would not be astounding, for instance, to adapt soon sooner rather than later that at least one merchants had joined the business Tripwire device into a working framework
VI References
1) Yunlu Gong, Shingo Mabu, C. Chen, Yifei Wang and K. Hirasawa, "Intrusion detection system combining misuse detection and anomaly detection using Genetic Network Programming," 2009 ICCAS-SICE, Fukuoka, 2009, pp.
12451 3463-3467.
2) A. Borkar, A. Donode and A. Kumari, "A survey on Intrusion Detection System (IDS) and Internal Intrusion Detection and protection system (IIDPS)," 2017 International Conference on Inventive Computing and Informatics(ICICI),Coimbatore, 2017, pp. 949-953,doi,10.1109/ICICI.2017.8365277.
3) S. OUIAZZANE, M. ADDOU and F. BARRAMOU, "A Multi- Agent Model for Network Intrusion Detection,"
2019 1st International Conference on Smart Systems and Data Science (ICSSD), Rabat, Morocco, 2019, pp. 1-5, doi: 10.1109/ICSSD47982.2019.9003119
4) L. Hong, "Immune Mechanism Based Intrusion Detection Systems," 2009 International Conference on Networks Security, WirelessCommunications and Trusted Computing, Wuhan, Hubei, 2009, pp. 568-571, doi:
10.1109/NSWCTC.2009.22.
5) S.Jayachitra, A.Prasanth, 'Multi-Feature Analysis for Automated Brain Stroke Classification Using Weighted Gaussian Naïve Baye’s Classifier', Journal of Circuits, Systems, and Computers, 2021, 1-20.
6) Yue Shen, Fei Yu, Ling-fen Zhang, Ji-yao An and Miao-liang Zhu, "An intrusion detection system based on system call," 2005 1st IEEE and IFIP International Conference in Central Asia on Internet, Bishkek, 2005, pp. 4 pp.-, doi:
10.1109/CANET.2005.1598184.
7) S. KanagaSubaRaja, S. UshaKiruthika, ‘An Energy Efficient Method for Secure and Reliable Data Transmission in Wireless Body Area Networks Using RelAODV’, International Journal of Wireless Personal Communications, ISSN 0929-6212, Volume 83, N0. 4, pp. 2975-2997,2015.
8) A. EshghiShargh, "Using Artificial Immune System on Implementation of Intrusion Detection Systems," 2009 Third UKSim European Symposium on Computer Modeling and Simulation, Athens, 2009, pp. 164-168, doi:
10.1109/EMS.2009.45.
9) G. Shang-fu and Z. Chun-lan, "Intrusion detection system based on classification," 2012 IEEE International Conference on Intelligent Control, Automatic Detection and High-End Equipment, Beijing, 2012, pp. 78-83, doi:
10.1109/ICADE.2012.6330103.
10) Xiuqiao Wang, "Intrusion Detection System based on Data Mining," 2011 International Conference on Computer Science and Service System (CSSS), Nanjing, 2011, pp. 3306-3308, doi: 10.1109/CSSS.2011.5974377
11)Chie-Hong L, Yann-Yean S, Yu-Chun L, Shie-Jue L (2017) Machine learning based network intrusion detection.
In: IEEE 2nd international conference on computational intelligence and applications, pp 79–83
12)Constantinos K, Kambourakis G (2014) Intrusion detection in wireless networks using nature inspired algorithms.
In: University of Aegean (Doctoral thesis), pp 93–96
13)Amarnath P, Jyoti V (2015) Classification rule and exception mining using nature inspired algorithms. Int J Computer SciInfTechnol 6(3):3023–3030
14)Obinna I, Ihab D, Tarek S (2016) Distributed network intrusion detection systems: an artificial immune system approach. In: IEEE first international conference on connected health: applications, systems and engineering technologies (CHASE), pp 101–106
15)Sanjay K, Ari V, Timo H (2017) Machine learning classification model for network based intrusion detection system. In: 11th international conference for internet technology and secured transactions (ICITST), pp 242–249 16)Ali M (2018) Computer network intrusion detection using various classifiers and ensemble learning. In: 26th signal
processing and communications applications conference (SIU), pp 1–4
