Evaluation of Machine Learning Model for Network Anomaly Detection: Support Vector Machine

Abstract

Effective network anomaly detection plays a pivotal role in safeguarding digital assets against evolving cyber threats in cybersecurity. In this study, the NSL-KDD dataset was used to investigate anomaly detection using support Vector Machines (SVM) with various kernels: linear, polynomial, radial basis function (RBF), and sigmoid. The linear kernel SVM achieved a high accuracy of 99.47% and an F-score of 99.47%. Despite its strong overall performance, indicated by a weighted average F-score of 0.99, the macro average F-score of 0.79 suggested variability in class performance. Several classes, such as 0, 11, 12, 13, and 20, achieved perfect precision and recall, while classes 1, 7, 8, 16, and 19 had zero recall and F-scores. The Polynomial Kernel SVM demonstrated an accuracy of 99.55% and an F-score of 99.53%. It also showed high precision and recall for many classes, achieving a weighted average F-score of 1.00. However, the macro average F-score of 0.72 indicated notable variation, with poor performance in classes 1, 7, 8, 16, 19, and 22. The RBF Kernel SVM also recorded an accuracy of 99.55% and an F-score of 99.53%, with a macro and weighted average of 0.48 and 0.92 respectively. While several classes achieved perfect scores, significant performance drops were observed in classes 1, 7, 8, 16, 19, and 22. The Sigmoid Kernel SVM showed a lower overall effectiveness with an accuracy of 92.11% and an F-score of 91.80%. The macro and the weighted average of 0.79 and 0.99 respectively and exhibited considerable inconsistency, with some classes achieving high precision and recall while 1, 8, 12, 13, 16, 19, and 22, performed poorly. While the Linear and Poly Kernels showed strong overall performance, the RBF and Sigmoid Kernels exhibited greater variability across different classes, with the Sigmoid Kernel being the least effective for anomaly detection in this dataset.