Cascaded intrusion detection system using machine learning

Abstract

Cybercrime is becoming an increasing concern these days. In response to the growing cyberthreat, various intrusion detection systems have been developed and proposed to detect anomalies. However, most detection systems suffer from some common issues, such as a high number of false positives that cause regular behaviors to be detected as intrusions, as well as the system’s excessive complexity. Many single classifier models have accuracy issues since they are unable to detect certain anomalies caused by the attack’s polymorphic and zero-day behavior. The signature-based intrusion detection system (SIDS) is unable to identify zero-day intrusions. On the other side, the anomaly-based intrusion detection system (AIDS) generates a significant number of false-positive alarms. In this research, a cascaded intrusion detection system (CIDS) is proposed by combining the one-class support vector machine (OC-SVM)-based AIDS and the decision tree-based SIDS. OC-SVM is used in conjunction with the newly built Distance-Based Intrusion Classification System (DICS). SIDS that use decision trees can discover and classify anomalies. Because OC-SVM is a binary classifier, the intrusion type is determined by DICS. The suggested method aims to detect both popular and well-known zero-day attacks, as well as their type. The CIDS is evaluated using publicly available benchmark datasets, such as the Knowledge Discovery in Databases (KDD) Cup 1999 and the NSL-KDD dataset. The results of the proposed study show that CIDS outperformed both traditional SIDS and AIDS in terms of performance. Both anomalies and their types are detected with high accuracy.