Development of Various Stacking Ensemble-Based HIDS Using ADFA Datasets

Abstract

The rapid increase in the number of cyber attacks and the emergence of various attack variations pose significant threats to the security of computer systems and networks. Various intrusion detection systems (IDS) are developed to defend computer systems and networks in response to these threats. One type of IDS, known as a host-based intrusion detection system (HIDS), focuses on securing a single host. Numerous HIDS have been proposed in the literature, incorporating various detection methods. This study develops multiple machine learning (ML) models and stacking ensemble based HIDS that can be used as detection methods in HIDS. Initially, n-grams, standard bag-of-words (BoW), binary BoW, probability BoW, and term frequency-inverse document frequency (TF-IDF) BoW methods are applied to the ADFA-LD and ADFA-WD datasets. Mutual information and k-means methods are used together for feature selection on the resulting BoW datasets. Individual models are created using either selected features or all features. Subsequently, the outputs of these individual models are used in extreme gradient boosting (XGBoost) and adaptive boosting (AdaBoost) models to develop stacking ensemble based models. The experimental results show that the best accuracy (ACC) among models using ADFA-LD based BoW datasets is achieved by the stacking ensemble based XGBoost model, which has an ACC of 0.9747. This XGBoost model utilizes the standard BoW dataset and selected features. Among models using ADFA-WD based BoW datasets, the stacking ensemble based XGBoost is also the most successful in terms of ACC, with an ACC of 0.9163, using the standard BoW dataset and all features.