i-2NIDS: A Novel Intelligent Intrusion Detection Approach for Strong Network Security

The potential of machine learning mechanisms has played a key role in improving the intrusion detection task. However, other factors, such as data quality, overfitting, and class imbalance, may greatly affect the performance of an intelligent intrusion detection system (IDS). To tackle these issues, this paper proposes a novel machine learning-based IDS called i-2NIDS. The novelty of this approach lies in the application of the nested cross-validation method, which requires two loops: the inner loop selects the hyperparameters that yield the least error on the training folds, while the outer loop estimates the error on the test set. The experiments showed significant improvements on the NSL-KDD dataset, with test accuracy rates of 99.97%, 99.79%, 99.72%, 99.96%, and 99.98% in detecting normal activities, DDoS/DoS, Probing, R2L, and U2R attacks, respectively. The obtained results confirm the efficiency and superiority of the approach over other recent experiments.


INTRODUCTION
Due to the overuse of the internet and the recent technological revolution, we are drowning in the rampant growth of a massive amount of data (Behera & Bhaskari, 2017). Furthermore, people need to disclose their personal information and exchange sensitive data in order to stay connected, communicate with each other, and benefit from other upsides of cyberspace, such as e-commerce, online work, and cloud storage. Therefore, the safety and confidentiality of internet users' information has become more vulnerable to intrusions and attacks. Many research studies have shed light on Intrusion Detection Systems (IDSs), which are proficient software systems for detecting intrusive activities by examining all traffic flow over different environments and internet technologies (Ramdane & Chikhi, 2014; Shukla & Singh, 2019). However, their performance still needs to be updated and improved, since an IDS requires additional maintenance effort and human intervention (Ennaji et al., 2021). Additionally, it frequently notifies users about false positives more often than about real intrusions (Patel et al., 2012).
To fill this void, the vast majority of researchers have opted for machine learning algorithms. The latter are widely applied to deal with the limitations of intrusion detection systems, since they have a high potential for making better identification and prediction of security threats without any intervention from the user (Stone, 1974). However, an intelligent IDS cannot make good predictions when its parameters are incorrectly selected, or in the presence of classification issues such as underfitting, overfitting, and imbalanced data.
For this reason, there is a useful technique, namely cross-validation. It is a resampling procedure for determining and selecting the appropriate parameters, i.e., those that yield the least test error. It is a well-known evaluation method for machine learning models that shows how well a model will perform on independent test data that has not been used during its training phase (Stone, 1974). This approach proceeds by splitting the cleaned dataset into k chunks of equal size. One partition is considered as a validation set, and the model is fitted on the remaining k-1 partitions, which constitute the training partitions. The analysis is then performed on each fold. Finally, the average of the scores over all partitions gives the overall error estimate. Hence, the cross-validation technique provides a better utilization of the data, and it comes in different types. The most commonly used are:
• Holdout cross-validation: The simplest type of cross-validation. It randomly separates the data into training and test sets. The more data is used for the model's training, the better its performance will be.
• K-Fold cross-validation: The dataset is equally split into k folds, then the holdout approach is repeated k times until each fold has served as the test set, with the other k-1 folds as the training set.
• Stratified K-Fold cross-validation: The dataset is divided into k partitions such that each validation set contains an equal proportion of instances of the dependent class label, which is a good solution for imbalanced datasets. The final score is computed as the mean of the scores of the partitions.
• Leave-P-Out cross-validation: It considers p observations as the validation set and the remaining n-p observations as the training set. This process is repeated for all possible combinations of p observations, and the accuracies from all iterations are averaged to obtain the final accuracy.
• Leave-One-Out cross-validation: A special case of the previous type, with p set to 1.
• Repeated random sub-sampling validation: Also called the Monte Carlo method; it randomly splits the dataset into training and validation sets k times, where k is the number of times the model is trained. The final score is the mean over the repeats.
• Nested cross-validation: A technique to tune the parameters of an algorithm while estimating its performance, unlike the other cross-validation methods, which only aim to estimate the performance of an algorithm.
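The basic k-fold procedure described above can be sketched in a few lines of scikit-learn; the toy dataset and the choice of classifier here are illustrative placeholders, not the paper's actual setup:

```python
# Minimal sketch of 5-fold cross-validation (illustrative data and model).
from sklearn.datasets import make_classification
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import cross_val_score

X, y = make_classification(n_samples=500, n_features=10, random_state=0)
clf = LogisticRegression(max_iter=1000)

# cv=5: the data is split into 5 folds; each fold serves once as the
# test set while the model is fitted on the remaining 4 folds.
scores = cross_val_score(clf, X, y, cv=5)
print(scores.mean())  # the average over the folds is the overall estimate
```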
Our contribution to the cybersecurity field is strengthening the ability of an intelligent IDS to detect anomalies and various types of cyber-attacks within the network, despite the existence of imbalanced classification issues and other security concerns. For this purpose, this study proposes a complete strategy to guarantee a powerful network IDS. It is based on three major approaches: (1) Feature selection: to minimize the number of inputs and keep only the important attributes that have a direct impact on the target variable. As a result, the computational cost of modeling is reduced and the performance of the proposed system is maximized. (2) Machine learning: based on many comparative studies of different machine learning algorithms with the same aim and dataset, 4 classifiers have been integrated into the proposed methodology, namely: Random Forest (RF), K-Nearest Neighbors (KNN), Multi-Layer Perceptron (MLP) and Logistic Regression (LR). Their application has great potential for providing high-value predictions and making smart decisions without human intervention.
(3) Nested cross-validation: considered the most important phase. This study is based on this type of cross-validation because it can properly tune the parameters of a machine learning algorithm and concurrently generalize the error estimate. Moreover, it performs well despite the presence of imbalanced data.
The experiments on the four models were evaluated over the NSL-KDD dataset (Tavallaee et al., 2009). The obtained results confirm the efficiency and superiority of our approach over other recent experiments. All the models achieved satisfactory results in terms of accuracy, precision, recall and f1-score. However, the model based on RF outperforms all of them and has been named RF-2NIDS.
The remainder of the paper is structured as follows: Section 2 briefly reviews the selected algorithms for the suggested approach. Section 3 explains the proposed intelligent security modeling in detail. The experimental results are presented and discussed in Section 4. Section 5 gives a general conclusion and future scope.

LITERATURE REVIEW OF THE CLASSIFICATION ALGORITHMS
In order to build a robust intrusion detection system, several research studies have proposed machine learning algorithms and made important enhancements in this area. In this paper, four efficient classifiers have been selected for the development of the proposed cybersecurity modeling, namely: Random Forest (RF), K-Nearest Neighbors (KNN), Multi-Layer Perceptron (MLP) and Logistic Regression (LR). These are described in this section, which also presents some significant works done so far in this context and shows the importance of each algorithm in improving the effectiveness of intrusion detection systems (IDSs).

Random Forest (RF)
Building on the work of Amit and Geman on recognition with randomized trees in 1997 (Amit & Geman, 1997), Breiman came out with an ensemble method that makes predictions relying on the majority vote over a collection of decision trees, each of which votes for the most popular class. Each tree depends on the values of an independently sampled random vector, with the same distribution for all trees constituting the forest (Breiman, 2001; Resende & Drummond, 2018). Random Forest can be used for both classification and regression. Moreover, its default hyperparameters frequently result in a high prediction accuracy. Several researchers confirmed this through different comparative studies. For instance, Fedaku et al. conducted an analytical performance evaluation of this algorithm and compared it to 4 well-known classifiers, Logistic Regression, Support Vector Machine, Stochastic Gradient Descent and a Sequential Model, over the NSL-KDD dataset (Yihunie et al., 2019). The obtained results validated the efficiency of Random Forest against these algorithms and showed its ability to deal with noise and the over-fitting issue in data. An enhanced version of Random Forest proposed by Farnaz et al. confirmed the great potential of this classifier in detecting 4 types of attack (DoS/DDoS, Probe, R2L and U2R) with very low false alarms. Their experimental results show that RF performs better than other traditional machine learning algorithms (Farnaaz & Jabbar, 2016). Belavagi et al. have also shown in their comparative study the flexibility and powerful performance of RF compared to Logistic Regression, Support Vector Machine, and Gaussian Naïve Bayes (2016).
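As an illustrative sketch only (toy data, not the paper's NSL-KDD configuration), the majority-vote ensemble described above can be instantiated in scikit-learn as follows:

```python
# Sketch: a Random Forest classifier built from n_estimators decision
# trees, each fitted on a bootstrap sample; the final class is decided
# by the majority vote of the individual trees.
from sklearn.datasets import make_classification
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import train_test_split

X, y = make_classification(n_samples=400, n_features=8, random_state=1)
X_tr, X_te, y_tr, y_te = train_test_split(X, y, random_state=1)

rf = RandomForestClassifier(n_estimators=100, random_state=1)
rf.fit(X_tr, y_tr)
acc = rf.score(X_te, y_te)
print(acc)
```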

Logistic Regression (LR)
It is a predictive analysis algorithm, also called Logit Regression after the logistic function used at the core of the technique. This classification algorithm is based on probability estimation and is used to allocate observations to a specific class. It works by transforming the output using the logistic function in order to map predicted values to probabilities (Gladence et al., 2015). Two types of classification can be made by Logistic Regression: binary classification, which distinguishes between only two cases (e.g., normal or abnormal activity), and multiclass classification, which distinguishes between more than two cases (e.g., DoS/DDoS, Probe, R2L, U2R or normal activity). Generally, researchers apply this algorithm due to its fast classification of unknown records. Additionally, it is known to be simple and easy to implement and train. Faizal et al. suggested a new approach that can identify fast attack intrusions based on the number of connections made in one second (2010); the results were evaluated using the LR classifier and validated that it is an appropriate method for determining whether network traffic is a malicious activity or not. Belavagi et al. also based an enhanced IDS model on the LR algorithm, and it reached a better accuracy than Support Vector Machine and Gaussian Naïve Bayes (2016).
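The mapping from predicted values to probabilities described above can be sketched as follows (toy data; not the paper's setup):

```python
# Sketch: Logistic Regression maps the linear score through the logistic
# (sigmoid) function, yielding class probabilities that sum to 1.
from sklearn.datasets import make_classification
from sklearn.linear_model import LogisticRegression

X, y = make_classification(n_samples=300, n_features=6, random_state=2)
lr = LogisticRegression(max_iter=1000).fit(X, y)

# One row of probabilities per sample, one column per class.
proba = lr.predict_proba(X[:1])
print(proba)
```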

Multilayer Perceptron (MLP)
It is a popular type of Artificial Neural Network (ANN) model, used for recognition, approximation, classification and prediction tasks. It is composed of interconnected nodes, called neurons, arranged in three types of layers: an input layer, hidden layers and an output layer (Sheta & Alamleh, 2015). The input layer presents the input data to process. A number of hidden layers are located between the input and output layers; the true values of their nodes are unknown in the training dataset, which is why they are called "hidden". The requested task accomplished by the MLP algorithm is performed in the output layer. Each neuron is connected to the preceding and following neurons, and the connections between them carry weights, which are computed by a learning algorithm. The Multilayer Perceptron is able to handle large amounts of data. Furthermore, it works well on complex non-linear problems (Khater et al., 2021). Accordingly, Aurora et al. relied on the MLP neural network and other algorithms, Logistic Regression (LR), Voted Perceptron (VPP) and Radial Base Function (RBF), over the NSL-KDD dataset, in order to improve the intrusion detection task (Arora & Chauhan, 2017). The results of their contribution showed that MLP outperforms all the other algorithms in terms of accuracy. In (Tang et al., 2020), the authors proposed an approach based on different ANN models, such as MLP and Long Short-Term Memory (LSTM), aiming to identify SQL injection attacks on HTTP traffic data in real time. The experimental results showed that MLP with 3 hidden layers was the best at detecting unknown attacks and handling the incomplete blacklist filtering issue.
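The layered structure described above can be sketched with scikit-learn's MLP implementation; the data, layer size and iteration budget here are illustrative assumptions:

```python
# Sketch: an MLP with one hidden layer of 100 neurons between the input
# and output layers; connection weights are learned by a gradient-based
# solver ('adam').
from sklearn.datasets import make_classification
from sklearn.neural_network import MLPClassifier

X, y = make_classification(n_samples=300, n_features=6, random_state=3)

mlp = MLPClassifier(hidden_layer_sizes=(100,), activation='tanh',
                    solver='adam', max_iter=500, random_state=3)
mlp.fit(X, y)
acc = mlp.score(X, y)
print(acc)
```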

K-Nearest Neighbors (KNN)
KNN is a distance-based algorithm that can deal with both regression and classification problem statements. It calculates the distance to the nearest neighbors located in the proximity of the unseen data and extracts those with the shortest distances, in order to determine which class the unknown variable belongs to. 'K' is the hyperparameter of this approach, and it refers to the number of nearest neighbors used to predict an unseen variable. For regression, KNN relies on the mean/average technique: it calculates the mean of the values of the K closest neighbors once all of them have been identified. If the problem statement is a classification task, KNN instead employs the majority vote concept: among the K nearest neighbors, the class that achieves the most votes is selected (Lubis et al., 2020). It is a simple algorithm to interpret and it also does not require much time to build the model; Kumar et al. confirmed these advantages of KNN in their contribution (2020). The authors evaluated the performance of an IDS using the KNN and SVM algorithms on the KDD'99 dataset to select the best classifier. The obtained results show that KNN reached the higher accuracy and performs better when it is employed with principal component analysis (PCA). Another approach to improving an IDS, proposed by Wazirali, is based on KNN hyperparameter tuning with 5-fold cross-validation (2020). The author carried out a comparative experiment on the NSL-KDD dataset against different existing methods and showed that it is an effective approach, since it has the highest detection rate.
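The majority-vote classification described above can be sketched as follows; the value of K and the metric are illustrative (p=1 makes the Minkowski metric the Manhattan distance, a choice also discussed later in the experiments):

```python
# Sketch: KNN classifies an unseen point by the majority vote of its
# n_neighbors nearest neighbors under the chosen distance metric.
from sklearn.datasets import make_classification
from sklearn.neighbors import KNeighborsClassifier

X, y = make_classification(n_samples=300, n_features=6, random_state=4)

knn = KNeighborsClassifier(n_neighbors=5, p=1)  # p=1: Manhattan distance
knn.fit(X, y)
preds = knn.predict(X[:3])
print(preds)
```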

PROPOSED i-2NIDS AND METHODOLOGY
To achieve the main purpose of this paper, a hyperparameter optimization methodology has been proposed. It is generally known that machine learning algorithms regularly encounter the overfitting issue, which negatively impacts the performance of the models, since it makes them fit more data than they actually need. As a consequence, they capture meaningless values and noisy data in the training set. Hence, the model becomes overfitted and cannot generalize to unseen data (Bilbao & Bilbao, 2017). To avoid this problem and increase the efficiency of the security models, this study opts for the nested cross-validation method, which makes our contribution different from other existing studies. The complete strategy is presented in the figure below and described in the following sub-sections.

Data Preprocessing
As shown in Fig. 2, the pre-processing method is first applied to the whole dataset. Initially, it consists of mapping the attack field to the four attack classes (DoS, Probe, R2L and U2R) that represent the target field. This helps organize numerous bits of the data into a system that can be handled and managed. Then, the redundant and duplicate fields are removed to avoid biasing the fitted model and to reduce the negative impact of overfitting. Afterwards, the numerical features are extracted and scaled; this scaling, also known as data normalization, removes the mean and scales to unit variance. Finally, to address the problem of imbalanced classification in the two attack classes R2L and U2R, as shown in Table 1, it is important to randomly resample the training dataset. In this case, we have applied the oversampling method, which duplicates examples from the minority class in the train dataset. This was performed on the categorical data that had been encoded beforehand.
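The scaling and oversampling steps above can be sketched on toy data; the array shapes and class sizes are illustrative assumptions, not the NSL-KDD pipeline itself:

```python
# Sketch: standard scaling of numerical features, then random
# oversampling of a minority class (e.g. U2R) by duplicating its rows.
import numpy as np
from sklearn.preprocessing import StandardScaler
from sklearn.utils import resample

rng = np.random.default_rng(0)
X = rng.normal(size=(100, 4))
y = np.array([0] * 95 + [1] * 5)          # imbalanced toy labels

# Scaling: remove the mean and scale to unit variance.
X_scaled = StandardScaler().fit_transform(X)

# Oversampling: duplicate minority-class rows until the classes balance.
minority = X_scaled[y == 1]
extra = resample(minority, replace=True, n_samples=90, random_state=0)
X_bal = np.vstack([X_scaled, extra])
y_bal = np.concatenate([y, np.ones(90, dtype=int)])
print(np.bincount(y_bal))  # both classes now have 95 samples
```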

Feature Selection
This step aims to select the most significant subset of the input variables, enhancing the ability of a learning algorithm to efficiently classify patterns. It is also called a dimensionality reduction method, since it reduces the large number of attributes. Hence, it reduces the computational cost of modeling and maximizes the classification accuracy. In this work, the features of the dataset have been reduced from 42 to 10 attributes that have a direct impact on the dependent variable (Table 2).
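A 42-to-10 reduction of this kind can be sketched with univariate selection; the paper does not specify the exact selection method, so SelectKBest with mutual information is shown here only as one common option, on toy data:

```python
# Sketch: keep the k features most related to the target variable
# (illustrative method, not necessarily the paper's).
from sklearn.datasets import make_classification
from sklearn.feature_selection import SelectKBest, mutual_info_classif

X, y = make_classification(n_samples=300, n_features=42,
                           n_informative=10, random_state=0)

selector = SelectKBest(mutual_info_classif, k=10)
X_reduced = selector.fit_transform(X, y)
print(X_reduced.shape)  # (300, 10)
```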

Data Pre-Processing for the Training Dataset Based on Nested Cross-Validation
Firstly, each algorithm has to expose the hyperparameters to be tuned. The main idea of nested cross-validation is adding another loop to the cross-validation procedure. The outer loop is defined as a train/test split procedure, whereas the inner loop selects the best hyperparameter setting from the training folds produced by the outer loop. In the suggested method, the outer loop is a 5-fold cross-validation; in each fold, the dataset is split into combined training folds and a test fold, as illustrated in Fig. 1. This is the same procedure as the k-fold cross-validation method, except that in the latter the model is simply fitted on the training folds and evaluated on the test fold. Here, another k-fold cross-validation is run on the four training folds, which are split into two partitions, a training fold and a validation fold, constituting the inner loop that applies hyperparameter tuning with the aim of finding the best settings. Finally, the models can be evaluated on the test set.
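The two-loop procedure above can be sketched in scikit-learn by wrapping a grid search (inner loop) inside an outer cross-validation; the toy data and grid values are illustrative, not the paper's exact search space:

```python
# Sketch of nested cross-validation: GridSearchCV tunes hyperparameters
# on the training folds (inner loop), while cross_val_score estimates
# the generalization error over 5 outer folds (outer loop).
from sklearn.datasets import make_classification
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import GridSearchCV, cross_val_score

X, y = make_classification(n_samples=400, n_features=10, random_state=0)

inner = GridSearchCV(RandomForestClassifier(random_state=0),
                     param_grid={"n_estimators": [50, 100]},
                     cv=3)                    # inner loop: tuning
scores = cross_val_score(inner, X, y, cv=5)  # outer loop: error estimate
print(scores.mean())
```

Because the hyperparameters are chosen only on the inner training/validation folds, the outer test folds remain untouched by tuning, which is what keeps the final error estimate unbiased.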

Performance Evaluation
To evaluate the efficiency of the suggested method in maximizing the accuracy of the IDS model, and to be able to compare it with other existing models, it is required to calculate the evaluation metrics, including the accuracy, false positive and true negative rates. These depend on a confusion matrix, which is composed of 4 combinations of predicted and actual classes, as described in Table 3.

Table 2. The selected NSL-KDD attributes:
'src_bytes': The number of data bytes sent from the source to the destination in a single connection.
'dst_bytes': The number of data bytes sent from the destination to the source in a single connection.
'count': The number of connections to the same destination host as the current connection in the past 2 seconds.
'srv_count': The number of connections to the same service as the current connection in the past 2 seconds.
'dst_host_srv_count': The number of connections that have the same port number.
'dst_host_diff_srv_rate': The percentage of connections that were to different services, among the connections in 'dst_host_count'.
'dst_host_same_src_port_rate': The percentage of connections that were to the same source port, among the connections in 'dst_host_srv_count'.
'service': The destination network service used.
For binary classification, the confusion matrix is a 2×2 matrix with 2 outputs. From the terms used in the confusion matrix, the performance of the proposed method is examined using the measures listed in Table 4. In this work, we have also evaluated the results using a multi-class confusion matrix of 5 classes, Normal, DoS, Probe, R2L and U2R, as shown in Table 5 below. Where: True Positives (TP): The positive classes correctly predicted as positive.

False Positives (FP):
The negative classes incorrectly predicted as positive.

False Negatives (FN):
The positive classes incorrectly predicted as negative.

True Negatives (TN):
The negative classes correctly predicted as negative.

Accuracy
The overall correctness of the model: (TP + TN) / (TP + TN + FP + FN)

Precision (P)
The proportion of positive predictions that actually belong to the positive class: TP / (TP + FP)

Recall (R)
The percentage of actual positives correctly identified by the model: TP / (TP + FN)

F1-Score
The harmonic mean of (P) and (R): 2 × P × R / (P + R)

(Table 5 layout: columns give the predicted class and rows the actual class, over Normal, DoS, Probe, R2L and U2R.)
In the case of multiclass classification, considering the example of the Normal class, TP, FP, FN and TN are calculated as follows: TP: The cell where the predicted value and the actual value match.

TP = C1
FP: The total of all values of the corresponding column, except the TP value.

FP = C6+ C11+C16+C21
FN: The total of all values of the corresponding row, except the TP value.

FN = C2+C3+C4+C5
TN: The total of all values composing the confusion matrix, except those of the row and column corresponding to the class in question.
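The per-class decomposition above can be sketched in a few lines of NumPy; the 5×5 counts here are toy values, not the paper's results:

```python
# Sketch: per-class TP, FP, FN, TN from a 5x5 confusion matrix
# (rows = actual class, columns = predicted class), for class index 0.
import numpy as np

cm = np.array([[50, 1,  0,  0, 0],    # toy counts only
               [ 2, 40, 1,  0, 0],
               [ 0, 1, 30,  0, 0],
               [ 0, 0,  0, 10, 1],
               [ 0, 0,  0,  1, 3]])

c = 0                                  # class in question
TP = cm[c, c]
FP = cm[:, c].sum() - TP               # rest of the column
FN = cm[c, :].sum() - TP               # rest of the row
TN = cm.sum() - TP - FP - FN           # everything else
print(TP, FP, FN, TN)  # 50 2 1 87
```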

EXPERIMENTS AND DISCUSSION
In this section, firstly, the technologies, tools and dataset used in the experimental phase are briefly described. Secondly, an analytical comparison of the evaluation of the four classifiers used in the proposed approach, over both multi-class and binary classification strategies, is discussed in terms of accuracy, precision, recall and f1-score. In addition, a comparison of the results with and without the proposed operations is shown, which clearly validates their effectiveness. Finally, the proposed model, based on the best classifier selected by the nested cross-validation method, is compared to recent intelligent IDS models on the same experimental dataset.

Tools, Environment and Dataset
This research was performed on a Dell Inspiron 15 3000 Series Core i5 7th Gen. machine and experimented on Anaconda, a Python distribution and open-source software that comes with more than 1400 packages needed for artificial intelligence and data science experimentation. This platform allowed us to build our proposed intelligent IDS in a Jupyter notebook, which is a flexible JSON document composed of input/output cells of Python script. It provides computations, plots and other media types within the browser of the user's system (Mendez et al., 2019). The dataset used in this work is the NSL-KDD dataset, an enhanced version of the KDD'99 cup proposed by Tavallaee et al. (2009). This new version has dealt with several limitations:
• The problem of the bias encountered by classification algorithms because of repeated records is solved, since the meaningless records in the training dataset are eliminated.
• There are no more duplicate records in the test set, which makes the training process of the machine learning classifiers more effective, because each test record is evaluated only once. Moreover, the issue of classification bias caused by repeated records is also handled.
• The reasonable number of records in the NSL-KDD train and test sets makes the experiments easy to run on the entire dataset, without the need to randomly select a small sample. Therefore, the evaluation results can be clearly compared across different research studies.
• The evaluation of several machine learning algorithms is more accurate, since their performance varies greatly with the number of records selected from each difficulty-level group, which is inversely proportional to the percentage of records in the original dataset (Dhanabal & Shantharajah, 2015).
Many research studies confirmed that NSL-KDD provides better results for comparing the train and test performance of different intrusion detection models. For example, Revathi et al. analyzed it and showed how it is ideal for evaluating and comparing several intrusion detection models making intelligent decisions (2013). Moreover, the authors also validated that this new version has solved the problems of the KDD'99 cup. In another attempt to compare the latter with the NSL-KDD, Sapre et al. conducted an evaluation of the performance of several machine learning algorithms using the KDD'99 cup and the NSL-KDD. Their results show that the new version is more effective than its predecessor, since the latter biases the trained algorithms (Sapre et al., 2019). However, some researchers treat both datasets as the same. For instance, Wutyi et al. evaluated their proposed technique using the KDD dataset while referring in their paper to the NSL-KDD dataset (2016).
The NSL-KDD database has clearly added some important improvements to the KDD'99 cup. Besides, its train and test sets provide a sufficient number of records (Ravipati & Abualkibash, 2019).

Multiclass Classification
According to the results in Tables 6, 7, 8, 9 and 10, we can notice that RF outperforms all the other algorithms on every performance indicator within the test dataset. It reached an accuracy of 99.97% and a precision, recall and f1-score of 99.96% in detecting normal activities. Such outcomes are due to the optimal selection of the hyperparameters of the classification model. The best parameter considered for RF in this study is 'n_estimators' set to '500', which is the number of trees built before averaging the predictions. These results confirm the robustness of the model. Additionally, it yields the highest accuracy of 99.79% in detecting DoS/DDoS attacks, with a precision of 99.79%, a recall of 96% and an f1-measure of 99.88%. Moreover, when it comes to detecting the Probing attack, RF performs better than the other classifiers, with an accuracy of 99.94%, a precision of 99.92%, a recall of 94.48% and an f1-score of 99.73%. Despite the imbalanced class distribution issue affecting the R2L and U2R classes, which are intrinsically rare, our proposed model based on RF has overcome this challenge and achieved the best accuracy of 99.96% in detecting the R2L attack class with no false positives, as it has a precision of 100%. Besides, it has the highest recall rate of 94.48% and an f1-score of 97.17%. Furthermore, RF and KNN perform similarly in detecting U2R attacks: both achieved an accuracy of 99.98%, a precision of 71.43%, a recall of 50% and an f1-score of 58.83%. The MLP ranked second, with an accuracy of 99.92% and a precision of 99.90% in detecting the normal class. The optimal parameters selected for this algorithm are: the activation function for the hidden layer set to 'tanh' (hyperbolic tangent), the solver for weight optimization set to 'adam' (a stochastic gradient-based optimizer), the hidden layer sizes set to '100', the learning rate schedule for weight updates set to 'adaptive' (this keeps the learning rate constant at the initial learning rate as long as the training loss keeps decreasing) and the regularization term that handles the overfitting issue set to '0.0001'. However, in most cases KNN performs better than MLP in detecting DoS/DDoS, Probe, R2L and U2R. The best parameters considered for KNN are the number of neighbors used by default for k-neighbors queries, set to '1', and the power parameter of the Minkowski metric, set to '1' (equivalent to applying the Manhattan distance).
The classifier with the lowest performance in predicting the normal class is LR, with an accuracy of 98.38%, a precision of 98.39%, a recall of 97.13% and an f1-score of 97.78%, obtained by setting the penalty parameter to 'l2' (the default choice) and the trade-off parameter 'C', which determines the strength of regularization, to '1000.0'. However, the precision of this classifier in predicting U2R attacks is 55.56%, which is higher than the precision of MLP, which only reached 35.30%.

Binary Classification
As shown in Fig. 3, the model based on RF is the most effective in terms of testing accuracy for detecting abnormal and normal behaviors, reaching 99.86%. Almost all the algorithms achieved competitive results, above 99% for binary classification, except the model based on LR, which has the lowest accuracy rate of 96.78%.
Based on the achieved outcomes, it is evident that the most appropriate classifier for the proposed i-2NIDS model is RF. Thus, it will be called RF-2NIDS. Furthermore, it is the fastest at making an intelligent decision compared to all the other algorithms, taking 13.43 seconds.
Figure 4 clearly shows the improvement that our approach has achieved. For instance, the accuracy rate of RF in detecting normal and abnormal activities increased from 82.99% to 99.86%. The results depicted below validate the efficiency of integrating our proposed operations.

Comparison with Existing Methods
In order to prove the robustness of the proposed model based on RF (RF-2NIDS), we compared it to different recent studies in terms of the accuracy rate in distinguishing normal from abnormal activity within a network using the NSL-KDD dataset. Figure 5 depicts the performance comparison. In (Keserwani et al., 2021), (Liu & Shi, 2022), (Gupta et al., 2021), (Bedi et al., 2021), (Park et al., 2022) and (Balyan et al., 2022), the accuracy of the models reached 96.12%, 99.42%, 87%, 80%, 85.5% and 98.979%, respectively. In addition, the proposed approach performs well on imbalanced data and has a better ability to identify different cyberattacks, as mentioned in the previous sub-sections. Therefore, RF-2NIDS can be considered a robust model against adversarial attacks, whose only purpose is to trick the learned model into producing incorrect results (McCarthy et al., 2022; Sauka et al., 2022; Zhao et al., 2022). This will be proven in our next contribution.

CONCLUSION AND FUTURE RESEARCH
An enhanced and efficient network-based IDS model, called i-2NIDS, is presented in this study. The model is based on a procedure that splits the dataset into train, validation and test sets over binary and 5-class classification strategies (i.e., the Normal class and the DoS, Probe, R2L and U2R attack classes). On the train set, the models based on the four classifiers (RF, LR, MLP and KNN) were trained with different parameters. Later, they were evaluated over the validation set, to be finally tested on the test set with an unbiased estimation of their performance. The model integrated with RF (RF-2NIDS) was selected as the best at making accurate intelligent decisions with a low false alarm rate. It achieved accuracy rates of 99.97% and 99.79% in detecting normal behaviors and the DoS attack class, respectively. The significant improvement of this contribution is that, despite the imbalanced network traffic and the classification issue affecting the R2L/U2R attack classes, i-2NIDS performs well: it obtains accuracies of 99.76% and 99.98% in identifying the R2L and U2R attack classes, respectively. Moreover, compared to other recently published approaches, the proposed modeling obtains better results in updating and strengthening the performance of an IDS.
As a future enhancement of the presented research, we will concentrate more on the prediction time of RF-2NIDS, in order to make decisions in real time. Furthermore, it will be applied to other IT environments and applications. Besides, we will demonstrate that RF-2NIDS can be an appropriate solution to overcome the current adversarial manipulation issue, in which intelligent models are fooled into predicting wrong results. Overall, this paper provides interesting findings for the cybersecurity domain, and can serve as a strong reference for many other contributions in this context.

Sabrine Ennaji's graduate degree was conducted in the security of information systems at the National School of Applied Sciences of Ibn Tofail University in Kenitra, Morocco. She is currently a doctoral student in cybersecurity at the University of Sidi Mohamed Ben Abdellah (USMBA), working under the supervision of Professors Nabil El Akkad and Khalid Haddouch. Her research thesis focuses on using machine learning and deep learning mechanisms to ensure strong security within different internet technologies, including the network. She is also interested in the application of cryptography techniques in practical deep learning and works on mitigating poisoning attacks on machine learning and deep learning models. She has spoken at two conferences related to the enhancement of network intrusion detection systems based on machine learning algorithms.
Nabil El Akkad received the PhD degree in 2014 from Sidi Mohamed Ben Abdellah University in Fez, Morocco. He is currently a professor of computer science at the National School of Applied Sciences (ENSA) of Fez, Sidi Mohamed Ben Abdellah University, Fez, Morocco. He is a member of the Engineering, Systems and Applications Laboratory (LISA). His research interests include artificial intelligence, image processing, data mining, computer vision, machine learning, pattern recognition, data classification and segmentation, real-time rendering, cryptography, and security.

Khalid Haddouch obtained a PhD degree in artificial intelligence from the Faculty of Sciences and Technologies (FST), Sidi Mohamed Ben Abdellah University in Fez, Morocco. The working title of his thesis was "Constraint programming and neural network approach applied to reels problems". He is currently a professor at the National School of Applied Sciences (ENSA). His main research topics focus on constraint programming, machine learning, and big data mining. He is also a member of the scientific committee of several international congresses in Morocco and has participated in realizing and coordinating two research projects, "SmartMedina" and "SmartLaw", in the Moroccan context.

Yihunie, F., Abdelfattah, E., & Regmi, A. (2019, May). Applying machine learning to anomaly-based intrusion detection systems. In 2019 IEEE Long Island Systems, Applications and Technology Conference (LISAT) (pp. 1-5). IEEE. doi:10.1109/LISAT.2019.8817340

Zhao, Y., Xu, K., Li, Q., Wang, H., Wang, D., & Zhu, M. (2022). Intelligent networking in adversarial environment: Challenges and opportunities. Science China. Information Sciences, 65(7), 1-11. doi:10.1007/s11432-021-3463-9

Figure 1. Architecture design of IDS based on machine learning

Figure 2. Architecture of the proposed model

Figure 3. The accuracy rate of testing results for binary classification

Figure 5 shows that RF-2NIDS offers many competitive strong points compared to other recent techniques, with an accuracy of 99.97%, whereas the models in (Keserwani et al., 2021), (Liu & Shi, 2022), (Gupta et al., 2021), (Bedi et al., 2021), (Park et al., 2022), and (Balyan et al., 2022) reached accuracies of 96.12%, 99.42%, 87%, 80%, 85.5%, and 98.979%, respectively. In addition, the proposed approach performs well on imbalanced data and has a better ability to identify different cyberattacks, as mentioned in the previous sub-sections. Therefore, RF-2NIDS can be considered a robust model against adversarial attacks, whose sole purpose is to trick the learned model into producing incorrect results (McCarthy et al., 2022; Sauka et al., 2022; Zhao et al., 2022). This will be proven in the next contribution.

Figure 4. The accuracy test of the intelligent models before and after the application of the proposed strategy