Machine Learning Techniques for Intrusion Detection

Machine Learning Techniques for Intrusion Detection

Tameem Ahmad (Department of Computer Engineering, Z. H. College of Engineering and Technology, Aligarh Muslim University, Aligarh, India), Mohd Asad Anwar (Department of Computer Engineering, Z. H. College of Engineering and Technology, Aligarh Muslim University, Aligarh, India) and Misbahul Haque (Department of Computer Engineering, Z. H. College of Engineering and Technology, Aligarh Muslim University, Aligarh, India)
Copyright: © 2020 |Pages: 19
DOI: 10.4018/978-1-7998-2242-4.ch003


This chapter proposes a hybrid classifier technique for network Intrusion Detection System by implementing a method that combines Random Forest classification technique with K-Means and Gaussian Mixture clustering algorithms. Random-forest will build patterns of intrusion over a training data in misuse-detection, while anomaly-detection intrusions will be identiðed by the outlier-detection mechanism. The implementation and simulation of the proposed method for various metrics are carried out under varying threshold values. The effectiveness of the proposed method has been carried out for metrics such as precision, recall, accuracy rate, false alarm rate, and detection rate. The various existing algorithms are analyzed extensively. It is observed experimentally that the proposed method gives superior results compared to the existing simpler classifiers as well as existing hybrid classifier techniques. The proposed hybrid classifier technique outperforms other common existing classifiers with an accuracy of 99.84%, false alarm rate as 0.09% and the detection rate as 99.7%.
Chapter Preview


Intrusion detection, a very important aspect from security point of view, can be said to be the process of monitoring the events that occur in an individual computer system or over a computer network and investigating for any intrusions taking into account the confidentiality, integrity and availability of a computer system or other network infrastructure security properties (Chahal & Kaur, 2016). An intrusion causes the confidentiality violation, if it allows intruders to access system information without authorization (password authentication). If an intruder changes the system date or any data residing on or passing through the system, it causes the integrity violation. An availability violation will occur if an intrusion keeps an authorized user from accessing the particular service or system resource when he needs it. The major task of intrusion detection is to gather data that may contain evidences of intrusions, from target system, processing and analyzing the data to identify the potential intrusions thereafter generating the specified responses for every intrusion either manually or automatically.

Intrusion Detection System

Main function of Intrusion Detection System (IDS) is to monitor network traffic for any doubtful activity and if any, then alerts the system or network administrator. In some cases, IDS can take active action (i.e. it may discard the packet incompatible) or passive action (i.e. to alert the system) for malicious traffic by imposing action such as blocking users or source IP addresses from reaching the network. As soon as a new computer searches for a security vulnerability, a crowd of crackers starts knocking on the doors of computers around the world so that they can see whether they can enter their security or not. Many sites employ a combination of boundary router firewalls and host-based packet filters and wrappers to protect themselves, but what is the vulnerability in many systems used to secure the service? How do system administrators know that their machines are being attacked and/or compromised? The best way to catch crackers is to use IDS. Figure 1 shows a Computer Network with Network Intrusion Detection System.

Figure 1.

Computer network with network intrusion detection system


Need for Intrusion Detection System

A computer system should provide confidentiality, integrity and assurance against various types of attacks. However, due to the increasing connectivity especially on the Internet and the huge open spectrum of financial prospects, more and more systems are under attack by intruders. The presence of IDS allows preventing subversion by building a completely secure system. It, for example, requires all users to identify and authenticate themselves. Further, the data can be protected by employing various cryptographic methods and very tight access control mechanisms. However this is not really feasible because:

  • Practically, building a completely secure system is not possible (Kumar, Mangathayaru, & Narsimha, 2016).

  • Even Cryptographic methods possess certain kind of problems. User passwords can be cracked, users can lose their passwords, and there are ways to break the entire crypto-systems.

  • Even a truly secure system is vulnerable to abuse by insiders who misuse their privileges.

  • It has been seen that there is an inverse relationship between the levels of access control to the user efficiency, which implies that the stricter the mechanisms are, the lower will be the efficiency.

So, using cryptography method or simply putting a firewall may not be enough to solve problem of vulnerabilities. If there is an attack on the system, they should be identified as soon as possible and appropriate action must be taken.

Complete Chapter List

Search this Book: