Experimental analysis of intrusion detection systems using machine learning algorithms and artificial neural networks

ABSTRACT


INTRODUCTION
Access to the internet is crucial to every business and individual in the 21st century [1], [2]. It is nearly impossible to compete in today's business world without staying connected to the world and to customers. Staying connected to the internet is advantageous in the business world, but these advantages do not eliminate the accompanying threats, and in the cyber-age and cyberspace of the 21st century it would be a disaster if the power of a single click on the internet were ever underestimated [3], [4]. The possibility of these threats gave rise to the need for protective measures on the internet [5], [6]. Many confidential transactions occur every second. These exchanges on the web give untrusted outside parties a way to gain entry into an organization's private network and tamper with its internal environment, data, assets, and structure. Network security helps maintain authorized access to data against hackers and authenticated data transfers, and the security of the network is achieved when a firewall is installed and turned on.
With the rise in internet and network use [7], the need for security has become inseparable from users' confidence and willingness to perform sensitive functions and activities on the internet or on any cloud-based network system [8]-[10]. As the internet evolves, the malicious software hosted on the network and the attacks it carries out have become increasingly sophisticated [11]. In its 2017 internet security threat report, Symantec recorded over three billion zero-day attacks in 2016, which implied that such attacks were gaining popularity and becoming increasingly common [12]. The 2017 data breach statistics recorded around nine billion lost or hijacked information records since 2013. A Symantec report found that the number of security breach incidents is rising rapidly [13]. The malicious software that penetrates internal company networks has become more sophisticated, directly affecting the severity of the attacks companies experience, even as security measures evolve with time [14]. Several reports have revealed that security breaches are consistently on the rise. The tactics of cybercriminals have changed with the times and, as some researchers describe it, become more ambitious [15], [16]. Previously these attackers targeted "smaller fish" such as credit cards, bank customers, and bank accounts, whereas these days they target the banks themselves [17]-[20]. All this is possible because of the evolution of malicious software [21]-[23]. Malicious software (malware) is intentionally designed to take advantage of any compromise or weakness in the firewall, however minute, to gain access to the internal network.
A survey carried out by Kaspersky in 2013 revealed that 91% of companies had experienced at least one security threat from outside the company network, and 35% of these companies encountered data leakage due to these attacks [24]. 61% of these companies were attacked by spam, while another 66% were affected by viruses, spyware, malware, worms, and other malicious programs. Even though the attack rate is this high, the discovery rate for malware and intrusions is still low [25], [26]. Panda Lab's 2015 annual report made the following discoveries: 34% of all malware was produced in 2014, and 65% of attacked systems were intruded on by Trojans, making Trojans the major contributor to security threats. The report concludes that despite the depth of research and development of network security infrastructure, online information will still be exploited by new forms of attack [27].
Cloud infrastructure utilizes integrated technologies and virtualization techniques and operates over standard internet protocols, which may attract unauthorized users because of the weaknesses present in the cloud infrastructure. Cloud computing is exposed to various conventional attacks, including protocol spoofing, address resolution spoofing, internet protocol (IP) spoofing, flooding, distributed denial of service (DDoS), domain name system (DNS) poisoning, denial of service (DoS), and routing information protocol attacks. A real example is the DoS attack on the underlying Amazon cloud infrastructure that caused BitBucket.org, a site hosted on Amazon web services (AWS), to remain inaccessible for a couple of hours [28]. Firewalls can be an effective method of protecting a network from external attacks, but they do not address internal attacks; therefore, an efficient intrusion detection system (IDS) should be fused with the cloud infrastructure to alleviate these attacks. In this study, the authors seek to find out the causes of attacks on networks and to investigate ways to identify and curb them, and also to discover and recommend better security measures for protecting networks and network-based systems from security attacks and threats.

MATERIAL AND METHOD
In this study, the Network Security Laboratory-knowledge discovery in databases (NSL-KDD) dataset is used instead of the original KDD Cup 99 dataset, because it gives a good understanding of intrusion behaviors. The approach followed in this study involves six steps: data collection, data pre-processing, feature scaling, feature selection, model development, and accuracy evaluation.
The NSL-KDD dataset, which comprises network packets with 42 attributes, is used for data collection. The data is then pre-processed into a form suitable for the algorithms. Pre-processing involves cleaning the dataset to remove duplicate and redundant entries. Every feature is transformed into a numerical value by one-hot encoding, which converts object/string values into categorical data that is then converted to numerical data using the LabelEncoder available in Python. To avoid features with large values weighing too much in the results and eventually leading to overfitting, the features must be scaled. After the conversion, the dataset is split into four different datasets, each representing one of the attack categories. The attack categories are shown in Table 1 and are renamed as 0=normal, 1=DoS, 2=Probe, 3=R2L, 4=U2R. StandardScaler() is used to scale the data frames so that each feature has a standard deviation of 1. Univariate feature selection using the analysis of variance (ANOVA) F-test (second-percentile method) is applied first, followed by the recursive feature elimination (RFE) method, to get the best features for each dataset. Each classifier is already implemented in Python, so each attack dataset is run through all the different classification algorithms before results are produced.
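As an added example (not the paper's code), the pre-processing, scaling and univariate feature-selection steps above carried out on a constructed NSL-KDD-like sample: label encoding of the string attributes, mapping of attack names onto the 0..4 category codes, standardization, and an ANOVA F score per feature from which a percentile cut keeps the best features. The column names are NSL-KDD attribute names; the rows, the attack-name subset and the function names are this example's assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Paper's category codes; ATTACK_CLASS is a constructed subset of NSL-KDD's mapping.
CATEGORY = {"normal": 0, "dos": 1, "probe": 2, "r2l": 3, "u2r": 4}
ATTACK_CLASS = {"normal": "normal", "neptune": "dos", "smurf": "dos",
                "satan": "probe", "ipsweep": "probe",
                "guess_passwd": "r2l", "buffer_overflow": "u2r"}
FEATURES = ["duration", "protocol_type", "service", "flag", "src_bytes", "count"]
CATEGORICAL = {"protocol_type", "service", "flag"}
RECORDS = [  # constructed rows: six NSL-KDD attributes in column order + label
    (0, "tcp", "http", "SF", 215, 5, "normal"),
    (0, "tcp", "http", "SF", 230, 9, "normal"),
    (0, "tcp", "private", "S0", 0, 250, "neptune"),
    (0, "tcp", "private", "S0", 0, 255, "neptune"),
    (0, "icmp", "ecr_i", "SF", 1032, 511, "smurf"),
    (0, "udp", "private", "SF", 0, 2, "satan"),
    (0, "tcp", "private", "REJ", 0, 1, "ipsweep"),
    (5, "tcp", "telnet", "SF", 120, 1, "guess_passwd"),
    (3, "tcp", "telnet", "SF", 1800, 1, "buffer_overflow"),
]

def label_encode(values):
    """Give each distinct string an integer code, as LabelEncoder does."""
    codes = {v: i for i, v in enumerate(sorted(set(values)))}
    return [codes[v] for v in values]

def standardize(col):
    """StandardScaler: subtract the mean, divide by the standard deviation."""
    m, s = mean(col), pstdev(col)
    return [(x - m) / s if s else 0.0 for x in col]

def preprocess(records):
    """Encode categorical columns, scale every feature, map labels to 0..4."""
    cols = list(zip(*records))
    X = [label_encode(c) if f in CATEGORICAL else list(c)
         for f, c in zip(FEATURES, cols[:-1])]
    X = [standardize([float(v) for v in c]) for c in X]
    y = [CATEGORY[ATTACK_CLASS[lab]] for lab in cols[-1]]
    return X, y

def anova_f(col, y):
    """One-way ANOVA F statistic of one feature against the class labels."""
    groups = defaultdict(list)
    for x, c in zip(col, y):
        groups[c].append(x)
    gm, k, n = mean(col), len(groups), len(col)
    between = sum(len(g) * (mean(g) - gm) ** 2 for g in groups.values())
    within = sum((x - mean(g)) ** 2 for g in groups.values() for x in g)
    if k < 2 or within == 0:  # constant within groups: separable or useless
        return float("inf") if between > 0 else 0.0
    return (between / (k - 1)) / (within / (n - k))

def rank_features(records, keep):
    """Rank features by F score; keeping the top `keep` is the percentile cut."""
    X, y = preprocess(records)
    scores = {f: anova_f(c, y) for f, c in zip(FEATURES, X)}
    return sorted(scores, key=scores.get, reverse=True)[:keep]
```

On this sample `duration` separates the classes perfectly (infinite F) and `count` ranks second, which is the kind of ranking the percentile cut acts on before RFE refines it.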

Decision tree classifier
A decision tree (DT) classifier is a popular machine learning algorithm used for both classification and regression tasks. It recursively partitions a dataset into subsets based on the most significant features, effectively creating a tree-like structure of decisions. These splits are determined by various criteria, one common measure being Gini impurity, which quantifies the randomness or impurity in each subset. The impurity of a subset is determined using (1), which is expressed in terms of the frequency of each label at a node and c, the number of unique labels.

Support vector machine classifier
A support vector machine (SVM) classifier aims to find the optimal hyperplane that best separates different classes in the feature space.By maximizing the margin between data points and the hyperplane, SVM enhances its generalization performance, proving especially effective in high-dimensional spaces commonly encountered in image and text analysis.The hyperplane position is determined by support vectors, which are the data points closest to the decision boundary, playing a crucial role in defining the classification boundary accurately.

K-nearest neighbors algorithm
Unlike some other algorithms, k-nearest neighbors (KNN) is non-parametric, which means it makes no assumptions about the underlying data. It can be used for both regression and classification problems, but primarily for classification. The algorithm stores the training data so that when a new data entry arrives, it quickly classifies it based on its similarity to the existing data points. Classification algorithm: given a query instance x_q to be classified, let x_1, …, x_k denote the k instances from the training examples nearest to it. For a discrete-valued target function f, return
\hat{f}(x_q) \leftarrow \arg\max_{v} \sum_{i=1}^{k} \delta(v, f(x_i)),
where \delta(a, b) = 1 if a = b and \delta(a, b) = 0 otherwise. The weights of the neighbors are taken into consideration relative to their distance to the query point.
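As an added example (not the paper's code), the KNN vote above, both the plain delta-count and the distance-weighted variant the text mentions, run on constructed, already-scaled two-feature vectors labelled with the paper's category codes. The function names and the 1/d^2 weighting are this example's assumptions.

```python
import math
from collections import defaultdict

# Constructed, already-scaled training vectors with the paper's category codes
# (0=normal, 1=DoS, 2=Probe, 3=R2L, 4=U2R). U2R is rare, as it is in NSL-KDD.
TRAIN = [
    ((0.1, 0.2), 0), ((0.0, 0.3), 0), ((0.2, 0.1), 0),   # normal
    ((2.9, 2.8), 1), ((3.1, 3.0), 1), ((3.0, 2.9), 1),   # DoS
    ((0.2, 2.9), 2), ((0.1, 3.1), 2),                    # Probe
    ((3.0, 0.1), 3), ((3.4, 0.5), 3), ((3.0, 0.6), 3),   # R2L
    ((3.2, 0.3), 4),                                     # U2R
]

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def delta(a, b):
    """delta(a, b) = 1 if a == b, else 0 (the indicator in the vote sum)."""
    return 1 if a == b else 0

def knn_predict(x_q, train, k=3, weighted=False):
    """Return argmax over labels v of sum_{i=1..k} w_i * delta(v, f(x_i)),
    where x_1..x_k are the k training points nearest to x_q.
    Plain vote: w_i = 1. Distance-weighted vote: w_i = 1 / d(x_q, x_i)^2,
    and an exact match (d = 0) decides outright instead of dividing by zero."""
    nearest = sorted(train, key=lambda t: euclidean(x_q, t[0]))[:k]
    labels = sorted({lab for _, lab in train})
    votes = defaultdict(float)
    for x_i, f_xi in nearest:
        d = euclidean(x_q, x_i)
        if weighted and d == 0.0:
            return f_xi
        w_i = 1.0 / d ** 2 if weighted else 1.0
        for v in labels:
            votes[v] += w_i * delta(v, f_xi)
    return max(labels, key=lambda v: votes[v])
```

A query sitting next to the lone U2R point but within k=3 of two R2L points is labelled R2L by the plain vote and U2R by the weighted one, which is why the weighting matters for rare attack classes.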

Artificial neural network classifier
An artificial neural network (ANN) is a supervised machine learning (ML) algorithm that is modelled on the human brain. The advantage of using this algorithm is its ability to model nonlinear relationships. Also, because of its various layers, it provides a more accurate representation of the predictions. In developing this model, the dataset is fed into the model five times to accommodate system memory and improve the accuracy metric for each attack type.

Ensemble classifier
The dataset is run through the different classification algorithms used previously: it goes through the DT, KNN, and SVM classifiers one after the other. This is done to check whether accuracy improves compared with the individual training and testing carried out on the dataset by each classification algorithm.

RESULT AND DISCUSSION
This section discusses the implementation of the machine learning algorithms described in section 2. Furthermore, it explains commonly used evaluation metrics for machine learning methods for IDS. The general confusion matrix, which is used to visualize the performance of the supervised learning algorithms, is shown in Table 2.
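As an added example (not the paper's code), the confusion matrix of Table 2's kind built from label vectors, with precision, recall, F-measure and accuracy derived from it for the paper's five categories, plus the share of attacks misclassified as normal, which is the cell a defender reads first. The label vectors and the function names are this example's assumptions.

```python
CLASSES = [0, 1, 2, 3, 4]  # paper's codes: normal, DoS, Probe, R2L, U2R

def confusion_matrix(y_true, y_pred, classes=CLASSES):
    """m[t][p] = number of records with true class t predicted as class p."""
    idx = {c: i for i, c in enumerate(classes)}
    m = [[0] * len(classes) for _ in classes]
    for t, p in zip(y_true, y_pred):
        m[idx[t]][idx[p]] += 1
    return m

def class_metrics(m, i):
    """Precision, recall and F-measure of class i (one-vs-rest)."""
    tp = m[i][i]
    fp = sum(row[i] for row in m) - tp   # predicted i but belonged elsewhere
    fn = sum(m[i]) - tp                  # belonged to i but predicted elsewhere
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1

def accuracy(m):
    return sum(m[i][i] for i in range(len(m))) / sum(map(sum, m))

def missed_attack_rate(m, normal=0):
    """Share of attack records (every class but normal) predicted as normal:
    the false negatives that matter most for an IDS."""
    attacks = sum(sum(row) for i, row in enumerate(m) if i != normal)
    missed = sum(row[normal] for i, row in enumerate(m) if i != normal)
    return missed / attacks if attacks else 0.0

# Constructed label vectors (not the paper's results): 20 records.
Y_TRUE = [0] * 6 + [1] * 6 + [2] * 4 + [3] * 3 + [4]
Y_PRED = [0, 0, 0, 0, 1, 2, 1, 1, 1, 1, 1, 0, 2, 2, 0, 1, 3, 3, 0, 3]
```

Note that a single U2R record predicted as R2L gives that class zero precision, recall and F-measure while barely moving overall accuracy, which is why the per-class tables matter more than one accuracy figure.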

DoS attack
After running our DoS attack dataset through the decision tree, SVM, and KNN classifiers, the results are shown in Tables 3 and 4. Table 3 shows the confusion matrix for DoS attacks classified using the three stated classifiers, while Table 4 shows the other metrics computed for the classifiers: precision, recall, accuracy, and F-measure. The decision tree classifier correctly predicted 9,602 attacks from the 12,821 data entries. Only 485 out of the 3,110 normal entries were accurately predicted as normal traffic by this classifier, as shown in Table 3. From this result, the decision tree classifier predicts attacks better than it predicts typical network behavior. The accuracy of this method is 0.84 but can be improved on, as the results of the ANN and ensemble classifiers will show.
The DoS attack dataset was then run through the SVM classifier, which uses a subset of the training points in its decision function; the accuracy of this classification algorithm, measured from the recorded metrics, is 0.79. The KNN classifier is a simple algorithm that stores cases and classifies new ones based on similarity measures such as distance functions. Its confusion matrix shows a more robust prediction of normal network behavior than that of the decision tree, and it strongly predicts the DoS attacks. The accuracy of this classifier is 0.84, like that of the decision tree classifier.
The ANN classifier for DoS attacks, built with the TensorFlow framework in Python, gives a loss of 0.0602 and an accuracy of 0.975. Figure 1 compares the three classifiers with the ANN. In Figure 1, all precision metrics for DoS attacks are plotted, and the DT algorithm has the most precise measure for DoS attacks. The accuracy of predicting DoS attacks with all the classification algorithms is also compared in Figure 1, and it is evident that the ANN has the highest accuracy. This can result from the deep neural network used in developing the ANN model, unlike the other machine learning algorithms, where the dataset is fed into the classifier only once.

Probe attacks
These attacks are deliberately crafted so that the legitimate users of the network recognize the intrusion and report it. After the attack is reported, the attacker uses recognizable fingerprints to learn more about the network's capabilities. After running the dataset through the decision tree, SVM, and KNN classifiers, the results from the confusion matrix are shown in Table 5. It shows the ability of each classifier to predict attacks accurately. The results signify that the decision tree classifier may not be the best for predicting probe attacks. Although the false negatives and false positives are fewer than the true negatives and true positives, the values are still relatively large. The accuracy of this classification algorithm is found to be 84%, as shown in Table 6. SVM can be used for regression and classification; since this is a classification problem, it is used here for classification. It works by finding an optimal boundary between two outputs. The accuracy of this classifier is 87%.
The results obtained from the KNN classifier are shown in Tables 5 and 6. There is a significantly high prediction rate, evident in the true negative and true positive values. The accuracy of this classification algorithm is measured to be 87%, as output by the Python code.
The ANN classifier, evaluated with the TensorFlow framework in the Python IDE, gives an accuracy of 88.7% with a loss of 0.321. The loss of this classification algorithm is high. The accuracy is not as high as expected, because an information security model should be able to predict over 90% of attacks. From Figure 2, it is clear that the ANN classifier has the highest accuracy, which can be explained by its multiple layers, unlike the single layer of the other machine learning algorithms.

R2L attack
The R2L attack type represents a scenario where a user without remote network access attempts to send packets to gain unauthorized entry. In our analysis, the performance of the decision tree classifier in detecting R2L attacks is depicted in the confusion matrix in Table 7. This matrix reveals a remarkably high prediction rate, underscoring the effectiveness of the decision tree model in identifying such intrusion attempts. The accuracy of this method is found to be 79%, as shown in Table 8. This is not a very high accuracy for internet security, so other classification algorithms are used to decide on the model with the highest accuracy. The results output by the code for this classifier show an accuracy level of 77%. This accuracy level is not good enough for network security purposes, so the other classification algorithms and the ANN are used to analyse the accuracy levels.
The accuracy of this classification algorithm is also 77%, which is still not good enough for network security. So far, the machine learning algorithms have not proved the best for predicting R2L attacks. The ANN classifier gives an accuracy of 0.9998 and a loss of 0.003. This accuracy level is very efficient for a network security prediction model. Figure 3 is a graphical representation of the different classification algorithms used to analyse the R2L dataset. The ANN classifier produces a more robust accuracy, unlike the machine learning algorithms.

U2R attack
The confusion matrix for the U2R attack is shown in Table 9, while the other metrics are given in Table 10. The accuracy output of this classifier is very high at 99%, making it very efficient and appropriate for predicting network attacks.
As shown in Figure 4, the SVM classifier reaches an extremely high accuracy of 99% on the U2R attacks, which signifies that it efficiently predicts future U2R attacks on a network. The accuracy of the KNN classifier is also 99%, meaning it would be very efficient in predicting attacks and protecting the network from intrusion. The ANN classifier produced a prediction accuracy of 99.69%.

Ensemble classifier
The ensemble classifier is a combination of the various classifiers previously used. It is run on the dataset to determine the accuracy of identifying attacks. The ensemble classification was carried out on the R2L attack to see whether there would be an increase over the 77% accuracy obtained from the independent machine learning algorithms. The ensemble classifier output a whopping accuracy of 99.98%.
From the results, visualized in Table 8 and Figure 5, it is clear that the ANN classifier is the most accurate way to predict network attacks and intrusions. The ANN classifier produces results close in metric to those of the ensemble classification, i.e., the combination of the various machine learning algorithms.

CONCLUSION
In this study, various network intrusions were analyzed using several machine learning algorithms as classifiers, to see how accurately and intelligently the algorithms detect network intrusions when they are encountered in a system. The experiments were carried out on the NSL-KDD dataset, which proved ideal for comparing intrusion detection models. An accuracy of 99% was obtained on some of the intrusion detection models developed. The experiments demonstrate that no single machine learning algorithm can efficiently handle all types of attacks, but the models can be trained to reach accuracies of up to 99.98%, which will go a long way in predicting and preventing attacks from flooding the network.


Int J Elec & Comp Eng, Vol. 14, No. 1, February 2024: 983-992, ISSN: 2088-8708

Experimental analysis of intrusion detection systems using machine learning … (Ademola Abdulkareem) 987

Figure 1. Accuracy in DoS attack

Figure 2. Accuracy in probe attacks

Table 3. Confusion matrix for three classifiers on DoS attack

Table 4. Evaluation metrics for three classifiers on DoS attack

Table 5. Confusion matrix for three classifiers on probe

Table 7. Confusion matrix for three classifiers on probe

Table 8. Evaluation metrics for the three classifiers on probe

Table 9. Confusion matrix for the classifier on U2R

Table 10. Evaluation metrics for the three classifiers on U2R