Please use this identifier to cite or link to this item:
http://10.1.7.192:80/jspui/handle/123456789/12065
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Ladha, Ritika Vivek | - |
dc.date.accessioned | 2024-01-01T09:01:02Z | - |
dc.date.available | 2024-01-01T09:01:02Z | - |
dc.date.issued | 2022-09 | - |
dc.identifier.uri | http://10.1.7.192:80/jspui/handle/123456789/12065 | - |
dc.description.abstract | Intrusion Detection Systems (IDSs) are effective security mechanisms that identify attacks by examining network traffic flowing through the network. Moreover, an IDS can be deployed along with other security mechanisms as a line of defense to ensure the security of system and network resources. There have been various efforts in designing IDS using Machine Learning (ML) techniques. Furthermore, attempts have been made to improve the classification performance of ML-based IDS by designing a hybrid approach for intrusion detection and classification, incorporating feature engineering techniques to extract significant features for learning, to name a few. However, advancement in networking technologies has led to evolution in variants of attacks, and hence, there is a need to develop an effective and efficient intrusion detection and classification system. Moreover, the majority of the research work in the field of IDS has considered the earliest intrusion detection datasets, which consist of outmoded and narrow attack scenarios. Apart from advancement in network technologies and network attacks, there are various research gaps and challenges concerning ML-based IDS, which include handling high-dimensional datasets, addressing the over-fitting issue in ML techniques, and managing the uneven distribution of data samples in intrusion detection datasets, to name a few, for achieving the desired outcome for intrusion detection and classification. In the thesis, we focus on proposing approaches for enhancing the attack classification capability of the designed IDS by considering various aspects such as good generalization ability, enhanced feature engineering capability, improved learning capability, effortless handling of high-dimensional data, and handling class imbalance in intrusion detection datasets. 
To address the issue of over-fitting and achieve good generalization ability for intrusion detection and classification, the thesis presents an empirical analysis of six ML classifiers, namely, Decision Tree (DT), Random Forest (RF), Naïve Bayes (NB), k-Nearest Neighbours (k-NN), Support Vector Machine (SVM), and Deep Neural Network (DNN), with a novel sampling technique, namely, Coefficient of Variation (CoV)-based stratified cross-validation. Moreover, the thesis also presents a pragmatic application of regularization techniques and a fusion of regularization techniques for handling over-fitting in DNN. DNN is an advanced ML technique that is based on artificial neural networks. Moreover, the empirical analysis of ML classifiers reveals that DNN possesses intriguing efficacy to learn and analyze data. Hence, we consider DNN for designing the intrusion detection and classification system in the successive approaches. For attaining enhanced feature engineering capability, the thesis presents two novel feature selection techniques, namely, fusion of statistical importance using Standard Deviation and Difference of Mean and Median, which selects features based on their statistical importance, and fusion of Genetic Algorithm (GA) with the Correlation-based Feature Selection (CFS) technique, which selects features based on their correlation with the target label. The merit and integrity of a holistic and abstract view of data representation can be considered a primer for the underlying classification technique, which can influence the performance of the designed IDS. It can be implicitly deduced that if the data is not represented well, it might have a negative impact on the performance of the underlying classification technique, whereas an abstract and fine representation of data would result in better understanding and learning. 
With an aim to enhance the performance of the designed IDS, the thesis presents two approaches that incorporate custom layers that strive to achieve a fine representation of data in the DNN architecture, namely, a custom feature selection layer with weighted modeling and a custom AntiRectifier layer. For ensuring improved learning capability of DNN and effective handling of high-dimensional data, advanced analytical techniques are proposed in this thesis. These include a federated learning inspired DNN architecture, wherein the dataset is divided into multiple clusters using k-means and the derived clusters are used to train DNN models; an ensemble learning approach for DNN-based IDS using threshold-based retraining, inspired by the re-reading learning strategy of an individual; and a novel approach for DNN-based IDS using an adaptive learning rate derived from the implicit human skill learning process. Intrusion detection datasets considered in the literature for performance evaluation suffer from the class imbalance problem. Hence, to address the class imbalance problem, a novel ensemble learning-based DNN is proposed in this thesis for enhancing the performance of intrusion detection and classification. The performance of the proposed approaches is evaluated using different intrusion detection datasets that vary in various aspects such as the type of network environment considered for capturing network packets, the type of network features, variability in data instances, and a wide range of attack categories, to name a few. Moreover, the thesis explores the capabilities of ML techniques for attack detection and classification to achieve enhanced performance in terms of varied performance measures that include accuracy, precision, recall, f-score, and False Positive Rate (FPR). Hence, the thesis presents an empirical analysis of the proposed solutions using varied intrusion detection datasets consisting of synthetic as well as realistic network traffic. 
It can be inferred from the results of the proposed approaches that the designed approaches enhance attack classification capability by addressing various aspects. The results achieved for the considered evaluation metrics are also statistically significant, as tested using the Wilcoxon signed-rank test. | en_US |
dc.language.iso | en_US | en_US |
dc.publisher | Institute of Technology | en_US |
dc.relation.ispartofseries | 18FTPHDE30;TT000142 | - |
dc.subject | Theses | en_US |
dc.subject | Computer Theses | en_US |
dc.subject | Theses Computer | en_US |
dc.subject | Theses IT | en_US |
dc.subject | Dr. Ankit Thakkar | en_US |
dc.subject | 18FTPHDE30 | en_US |
dc.subject | TT000142 | en_US |
dc.title | Enhancing Attack Classification for Intrusion Detection Systems using Machine Learning Techniques | en_US |
dc.type | Thesis | en_US |
Appears in Collections: | Ph.D. Research Reports |
Files in This Item:
File | Description | Size | Format | |
---|---|---|---|---|
18FTPHDE30.pdf | 18FTPHDE30 | 4.51 MB | Adobe PDF | View/Open |
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.