IMPROVING INTRUSION DETECTION

SYSTEMS WITH MACHINE LEARNING TO

STRENGTHEN NETWORK SECURITY

1
 ABSTRACT

Machine Learning which is one of the most prominent applications of Artificial

Intelligence, is doing wonders in the research field of study. Machine Learning is a rapidly
growing field that has found its application in various industries across the world. Security
measures to prevent malicious activity and unauthorized access to computer networks are
mostly dependent on IDS. This work suggests a hybrid IDS strategy that combines the
XGBoost and Random Forest algorithms. Because of its scalability and resilience, Random
Forest can effectively handle big, highly dimensional datasets. By improving the detection
accuracy of the IDS, XGBoost, which is renowned for its effectiveness in managing sparse
data and understanding intricate patterns, enhances Random Forest. By combining the
advantages of both methods, the hybrid model seeks to increase detection rates while
lowering false positive rates. The outcomes of the experiments show how well the
suggested method works to improve IDS performance, underscoring its potential to protect
computer networks from a variety of online threats.

2
 CHAPTER 1
INTRODUCTION

3
IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

CHAPTER-1
INTRODUCTION

1.1 INTRODUCTION
The security of computer networks is critical in today's globally interconnected world.
Traditional security measures by themselves are no longer adequate to fend off intrusions
and harmful activity due to the growing sophistication of cyber threats[1]. By keeping an
eye out for unusual activity in system logs and network traffic, intrusion detection systems,
or IDSs, are essential in spotting and eliminating these threats.Traditional IDSs struggle to
keep up with new attack strategies and zero-day vulnerabilities because they rely on
predetermined rules or signatures to identify knownthreats[2]. This constraint has prompted
research into machine learning (ML) methods as a way to improve IDS performance. Using
ML, IDS scan go beyond strict adherence to rules by using historical data to identify
anomalies that may be signs of an impending intrusion[3].

The life cycle of the data that is currently available thanks to new technologies involves
numerousstages, such as generation, transfer, storage, and deletion[4]. At any point in the
data cycle, the portable information is quite valuable, particularly when it comes to financial
transactions, governments, or the armed forces. As such, information security and data
privacy were crucial concerns for minimizing damages brought about by ignoring them.
Hackers attempt to steal, alter,or destroy data due to system weaknesses, frequently causing
harm to the systems themselves[5].The purpose of this study is to use machine learning
algorithms to give a thorough investigation of intrusion detection systems. It will go over
the difficulties faced by conventional IDSs, the advantages of using ML algorithms, and the
many ML techniques that are frequently applied to IDSs[6].

The introduction lays the groundwork for comprehending the role that ML-based IDSs play
in contemporary cybersecurity procedures. It emphasizes how effective defense against
changing cyberthreats requires flexible and intelligent security solutions[7] . Therefore, the
goal of thisresearch is to add to the body of knowledge about machine learning-based IDSs
and how they protect computer networks against intrusion attempts.The proposed
architecture is random forest known for its efficiency in managing huge datasets with high
dimensionality, the Random Forest method is used in the suggested Intrusion Detection
System (IDS) approach. Random Forest is an effective method for identifying both

5
IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

legitimate and invasive network activity, offering a reliable way to find anomalies.
Nevertheless, Random Forest has many shortcomings in spite of its advantages[8]. One of
its primary disadvantages is that it tends to overfit when the forest has an excessive number
of trees, which might result in poorer generalization performance on data that hasn't been
seen before[9]. Furthermore, because Random Forest can bias the model in favor of the
majority class, it may not perform well on datasets that are severely imbalanced and have
one class with a considerable population advantage over the other[10]. Using this, the
output is accurate. But not faster. So, for this, we used a hybrid approach which consists of
random forest and xgboost algorithms to predict IDS.

5
 CHAPTER 2
LITERATURE SURVEY
IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

CHAPTER-2
LITERATURE SURVEY

Yuansheng Dong, Rong Wang and Juan He et al. [1] proposed a real-time network intrusion
detection system based on deep learning, which through the system Flume collects log
information and network information, uses Flink to perform real-time cleaning and feature
extraction on the original data, and then transmits the extracted high-order features to the
neuralnetwork for training and judgment.

Nadeem et al. [2] proposed a neural network with semi-supervised learning, and uses a
small number of labeled samples to obtain high accuracy by using small amount of data
advantage is high efficiency when compared with deep learning technique.

Staudemeyer et al. [3] proposed a intrusion detection based on LSTM regression neural
network. The results show that the LSTM classifier lias certain advantages over other strong
staticclassifiers. These advantages lie in detecting DoS and Robe attacks, both of which can
produce unique time series characteristics. In order to compensate for the high false alarm
rate.

Kim et al. [4] proposed a call language modeling method to improve the host intrusion
detectionsystem based on LSTM. By integrating call language modeling, the system can
better analyze and understand the sequence of system calls, thereby enabling it to detect
anomalous behavior indicative of potential intrusions with higher precision and efficiency.

Agarap et al. [5] proposed a softmax by introducing linear support vector machine (SVM)
into thefinal output layer of GRU model, and applied the model to the second classification
of intrusiondetection.

7
IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

Table 2.1. Literature Study

S.No Title Author Year Algorith Advantages Accuracy Limitatio
ns
publis msused
hed

Real-Time Yuansheng 2019 Deep The learning of The There are

Network Dong, Learning neural networks experiment some
Intrusion Rong Techniqu has obvious al results shortcom
Detection
Wang and essuch as advantages in of the ings in
System
JuanHe hierarchi identifying intrusion the actual
Basedon
1. cal threats. detection test,
Deep
Learning abstractio dataset mainly in
n. KDD 99 the long
show that training
the period
accuracy and poor
of the AE- portabilit
AlexNet, y.
model is as
high as
94.32%.

Automatic Nade 2016 Semi- Efficienc y is The high

salt etn, supervise very high efficiency false
deposits Muta d deep of this alann
segmentati hir, neural methodis rate.
2. on:A deep network high
learning for because of
approach network small
intmsion amount of
detection. data 96%
"

Applying Stau 2015 LSTM advantageslie in compensate LSTM

longshort- dem regressio detecting DoS for the high regre
term cyer. nneural and Robe false alarm ssion
memory Ralf network. attacks. rate. is
recurrent C. time
3. neural taken
networks proce
to ss for
intrusion analy
detection sis.

7
IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

LSTM- Kim, 2016 A call Its advantage Improve One

based Gyuw language lies in its ability the host limitatio
system- an.et modeling to capture intrusio nisits
call al. method to sequential n reliance
language improve the patterns using detectio on
modeling host LSTMnetworks nsystem labeled
4. androbust intrusion ,enhancing the training
ensemble detection detection data,
method system accuracy of the which
for basedon host intrusion can be
designing LSTM. detection challengi
host-based system. ng to
intrusion obtain
detection forreal-
systems world
intrusion
scenarios
and may
introduce
biases or
inaccura
c
ies.
A neural Agarap 2018 linear More By If
network ,Abien support advanced combining the
architectu FredM. vector Technique for gated nu
re machine intrusion recurrent m
combinin (SVM) into detection. unit (GRU) ber
5. ggated the final and of
recurrent output layer support Techniqu
unit(GRU of GRU vector es used,
)and model, and machine the
support applied the (SVM) for computat
vector model to the intrusion io nal
machine second detection timealso
(SVM) for classificatio reduce increases.
intrusion nof network
detection intrusion traffic.
in detection.
network
traffic
data

8
IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

CHAPTER 3
PROPOSED SYSTEM

9
IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

CHAPTER 3
PROPOSED SYSTEM

3.1 PROPOSED SYSTEM

To improve network security, a hybrid approach called Random Forest and XGBoost is
suggested for the IDS. The robust and scalable Random Forest algorithm is used to
efficiently categorize both normal and intrusive network activity. By increasing the IDS's
detection accuracy, XGBoost, which is well-known for its effectiveness in managing sparse
data and understanding intricate patterns, enhances Random Forest. The IDS seeks to
improve network security by combining both algorithms into a hybrid model that will
increase detection rate while preserving low false positive rate. The hybrid approach is a
complete and user-friendly solution because it incorporates front-end connection with
Flask, enabling users to communicate with the IDS and view results in real-time. The
proposed model gives the accuracy of 99% which will be the best fit for IDS prediction.

3.2 SYSTEM ARCHITECTURE

An IDS using machine learning architecture usually consists of multiple phases. During this
phase, information is gathered from a variety of sources, including system logs, network
traffic, and other pertinent sources. Preprocessing is done on the gathered data to clean,
standardize, and format it appropriately for analysis. Data normalization, dimensionality
reduction, and feature selection might be involved in this. Preprocessed data is used to
extract pertinent features. These characteristics could be system call sequences, network
packet headers, or other elements useful for identifying intrusions. Labeled or unlabeled
data is used to train machine learning models, such as supervised learning algorithms (e.g.,
random forest, XG boost) or unsupervised learning algorithms (e.g., clustering, anomaly
detection), to identify patterns of typical and malevolent actions. Performance indicators
including accuracy, precision, recall, and F1-score are used to evaluate the trained models
to determine how well they identify incursions. A model can be used to monitor network
traffic or system activity for possible intrusions in real time after it has been trained and
assessed.

10
 IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

Figure: Machine Learning Model

3.3 FLOW CHART:

The procedure of an IDS that uses machine learning is described in the flowchart. The first
step is to continuously monitor system activity or network traffic. Various sources of data are
gathered, and before analysis, preprocessing is done. The processed data is converted into
an intrusion dataset that contains annotated instances of both harmful and normal behavior.
Different activities are characterized by extracting relevant features. The intrusion dataset
is then used to build a machine-learning model that will identify intrusions. The trained
model is then used to anticipate possible attacks.

13
 IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

Figure: Flow Chart

3.4 ALGORITHM:

Algorithm for proposed model Random Forest and XG Boost:

Step 1: Import Libraries:
Import the necessary libraries, including pandas for data manipulation, pickle
forserializing
Python objects, and various modules from scikit-learn for machine learning tasks.
Step 2: Loading the Data:
Load the dataset into a pandas DataFrame using pd.read_csv().

Step 3: Splitting the Data:

Split the dataset into features (X) and target variable (y) using pandas
DataFrame operations.

Split the data into training and testing sets using train_test_split() from scikit-learn.
Thisallows evaluation of the models' performance on unseen
Step 4: Random Forest Model:
• Initialize a Random Forest classifier (RandomForestClassifier()).
• Fit the model to the training data using. fit ().

• Predict the target variable for the test set using. predict ().

• Evaluate the model's performance using metrics such as accuracy.

13
 IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY
Step 5:XG Boost Model:
• Initialize a Random Forest classifier (XGBClassifier()).
• Fit the model to the training data using. fit ().
• Predict the target variable for the test set using. predict ().
• Evaluate the model's performance using metrics such as accuracy.
Step 6:
# Predict with Random Forest model
rf_prediction = rf_model.predict(preprocessed_input_np)
# Predict with XGBoost model
xgb_prediction = xgb_model.predict(preprocessed_input_np)
# Combine predictions (for simplicity, taking the mode)
hybrid_prediction = max(rf_prediction[0], xgb_prediction[0]) # Change based on
your logic
rf_preds.append(rf_prediction[0])
xgb_preds.append(xgb_prediction[0])
hybrid_preds.append(hybrid_prediction)
Step 7: Print Results:
Print the evaluation results for each model including accuracy and predict
the output.
Step 8: Save Model:
Serialize the Random Forest and XGBoost models using pickle.dump() to
save them as binary files for later use.

13
IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

CHAPTER 4
RESULTS

14
 IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

CHAPTER 4
RESULTS
4.RESULTS:
4.1.1 Input: Normal Detection

Figure 4.1.1. Input Representation For Normal Detection

4.1.1Output:

Figure 4.1.1. Output Representation For Normal Detection

16
 IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

4.1.2 Input: Anamoly Detection

Figure 4.1.2. Input Representation For Anamoly Detection

4.1.2 Output:

Figure 4.1.2. Output Representation For Anamoly Detection

16
IMPROVING INTRUSION DETCETION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

CHAPTER 5
CONCLUSION

17
 IMPROVING INTRUSION DETECTION SYSTEMS WITH MACHINE LEARNING TO STRENGTHEN NETWORK SECURITY

5.1 CONCLUSION

In this project, The hybrid approach hybrid approach which combines XGBoost and
Random Forest has shown to be incredibly successful. We were able to develop a reliable
and effective system that could precisely identify both normal and anamoly activity in
network data by combining the advantages of both methods. Large datasets and intricate
feature interactions were no problem for the Random Forest model, which served as a strong
base. The gradient boosting technique of XGBoost improved our detection skills even
further, enhancing the overall accuracy and performance of our IDS. We have shown
through rigorous testing and assessment on the KDDTrain.csv dataset that our hybrid
approach performs better than individual models and can categorize network traffic with a
high degree of accuracy. The system is also appropriate for deployment in large-scale
network environments because to its scalability and real-time processing capabilities, which
guarantee prompt and efficient identification of security risks. Through the integration of
sophisticated anomaly detection techniques, hyperparameter optimization, and further
exploration of feature engineering methodologies, we want to further enhance our hybrid
approach. Our ability to offer a strong defense against dynamic cyberthreats will be aided.

18
BIBLIOGRAPHY
 REFERENCES

[1] Yuansheng Dong, Rong Wang and Juan He.et.al "Real-Time Network Intrusion
Detection System Based on Deep Learning." S 978-l-7281-0945-9/19/$31.0002019
IEEE.

[2] Nadeem. Mutahir. et al. "Semi-supervised deep neural network for network intrusion
detection."(2016).

[3] Staudemeyer. Ralf C. et.al "Applying long short-term memory recurrent neural networks
to intrusion detection." South African Computer Journal 56.1 (2015): 136-154.

[4] Kim, Gyuwan. et al. "LSTM-based system-call language modeling and robust ensemble
methodfor designing host-based intrusion detection systems." arXiv preprint arXiv:
1611.01726 (2016).

[5] Agarap, Abien Fred M. et.al "A neural network architecture combining gated recurrent
unit (GRU) and support vector machine (SVM) for intrusion detection in network traffic
data." Proceedings ofthe 2018 10th International Conference on Machine Learning and
Computing. ACM, 20

19
19