Journal Publication of International Research for Engineering and Management (JOIREM)
Volume: 10 Issue: 06 | June-2024
NEXT-GEN NETWORK ATTACK DETECTION WITH MACHINE
LEARNING AND DEEP LEARNING TECHNIQUES
Dr.M.Deepa1, M.P.Venkat Vijay2, S. SriRanjani3,V. Sowmiya4,V. Ramya5
1Assistant Professor, Department of Computer Science, Pavai Arts & Science College for Women.
2,3,4.5Student,Department of Computer Science & Engineering, Paavai College of Engineering
---------------------------------------------------------------------***---------------------------------------------------------------------
Abstract -Systems for detecting network intrusions that are
based on anomalies are very important. This research
proposes robust machine learning and deep learning models
for classifying different forms of network intrusions and
attacks. The 49-feature UNSW-NB15 dataset has been used in
experiments by suggested models for nine distinct assault
samples. Among the ensemble models, the Decision Tree
classifier yielded the highest accuracy of 99.05%, followed by
Random forest (98.96%), Adaboost (97.87%), and XGBoost
(98.08%).The K-Nearest Neighbour classifier was trained for
a range of K values, with K=7 yielding the best results and an
accuracy of 95.58%. For binary classification, a Deep
Learning model with two dense layers activated by ReLU and
a third dense layer activated by Sigmoid was created. It
yielded good accuracy of 98.44% when used with the ADAM
optimizer and an 80:20 Train-Test Split Ratio. XGBoost
detects network attack exploits with 95% accuracy, Random
Forest detects fuzzer attacks with 90% accuracy, Random
Forest detects generic assaults with 99% accuracy, and
Decision Trees detects reconnaissance attacks with 79%
accuracy. Detecting network attacks requires no feature
selection because all features are powerful and important.
KeyWords: optics, photonics, light, lasers, templates, journals
1.INTRODUCTION
The Internet of Things (IoT), cloud-based services, and
massive networking equipment are to blame for the
exponential growth in network data [1]. Attacks are
growing rapidly along with network data, posing a
serious risk to network security. Although more security
devices can be added to a network to increase security,
total protection cannot be guaranteed. Future threats
must be addressed in addition to current ones. At the
system, network, application, and transmission levels,
the current Network Intrusion Detection System (NIDS)
offers a tiered security defense for the network [12].
When an attacker gets past one layer of defense, layered
security ensures that additional layers will stop them.
Inadequate precision, dynamic network traffic behavior,
low-frequency network attacks, adaptation to software-
defined networks, and the large amount of stored data
are major issues with current NIDS.
The majority of NIDS in use today are anomaly- or
signature-based detection systems. Only the list of
known threats and associated compromise indicators are
covered by signature-based NIDS [13]. When it comes
to known assaults, it is quite accurate and processes data
quickly. However, it is unable to recognize the zero-day
attack and, regardless of the result, raises unnecessary
alarms, akin to a Window worm attempting to infiltrate
a Linux machine. Depending on the operating system,
version, and apps, it is impractical for internal attacks
[16]. Using anomaly-based NIDS, one can find novel,
suspicious activity that deviates from typical behavior.
NIDS that is anomaly-based is effective at identifying
zero-day attacks. Nevertheless, the greater chance of
false positives means more time and money need to look
into every warning of possible risks.
NIDS based on machine learning [18] has the ability to
acquire classification models from training sets.
Training the model with large and varied samples of
network data makes it robust to categorize attacks into
potential groups. By identifying attack patterns based on
network characteristics, deep learning models are also
essential to NIDS. Additionally, it does away with the
need for feature representation, selection, and
correlation [19]. With fewer false alarms, the deep
learning model effectively detects the attack and learns
the hidden network behavior. Regretfully, criminals are
utilizing
advanced methods to take advantage of computer
resource weaknesses. However, the number of
computing infrastructure breaches is rising at an
exponential rate. This research proposes a robust NIDS
with excellent accuracy and F-Measure utilizing
machine learning and deep learning approaches.
 Journal Publication of International Research for Engineering and Management (JOIREM)
Volume: 10 Issue: 06 | June-2024
2. RELATED WORKS
Moustafa et al. used the multivariate skewness,
multivariate kurtosis, and Kolmogorov-Smirnov test to
statistically analyze the observations and features. To
assess the importance between features, supervised
feature correlation using the Gain Ratio and
unsupervised feature correlation using Pearson's
correlation coefficient were also carried out. Lastly, the
complexity of the UNSW-NB15 dataset are assessed
using the current classifiers, which have metrics for false
alarm rate and accuracy. Well-performing, the decision
tree classifier yielded an accuracy of 85.56% and a false
alert rate of 15.78% [13].
An intrusion detection system, a frequent signature
database, an updating agent, and a complementing
signature database make up the four components of the
NIDS that Almutairi et al. suggested [1]. Network
packets are stripped of their signatures by IDS, which
then compares them to signature databases and sounds
an alarm if there is a match. With fewer false positives,
this four-component approach guarantees early and
accurate attack detection. Moreover, attacks with rare
signatures are detected by the signatures stored in the
supplementary database. The primary problem in
signature-based detection is false alarm minimization,
which can be resolved by state-full signatures,
vulnerability signatures, and signature augmentation.
Meftah et al. suggested using machine learning
techniques in anomaly-based NIDS. The index of
feature relevance in lowering impurity throughout the
entire forest is assigned using a random forest with 10-
fold cross-validation. Ct dstsrcltm, ctsrvdst, ctdst sport
ltm, ctsrcdportltm, and ctsrvsrc are the top features of
the UNSW-NB15 Dataset. In the binary classification
model for attack detection, Support Vector Machine
surpassed Logistic Regression and Gradient Boost
Machine with an accuracy of 82.11%. The multi-
classification model with Decision Tree C5.0 beat Naive
Bayes and Support vector machines in identifying the
type of attack.
In order to detect attacks (Normal, DoS, Probe
Categories, R2L, U2R), Peng et al. suggested Deep
Neural Network (DNN)k with five hidden layers using
the NSL-KDD Dataset. They then compared the
network's performance with machine learning models
(Support Vector Machines, Random Forest,
LinearRegression Models). For the purpose of
classifying Normal, Dos, and Prob categories, DNN
yielded acceptable results. SVM did a good job of
identifying four attacks in addition to Normal.
Moreover, random forests and linear regression were
effective in detecting network threats. [24]
The UNSW-NB15 dataset was used in earlier research,
which involved learning machine learning and deep
learning models on a subset of features. This reduced
model performance because the feature set only had 47
features, which is a relatively small number given the
importance of each feature. There is a dearth of
literature on deep neural networks, and what little there
is has only addressed a small number of assaults. To
detect network threats, four classical, three ensemble
machine learning, and deep multi-layer perceptron
models are used in this study.
3. PROPOSED METHODOLOGY
The Australian Centre for Cyber Security created the
UNSW-NB15 Dataset [22], which has 49 features (five
flow features, thirteen basic features, eight control
features, nine-time features, five additional generated
general-purpose features, seven additional generated
connection features, and two labeled features) and nine
families of attacks on which the proposed method has
been tested. These characteristics show the patterns of
modern network traffic that are gathered from packet
header, server to client, and packet header
communications [21]. The dataset comprises 2540044
samples containing network traffic related to Backdoors
(2329), DoS (16353), Exploits (44525), Normal
(2218761), Fuzzers (24246), Analysis (2677),
Reconnaissance (13987), Shellcode (1511), and Worms
(174).
Support Vector Machine (SVM), Adaboost, XGBoost,
Random Forest, K-Nearest Neighbor (KNN), Decision
Tree (DT), Multi-Layer Perceptron (MLP), and Deep
Multi-Layer Perceptron (Deep MLP) are the binary
classification models that are used to identify network
threats [26]. SVM is a statistical learning classifier that
distinguishes between network attack patterns and
regular traffic patterns using multidimensional hyper-
planes [33]. SVM with linear kernel allows for quick
 Journal Publication of International Research for Engineering and Management (JOIREM)
Volume: 10 Issue: 06 | June-2024
training and a large feature collection. KNN is a
memory-based classifier that uses the majority class
label of K-nearest neighbors to predict an unknown
sample's class label [5]. A multistage approach for
decision-making that works with both nominal and
numerical data is the DT classifier [2].
Because it only has a small number of layered simple
conditional expressions, it generates decisions quickly.
An ensemble classification model called a Random
Forest classifier uses bagging to train a set of CART
trees in order to produce predictions. This model
employs out-of-bag error estimation, random feature
selection to determine a node's choice, and averaging the
likelihood of each tree class assignment to determine the
final class [4].
Adaboost enhances a number of subpar models to create
a strong prediction model. It is the best classifier right
out of the box, requires no parameter tinkering, and is
less prone to overfitting [9]. Through parallel
implementation, Extreme Gradient (XG) is an ensemble
classifier that boosts a poor classifier. Additionally, it
facilitates hardware optimization, avoids overfitting,
handles missing data, and prunes trees.
In order to map input information to class labels, deep
neural networks are essential. Using a back propagation
weight modification approach, two models are built to
predict class labels: Multi-Layer Perceptron (MLP) and
Deep MLP.The quasi-newton lbfgs for the optimizer,
hidden neuron strength of 15, penalty regularization
term parameter alpha with value 1e-5, and random state
value 1 are the values of the MLP parameters. Two
dense layers with Relu activation and a dense layer with
a sigmoid activation function make up the suggested
Deep MLP. Based on the outputs from the preceding
layer, sigmoid activation predicts the target class, and a
dense layer using Relu activation produces an accurate
mixing of inputs from features.
4. RESULTS & DISCUSSION
The suggested intrusion detection solution for networks
was put into practice using Ubuntu 20.04.4 with an Intel
Core 11th generation i7 CPU with 16GB RAM and a
1TB hard drive. The Keras 2.3.1 and TensorFlow 2.2.0
libraries are used in Python to implement the machine
learning and deep learning models.
Accuracy, Precision, Recall, F1-Measure, Receiver
Operating Characteristic Curve (ROC), and Area under
ROC (AUC) are the metrics used to assess the suggested
system [8]. True positive (TP), False negative (FN),
False positive (FP), and True negative (TN) values make
up the 2*2 confusion matrix. The percentage of attack
samples that are categorized as attacks is called True
Positive. False Negative denotes the quantity of attack
samples that were incorrectly identified as normal.
The number of incorrectly categorized normal samples
is known as a false positive, while the number of
correctly classified normal samples is known as a
genuine negative. The percentage of samples that are
correctly classified is known as accuracy. The ratio of
accurately categorized attacks to the total number of
attack samples is known as recall. In classified assaults,
precision refers to real attack samples.
The performance of many machine learning models in
detecting network attacks. Decision Tree yielded the
highest results, with an accuracy of 99.05% and an F1-
Measure of 0.99, for recognizing network assaults. Not
insignificant are the outcomes obtained via SVM, which
yielded an accuracy of 95.17% and an F1-Measure of
0.94. The KNN models are trained for various K
neighbors (2,3,4,5,6,7,8,9), with K=7 yielding the best
accuracy of 95.58%. The features that are utilized to
train the model are highly significant and might
significantly differ between normal network traffic and
attacks. Thus, ensemble learning techniques like
bagging in random forest and boosting in Adaboost and
XGBoost are inferior to simple decision trees.
 Journal Publication of International Research for Engineering and Management (JOIREM)
Volume: 10 Issue: 06 | June-2024
Figure 1: ROC & Precision Recall curve for all ML
Models
With an 80:20 Train-Test ratio, a high accuracy of
98.44%, and an F1-Measure of 0.98 for the Adam
optimizer, the Deep Multi-Layer Perceptron performs
exceptionally well. Adam outperforms the stochastic
gradient descent optimizer in terms of performance. For
the 80:20 Train-Test split, the Deep MLP model with
Adam Optimizer yielded the best results since it
accurately reflects the ratio of attack network traffic to
normal system traffic. The Moustafa et al. network
anomaly detection method achieved 85.56% accuracy
for Decision Trees and 81.34% accuracy for Artificial
Neural Networks.
4. CONCLUSION
Deep learning and machine learning models for NIDS
are covered in this work. In terms of performance,
and XGBoost ensemble models, with a 99.05% success
rate. The UNSWNB15 dataset has robust and highly
relevant features for detecting network assaults. With
seven neighbors, the KNN machine learning model
yielded an accuracy of 95.58%. using high True
Positives and False low negatives, the deep learning
model using the ADAM optimizer and 80:20 Train-Test
split yielded an accuracy of 98.44%. Machine learning
models are also useful for classifying several types of
attacks, including reconnaissance, fuzzers, exploits, and
generic attacks.
The UNSW-NB15's features aren't strong enough to
withstand variations from DoS, Worms, Backdoors, and
Shellcode attacks. In the future, network traffic pcap
files' texts can be used to directly train deep learning
models, such as one-dimensional Convolutional Neural
Networks (CNN), to recognize assaults. With its
convolutional layers, CNN automatically extracts
features from pcap data, negating the need for intricate
feature engineering. Visualization representation is a
new technique being used for malware identification and
network assault prevention. Greyscale, RGB, or Markov
picture representations are available for the network
pcap files. Two-dimensional CNN, which can identify
network assaults with a high degree of covariance, is
trained using these images.
REFERENCES
[1] Almutairi, A.H., Abdelmajeed, N.T., 2017.
Innovative signature based intrusion detection
system: Parallel processing and minimized
database, in: 2017 International Conference on
the Frontiers and Advances in Data Science
(FADS), IEEE. pp. 114–119.
[2] Ammar, A., et al., 2015. A decision tree
classifier for intrusion detection priority
tagging. Journal of Computer and
Communications 3, 52.
[3] Arce, I., 2004. The shellcode generation. IEEE
security & privacy 2, 72–76.
[4] Belgiu, M., Dragut¸, L., 2016. Random forest in
remote sensing: A review of applications and
future directions. ISPRS journal of photogram- ˘
metry and remote sensing 114, 24–31.
[5] Cunningham, P., Delany, S.J., 2021. k-
nearestneighbour classifiers-a tutorial. ACM
Computing Surveys (CSUR) 54, 1–25.
 Journal Publication of International Research for Engineering and Management (JOIREM)
Volume: 10 Issue: 06 | June-2024
[6] Dada, E.G., Bassi, J.S., Chiroma, H., Adetunmbi,
A.O., Ajibuwa, O.E., et al., 2019. Machine
learning for email spam filtering: review,
approaches and open research problems.
Heliyon 5, e01802.
[7] De Canniere, C., Biryukov, A., Preneel, B., 2006.
An introduction to block cipher cryptanalysis.
Proceedings of the IEEE 94, 346–356.
[8] Dhanya, K., Dheesha, O., Gireesh Kumar, T.,
Vinod, P., 2020. Detection of obfuscated mobile
malware with machine learning and deep
learning models, in: Symposium on Machine
Learning and Metaheuristics Algorithms, and
Applications, Springer. pp. 221–231.
[9] Freund, Y., Schapire, R.E., 1997. A decision-
theoretic generalization of on-line learning and
an application to boosting. Journal of computer
and system sciences 55, 119–139.
[10]Friedman, J.H., 2001. Greedy function
approximation: a gradient boosting machine.
Annals of statistics , 1189–1232.
[11]Gandhi, M., Srivatsa, S., 2008. Detecting and
preventing attacks using network intrusion
detection systems. International Journal of
Computer Science and Security 2, 49–60.
[12]Garuba, M., Liu, C., Fraites, D., 2008. Intrusion
techniques: Comparative study of network
intrusion detection systems, in: Fifth
International Conference on Information
Technology: New Generations (itng 2008), IEEE.
pp. 592–598.
[13]Gascon, H., Orfila, A., Blasco, J., 2011. Analysis
of update delays in signature-based network
intrusion detection systems. Computers &
Security 30, 613–624.
[14]Hubballi, N., Suryanarayanan, V., 2014. False
alarm minimization techniques in signature-
based intrusion detection systems: A survey.
Computer Communications 49, 1–17.
[15]Jing, D., Chen, H.B., 2019. Svm based network
intrusion detection for the unsw-nb15 dataset,
in: 2019 IEEE 13th international conference on
ASIC (ASICON), IEEE. pp. 1–4.
[16]Kumar, V., Sangwan, O.P., 2012. Signature
based intrusion detection system using snort.
International Journal of Computer Applications
& Information Technology 1, 35–41.
[17]Lee, B., Amaresh, S., Green, C., Engels, D., 2018.
Comparative study of deep learning models for
network intrusion detection. SMU Data Science
Review 1, 8.
[18]Lee, C.H., Su, Y.Y., Lin, Y.C., Lee, S.J., 2017.
Machine learning based network intrusion
detection, in: 2017 2nd IEEE International
conference on computational intelligence and
applications (ICCIA), IEEE. pp. 79–83.
[19]Li, P., Salour, M., Su, X., 2008. A survey of
internet worm detection and containment. IEEE
Communications Surveys & Tutorials 10, 20–35.
[20]Meftah, S., Rachidi, T., Assem, N., 2019.
Network based intrusion detection using the
unsw-nb15 dataset. International Journal of
Computing and Digital Systems 8, 478–487.
[21]Moustafa, N., Slay, J., 2015a. The significant
features of the unsw-nb15 and the kdd99 data
sets for network intrusion detection systems,
in: 2015 4th international workshop on building
analysis datasets and gathering experience
returns for security (BADGERS), IEEE. pp. 25–
[22]Moustafa, N., Slay, J., 2015b. Unsw-nb15: a
comprehensive data set for network intrusion
detection systems (unsw-nb15 network data
set), in: 2015 military communications and
information systems conference (MilCIS), IEEE.
pp. 1–6.
[23]Moustafa, N., Slay, J., 2016. The evaluation of
network anomaly detection systems: Statistical
analysis of the unsw-nb15 data set and the
comparison with the kdd99 data set.
Information Security Journal: A Global
Perspective 25, 18–31
[24]Peng, Y., Su, J., Shi, X., Zhao, B., 2019.
Evaluating deep learning based network
intrusion detection system in adversarial
environment, in: 2019 IEEE 9th International
Conference on Electronics Information and
Emergency Communication (ICEIEC), IEEE. pp.
61–66.
[25]Rieger, P., Nguyen, T.D., Miettinen, M., Sadeghi,
A.R., 2022. Deepsight: Mitigating backdoor
attacks in federated learning through deep
model inspection. arXiv preprint
arXiv:2201.00763 .
[26] Sugunan, K., Gireesh Kumar, T., Dhanya, K.,
2018. Static and dynamic analysis for android
malware detection, in: Advances in Big Data
and Cloud Computing. Springer, pp. 147–155