
Cybersecurity FInal 1

This document presents a hybrid Network Intrusion Detection System (NIDS) that combines Signature-based NIDS (SNIDS) using Suricata and Anomaly Detection-based NIDS (ADNIDS) utilizing a Machine Learning Decision Tree algorithm. The proposed model aims to effectively detect both known attacks through signature matching and unknown zero-day attacks by identifying deviations from a defined network baseline. The research emphasizes the inadequacies of traditional security measures and the necessity for advanced intrusion detection mechanisms in modern computer networks.

Uploaded by

Abby Abby


A Suricata and Machine Learning Based Hybrid Network Intrusion Detection System

Chapter · January 2022


DOI: 10.1007/978-3-030-91738-8_43


All content following this page was uploaded by Said Ouiazzane on 09 May 2023.



A Suricata and Machine Learning based hybrid Network Intrusion Detection System

Said OUIAZZANE¹*, Malika ADDOU², Fatimazahra BARRAMOU³

¹ ASYR Team, LaGeS Laboratory, Hassania School of Public Works, Morocco

Abstract. The objective of this paper is to propose a hybrid model of Network Intrusion
Detection System (NIDS) based on the use of two types of IDS: Signature-based NIDS
(SNIDS) and Anomaly Detection-based NIDS (ADNIDS). Indeed, modern computer
networks have become the backbone for all the most critical business sectors. In parallel
with the evolution and expansion of computer networks, cyber threats keep improving
day after day to become more and more sophisticated and capable of bypassing all
security policies implemented by information security managers. Cyberattacks
can cause irreparable damage and cost the victim entity a lot of money,
for example following a leak of critical and sensitive information. In addition, traditional
prevention mechanisms such as network firewalls are no longer sufficient to counter
cybercrime as they are only able to stop known attacks from the outside but not those
coming from the inside or 0-day attacks. Therefore, intrusion detection systems are very
important devices to deploy in IT infrastructures to protect them from suspicious
activities. However, SNIDS alone only provides detection of intrusions with known
signatures but not unknown 0-day attacks. ADNIDS, on the other hand, can detect
unknown intrusions but generates very high false alarm rates. Another approach is to use
both types of NIDS to form a hybrid system and it is the most effective solution to
counter any type of attack, including unknown cyber threats. The use of both SNIDS and
ADNIDS at the same time forms what is called a hybrid NIDS. Our hybrid NIDS model
is based on Suricata as the SNIDS and ADNIDS based on the Machine Learning
Decision Tree algorithm. The network baseline includes the set of benign traffic patterns
and was designed after balancing and optimizing the CICIDS2017 dataset. The
classification of the benign traffic via Decision Tree yielded very conclusive results in
accuracy, F-Measure, Recall, and precision.

Keywords: Intrusion Detection. Zero-day attacks. Machine Learning. Multi-Agent Systems. Cybersecurity.

1 Introduction

Computer networks have become the backbone for all of the most critical business sectors [1].
As these networks evolve and expand, cyber threats continue to threaten the security of IT
infrastructures. As a result, security threats are improving day by day, becoming more
sophisticated and capable of circumventing all security policies implemented by government
agencies and critical infrastructures.
Network intrusions can come from several sources of threats, including the presence of
software bugs due to operating systems and software that are becoming larger and more
feature-rich [2]. Cyberattacks can cause irreparable damage at a high cost to the victim entity,
for example by leaking critical and sensitive information. In addition, traditional firewalls and
prevention mechanisms are no longer effective in protecting modern networks, as they only
intercept attacks from the outside, but not those from the inside. Therefore, it is imperative to
find alternatives to ensure the security of Local Area Networks (LAN) while detecting cyber
threats that may target computer networks.
Network Intrusion Detection Systems (NIDS) are now very important appliances that must
be deployed at the level of network infrastructure to protect the computer networks from
suspicious activities that may threaten network security [3]. We can distinguish between two
types of NIDS: the first type is called Signature-based NIDS (SNIDS) and the second type is
called Anomaly Detection-based NIDS (ADNIDS). On the one hand, the SNIDS is based on
a signature database and can detect known intrusions with a very low false-positive rate. On
the other hand, ADNIDS is based on the detection of anomalies while identifying deviations
from the normal operation of the network (baseline).
NIDS is the current trend and several researchers have addressed the problem of intrusion
detection and have proposed very interesting and promising approaches. Nevertheless, most
of the proposed works still suffer from inadequacies in terms of zero-day attack detection, lack
of modularity and scalability features, use of old or even obsolete training datasets, and failure
to exploit open-source NIDS that support multi-threading.
In this research work, we propose a more efficient NIDS model for detecting intrusions
targeting modern computer networks. Thus, the NIDS we propose is based on two detection
mechanisms to monitor networks against known and unknown (zero-day) attacks. On the one
hand, the first mechanism provides a first filter against known attacks by
employing Suricata, an open-source NIDS with multi-threading
support. On the other hand, the second mechanism is dedicated to detecting unknown
attacks that have deviated from the normal traffic baseline. Furthermore, our system is based
on the multi-agent paradigm, which allows us to have a modular NIDS while supporting the
addition of components to support the evolution of networks.
The rest of this paper is organized as follows: Section 2 discusses some related research
works that have been conducted by the scientific community. Section 3 highlights our hybrid
NIDS model while presenting the proposed architecture and its operating principle. Section 4
deals with experimentation and testing, and finally Section 5 concludes the article and
outlines our perspectives for future work.

2 Related work
In this section, we will highlight some of the work done by the scientific community to
advance the field of intrusion detection.
Several research works on intrusion detection systems have been conducted by
cybersecurity researchers. Notably, S Smys et al [4] proposed an IDS to detect intrusions in
IoT networks while based on a hybrid neural network model. According to the author, his
system can give satisfactory results in high-dimensional IoT networks. Sydney et al [5]
proposed a Deep Learning-based method for developing a wireless IDS. The author used the
Wrapper Based Feature Extraction Unit (WFEU) to reduce the dimension of UNSW-NB15
and AWID datasets. Hadeel Alazzam et al [6] proposed a method based on the Pigeon Inspired
Optimizer algorithm to reduce the dataset dimension while keeping only the most relevant
features. The evaluation of their approach was done on the datasets KDDCUP99, NSL-KDD,
and UNSW-NB15. Ferrag et al [7] proposed an IDS that he named Rules and Decision Tree-
based Intrusion Detection System (RDTIDS) to detect intrusions that may target IoT networks.
His approach combines various classification techniques which are: Decision tree, JRip
algorithm, Forest PA, and REP Tree. Kumar et al [8] proposed a signature-based IDS that is
capable of detecting five categories of network traffic namely: Exploit, Probe, Generic, DOS,
and Normal. The proposed system behaves like a watchdog capable of monitoring the
network against suspicious activities. The author relied on the UNSW-NB15 dataset and
generated his test dataset, named Real-Time dataset at NIT Patna CSE lab
(RTNITP18). S. Jin et al [9] proposed a lightweight signature-based IDS capable of detecting
intrusions targeting the In-Vehicle Controller Area Network Bus Network. The research
confirms that this type of network still lacks protection mechanisms against cybercrime and
requires the proposed IDS to be as lightweight as possible since these networks are
known for their limited computational resources. A. N. Cahyo et al [10] confirmed
that the hybrid NIDSs proposed by the scientific community are not yet mature and need to
be improved to be usable in real networks. Thus, the researcher conducted a literature review
of hybrid NIDS during the last five years while presenting the different architectures adopted
in the various proposed approaches. H. Gajjar et al [11] opted for analyzing and comparing
different approaches which rely on the Openstack private cloud to detect intrusions based on
either signatures or anomaly detection. Dinesh Goyal et al [12] proposed a solution to reduce
the number of false alarms generated from NIDS based on anomaly detection. The author
designed an anomaly detection-based NIDS that is capable of detecting intrusions with a
reduced false alarm rate. To achieve this, the researcher focused on three main components:
the preprocessing component, the detection engine, and the module for alert processing. R.
Samrin et al [13] conducted a state-of-the-art study on the set of approaches for anomaly
detection-based NIDS that used the KDDCUP99 dataset. Then, the researcher identified some
shortcomings and weaknesses of the proposed methods in the literature while proposing
improvement points to design a more effective anomaly-based NIDS. Asish Kumar Dalai et
al [14] conducted a state-of-the-art study on hybrid NIDS while opting for a comparative study
between the various approaches. Said OUIAZZANE et al [15] proposed a NIDS to detect
intrusions that could target UAV networks. The author used multi-agent systems and machine
learning techniques to model the NIDS. Thus, a set of classification methods were used and
evaluated to choose the most reliable one. The author of [16] proposed a mechanism for
intrusion detection in networks generating big data. The researcher merged the use of two
classification techniques namely: a Long Short-Term Memory (LSTM) and a Convolutional
Neural Network (CNN). In addition, the author opted for balancing the CIDDS-001 dataset to
limit the impact of the imbalance of the training dataset on the classification results. According
to the researcher, the results were conclusive for both multi-class classification (99.83%
accuracy) and binary classification (99.17% accuracy).
The scientific community has indeed started to focus on different types of NIDS and
researchers are constantly proposing new approaches to improve the effectiveness of NIDS.
Nevertheless, the field of intrusion detection is not yet mature and requires more effort to
succeed in developing more effective and efficient NIDS.
The rapid development of cybercrime via the appearance of new, more sophisticated, and
targeted 0-day attacks is jeopardizing the security of networks in small and large companies.
In addition, traditional security mechanisms are no longer able to protect networks against
modern cyber attacks as they are mainly based on known attack signatures developed by
security experts.
Most of the approaches proposed in the literature are unsatisfactory and deal with very
limited problems. On the one hand, several researchers have just focused on signature-based
detection mechanisms. However, classical SNIDS are no longer effective in detecting
unknown 0-day attacks. In addition, SNIDS can no longer ensure the security of modern
computer networks and require very frequent updates in signature development for newly
emerging attacks. On the other hand, the majority of research works have proposed approaches
to improve the detection mechanisms adopted by ADNIDS by trying to propose highly
efficient classification techniques based on Machine Learning and Deep Learning algorithms.
However, ADNIDS generates very high false-positive rates, which obscures the
visibility administrators have of the security of their IT infrastructure. Furthermore, few research
works have proposed to opt for hybrid approaches that aim to combine both NIDS types
(SNIDS and ADNIDS). Furthermore, hybrid detection-based approaches just deal with
classification techniques and do not address the architectural aspect of the proposed NIDS,
which hinders the proper understanding of the proposed models.
In our present research work, we will put forward a simple and efficient architecture for the
detection of known and unknown attacks. Our model is based on the combination of two
detection mechanisms: SNIDS and ADNIDS. The SNIDS of our model allows first filtering
to detect known attacks whose signatures are already known by the experts, while the
ADNIDS is implemented to detect deviations from the network baseline. The network
baseline consists of developing a reference profile of the network during its normal operation
in the absence of any trace of cyberattacks.

3 Proposed approach
In this section, we will highlight our proposed NIDS model for detecting known and unknown
attacks.

3.1 Proposed NIDS Model

We propose a hybrid NIDS based on a SNIDS and an ADNIDS. The SNIDS is used to detect
intrusions whose signatures are already known by security experts. On the other hand, the
second brick ADNIDS allows detecting deviations from the network baseline during its
normal operation. Figure 1 shows the components of the proposed NIDS model. Indeed, our
NIDS model is mainly based on two detection mechanisms:
• Signature-based NIDS (SNIDS): This is the first brick of our system and allows capturing
  network packets and checking the match against a signature base of known intrusions. This
  layer is capable of detecting known cyber attacks;
• Anomaly Detection-based NIDS (ADNIDS): This detection layer can model what is normal
  based on machine learning algorithms. The ADNIDS component of our model is used to
  detect 0-day attacks whose signatures are not yet known by the security community. Indeed,
  this component can recognize normal behavior and considers any deviation from the baseline
  as an anomaly.

Fig. 1. The proposed model of NIDS

The diagram in figure 2 gives an overview of the workflow adopted by our NIDS system
to detect known attacks as well as Zero-day attacks. Indeed, our system is composed of a
SNIDS and an ADNIDS that work together to detect all types of intrusions including those
whose signatures are not yet known. On the one hand, we have used Suricata as a SNIDS to
perform network traffic capture and detection of known attacks corresponding to attack
signatures. On the other hand, if the packet does not match a known intrusion by Suricata, the
packet will be sent to ADNIDS to check if it matches the network baseline or not. Thus,
ADNIDS is based on machine learning techniques to recognize what is normal and therefore
to detect any deviation from the baseline. Therefore, any network packet, whose
characteristics do not match a known intrusion and which does not match the baseline patterns,
is considered a zero-day attack if it is not a false positive or false negative.
Fig. 2. The detection mechanism of known and zero-day attacks adopted by our proposed system.

3.2 Operating principle of the proposed model

Figure 3 shows the intrusion detection mechanism adopted by our proposed system. The
system checks each network packet against two detection modules. The first module is a
SNIDS that detects attacks whose signatures are known. The second module is an ADNIDS
that checks a packet which does not correspond to a known attack against the network
baseline. Thus, our NIDS is able to detect known intrusions using its first SNIDS module
and also detects deviations from the normal network profile (baseline), in order to catch
zero-day intrusions whose signatures are not yet known or developed by security experts.

Fig. 3. The operating principle of the proposed NIDS

According to Figure 3 above, the detection mechanism is carried out in 8 steps. The
workflow adopted by our NIDS model during the detection of cyber attacks can be
presented as follows:
• Step 0: Before the detection phases proper, phase 0 prepares the ADNIDS, which is
  used to model benign traffic that is free of any trace of a cyberattack. In phase 0,
  the ADNIDS is trained on normal traffic describing the normal operation of the network
  without the presence of a cyber attack. For this purpose, a set of machine learning
  techniques must be used and tested to select the most reliable ones in terms of accuracy
  and precision. In addition, annotated datasets can be used to model the normal behavior
  of network packets;
• Step 1: In this step, the proposed hybrid NIDS captures the network traffic via the
  Sniffer of the SNIDS component. To do this, the system must have a high-speed
  network card connected to a SPAN port on the federator (backbone) switch.
  This way, the Sniffer can collect a copy of the network traffic without causing
  network latency, as opposed to the inline mode;
• Step 2: At this point, the network packets have been captured by the Sniffer and are
  checked against the SNIDS signature database. The SNIDS checks whether there is
  a match between the characteristics of the captured network packet and the
  known intrusion patterns stored in its signature database. We can distinguish
  between two cases:
    - If the packet matches a pattern recognized by the SNIDS database, an alert
      is sent to the security administrator to draw attention to the
      detected intrusion;
    - If the packet does not match any known attack signature, the network packet
      in question must pass through the second component, which is the
      ADNIDS.
• Step 3: If the network packet matches a known intrusion, an alert is automatically
  sent to the security administrators to investigate and analyze the suspicious packets;
• Step 4: If the network packet is not recognized as a known intrusion, the ADNIDS
  intervenes to compare the characteristics of the packet to the network baseline;
• Step 5: If the characteristics of the network packet deviate from the baseline, an alert
  is sent to the administrator to inform him/her that a suspicious packet is present
  in the network traffic;
• Step 6: When the packet deviates from the baseline, it is considered suspicious and
  its signature is sent to the SNIDS so that the packet will be recognized as
  suspicious in subsequent detections;
• Step 7: If the packet corresponds to normal behavior, it is considered benign and does
  not represent a risk of intrusion on the IT assets.
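
The decision flow of Steps 2 to 7, as an added example (not the authors' code). It assumes the SNIDS output is Suricata's EVE JSON log, where alert and flow events share a flow_id; the feature mapping, the toy_baseline stand-in for the trained Decision Tree, and all sample events are constructed for illustration.

```python
import json


def flow_features(ev):
    """Map a Suricata EVE flow record onto feature names used in the paper.

    Assumption for this example: EVE carries per-flow counters only, so just
    a handful of the retained CICIDS2017 features can be approximated.
    """
    f = ev["flow"]
    return {
        "Destination Port": ev.get("dest_port", 0),
        "Flow Duration": f.get("age", 0),  # EVE reports the flow age in seconds
        "Total Fwd Packets": f.get("pkts_toserver", 0),
        "Total Length of Fwd Packets": f.get("bytes_toserver", 0),
    }


def toy_baseline(feat):
    """Constructed stand-in for the ADNIDS model trained in Step 0."""
    rate = feat["Total Fwd Packets"] / max(feat["Flow Duration"], 1)
    return rate <= 100 and feat["Total Length of Fwd Packets"] <= 1_000_000


def triage(eve_lines, matches_baseline=toy_baseline):
    """Return ({flow_id: (verdict, signature)}, number_of_unparsable_lines)."""
    alerts, flows, skipped = {}, {}, 0
    for line in eve_lines:
        try:
            ev = json.loads(line)
            if not isinstance(ev, dict):
                raise ValueError("not an EVE object")
        except ValueError:  # also covers json.JSONDecodeError
            skipped += 1    # e.g. a line Suricata was still writing
            continue
        kind, fid = ev.get("event_type"), ev.get("flow_id")
        if kind == "alert":    # Steps 2-3: signature match
            alerts[fid] = ev.get("alert", {}).get("signature", "unknown signature")
        elif kind == "flow":   # other event types (dns, http, ...) are ignored
            flows[fid] = ev
    verdicts = {}
    for fid, ev in flows.items():
        # The alert is logged when the rule fires, the flow record when the
        # flow ends, so consult both the alert map and the flow's own flag.
        if fid in alerts or ev["flow"].get("alerted"):
            verdicts[fid] = ("known-attack", alerts.get(fid))
        elif matches_baseline(flow_features(ev)):   # Steps 4 and 7
            verdicts[fid] = ("benign", None)
        else:                                       # Step 5
            verdicts[fid] = ("suspected-zero-day", None)
    for fid, sig in alerts.items():  # alert seen, flow record not yet written
        verdicts.setdefault(fid, ("known-attack", sig))
    return verdicts, skipped


def review_queue(verdicts):
    """Flows to analyse before any signature is fed back to the SNIDS (Step 6)."""
    return sorted(f for f, (v, _) in verdicts.items() if v == "suspected-zero-day")


# Constructed EVE events; addresses come from documentation ranges.
SAMPLE_EVE = [json.dumps(e) for e in (
    {"event_type": "alert", "flow_id": 1001, "src_ip": "192.0.2.10",
     "dest_ip": "198.51.100.5", "dest_port": 445, "proto": "TCP",
     "alert": {"signature_id": 9000001,
               "signature": "CONSTRUCTED known-exploit signature"}},
    {"event_type": "flow", "flow_id": 1001, "dest_port": 445,
     "flow": {"pkts_toserver": 12, "bytes_toserver": 4100, "age": 2,
              "alerted": True}},
    {"event_type": "dns", "flow_id": 1002, "dest_port": 53},
    {"event_type": "flow", "flow_id": 1002, "dest_port": 443,
     "flow": {"pkts_toserver": 10, "bytes_toserver": 1200, "age": 3,
              "alerted": False}},
    {"event_type": "flow", "flow_id": 1003, "dest_port": 8443,
     "flow": {"pkts_toserver": 4000, "bytes_toserver": 240000, "age": 2,
              "alerted": False}},
    {"event_type": "alert", "flow_id": 1004, "dest_port": 22,
     "alert": {"signature_id": 9000002,
               "signature": "CONSTRUCTED brute-force signature"}},
)] + ['{"event_type":"flow","flow_id":10']  # truncated line

if __name__ == "__main__":
    result, bad = triage(SAMPLE_EVE)
    for fid in sorted(result):
        print(fid, *result[fid])
    print("unparsable lines:", bad, "| review queue:", review_queue(result))
```
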

3.3 Use case of the proposed model

The proposed hybrid NIDS will be deployed at the network level in passive mode. The
architecture diagram in Figure 4 shows the mode of deployment of our NIDS system. Indeed,
our NIDS will be connected to an L3 switch on a port in SPAN mode. In this way, the NIDS
does not intercept the network traffic; it receives a copy of all the network traffic
circulating in the L3 backbone switch. Thus, all traffic flowing through the different broadcast
domains will be copied and sent to the NIDS for analysis and detection of suspicious packets.
Our NIDS model is connected to the network on a SPAN port of the backbone switch.
Thus, the system captures all traffic passing through the network so that it checks the match
of the packets against the SNIDS signature database to detect known attacks and if the packet
does not correspond to a known intrusion, the ADNIDS checks the match of the packet against
the baseline of the network describing its normal operation. If the packet deviates from the
characteristics of benign traffic represented by the baseline, the packet in question is
considered a zero-day attack that must be analyzed and investigated thoroughly to avoid
falling into the trap of false positives. Thus, the new patterns are communicated to the
signature database so that the system can now detect similar packets using SNIDS.
Fig. 4. Deployment mode of the proposed model

4 Experimentation
In this section, we will discuss the network baseline development mechanism at the ADNIDS
brick level. For this purpose, we used the CICIDS2017 dataset after optimizing and balancing
it. Then, we used the Decision Tree algorithm to classify the benign traffic of the optimized
dataset.

4.1 CICIDS2017 dataset optimization

CICIDS2017 includes missing data and data with infinite values. This type of data could
falsify the classification results using Machine Learning algorithms. Therefore, the
CICIDS2017 dataset must be cleaned up to make the classification as reliable as possible.

Cleaning the CICIDS2017 dataset. After analyzing the contents of the CICIDS2017 dataset,
it was found that it includes missing values and infinite data. We used Pandas' "isnull().any(1)"
and "dropna(axis=0, how='any')" functions to remove the missing values and then we removed
the infinite values by using the function "replace([np.inf, -np.inf], np.nan, inplace=True)".

Balancing the CICIDS2017 dataset. The CICIDS2017 dataset is unbalanced: some classes
are less abundant than others (see Table 1).

Table 1. The CICIDS2017 dataset is unbalanced.

Class of network traffic    Frequency
NORMAL                      2272688
ABNORMAL                    556697

After balancing the CICIDS2017 dataset, the distribution of normal and abnormal instances
is presented in Table 2 below.

Table 2. The balanced CICIDS2017 dataset

Class of network traffic    Frequency
NORMAL                      250000
ABNORMAL                    582504

Feature selection. We opted for feature selection to eliminate less relevant attributes that
could falsify the classification results and cause huge learning delays. First, we removed
attributes with constant or quasi-constant values since they do not add value during the learning
phase. Second, we removed duplicated features using the pandas function duplicated(). Third
and finally, we removed correlated attributes using the corr() function. The remaining
relevant attributes are listed in Table 3.
Table 3. The retained attributes of the CICIDS2017 dataset

Selected features              Selected features     Selected features
Destination Port               Flow IAT Mean         FIN Flag Count
Flow Duration                  Flow IAT Min          PSH Flag Count
Total Fwd Packets              Fwd IAT Min           ACK Flag Count
Total Length of Fwd Packets    Bwd IAT Total         URG Flag Count
Fwd Packet Length Max          Bwd IAT Mean          Down/Up Ratio
Fwd Packet Length Min          Bwd IAT Std           Init_Win_bytes_forward
Fwd Packet Length Mean         Fwd PSH Flags         Init_Win_bytes_backward
Bwd Packet Length Max          Fwd Header Length     Active Mean
Bwd Packet Length Min          Bwd Header Length     Active Std
Flow Bytes/s                   Bwd Packets/s         Idle Std
Flow Packets/s                 Min Packet Length     Label
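
The cleaning and feature-selection steps of Section 4.1 as one pandas pipeline; this is an added example, not the authors' code. The cut-offs (0.99 for quasi-constant, 0.95 for correlation) are assumptions, since the paper does not state them, and the sample rows are constructed.

```python
import numpy as np
import pandas as pd


def clean(df):
    """Drop every row that holds a missing or an infinite value."""
    # Turn +/-inf into NaN first so that one dropna() removes both kinds of
    # bad rows; a dropna() that runs before the replace would not see them.
    out = df.replace([np.inf, -np.inf], np.nan)
    return out.dropna(axis=0, how="any").reset_index(drop=True)


def drop_quasi_constant(df, label="Label", threshold=0.99):
    """Drop features whose most frequent value covers >= threshold of the rows."""
    drop = [c for c in df.columns if c != label
            and df[c].value_counts(normalize=True).iloc[0] >= threshold]
    return df.drop(columns=drop), drop


def drop_duplicated(df, label="Label"):
    """Drop feature columns whose values repeat an earlier column exactly."""
    dup = df.drop(columns=[label]).T.duplicated()
    drop = dup[dup].index.tolist()
    return df.drop(columns=drop), drop


def drop_correlated(df, label="Label", threshold=0.95):
    """Drop the later feature of each pair with |Pearson r| above threshold."""
    corr = df.drop(columns=[label]).corr().abs()
    # Keep the strict upper triangle so every pair is examined exactly once.
    upper = corr.where(np.triu(np.ones(corr.shape, dtype=bool), k=1))
    drop = [c for c in upper.columns if (upper[c] > threshold).any()]
    return df.drop(columns=drop), drop


def optimize(df, label="Label"):
    """Run the steps in the order the section describes them."""
    df = clean(df)
    df, constant = drop_quasi_constant(df, label)
    df, duplicated = drop_duplicated(df, label)
    df, correlated = drop_correlated(df, label)
    return df, {"constant": constant, "duplicated": duplicated,
                "correlated": correlated}


def sample_flows():
    """Constructed rows shaped like CICIDS2017 flow records (not real data)."""
    return pd.DataFrame({
        "Flow Duration":       [100, 4000, 900, 300, 650, 700, 500, 200],
        "Flow Bytes/s":        [50.0, np.inf, 40.0, 90.0, np.nan, 20.0, 80.0, 60.0],
        "Total Fwd Packets":   [4, 7, 1, 30, 3, 9, 11, 2],
        "Subflow Fwd Packets": [4, 7, 1, 30, 3, 9, 11, 2],     # exact copy
        "Fwd Header Length":   [80, 140, 32, 600, 60, 180, 232, 40],  # ~20 x packets
        "Bwd PSH Flags":       [0, 0, 0, 0, 0, 0, 0, 0],       # constant
        "Label": ["BENIGN", "DDoS", "BENIGN", "PortScan",
                  "BENIGN", "BENIGN", "DDoS", "BENIGN"],
    })


if __name__ == "__main__":
    kept, dropped = optimize(sample_flows())
    print(len(kept), "rows kept; columns:", list(kept.columns))
    print("dropped:", dropped)
```
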

4.2 Classification of benign traffic

After optimizing the CICIDS2017 dataset, we used the Decision Tree (DT) algorithm to
classify the normal traffic, which gave the conclusive results presented in Table 4. The DT was
able to classify benign traffic with 99.9% accuracy and a very low false alarm rate.

Table 4. Metrics to evaluate the use of Decision Tree algorithm

Class    TP      FP   TN       FN    Recall   Precision   Sensitivity   Specificity   F-Measure   Accuracy
Benign   74704   94   174779   135   99.8 %   99.9 %      99.8 %        99.9 %        99.8 %      99.9 %

5 Conclusion
In this work, we were able to propose a hybrid NIDS based on the use of both SNIDS and
ADNIDS. The proposed model is capable of detecting any type of computer attack including
zero-day intrusions and exploits, and it is based on the open-source Suricata system as well as
machine learning techniques. The Decision Tree has performed well in classifying benign
traffic, achieving 99.9% accuracy. The work is not yet complete and we plan to
perform the following tasks in our future publications:
• Using several Machine Learning algorithms and comparing them to choose the
  most reliable one to model the network baseline;
• Trying several datasets and comparing the results obtained;
• Testing the system in a real computer network.

References

1. Chiba, Zouhair Abghour, Noreddine Moussaid, Khalid Omri, Amina El Rida, Mohamed – 2019 –
Newest collaborative and hybrid network intrusion detection framework based on suricata and
isolation forest algorithm
2. M. Ali Aydın *, A. Halim Zaim, K. Gökhan Ceylan – 2009 – A hybrid intrusion detection system
design for computer network security
3. Jiang, CHan, X – 2021 – A Novel Hybrid Model for Intrusion Detection Systems in SDNs based
on CNN and a New Regularization Technique – Journal of Network and Computer Applications
4. S Smys, A Basar, H Wang - Hybrid intrusion detection system for internet of Things (IoT) - Journal
of ISMAC, 2020 - irojournals.com
5. Sydney Mambwe Kasongo Yanxia Sun - A deep learning method with wrapper based feature
extraction for wireless intrusion detection system - 2020 - Computers & Security
6. Hadeel Alazzam et al. - A feature selection algorithm for intrusion detection system based on Pigeon
Inspired Optimizer – 2020 - Expert Systems with Applications
7. Ferrag, M.A.; Maglaras, L.; Ahmim, A.; Derdour, M.; Janicke, H. RDTIDS: Rules and Decision
Tree-Based Intrusion Detection System for Internet-of-Things Networks. Future Internet 2020, 12,
44. https://doi.org/10.3390/fi12030044
8. Kumar, V., Sinha, D., Das, A.K. et al. An integrated rule based intrusion detection system: analysis
on UNSW-NB15 data set and the real time online dataset. Cluster Comput 23, 1397–1418 (2020).
https://doi.org/10.1007/s10586-019-03008-x
9. S. Jin, J. -G. Chung and Y. Xu, "Signature-Based Intrusion Detection System (IDS) for In-Vehicle
CAN Bus Network," 2021 IEEE International Symposium on Circuits and Systems (ISCAS), 2021,
pp. 1-5, doi: 10.1109/ISCAS51556.2021.9401087.
10. A. N. Cahyo, A. Kartika Sari and M. Riasetiawan, "Comparison of Hybrid Intrusion Detection
System," 2020 12th International Conference on Information Technology and Electrical
Engineering (ICITEE), 2020, pp. 92-97, doi: 10.1109/ICITEE49829.2020.9271727.
11. H. Gajjar and Z. Malek, "A Survey of Intrusion Detection System (IDS) using Openstack Private
Cloud," 2020 Fourth World Conference on Smart Trends in Systems, Security and Sustainability
(WorldS4), 2020, pp. 162-168, doi: 10.1109/WorldS450073.2020.9210313.
12. Dinesh Goyal, S. Balamurugan, Sheng-Lung Peng, O.P. Verma - Soft Computing-Based Intrusion
Detection System With Reduced False Positive Rate – 2020
13. R. Samrin and D. Vasumathi, "Review on anomaly based network intrusion detection system," 2017
International Conference on Electrical, Electronics, Communication, Computer, and Optimization
Techniques (ICEECCOT), 2017, pp. 141-147, doi: 10.1109/ICEECCOT.2017.8284655.
14. Asish Kumar Dalai and Sanjay Kumar Jena – 2017 – Hybrid Network Intrusion Detection Systems:
A Decade’s Perspective
15. Said OUIAZZANE, Fatimazahra BARRAMOU and Malika ADDOU, “Towards a Multi-Agent
based Network Intrusion Detection System for a Fleet of Drones” International Journal of Advanced
Computer Science and Applications(IJACSA), 11(10),
2020. http://dx.doi.org/10.14569/IJACSA.2020.0111044
16. Samed Al, Murat Dener, STL-HDL: A new hybrid network intrusion detection system for
imbalanced dataset on big data environment, Computers & Security,
https://doi.org/10.1016/j.cose.2021.102435.
