Hybrid Feature Selection (RFEMI) Techniques
and Intrusion Detection
2023 10th International Systems
Conference on Future
Internet of Things
Detection Using Supervised Machine Learning
Algorithms.
Ibrahim Abobaker IEEE Student
Member
Department of Computer Science
University of Bradford
Bradford, UK
[email protected]
In the realm of business, it is crucial to establish robust
security mechanisms for identifying web attacks. Advanced
Intrusion Detection Systems (IDSs) can effectively fortify network
security by operating at the network's perimeter. However, the
presence of a vast number of features within the system presents a
significant challenge in accurately detecting web attackers. To
address this issue, a technique known as Recursive Feature
Elimination and Mutual Information (RFEMI) is proposed. This
technique aims to select the most essential features while
eliminating duplicates, thereby simplifying attack detection and
reducing computational time. The study conducted experiments to
assess the effectiveness of the proposed feature selection technique
in detecting web attacks using various Machine Learning
Algorithms (MLAs) such as Decision Tree Classifier (DTC), XGB
Classifier (XGB), Gradient Boosting Classifier (GBC) and K-
Nearest Neighbor (KNN) for Network-based Intrusion Detection
Systems (NIDS). The results demonstrate that the proposed system
can accurately identify web attacks using the CICIDS-2017
dataset. Among the classifiers, the DTC classifier exhibited the
highest accuracy at 0.9961, with a False Positive Rate (FPR) of
0.054.
Keywords— Computer networks. Intrusion Detection Systems.
Machine Learning Algorithms. High dimensionality, web attack
detection.
I.INTRODUCTION
Security mechanisms to detect web attacks are an essential
part of the design of network devices; new technologies such
as IoT and mobile devices pose new threats and challenges to
web security. This is because Web applications are widely
used in our daily lives and across communication networks for
client-server communication. Despite the efforts of
researchers and developers who have implemented security
measures like firewalls, data encryption, and user
authentication, web attacks still pose a significant challenge to
web applications. A study done by Symantec in 2019 found
that every month, around 4,818 websites were hacked with
form jacking code, and cybercriminals could make up to $2.2
million per month by stealing credit card information from
those compromised websites. [3].
Furthermore, almost one million new threats are
distributed into the network daily, as stated by Symantec [5].
There are almost one million new threats distributed daily on
XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE
979-8-3503-1635-3/23/$31.00 ©2023 IEEE
DOI 10.1109/FiCloud58648.2023.00020
for
Web
and Cloud Attacks
(FICloud)
the web application. At the same time, the WannaCry attack
on the UK National Health Service in 2017 is an excellent
example of a significant cyber-attack. The attack used a
Windows Server Message Block protocol vulnerability to
install backdoor tools and execute a ransomware package. [6].
Another attack on Tesco Bank in the UK was targeted by an
online fraudster on November 7, 2016, resulting in cash being
taken from approximately 40,000 accounts and causing a loss
of about £600 per account. [7].
The web application uses a web browser and its
technology to complete precise tasks across the internet. Web
applications use a combination of client-side scripts and
servers to distribute data to legitimate users through a web
browser. The client-side scripts are used to present specific
data to users, while the server-side scripts help handle, store,
and retrieve the data. This model allows for the efficient and
effective sharing of data with people and businesses.[2].
Nevertheless, the web traffic has been examined via the
requests from servers and clients through the HTTPS and
HTTP protocols. Web application security is essential as it
stores numerous user data and delivers the means to access
many assets like online internet banking, online buying, online
purchase and other services provided by the financial
organization. This expansive application needs web systems
to handle and store an enormous amount of data, including
personally sensitive data such as username, password, date of
birth, and credit card information, thereby eliciting varying
degrees of cyber security threats. For example, the service is
inconsistent if it fails to defend sensitive data such as bank
details. Consequently, Web applications are vulnerable to a
wide range of security attacks that can compromise
Confidentiality, Integrity, and Availability, collectively
known as the CIA. These attacks can occur at different levels
of the web application's architecture, posing a significant
challenge to its security.
Even though Web applications have similarities with
traditional IT systems, they have unique characteristics that
make them more susceptible to attacks. This vulnerability
requires special attention to secure web applications from
various security threats.[8]. For instance, remote code
execution attacks target file systems; however, SQL injection
78
targets databases and, therefore, causes immeasurable
destruction and loss to governments and companies [9]. In
addition, data encryption has added an extra layer of
sophistication to the analysis task. Therefore, it has posed an
enormous burden on security analysts to examine traffic and
classify threats to develop suitable anomalies; the (IDS) is
often designed to detect this kind of attack [10].
However, much work has been done on the impact of web
attacks on web applications, including References , the
majority of literature focuses on increasing the detection rate,
and most of the work has been published with outdated
datasets such as (KDD99CUP, NSL-KDD and Advanced
Research Projects Agency (DARPA)). Nevertheless, The
Open Web Application Security Project (OWASP) has
identified the top 10 security risks for web applications,
including injection flaws, Broken Access Control, and XSS
attacks. These have been major threats to web applications and
servers for many years. This work focuses on understanding
the effects of web attacks on HTTP traffic, such as SQL
injection and Cross-Site Scripting (XSS). It proposes a system
for IDS using unsupervised ML and evaluating the proposed
approach with reliable datasets that had these kinds of attacks,
such as CICIDS-2017 and UNSW-NB15[11]. The purpose is
to inspire comprehensive studies that prioritize finding
solutions to detect and prevent web attacks in HTTP traffic.
The unknown attack is known as a zero-day Attacks is a
type of computer security weakness that has not been publicly
disclosed or fixed by the responsible vendor. Practitioners in
this field commonly use the term to refer to unpublished
vulnerabilities that are actively exploited in the wild. This
creates fear because IT professionals cannot protect against
something they don't know exists [12].To this end, the
proposed system includes a method for selecting the most
important features to build a lightweight intrusion-detection
model that can accurately detect web and zero-day attacks.
This approach was evaluated using the CICIDS-2017 dataset
and has the potential to reduce the problems caused by new
attacks.
A. MOTIVATION AND CONTRIBUTION
The research is driven by the increasing security threats
faced by web applications and web servers due to their
extensive and widespread use. The focus is primarily on web
attacks and their impact on web application vulnerabilities.
Anomaly detection (AD) techniques serve as the key focus
area of this study, aiming to develop an innovative approach
that emphasizes early detection and prevention of web attacks.
Within this context, the main tasks of the research paper
are as follows:
• Addressing feature selection uncertainty and
reducing the number of features: this work utilize a
Hybrid Feature Selection (FS) method called
Recursive Feature Elimination and Mutual
Information (RFEML). This technique selects ten
features from each method, eliminates duplicates,
and reduces the feature count from 78 to 13 in the
CICIDS-2017 dataset. This reduction helps reduce
training and testing time.
79
• To Propose an Intrusion Detection System (IDS) that
effectively identifies and prevents both known and
novel attacks: Our system aids in the classification of
network traffic, facilitating the identification of
various types of attacks.
• Designing, implementing, and testing an Anomaly-
Based Intrusion Detection System (ABIDS)
approach: This system utilizes the identified
anomalies and employs four different classifiers to
detect web attacks, including zero-day attacks.
Evaluation is conducted using the CICIDS-2017
dataset.
• Revealing that specific features, namely Destination
Port, Packet Length Mean, and Average Packet Size,
exhibit significance and commonality across both
methods when analyzing the CICIDS-2017 datasets.
This insight highlights the importance of these
features in detecting web attacks, indicating their
relevance and potential as key indicators of
malicious activity. Understanding the shared
significance of these features across multiple
methods provides valuable knowledge for future
research and the development of more robust
intrusion detection systems.
The performance of the classifiers in detecting intrusions
is assessed to evaluate the tasks of the proposed system.
Various metrics such as False Negative Rate, True Positive
Rate, False Positive Rate, Recall, and accuracy of different
MLAs are measured and analyzed.
The rest of this research work is structured as follows:
In Section II, the discussion revolves around the
background of detecting web attacks through the use of
machine learning. Moving forward, Section III presents the
proposed method and the process of feature selection.
Numerical Experiment and results are then presented in
Section IV, followed by the conclusion of findings in Section
V and suggestions for future work.
II. LITERATURE REVIEW
This section reviews literature relevant to Web attacks,
IDS methods for the proposed system, and related studies.
B. Web Attacks
While the web attacks threat problem has increased
sharply resulting from using web applications in our everyday
lives such as online internet banking, purchasing, and selling,
so also have the methods to detect and deal with it. Amongst
the studies on the threat of web attacks, several ways have
been suggested to prevent the conduct of potential web attacks
mainly.
For instance, SQL injection is a generally utilised attack to
exploit a command injection weakness; it is used to inject false
data into an SQL query over the web page for malicious
purposes in order to alter, delete, or insert information[13].
The banking sector is a popular target for hackers. It is
understood the essential data including full name, current
home address, and date of birth stored in the banking server's
database. This data can be gathered from the server due to
social engineering' identity fraud' [12].
 On the other hand, Cross Site Scripting (XSS) is another
kind of web attack. The improper system coding writing gives
an excellent option for the hacker to manipulate the known
weaknesses. This attack uses the victim's exposure when
visiting the vulnerable website. And the weak website works
as a medium for the hackers in order, to provide malicious
code to the target's browser[13].
The exposure of weak web applications and essential data
on it has highlighted the necessity for the exploration of
network security, which caused a sharp increase in the number
of attacks that triggered the web-based system. [14].
Among the works done to deal with the web attack issue,
several techniques have been suggested to identify the web
attacks using IDS mainly. For example, reference [7] applied
end-to-end deep learning to identify attacks autonomously in
real time. They explore the potential of end-to-end deep
learning in IDS and use deep learning in the whole process
starting with feature engineering and ending with prediction.
Their approach is to work without users manually selecting
features or constructing big labelled training sets. The authors
evaluate unsupervised and semi-supervised learning methods
to identify web attacks. Their methodology is based on the
Robust Software Modelling Tool, and their results show that
RSMT can effectively identify web attacks.
The reference work [15] proposed a detection method
using a new ensemble deep learning to detect web attacks;
they first built three models to identify the attacks. After that,
they utilise an ensemble classifier to make the final
determination corresponding to the achieved results from the
three models. They performed experiments with real-world
datasets running in a distributed environment and CSIC 2010
as a benchmark to evaluate the proposed Web attack Detection
System WADS. The investigation shows the suggested
method can identify web attacks correctly, with a performance
of 99.47% accuracy, 99.29%, and 99.70% precision. Although
the work achieved good accuracy, it seemed to overlook the
performance resulting from the ensemble methods, which
consumed more time classifying the data.
As recommended by[9], a single classifier can detect the
anomaly with a reduced attack sample in the training dataset
by evaluating different classification algorithms, including
Random Forest (RF) classifier, Logistic Regression (LR) and Naïve
Bayes (NB) algorithms. The result showed that NB skilfully
identified attacks with few samples in training, like R2L and
U2R attacks. Whereas RF and J48 have recognized attacks
like DoS and Probe, J48 showed slightly lower results than
RF. They initially evaluate the result using the complete NSL-
KDD dataset and then using 20 % in the second stage and
compare the result using Precision, Recall, and F-Score.
Although the result shows a high precision score of 98.28%
using 20 % of the data, the result may be inaccurate as there is
no evidence this module will work with other data or real-time
traffic and was not tested on novel attacks.
On the other hand, researchers [16] introduced an
architectural scheme to develop a threat intelligence strategy
to detect web attacks using four step approach as a fellow:
1. gathering web attack data using crawling websites, 2.
extracting essential features using the Association Rule
Mining3.utilizing the obtained features to simulate web attack
data, and 4. offering a new Outlier Gaussian Mixture (OGM)
method to detect known and novel attacks using an AD
method. They propose a method to capture network traffic
80
data automatically; they use the UNSW-NB15 dataset to
compare results. Their result achieves a detection rate of 97.28
using the OGM method on the web attack dataset and 95.56
using the UNSW-NB15 dataset.
As previously mentioned, a majority of the studies and
related research have failed to consider computer system
utilization or the influence of big data on the detection of web
attacks or zero-day attacks. Utilizing Machine Learning (ML)
algorithms could prove advantageous, not only for traffic
classification but also for investigating the underlying causes
of features to determine their normality or anomaly. Initially,
intrusion detection systems (IDS) operated on the principles
of "deep packet inspection," involving the examination of The
limited studies discussing web and zero-day attacks primarily
focused on achieving high accuracy and assessing the
vulnerability of such attacks. Consequently, there exists a
significant gap in the existing literature regarding solutions for
detecting and preventing web attacks [12]. This article aims to
bridge this knowledge gap, which is crucial for the
development of an efficient system. While most existing
works concentrate on analyzing the content of payloads to
identify web attacks.
C. Anomaly Detection
Anomalies detection (AD) is a technique used to identify
patterns in the data that do not conform to the defined features
of standard patterns in the data. It is defined as "an observation
that deviates so much from other observations to arouse
suspicions that a different mechanism generated it[14]. Driven
by various unusual activities from web attacks, credit card
fraud, and numerous different kinds of attacks, (AD) are
essentially the reason they point out unusual events. Thus,
they can take key actions in vast application areas[15].
Denning in [16] The concept of anomaly detection was
introduced by Denning, and since then, many researchers
worldwide have presented a lot of work on it.
On the other hand, AD is a data analysis technique that
identifies data patterns that do not conform to the standard
patterns[17, 18]. This technique is a wide and dominant
category of (IDS); It helps to detect unusual events, such as
web attacks or credit card fraud.AD work by A "norm profile"
is a baseline or standard behavior pattern created for an entity,
Figure 1Anomaly based IDS using Machine Learning
which is used to compare and identify any observed behaviors
that deviate from the norm profile[19]. It looks for patterns in
data that don't match the usual or normal patterns, as a way to
identify unusual or suspicious events. It does this by
comparing the observed behaviors to a normal behaviour
profile and identifying data entries that don't fit with the rest
of the dataset.
Figure 1 shows some ML techniques used in AD.
D. Supervised ML and Classification Techniques
Classification is a method used to differentiate unusual
patterns, and this technique is used to differentiate unusual
patterns; a fully labelled training dataset and a test dataset are
needed. The classifier is trained first and then tested with the
test dataset, making it a good choice for detecting unseen
attack patterns. This approach is effective and has a high
detection rate for known attacks.[20]. The methods used for
(IDS) can be updated with new information and strategies,
making them adaptable. They can also identify unusual data
patterns and are ideal for detecting new or "zero-day" attacks.
Most IDS models use a single classifier, such as support
Vector Machines, Genetic Algorithms, Logistic Regression,
KNN, and Random Forest. This researchers used four
Machine learning algorithms and will be discussed in details
in the following subsections.
1) T Decision Tree Classifier
Decision Tree learning is a commonly used method for
categorizing data based on different attributes. Decision trees
are useful for processing large amounts of data and are often
used in data mining applications. They do not require any prior
knowledge or specific settings and are suitable for exploratory
knowledge discovery. Decision trees are represented in a tree-
like structure, which makes the acquired knowledge easy to
understand[21].
2) XGB Classifier
XGBoost is a popular algorithm used for boosting that aims to
achieve high efficiency, flexibility, and portability. This
algorithm generates decision trees sequentially and assigns
weights to all independent variables. The model then
combines the various classifiers/predictors to form a more
powerful and precise model. XGBoost can solve problems
including regression, classification, ranking, and user-defined
prediction. It includes a sparsity-aware split discovery
algorithm to handle different forms of sparsity patterns in data,
and a distributed weighted quantile sketch approach to
determine the optimal split points across weighted
datasets[22].
3) Gradient Boosting Classifier
The Gradient Boosting Classifier (GBC) is a machine learning
algorithm used for classification and regression models. It
builds a gradual sequence of weak prediction models, such as
regression decision trees, to optimize the learning process.
These models are combined in an ensemble to improve their
accuracy, with each ensemble correcting errors from the
previous one. The nodes and leaves in the model make
predictions based on decision nodes, and the accuracy of the
model is improved as more weak models are added to the
ensemble[23].
4) K-Nearest Neighbour
The k-Nearest Neighbor Algorithm is a machine learning tool
that predicts class labels for different instances by measuring
the shortest Euclidean distance from other instances. This is
81
done by considering all the features or attributes as dimensions
in the calculation of Euclidean distances[5].
By leveraging these methods, you can enhance your ability to
detect web attacks by utilizing their unique strengths in pattern
recognition, classification, and anomaly detection. enhances
the system's ability to accurately detect web attacks. The
evaluation of the proposed system on the CICIDS-2017
dataset demonstrates promising results, indicating improved
classification accuracy and reduced model building time.
E. The CICIDS-2017 dataset
Many published works in AD and feature selection proposals
use DARPA’98 and KDD’99 Cup. However, famous critics
received advice against their use due to the out-of-data issue
and not presenting the actual network traffic[24]. In this work,
The CICIDS2017 dataset is a more recent dataset proposed by
the Canadian Institute in 2017 for cybersecurity research is
used; it includes normal traffic and new attacks when data is
collected (Catillo et al., 2021). The data is accessible in
bidirectional flow labelled form ( CSV ) and packet format (
pcap ).
Nevertheless, this data obtains massive traffic and has a large
number of features for anomaly detection. It includes recent
and challenging attack distribution attacks, including Brute
force, Infiltration, Botnet, DDoS, Dos, Web, and PortScan
(Cybersecurity, 2017).To this end, The data capture period is
five days. Monday is the "normal day" and contains benign
traffic. However, on Thursday there were web attacks
including Brute Force, XSS, and SQL Injection that occurred
between (9:20 - 10 a.m.), XSS (10:15 - 10:35 a.m.), and SQL
Injection (10:40 10:42 a.m.). The attacker was a Kali Linux
node, and the victim was a WebServer Ubuntu[25].
Feature Selection and data pre-processing
In Machine Learning, the isolation process for predictive
features from unwanted features is known as Feature
Selection (FS). It is well agreed that information theory has
become a powerful concept to undertake this strategy. This is
justified by the fact that correlation can yield a predictive
power, namely mutual information. Within the available
literature, there are numerous FS techniques. That said, a
considerable number of researchers have used several
approaches by employing filtering methods and wrapping.
The complexity of keeping the data’s dimensionality of the
data manageable and targeting the most suitable features on
which to drive the learning process would increase with the
ongoing increase of datasets. It is to be noted that the increase
in the size of datasets would be explicitly in terms of the data
features as well as the sample. However, it is unavoidable to
enhance prediction accuracy, ignore the unstoppable growth
of training complexity, and understand the model more
deeply.
The best known two categories to reduce the dimensionality
are either by transforming the feature space through feature
extraction, which describes putting the original features into
new ones, or by following a different strategy of FS, by
choosing a subset of features. The second category branches
into three methods: embedding, filtering approaches, and
wrapping. Notably, the filtering strategy is more advantageous
since it does not depend on the classifier, is more dynamic in
dealing with overfitting risks, and is more responsive to a Stage 3 employs four other Machine Learning Algorithms (MLAs)
structured method. More interestingly, many researchers have to classify the final optimized subset C, generated by the RFEML
successfully applied information-theoretic techniques and method. This step focuses on improving the overall performance of
concepts, for example,[26, 27]. the computer network, in addition to enhancing the accuracy of
attack detection. Previous studies in this field have primarily
As datasets become larger, it becomes more difficult to concentrated on enhancing the detection accuracy without adequate
manage data dimensionality and select suitable features for consideration for the network's overall performance.
learning processes and has directed our focus on classifiers, a Overall, this hybrid approach combines the strengths of both RFE
filtering method precisely for machines that can potentially and MI methods, leading to more accurate results compared to using
classify these samples. Since classes have a fixed entropy, the either method alone. This approach is particularly effective when
main target would be formulated in relation to the conditional dealing with large datasets containing numerous potential variables
entropy corresponding to the classification given the set of or factors that influence outcomes, such as classification accuracy
features. Then, the goal is to select the minimal set of features rates. Figure 3 depicts the first part of the proposed system, which
that can reduces the uncertainty classification to the required represents the described method (RFEML) for feature selection,
while table 1 show feature selected by both method separately.
level. For this reason, the Random Forest classifier (RFC)has Table 1Selected Features by (RFEML)
been used to find the most critical eight features, as shown in
fig 2; and the proposed FS method is used to confirm the Selected Features by Recursive Selected Features by
results. This problem has attracted the attention of many feature elimination Mutual Information
researchers, for example [28][[29]]. Destination Port', Destination Port',
' Total Length of Bwd Packets', ' Total Length of Bwd
Packets',
' Bwd Packet Length Mean', ' Bwd Packet Length Mean',
' Bwd Packet Length Std', ' Packet Length Mean',
' Packet Length Mean', ' Packet Length Std',
' Average Packet Size', ' Packet Length Variance',
' Avg Bwd Segment Size', ' Average Packet Size',
' Fwd Header Length.1', ' Avg Bwd Segment Size',
' Subflow Fwd Bytes', ' Subflow Bwd Bytes',
'Init_Win_bytes_forward' Destination Port',
The second part of the framework (Fig. 4) provides a
characterization of four MLA to classify the dataset based on the
whole dataset in the first stage; then, use the thirteen features from
the dataset to test (RFEML) system. Next, compare and analyze the
accuracy, precision, (FNR), (TPR), (FPR), (TNR), and percentage

Figure 2 Features important by RF.

III.METHODOLOGY, APPROACH, AND PROPOSED MODELS

The methodology, approach, and proposed models for building a
hybrid feature selection method to detect web attacks are illustrated
in Figure 3 and Figure 4. The process consists of three stages,
outlined as follows:
Stage 1 involves a pre-processing step to handle duplicate, missing,
and infinite features. This step aims to identify the most relevant
features that contribute significantly to the classification task.
In Stage 2, a combination of Recursive Feature Elimination (RFE) Figure 3first stage of the proposed method (RFEML) for FS
and Mutual Information (MI) techniques is applied to generate the
final optimal set of features. This selection process helps reduce the of incorrectly classified and correctly identifying web attacks of
training and testing time while maintaining the accuracy of the each classifier algorithm.
detection rates. For example, on the CICIDS-2017 dataset, the
number of features is reduced from 78 to 20, and further removal of
duplicate features results in a final set of 13 features. Figures 2 and IV.NUMERICAL EXPERIMENTS AND RESULTS
3 reveal that certain features, namely Destination Port, Packet
Length Mean, and Average Packet Size in the CICIDS-2017 The confusion matrix is commonly utilized in predictive
datasets, are both common and significant across all two methods. analytics to visualize the performance of the experiment
The Random Forest Classifier and the proposed system have using the proposed method, and the whole dataset and five
independently selected these features. states are considered as a following:

82
 The recall is a measure of how well the model correctly
identifies all positive cases, and it is defined using a specific
formula., as follows:
𝑇𝑇𝑇𝑇 (6)
𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 =
𝑇𝑇𝑇𝑇 + 𝐹𝐹𝐹𝐹

Accuracy is a metric used to measure how close a predicted

value is to the actual value, it can be calculated by
𝑇𝑇𝑇𝑇 + 𝑇𝑇𝑇𝑇 (7)
𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴 =
𝑇𝑇𝑇𝑇 + 𝐹𝐹𝐹𝐹 + 𝑇𝑇𝑇𝑇 + 𝐹𝐹𝐹𝐹

F. Results Evaluation
Table 3 presents the results using exclusive features on the
dataset, while Table 4 displays the results using the proposed
method. Both tables compare the performance of different
Figure 4The second part of the proposed method (RFEML) for classifiers based on various metrics such as False Negative
FS Rate (FNR), True Positive Rate (TPR), False Positive Rate
(FPR), Accuracy (AC), Precision (PC), and Recall (RC).
Comparing the two tables, it can be observed that the
classifiers' performance generally improves when using the
The False Negative Rate (FNR) refers to situations where an proposed method (Table 3) compared to using exclusive
attack has occurred, but the system fails to identify it as such, features (Table 4). The FNR values decrease for all classifiers
giving a wrong prediction[5]. in Table 4, indicating a reduction in the rate of false negatives.
𝐹𝐹𝐹𝐹 (1) Similarly, the TPR values increase, indicating an
FNR = improvement in the rate of true positives.
𝐹𝐹𝐹𝐹 + 𝑇𝑇𝑇𝑇
The True Positive Rate (TPR) is a measure of how accurately
a system can identify attacks. It measures the proportion of
correctly identified attack instances out of all actual attack
instances.
𝑇𝑇𝑇𝑇 (2) Table 2Results using the whole features on the dataset
𝑇𝑇𝑇𝑇𝑇𝑇 =
𝑇𝑇𝑇𝑇 + 𝐹𝐹𝐹𝐹
The False Positive Rate (FPR) refers to the situation when a
M FNR( FPR( TPR(%) TNR AC( PC RC
system detects an attack when there is actually no attack. In LA %) %) (%) %)
other words, the system identifies a data point as an attack,
DT 0.0019 0.1203 0.998 0.879 0.9961 0.88 0.88
but it is actually not an attack. C 6 6
𝐹𝐹𝐹𝐹 (3)
𝐹𝐹𝐹𝐹𝐹𝐹 =
𝐹𝐹𝐹𝐹 + 𝑇𝑇𝑇𝑇
The True Negatives Rate (TNR) refers to the proportion of
cases where the model correctly predicts a negative outcome XG 0.0072 0.0043 0.9956 0.983 0.9924 0.99 0.83
when the actual outcome is also negative. In other words, B 9 8 5 4
TNR considers cases where both the prediction and actual
outcome are negative, and the model makes a correct KN 0.0025 0.1035 0.9974 0.896 0.9952 0.98 0.84
prediction. N 9 4
𝑇𝑇𝑇𝑇 (4)
𝑇𝑇𝑇𝑇𝑇𝑇 =
𝐹𝐹𝐹𝐹 + 𝑇𝑇𝑇𝑇

GB 0.0066 0.0663 0.9933 0.933 0.9506 0.93 0.58

The performance of AIDS will be evaluated using a set of
5 6
metrics.:
Precision is a metric that measures the accuracy of identifying
positive cases, by calculating the proportion of correctly
identified positive cases and is determined by
𝑇𝑇𝑇𝑇 (5)
𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃𝑃 =
𝑇𝑇𝑇𝑇 + 𝐹𝐹𝐹𝐹

83
 False Negative Rate = (FNR), True Positive Rate = TPR, KNN 0.003 0.0149 0.997 0.9851 0.9952 1.0 0.9
False Positive Rate = (FPR), AC = Accuracy , Recall = RC 8

GB 0.0549 0.0004 0.945 0.9995 0.9506 1.0 0.6

Results Evaluation 8

2 False Negative Rate = (FNR), 2. True Positive Rate =

1 TPR, False Positive Rate = (FPR), AC = Accuracy , Recall =
0 RC
Evaluation method
Decision Tree Classifier
XGBClassifier
KNeighbors Classifier
GradientBoostingClassifier
Figure 5Accuracy of each classifier with the proposed
method.
In Table 4, the Decision Tree Classifier shows a decrease
in FNR from 0.00196 to 0.0015, while its TPR increases from
0.998 to 0.9984. On The other hand, XGB Classifier also
exhibits a decrease in FNR from 0.00729 to 0.0073 and an
increase in TPR from 0.9956 to 0.9927. While, the
KNeighbors Classifier shows a decrease in FNR from 0.00259
to 0.003 and an increase in TPR from 0.9974 to 0.997. Lastly,
the Gradient Boosting Classifier demonstrates a decrease in
FNR from 0.00665 to 0.0549 and an increase in TPR from
0.9933 to 0.945.
G. Discussion
In contrast to other works that primarily focused on
achieving high accuracy and low false alarm rates while
neglecting the performance of the network and devices, this
study takes into account the overall performance by selecting
an optimal number of essential features.
For instance, in the work conducted by(Moustafa et al.
2018) the Outlier Gaussian Mixture (OGM) method was
examined, resulting in an improved accuracy of 97.28% on
the web attack dataset and 95.56% on the UNSW-NB15
dataset. However, this method showed limitations in detecting
unknown attacks.
On the other hand, the work done by (Kshirsagar and
Kumar 2022) investigated various feature selection methods
such as Gain, Gain Ratio, Chi-squared, and Relief, along with
J48, Random Forest, Naïve Bayes, and KNN algorithms. Their
system achieved an enhanced detection rate of 99.9909% with
Results Evaluation
1.5
Axis Title

1
These improvements in FNR and TPR suggest that the 0.5
proposed method enhances the classifiers' ability to detect web
0
attacks accurately. Additionally, the Accuracy (AC) values
generally remain high or improve slightly in Table 4
compared to Table 3, indicating that the proposed method
maintains or improves overall classification accuracy.
Figure 5 displays the accuracy of each classifier on the Evaluation method on…
whole dataset when using exclusive features. Figure 6, on the
other hand, illustrates the accuracy of each classifier when
utilizing the proposed method. Comparing the two figures, it Decision Tree Classifier
is evident that the classifiers' accuracy tends to improve or XGBClassifier
remain consistent when employing the proposed method
(Figure 6) compared to using exclusive features (Figure 5). KNeighbors Classifier

Overall, the results in Table 4, as well as Figures 5 and 6, GradientBoostingClassifier

suggest that the proposed method enhances the performance
Figure 6Accuracy of each classifier with the proposed
of the classifiers, leading to improved accuracy and detection
method.
rates for web attacks compared to using exclusive features.
Table 3Result using the proposed method. an 11.08 s model building time using relevant features.
However, it is worth noting that their system needs to be tested
MLA FNR( FPR( TPR( TNR( AC(% PC Rec with different datasets to ensure its generalizability..
%) %) %) %) ) all Comparing the present work with the study conducted by
DTC 0.0015 0.054 0.9984 0.946 0.999 1.0 0.9 (Popov et al. 2020), where Univariate Feature Selection and
9
Principal Component Analysis (PCA) were employed, the
proposed method showcased improved results. The test
XGB 0.0073 0.0091 0.9927 0.9908 0.9924 0.9 0.9
accuracy score obtained by the proposed method was 0.95,
4 9 6 compared to 0.7502 achieved by the LR algorithm using 19
features from the dataset. This indicates that the proposed
method outperforms the previous work in terms of
classification accuracy.

84
 With respect to this objective, upon examining the Table 3 and Table 4 present the comparative performances
comparison presented in Table 1, it becomes evident that the of the classifiers based on metrics such as False Negative Rate,
suggested system, which employs the RFEML technique and True Negative Rate, True Positive Rate, False Positive Rate,
identifies the 13 most influential features, exhibits the highest Recall, and accuracy. Among the classifiers, XGB and KNN
level of classification accuracy when compared to similar exhibited superior performance in detecting web attacks on
studies. This proposed approach not only enhances the the CICIDS2017 dataset, warranting further investigation.
accuracy of classification but also significantly diminishes the However, the DTC classifier achieved the highest accuracy at
time required for model development, thereby delivering an 0.999, surpassing the other methods.
overall superior performance in contrast to previous On the other hand, the XGB and GBC algorithms
methodologies. Therefore, through careful feature selection demonstrated good accuracy at 0.992and 0.950, respectively.
and the RFEML approach, this work achieves a notable The proposed system, employing the (RFEML) method,
improvement in classification accuracy and model building effectively reduces training and testing time while improving
time compared to other relevant studies. The comparison is overall accuracy. Furthermore, the proposed approach can be
presented in Table 4 support this conclusion. enhanced in future research to detect a wider range of web
attacks. Additionally, this technical method holds potential for
deployment in IoT environments, where different feature
selection techniques can be employed to construct an optimal
Table 4Comparison with Other Work feature selection mechanism.
References Dataset Classifiers Advantages Limitation References
used /Results [1] N. Moustafa, G. Misra, and J. Slay, "Generalized outlier gaussian
mixture technique based on automated association features for
simulating and detecting web application attacks," IEEE Transactions
on Sustainable Computing, 2018.
[1] UNSW- Outlier Achieved Requires [2] D. Kshirsagar and S. Kumar, "Towards an intrusion detection system
NB15 Gaussian 97.28% validation for detecting web attacks based on an ensemble of filter feature
dataset Mixture accuracy with another selection techniques," Cyber-Physical Systems, pp. 1-16, 2022, doi:
method using the dataset; Not 10.1080/23335777.2021.2023651.
OGM effective for [3] Symantec, "ISTR Internet Security Threat Report," 2019.
method on detecting
the web unknown [4] A. S. A. Aziz, E. Sanaa, and A. E. Hassanien, "Comparison of
attack attacks. classification techniques applied for network intrusion detection and
dataset and classification," Journal of Applied Logic, vol. 24, pp. 109-118, 2017.
95.56%
[5] I. Abobaker and A. Musa, "Machine Learning for Intrusion Detection
using the
UNSW- and Network Performance," in 2021 8th International Conference on
NB15 Future Internet of Things and Cloud (FiCloud), 23-25 Aug. 2021 2021,
dataset. pp. 86-91, doi: 10.1109/FiCloud49777.2021.00020.
[2] CICIDS RF, Attaind To validate [6] M. H. Kamarudin, C. Maple, T. Watson, and N. S. Safa, "A
2017 Decision 99.6161% the result LogitBoost-Based Algorithm for Detecting Known and Unknown Web
Stump, J48, accuracy by with another
Attacks," IEEE Access, vol. 5, pp. 26190-26200, 2017, doi:
Hoeffding J48 dataset
tree, and
10.1109/access.2017.2766844.
REP [7] C. Agrawal and Z. Hasan, "Analysis of Major Security Attacks in
[4] NSL-KDD NB, RF, of 98.28% Only 20% Recent Years."
dataset J48, and using 20 % of testing
[8] Quartz. "Data is expected to double every two years for the next
ML of the data data used
when decade." https://qz.com/472292/data-is-expected-to-double-every-
comparing. two-years-for-the-next-
to training decade/#:~:text=Thanks%20to%20advancements%20in%20technolog
data which y,hitting%2045%2C000%20exabytes%20in%202020. (accessed.
can affect [9] Y. Pan et al., "Detecting web attacks with end-to-end deep learning,"
the
Journal of Internet Services and Applications, vol. 10, no. 1, pp. 1-22,
accuracy.
The CICIDS- DTC, XGB, Achieved Detect more
2019.
proposed 2017 GBC, and accuracy various web [10] M. Ahmad, Q. Riaz, M. Zeeshan, H. Tahir, S. A. Haider, and M. S.
System KNN and lees attacks. Khan, "Intrusion detection in internet of things using supervised
computing machine learning based on application and transport layer features
process. using UNSW-NB15 data-set," EURASIP Journal on Wireless
Communications and Networking, vol. 2021, no. 1, 2021, doi:
10.1186/s13638-021-01893-8.
V.CONCLUSIONS AND FUTURE WORK [11] S. M. Kasongo and Y. Sun, "Performance analysis of intrusion
detection systems using a feature selection method on the UNSW-
The findings of this study demonstrate that utilizing the NB15 dataset," Journal of Big Data, vol. 7, pp. 1-20, 2020.
proposed method to select 13 key features from the dataset [12] E. Levy, "Approaching Zero," IEEE Security & Privacy, vol. 2, no. 4,
significantly enhances the performance of the classifier by pp. 65-66, 2004, doi: 10.1109/MSP.2004.33.
eliminating data redundancy. The primary objective of this [13] P. R. McWhirter, K. Kifayat, Q. Shi, and B. Askwith, "SQL Injection
work was to achieve optimal performance and security within Attack classification through the feature extraction of SQL query
strings using a Gap-Weighted String Subsequence Kernel," Journal of
a system. By focusing on these significant features and information security and applications, vol. 40, pp. 199-216, 2018.
employing supervised machine learning classifiers such as [14] F. Cavallin and R. Mayer, "Anomaly Detection from Distributed Data
DTC, XGB, GBC, and KNN algorithms, web attacks can be Sources via Federated Learning," in Advanced Information
efficiently and effectively detected without incurring Networking and Applications: Proceedings of the 36th International
unnecessary computational costs. Conference on Advanced Information Networking and Applications
(AINA-2022), Volume 2, 2022: Springer, pp. 317-328.

85
[15] A. Smiti, "A critical overview of outlier detection methods," Computer
Science Review, vol. 38, p. 100306, 2020.
[16] D. E. Denning, "An intrusion-detection model," IEEE Transactions on
software engineering, no. 2, pp. 222-232, 1987.
[17] Y. M. Tukur, D. Thakker, and I. U. Awan, "Edge‐based blockchain
enabled anomaly detection for insider attack prevention in Internet of
Things," Transactions on Emerging Telecommunications
Technologies, vol. 32, no. 6, p. e4158, 2021.
[18] S. Garg and S. Batra, "A novel ensembled technique for anomaly
detection," International Journal of Communication Systems, vol. 30,
no. 11, p. e3248, 2017.
[19] M. H. Kamarudin, C. Maple, T. Watson, and N. S. Safa, "A New
Unified Intrusion Anomaly Detection in Identifying Unseen Web
Attacks," Security and Communication Networks, vol. 2017, pp. 1-18,
2017, doi: 10.1155/2017/2539034.
[20] S. Bahl and S. K. Sharma, "Improving Classification Accuracy of
Intrusion Detection System Using Feature Subset Selection," presented
at the 2015 Fifth International Conference on Advanced Computing &
Communication Technologies, 2015.
[21] B. Gupta, A. Rawat, A. Jain, A. Arora, and N. Dhami, "Analysis of
various decision tree algorithms for classification in data mining,"
International Journal of Computer Applications, vol. 163, no. 8, pp. 15-
19, 2017.
[22] K. Konar, S. Das, and S. Das, "Employee attrition prediction for
imbalanced data using genetic algorithm-based parameter optimization
of XGB Classifier," in 2023 International Conference on Computer,
Electrical & Communication Engineering (ICCECE), 2023: IEEE, pp.
1-6.
[23] N. Chakrabarty, T. Kundu, S. Dandapat, A. Sarkar, and D. K. Kole,
"Flight arrival delay prediction using gradient boosting classifier," in
86
Emerging Technologies in Data Mining and Information Security:
Proceedings of IEMIS 2018, Volume 2, 2019: Springer, pp. 651-659.
[24] J. McHugh, "Testing intrusion detection systems: a critique of the 1998
and 1999 darpa intrusion detection system evaluations as performed by
lincoln laboratory," ACM Transactions on Information and System
Security (TISSEC), vol. 3, no. 4, pp. 262-294, 2000.
[25] UNP. "Canadian Institute for Cybersecurity."
https://www.unb.ca/cic/datasets/ids-2017.html (accessed 15/05/2023.
[26] V. Bolon-Canedo, N. Sanchez-Marono, and A. Alonso-Betanzos,
"Feature selection and classification in multiple class datasets: An
application to KDD Cup 99 dataset," Expert Systems with
Applications, vol. 38, no. 5, pp. 5947-5957, 2011.
[27] N. Acharya and S. Singh, "An IWD-based feature selection method for
intrusion detection system," (in English), Soft computing (Berlin,
Germany), vol. 22, no. 13, pp. 4407-4416, 2017, doi: 10.1007/s00500-
017-2635-2.
[28] E. Jaw and X. Wang, "Feature Selection and Ensemble-Based Intrusion
Detection System: An Efficient and Comprehensive Approach," (in
English), Symmetry (Basel), vol. 13, no. 10, p. 1764, 2021, doi:
10.3390/sym13101764.
[29] H. B. M. Rais and T. Mehmood, "Feature selection in intrusion
detection, state of the art: A review," (in English), Journal of
Theoretical and Applied Information Technology, vol. 94, no. 1, pp.
30-43, 2016. [Online]. Available: https://go.exlibris.link/yjmgnwPK.
EEE conference templates contain guidance text for composing and
formatting conference papers. Please ensure that all template text is
removed from your conference paper prior to submission to the
conference. Failure to remove template text from your paper may result
in your paper not being published.