By: Jowin John Chemban (jowinchemban@gmail.com) HGW16CS022 (2016-2020 Batch) S7 B.Tech Computer Science Engineering Holy Grace Academy of Engineering, Mala Date : September 2019

1. Network Intrusion Detection
using
Supervised Machine Learning
Technique
with
Feature Selection
By :-
Jowin John Chemban
S7 CSE
Holy Grace Academy of Engineering

2. Intrusion
Intrusion is some time also called as hacker or
cracker attempting to break into or misuse your
system/network.
i.e., an intrusion attempt or a threat to be the
potential possibility of a deliberate unauthorized
attempt to
• Access information/resources
• Manipulate information
• Render a system unreliable or unusable.

3. Intrusion Detection System (IDS)
• Intrusion Detection is a set of techniques and methods
that are used to detect suspicious activity both at the
network and host level.
• An intrusion detection system (IDS) inspects all inbound
and outbound network activity and identifies suspicious
patterns that may indicate a network or system attack
from someone attempting to break into or compromise a
system/network.
• An IDS installed on a network provides much the same
purpose as a burglar alarm system installed in a house.
Through various methods, both detect when an
intruder/attacker/burglar is present, and both
subsequently issue some type of warning or alert.

4. Why Intrusion Detection System
• The wide spreading usages of internet and increases in
access to online contents, cybercrime is also happening at
an increasing rates.
• Intrusion detection is the first step to prevent security
attack.
• IDS detects attacks from a variety of systems and
network sources by collecting information and then
analyzes the information for possible security breaches.
• As the number of IoT devices and other smart devices
which are connected to network continue to multiply wildly,
so do the security issues associated with it.

6. Network Intrusion Detection System
• The network based IDS analyzes the data packets that
travel over a network and this analysis are carried out in
two ways,
 Signature based Network Intrusion Detection
 Anomaly based Network Intrusion Detection
• Till today anomaly based detection is far behind than the
detection that works based on signature and hence
anomaly based detection still remains a major area for
research.

7. No firewall is foolproof, and no network is
impenetrable.
Attackers continuously develop new
exploits and attack techniques designed to
circumvent your defenses. Many attacks
leverage other malware or social
engineering to obtain user credentials that
grant them access to your network and
data.
.
Why You Need Network IDS

8. • A network intrusion detection system (NIDS) is crucial
for network security because it enables you to detect and
respond to malicious traffic.
• The primary purpose of an intrusion detection system is to
ensure IT personnel is notified when an attack or network
intrusion might be taking place.
• The network IDS monitors network traffic and triggers
alerts when suspicious activity or known threats are
detected, so IT personnel can examine more closely and
take the appropriate steps to block or stop an attack
Why You Need Network IDS

11. Issues in Network IDS
• False Positives
Signature-based threat detection is generally accurate, but
when it comes to anomaly-based detection and identifying
potentially suspicious or malicious activity you will likely
encounter false positives.
• False Negatives
On the other side of the spectrum from false positives, you also
face a risk that suspicious or malicious activity will not be
detected 100% of the time. This is particularly an issue with
zero-day or emerging threats that rely on new exploits and
attack techniques that the IDS is unfamiliar with.
• Security Experts
With a network IDS, the biggest challenge—aside from false
negatives and false positives—can be the sheer volume of
alerts. One of the most important elements of using a network
intrusion detection system effectively is ensuring you have IT
security personnel with the knowledge and skills.

12. Machine Learning Principles
in
Network Intrusion Detection

13. SYSTEM Model

14. • The system proposed is composed of
– feature selection and
– learning algorithm.
• Feature selection component are responsible to extract
most relevant features or attributes to identify the
instance to a particular group or class.
• Learning algorithm component builds the necessary
intelligence or knowledge using the result found from the
feature selection component.
• Using the training dataset, the model gets trained and
builds its intelligence.
• The learned intelligences are applied to the testing
dataset to measure the accuracy of home much the model
correctly classified on unseen data.
SYSTEM Model

15. Feature Selection
• Used to reduce the reduce data dimensionality in machine
learning.
• Two methods,
 Filter method
 Wrapper method

16. • Filter method
– Features are selected on the basis of their scores in
various statistical tests that measure the relevance of
features by their correlation with dependent variable
or outcome variable. The filter method uses an
attribute evaluator along with a ranker to rank all the
features in the dataset.
• Wrapper method
– Wrapper methods are based on greedy search
algorithms as they evaluate all possible combinations of
the features and select the combination that produces
the best result for a specific machine learning
algorithm.
Wrapper method is useful for machine learning test whereas
filter method is suitable for data mining test because data
mining has thousands of millions of features.

17. Support Vector Machine (SVM)
• SVM is a supervised algorithm that classifies cases by
finding a separator.
1. Mapping data to a high-dimensional feature space.
2. Finding a separator

18. wTx+b=-1
wTx+b=0
wTx+b=-1

20. Artificial Neural Network (ANN)
• ANN is another tool used in Machine Learning.
• System inspired by human brain system and replicate the
learning system of human brain.
• Consists of input and output layers with one or more
hidden layers.
• The ANN uses a technique called back propagation to
adjust the outcome with the expected result or class.

22. ExperimentalAnalysis
ofthe
System

23. Feature Selection
• Experiment carried out using WEKHA open source
software suite.
– In first part, extracted relevant features using different feature
selection methods.
– In wrapper method, SVM classification algorithm with cross-
validation to avoid over fitting and under fitting problem.
– In the filter method, A ranker algorithm used to find the best
result suitable for the proposed classifier.
• Training Data used = NSL-KDD dataset with 25,191
instances.
FS
Technique
FS Type
Input
Features
Output
Features
Correlation Based
Wrapper 41 17
Chi-Square Based
Filter 41 35

24. Classification
• Classification using supervised machine learning requires
training the model using training dataset.
• To training the model we used SVM and ANN learning
algorithms for each feature selection methods.
• Next, these models were evaluated using 22,542
instances of testing data from NSL-KDD testing dataset.
Learning Type Number of
Features
Detection
Accuracy
SVM 17 81.78%
SVM 35 82.34%
ANN 17 94.02%
ANN 35 83.68%

25. Learning
Type
Our Model
Accuracy
Existing Models
Accuracy
SVM 82.34% 69.52% 92.84%
ANN 94.02% 77.23% 81.2%
Final Result
• The detection success rate of the proposed model is also
compared with other existing models.
• After several trial and error methods, found the best
detection rate with 3 hidden layers and 0.1 learning rate.

26. Conclusion
• We have presented different machine learning models
using different machine learning algorithms and different
feature selection methods to find a best model.
• The analysis of the result shows that the model built using
ANN and wrapper feature selection outperformed all
other models in classifying network traffic correctly with
detection rate of 94.02%.
• The intrusion detection system exist today can only
detect known attacks. Detecting new attacks or zero day
attack still remains a research topic due to the high false
positive rate of the existing systems.

27. References
• ieeexplore.ieee.org
• www.cloudflare.com
• www.forbes.com
• www.cisco.com
• blog.alertlogic.com
• searchsecurity.techtarget.com
• www.comparitech.com
• www.websitehostingrating.com
• www.stackabuse.com
• https://youtu.be/iBsGSsbDMyw