Discover Artificial Intelligence (Apr 2024)

Self-healing hybrid intrusion detection system: an ensemble machine learning approach

  • Sauharda Kushal,
  • Bharanidharan Shanmugam,
  • Jawahar Sundaram,
  • Suresh Thennadil

DOI
https://doi.org/10.1007/s44163-024-00120-9
Journal volume & issue
Vol. 4, no. 1
pp. 1 – 20

Abstract

The increasing complexity and adversity of cyber-attacks have prompted discussions in the cyber scenario for a prognostic approach rather than a reactionary one. In this paper, a signature-based intrusion detection system has been built based on C5 classifiers to classify packets into normal and attack categories. Next, an anomaly-based intrusion detection system was built based on the LSTM (Long Short-Term Memory) algorithm to detect anomalies. These anomalies are then fed into the signature generator to extract attributes. These attributes are uploaded into the C5 training set, aiding the ensemble model in continual learning with expanding signatures of unknown attacks. By generating signatures of unknown attacks, the self-healing attribute of the ensemble model contributes to the early detection of attacks. The C5 classifier of the proposed model is evaluated on the UNSW-NB15 dataset, while the LSTM model is evaluated on the ADFA-LD dataset. Compared to conventional models, the experimental results show better detection rates for both known and unknown attacks. The C5 classifier achieved a True Positive Rate of 97% while maintaining a False Positive Rate of 8%. The LSTM model achieved a detection rate of 90% while retaining a 17% False Alarm Rate. As the proposed model learns, its performance in real network traffic also improves, and it eliminates human intervention when updating training data.

Keywords