A Stacking Ensemble Learning Approach for Intrusion Detection System

Year 2021, Volume: 9 Issue: 4, 1329 - 1341, 31.07.2021

Murat Uçar , Emine Uçar , Mürsel Ozan İncetaş

https://doi.org/10.29130/dubited.737211

Cited By: 1

Abstract

Intrusion detection systems (IDSs) have received great interest in computer science, along with increased network productivity and security threats. The purpose of this study is to determine whether the incoming network traffic is normal or an attack based on 41 features in the NSL-KDD dataset. In this paper, the performance of a stacking technique for network intrusion detection was analysed. Stacking technique is an ensemble approach which is used for combining various classification methods to produce a preferable classifier. Stacking models were trained on the NSLKDD training dataset and evaluated on the NSLKDDTest+ and NSLKDDTest21 test datasets. In the stacking technique, four different algorithms were used as base learners and an algorithm was used as a stacking meta learner. Logistic Regression (LR), Decision Trees (DT), Artificial Neural Networks (ANN), and K Nearest Neighbor (KNN) are the base learner models and Support Vector Machine (SVM) model is the meta learner. The proposed models were evaluated using accuracy rate and other performance metrics of classification. Experimental results showed that stacking significantly improved the performance of intrusion detection systems. The ensemble classifier (DT-LR-ANN + SVM) model achieved the best accuracy results with 90.57% in the NSLKDDTest + dataset and 84.32% in the NSLKDDTest21 dataset.

Keywords

Intrusion detection, Stacking, Security, Ensemble learning

Saldırı Tespit Sistemi İçin İstifleme Topluluk Öğrenme Yaklaşımı

Abstract

Saldırı tespit sistemleri (STS'ler), artan ağ verimliliği ve güvenlik tehditlerinin yanı sıra bilgisayar bilimlerinde de büyük ilgi görmüştür. Bu çalışmanın amacı, NSL-KDD veri kümesindeki 41 özelliğe bağlı olarak gelen ağ trafiğinin, normal veya saldırı olup olmadığını belirlemektir. Bu yazıda, ağ izinsiz giriş tespiti için bir istifleme tekniğinin performansı analiz edilmiştir. İstifleme tekniği, tercih edilebilir bir sınıflandırıcı üretmek için çeşitli sınıflandırma yöntemlerini birleştirerek kullanılan bir topluluk yaklaşımıdır. İstifleme modelleri NSLKDD eğitim veri seti üzerinde eğitilmiş ve NSLKDDTest+ ve NSLKDDTest21 test veri setleri üzerinde test edilmiştir. İstifleme tekniğinde temel öğrenenler olarak dört farklı algoritma ve istifleme meta öğrenicisi olarak bir algoritma kullanılmıştır. Lojistik Regresyon (LR), Karar Ağaçları (KA), Yapay Sinir Ağları (YSA) ve K En Yakın Komşu (KEYK) temel öğrenici modelleridir ve Destek Vektör Makinesi (DVM) modeli meta öğrenicidir. Önerilen modeller, doğruluk oranı ve sınıflandırmanın diğer performans metrikleri kullanılarak değerlendirilmiştir. Deney sonuçları istiflemenin saldırı tespit sisteminin performansını önemli ölçüde artırdığını göstermiştir. Topluluk sınıflandırıcısı (KA-LR-YSA + DVM) modeli, NSLKDDTest+ veri kümesinde %90.57 ve NSLKDDTest21 veri kümesinde %84.32 ile en iyi sonuçlara ulaşmıştır.

Keywords

: Saldırı tespiti, İstifleme, Güvenlik, Topluluk Öğrenimi

References

• [1] C. Tsai, Y. Hsu, C. Lin, and W. Lin, “Expert Systems with Applications Intrusion detection by machine learning : A review,” Expert Syst. Appl., vol. 36, no. 10, pp. 11994–12000, 2009.
• [2] S. Morgan, (2019, Jun 15). “2017 Cyber Crime Report.” [Online]. Available: https://cybersecurityventures.com/2015-wp/wp-content/uploads/2017/10/2017-CybercrimeReport.pdf.
• [3] G. Karataş and O. Şahingöz, “Neural network based ıntrusion detection systems with different training functions,” IEEE, pp. 1–6, 2018.
• [4] D. P. Vinchurkar and A. Reshamwala, “A review of ıntrusion detection system using neural network and machine learning technique,” International Journal of Engineering Science and Innovative Technology (IJESIT),vol. 1, no. 2, pp. 54–63, 2012.
• [5] K. Leung and C. Leckie, “Unsupervised anomaly detection in network ıntrusion detection using clusters,” in Proceedings of the Twenty-eighth Australasian Conference on Computer Science – Volume 38, 2005, pp. 333–342.
• [6] P. Ning and S. Jajodia, (2020, Feb 10). “Intrusion detection techniques.” [Online]. Available: https://doi.org/10.1002/047148296X.tie097.
• [7] L. I. Kuncheva, J. C. Bezdek and R. P. Duin, “Decision templates for multiple classifier fusion: an experimental comparison,” Pattern Recognition, vol. 34, no. 2, pp. 299–314, 2001.
• [8] M. Gyanchandani, R. N. Yadav and J. L. Rana, “Intrusion Detection using C4 . 5 : Performance Enhancement by Classifier Combination,” ACEEE Int. J. on Signal & Image Processing, vol. 01, no. 03. pp. 46–49, 2010.
• [9] E. Bahri, N. Harbi, and H. N. Huu, “Approach Based Ensemble Methods for Better and Faster Intrusion Detection,” in Proceedings of the 4th International Conference on Computational Intelligence in Security for Information Systems, 2011, pp. 17–24.
• [10] I. Syarif, E. Zaluska, A. Prugel-Bennett, and G. Wills, “Application of bagging, boosting and stacking to ıntrusion detection,” in Proceedings of the 8th International Conference on Machine Learning and Data Mining in Pattern Recognition, 2012, pp. 593–602.
• [11] A. K. Shrivas and A. K. Dewangan, “Article: An ensemble model for classification of attacks with feature selection based on KDD99 and NSL-KDD Data Set,” Int. J. Comput. Appl., vol. 99, no. 15, pp. 8–13, 2014.
• [12] D. P. Gaikwad and R. C. Thool, “Intrusion detection system using bagging with partial decision treebase classifier,” Procedia Comput. Sci., vol. 49, pp. 92–98, 2015.
• [13] B. A. Tama and K. H. Rhee, “A Combination of PSO-Based Feature Selection and Tree-Based Classifiers Ensemble for Intrusion Detection Systems,” in CSA/CUTE, 2015.
• [14] S. Choudhury and A. Bhowal, “Comparative analysis of machine learning algorithms along with classifiers for network intrusion detection,” 2015 Int. Conf. Smart Technol. Manag. Comput. Commun. Control. Energy Mater., 2015, pp. 89–95.
• [15] I. S. Thaseen and C. A. Kumar, “Intrusion detection model using fusion of PCA and optimized SVM,” in 2014 International Conference on Contemporary Computing and Informatics (IC3I), 2014, pp. 879–884.
• [16] S. Naseer, Y. Saleem, S. Khalid, M. K. Bashir, J. Han, M. M. Iqbal and K. Han, “Enhanced network anomaly detection based on deep neural networks,” IEEE Access, vol. 6, pp. 48231–48246, 2018.
• [17] R. C. Aygun and A. G. Yavuz, “Network anomaly detection with stochastically ımproved autoencoder based models,” 2017 IEEE 4th Int. Conf. Cyber Secur. Cloud Comput., 2017, pp. 193 198.
• [18] C. Yin, Y. Zhu, J. Fei, and X. He, “A deep learning approach for ıntrusion detection using recurrent neural networks,” IEEE Access, vol. 5, pp. 21954–21961, 2017. [19] N. Shone, T. N. Ngoc, V. D. Phai and Q. Shi, "A deep learning approach to network intrusion detection," in IEEE Transactions on Emerging Topics in Computational Intelligence, vol. 2, no. 1, pp. 41–50, 2018.
• [20] T. A. Tang, L. Mhamdi, D. McLernon, S.A.R. Zaidi, M. Ghogho and F El Moussa, “DeepIDS: deep learning approach for intrusion detection in software defined networking,” Electronics, vol. 9, pp. 1533, 2020.
• [21] A. Ledezma, R. Aler, and D. Borrajo, “Heuristic Search-Based Stacking of Classifiers,” 2002.
• [22] D. H. Wolpert, “Stacked Generalization,” Neural Networks, vol. 5, pp. 241–259, 1992.
• [23] Z.-H. Zhou, Ensemble Methods: Foundations and Algorithms, 1st ed. Chapman & Hall/CRC, 2012.
• [24] S. Haykin, Neural Networks and Learning Machines. New Jersey: Prentice Hall, 2008.
• [25] E. Öztemel, Yapay Sinir Ağları. İstanbul, Türkiye: PapatyaYayıncılık, 2012
• [26] N. Demir and G. Dalkiliç, “Modified stacking ensemble approach to detect network intrusion,” Turkish J. Electr. Eng. Comput. Sci., vol. 26, pp. 418–433, 2018.
• [27] W. Wang, X. Zhang, and S. Gombault, “Constructing attribute weights from computer audit data for effective intrusion detection,” J. Syst. Softw., vol. 82, pp. 1974–1981, 2009.
• [28] M. Pontil and A. Verri, “Support vector machines for 3D object recognition,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 20, no. 6, pp. 637–646, 1998.
• [29] N. Cristianini and J. Shawe-Taylor, An Introduction to Support Vector Machines and Other Kernel-Based Learning Methods. Cambridge University Press, 2000.
• [30] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed analysis of the KDD CUP 99 data set,” in 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, 2009, pp. 1–6.
• [31] UNB. (2021, March 6). “The NSL-KDD Data Set.” [Online]. Available:https://github.com/ defcom17/NSL_KDD.
• [32] T. Poongothai, K. Jayarajan and P.Udayakumar, “An Effective and Intelligent Intrusion DetectionSystem using Deep Auto-Encoders”, IJAST, vol. 29, no. 9s, pp. 3139–3154, 2020.
• [33] F. Pedregosa et al., “Scikit-learn: Machine Learning in Python,” J. Mach. Learn. Res., vol. 12, no. 85, pp. 2825–2830, 2011.
• [34] M. Mohammadi, B. Raahemi, A. Akbari, and B. Nasersharif, “New class-dependent feature transformation for intrusion detection systems,” Secur. Commun. Networks, vol. 5, pp. 1296–1311, 2012.
• [35] P. Krömer, J. Platos, V. Snásel, and A. Abraham, “Fuzzy classification by evolutionary algorithms,” 2011 IEEE Int. Conf. Syst. Man, Cybern., 2011, pp. 313–318.
• [36] J. Kevric, S. Jukic, and A. Subasi, “An effective combining classifier approach using tree algorithms for network intrusion detection,” Neural Comput. Appl., vol. 28, pp. 1051–1058, 2016.