Abstract

In recent years, the demand for computer networks has grown rapidly, which raises the risk of novel attack incidents. Traditional network intrusion detection systems (IDSs) usually have difficulty detecting these attacks because they need to adapt to the more advanced or challenging technologies of novel attacks, yet updating them can be computationally expensive and complicated. Therefore, an adaptive IDS is crucial to keep computer networks protected. In addition, consistent updating of IDS datasets is essential due to advances in network technology and attack strategies. Updating the IDS datasets would allow proposed IDSs to be tested on datasets that are relevant to recent attacks. Moreover, the connection between processing raw network data and creating an adaptive IDS has not been sufficiently studied in this domain. Therefore, this study presents an adaptive IDS and a new real-world network dataset called the UKM-IDS20. The proposed IDS employs the homogeneous ensemble method to create a model that can be periodically updated to detect novel attacks. The update procedure includes training new classifiers and adding them to the base ensemble model. Since this procedure requires further data, a simple data acquisition methodology is used for processing raw network traffic data. This process involves three stages: packet capturing, packet integration, and feature extraction. The data collected from the tests of this study is then used to create the UKM-IDS20 dataset. The created dataset contains 46 features and covers four types of attacks, namely ARP poisoning, DoS, Scans, and Exploits. The complexity of the UKM-IDS20 is compared to the KDD99 and UNSW-NB15 datasets from two aspects. First, an analysis of the features and classes is demonstrated using rough-set theory. Second, a dynamic artificial neural network is used to test and compare the three datasets mentioned above. The results show a higher complexity and relevancy of the features in the introduced dataset. The UKM-IDS20 dataset is publicly available and can be accessed by all researchers. This study is anticipated to provide enough information to help cybersecurity academics generate effective IDSs and up-to-date datasets.