An NIDS for Known and Zero-Day Anomalies

Abstract

Rapid development in the network infrastructure has resulted in sophisticated attacks which are hard to detect using typical network intrusion detection systems (NIDS). There is a strong need for efficient NIDS to detect these known attacks along with ever-emerging zero-day exploits. Existing NIDS are more focused on detecting known attacks using supervised machine learning approaches, achieving better performance for known attacks but poor detection of unknown attacks. Many NIDS have utilized the unsupervised approach, which results in better detection of unknown anomalies. In this paper, we proposed a Hybrid NIDS based on Semisupervised One-Class Support Vector Machine (OC-SVM) and Supervised Random Forest (RF) algorithms. This detection system has several stages. The First stage is based on OC-SVM, which filters benign and malicious traffic. The next stages use many parallel supervised models and an additional OC-SVM model to separate known and unknown attacks from malicious traffic. The previous process is done so that known attacks are classified by their type, and unknown attacks are detected. The proposed NIDS is tested on the standard public dataset CSE-CIC-IDS-2018. The evaluation results show that the system achieves a high accuracy, 99.45%, for detecting known attacks. Our proposed NIDS achieves an accuracy of 93.99% for unknown or zero-day attacks. The overall accuracy of the proposed NIDS is 95.95%. The system significantly improves the detection of known and unknown anomalies using a hybrid approach.