A REVIEW PAPER OF MACHINE LEARNING
TECHNIQUES FOR INTRUSION DETECTION SYSTEM
SHAHBAZ HASSAN, AAQIB MEHRAN, ASIM NASEER
In recent age internet and computer
network are exposed to an increasing
number of security issues (Cyber Security).
Cyber Security is the set of technologies
and process designed to protect computers,
network, programs and data from attack,
unauthorized access, change or destruction.
Cyber security systems are composed of
network security systems and computer
(host) security systems. Each of these has,
at a minimum, a firewall, antivirus
software, and an intrusion detection system
(IDS). IDSs help discover, determine, and
identify unauthorized use, duplication,
alteration, and destruction of information
systems [1]. There are many kinds of
attacks appearing continuously over the
network also known as security breaches.
These security breaches can be catagorized
in two parts internal and external. To
prevent from these attacks developing a
flexible and adaptive security approach is a
challenge.
Intrusion Detection System (IDS) is a system
devised to monitor networks or system from
rules violation/malicious activity. There are
multiple cyber security solution available to
mitigate these types of threats. IDS goes
very closely with a firewall solution. The
difference between these two solution is
that firewall watches and protect the
network from outward threats (external
breaches) while IDS signal an alarm when a
malicious activity is detected on the
network/system or a host generated with in
the network or host (internal breach) or
form any external source (external breach).
One of many important phase in defining
network/cyber security is Intrusion
Detection Engine (IDS) engine. The IDS
engine must be able to process the
protocols and understand the goal. Even
protocol analysis is very expensive in term
of computation cost but it generates the
rule set which helps in less false positive
alarm.
There are three main type os cyber
analytics in support of IDS: signature base
(also known as misuse-based), anomaly
based and hybrid. Signature based IDS
techniques are designed to detect known
attacks through signature which is being
stored on a local database. This technique
is effective in detecting known type of
threats with minimum generated false
alarm number. This technique requires
frequent updation of database along with
signatures and rules. This technique cannot
be used to zero-day attacks (Novel Attacks).
Anomaly based network intrusion technique
is a valuable technology to protect the
system and network against the malicious
activities. The anomaly based network is a
centralised process that works on the
concept of baseline for network behaviour.
The baseline is the description of a
accepted network behaviour learned by the
network administrator. The major drawback
of anomaly detection is its rule sets. They
produce high false alarm rate because of
unseen legitimate system activity may also
be categorised as an anomaly. The system
efficiency depends on how well the system
is implemented and tested over all
protocols. Rule defining process also affects
the performance of protocols. To detect
accurately the administrator should
required developing deep knowledge about
the accepted network behaviour, but once
the rules are defined and protocol is built
then anomaly detection system will work
well. Many distinct techniques are used in
anomaly based detection system which is
based on type of processing. they are
statistical based, operational or threshold
metric model, markoveprocess/marker
model, statistical moments/mean and
standard deviation model, univariate
model, multivariate model, time series
model, cognition based, finite state
machine model, descriptions script model,
baysine model, genetic algorithms model,
neural network model, fuzzy logic model,
outlier detection model. Hybrid technique
is the result of combination of both
signature and anomaly detection. This
technique is used to get the maximum
detection of known (signature based)
attacks/breaches and lowering false
positive rate for the unknowns.
IDS can also be classified based on the
where they look for intrusion behavior:
network based or host based. A network
based IDS analyze and monitor the network
for any malicious activity using network
devices while host based IDS actively
analyze/monitor the process and activity
related to files and software on a specific
host.
[5]Most techniques used in IDS are not able
to deal with dynamic and complex nature of
cyber attack on computer network. Hence
efficient adaptive methods like various
techniques of machine learning can result
in higher detection rate, lower false alarm
rate and reasonable computation and
communication cost.[5] in this paper we
explain several techniques of machine
learning i.e. Artificial neural network, Fuzzy
system, Evolutionary computation, Artificial
immunes system and swarm intelligence.
Neural networks have already been used to
solve many problems related to pattern
recognition, data mining, data compression
and research is still underway with regards
to intrusion detection systems.
Unsupervised learning and fast network
convergence are some features that can be
integrated in the newly designed IDS system
using neural networks. The technology
promises to detect misuse and improve the
recognition of malicious events with more
consistency. A neural network is able to
detect any instances of possible misuse,
allowing system administrators to protect
their entire organisation through enhanced
resilience against threats. Many
computational Intelligence methods and
their applications to intrusion detection
methods such as Artificial Neural Networks
(ANNs), Fuzzy Systems, Evolutionary
Computation, Artificial Immune Systems,
and Swarm Intelligence are used to apply
IDS concepts with in a network/system or
for a host. Some of which are briefly
described here. Evolutionary computation
(EC) is a computational intelligence
technique inspired from natural evolution.
[2] It is loosely based on the “process of
survival of fittest” where each individual
are competing with each other for survival
[2]. The evolutionary computation played
very important role in intrusion detection.
The aim of attacker is to attack the target
system to achieve their goal. In order to
achieve their goal they must create new
attack to the target system , on the other
hand these IDS system are generally
unable to detect these new attacks
particularly misused based detection system
are ineffective to detect these new attacks.
Therefore computational evolution
techniques are used to solve these security
issues.[3]The artificial immunes systems
were inspired by human immunes system
which is robust, decentralized, error
tolerant, and adaptive [3]. Which protects
the body from harmful bacteria, viruses,
parasites and fungi? It does this largely
without prior information of this pattern in
human body. This made the focus of
interest in computer science and intrusion
detection community. From this prospectus
the HIS can be viewed as anomaly detector
with very low false positive and false
negative error rate. [4]To consider this
concept the IDS is placed on each host
based computer. And this host based
computer is divided into two defense
layers. First layer is called innate immune
detection system and second layer is called
adaptive immune detection system. The
innate immune detection layer accept the
file arrive into the host computer. If the file
is belong from valid extension it allow to
perform operation and if the file is not
belong from valid extension it immediately
send as alarming ones to second layer
adaptive immunes detection. The adaptive
immunes detection is invoked when it
receive alarm from innate layer and will
change the extension of file[4]. Fuzzy logic
is a set of concepts, techniques, and
theorems designed to handle vagueness and
imprecision. These can be used to evaluate
the probability of a given threat by using
knowledge about all the possible attempts
against security in the target system.

REFERENCES
1. A. Mukkamala, A. Sung, and A. Abraham, “Cyber security challenges: Designing efficient
intrusion detection systems and antivirus tools” in Enhancing Computer Security with Smart
Technology, V. R. Vemuri, Ed. New York, NY, USA: Auerbach, 2005, pp. 125–163.

2. Sen, S., & Clark, J. A. (2011), “Evolutionary computation techniques for intrusion detection in
mobile ad-hoc networks”, Computer Networks, 55(15), 3441-3457.
3. Aziz, Amira Sayed A., et al. "Artificial immune system inspired intrusion detection system using
genetic algorithm." Informatica 36.4 (2012).
4. Dutt, Inadyuti, Samarjeet Borah, and Indrakanta Maitra, “Intrusion Detection System using
Artificial Immune System”, International Journal of Computer Applications 144.12 (2016).

5. Zamani, Mahdi, and Mahnush Movahedi. "Machine learning techniques for intrusion
detection." arXiv preprint arXiv:1312.2177 (2013).

6. Shanmugavadivu, R., and N. Nagarajan. "Network intrusion detection system using fuzzy
logic." Indian Journal of Computer Science and Engineering (IJCSE) 2.1 (2011): 101-111.

7. Selman, Alma Husagic. "Intrusion Detection System using Fuzzy Logic." Southeast Europe Journal
of soft computing 2.1 (2013).

8. Shanmugavadivu, R., and N. Nagarajan. "Network intrusion detection system using fuzzy
logic." Indian Journal of Computer Science and Engineering (IJCSE) 2.1 (2011): 101-111.

9. Mkuzangwe, Nenekazi Nokuthala Penelope, and Fulufhelo Vincent Nelwamondo. "A fuzzy logic
based network intrusion detection system for predicting the TCP SYN flooding attack." Asian
conference on intelligent information and database systems. Springer, Cham, 2017.

10.Sen, Sevil. "A survey of intrusion detection systems using evolutionary computation." Bio-Inspired
Computation in Telecommunications. 2015. 73-94.

11.Shen, Junyuan, and Jidong Wang. "Network intrusion detection by artificial immune
system." IECON 2011-37th Annual Conference on IEEE Industrial Electronics Society. IEEE, 2011.

12.Yang, Hua, et al. "A survey of artificial immune system based intrusion detection." The Scientific
World Journal 2014 (2014).

13.Ehret, Christoph, and Ulrich Ultes-Nitsche. "Immune system based intrusion detection
system." Innovative Minds (Information Systems Security Association-ISSA 2008), Johannesburg,
South Africa, July 2008. 2008.

14.Kim, Jungwon, et al. "Immune system approaches to intrusion detection–a review." Natural
computing 6.4 (2007): 413-466.

15.Diaz-Gomez, Pedro A., and Dean F. Hougen. "Misuse Detection-An Iterative Process vs. A Genetic
Algorithm Approach." ICEIS (2). 2007.

16.Depren, Ozgur, et al. "An intelligent intrusion detection system (IDS) for anomaly and misuse
detection in computer networks." Expert systems with Applications 29.4 (2005): 713-722.

17.Buczak, Anna L., and Erhan Guven. "A survey of data mining and machine learning methods for
cyber security intrusion detection." IEEE Communications Surveys & Tutorials 18.2 (2016):
1153-1176.