Supervised Learning Techniques for Intrusion Detection System based on Multi-layer Classification Approach Machine Learning and Intrusion Detection System

Abstract—The goal of this study is to find a solution to two problems: first, the signature-based intrusion detection system SNORT cannot identify a new attack signature without human intervention; and second, a signature-based IDS cannot detect multi-stage attacks. The interesting aspect of this study is the growing number of ways to address these issues. We introduce a multi-layer classification strategy in which we employ two layers: the first is based on a decision tree, and the second combines the machine learning techniques fuzzy logic and neural networks. If the first layer fails to identify a fresh attack, the second layer takes over, detects the new attack signature, and updates the SNORT signature set automatically.

Using the existing IDS SNORT, packet signatures are compared to the rules defined by SNORT. Packets that are thought to be malicious are then run through an intelligent model that has been trained to recognize harmful content [14] [9]. In other words, SNORT acts as the first stage of a filter that keeps unnecessary traffic from being explored further: SNORT's workload is reduced, which in turn reduces human mediation, since the trained model is responsible for determining whether or not a given group of packets is harmful. When a malicious group of packets is detected, a SNORT signature is generated automatically.
For the first time, a training model is combined with a reasoning model to detect misuse in network data packets [9]. An IDS on a production-level device can then use the rule generated by the reasoning model to identify and block malicious data packets of the kind just described.
To address some of SNORT's inadequacies, this study proposes a new intrusion detection technique that works in combination with it. A variety of data mining approaches are used in the solution. The following goals must be accomplished to reach that aim:
• Make sure the data set for training and assessment is appropriate, since several machine learning techniques are involved in the solution.
• For new threats, the first line of defence will be a classifier module built using machine learning algorithms.
• A second layer of classification, based on a reasoning module, is needed for traffic that cannot be accurately classified by the first layer.

II. METHODOLOGY AND RESULTS
The goal of the comparative study of classification algorithms is to develop a training model for detecting misuse. The results of this comparison are presented as a confusion matrix and the metrics derived from it: true positives, false positives, true negatives, and false negatives. It also relates the actual and predicted classes of the KDD'99 intrusion detection data, using an arbitrary split of 66% for building the training model and 34% for testing it on misuse detection.

A. Data Set: KDD'99
The KDD'99 intrusion detection data collection is employed. Researchers have tested many intrusion detection methods using this data collection, which is based on a DARPA programme from 1998. A sniffer captured all network traffic as raw TCP/IP dumps. Each connection record is described by discrete and continuous attributes [6]. Attacks fall into four categories: denial of service (DoS), user to root (U2R), remote to local (R2L), and probing (Probe).
Correlation-based Feature Selection (CFS) was used to identify the most important attributes in the data. The value of each feature is determined by the search algorithm and the classifier function, and CFS returns a subset of features (Hall 1999).

B. Classifier Module
Both Naïve Bayes and Decision Tree may be used to build a training model that identifies misuse.
1) Naïve Bayes: Using probabilistic inference, Bayesian reasoning supports decision-making in situations where previous occurrences are used to predict future events [2]. With Bayes' theorem, the posterior probability P(c|q) of class c given the predictor values q is computed from the likelihood P(q|c) and the prior P(c). The Naïve Bayesian classifier assumes that the influence of one predictor on a given class c is independent of the effect of any other predictor [12]; this is the conditional independence assumption.
The Bayes classifier therefore computes, for n predictor values q1..qn:
P(c | q1, ..., qn) ∝ P(q1 | c) * P(q2 | c) * ... * P(qn | c) * P(c)
2) Decision tree: In a decision tree, the choice at the current node determines the next node in a sequence of decisions [4]. J48, an open-source implementation of the C4.5 decision tree method [4], is available through Weka [7]. J48 accepts a wide range of data types as input, including nominal, textual, and numeric, but it is also quite inefficient.
The algorithm constructs a decision tree starting from a training set TS, which is a set of cases, or tuples in database terminology. Each case specifies a value for a collection of attributes and for a class [5]. Each attribute may have either discrete or continuous values. Moreover, the special value unknown is allowed, to denote unspecified values. The class may have only discrete values. The algorithm works as follows:
• The algorithm operates over a collection of training instances, T.
• If all instances of T are in class K:
  o then create an end node (leaf) for T labelled K;
  o otherwise select an attribute S and create a decision node for it.
• The instances of T are divided into subsets (U1..Un) according to their value for attribute S.
• Recursively apply the method to each of the subsets of T.
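The recursive construction just listed, as an added example that is not the paper's code and not Weka's J48: a minimal ID3-style tree builder in Python over categorical attributes, choosing the split attribute by information gain (an assumption of this example; C4.5 uses gain ratio and also handles continuous attributes and the unknown value). The six connection records are constructed for illustration, with a "flag" and "protocol" attribute and a class label.

```python
import math
from collections import Counter

# Constructed toy training set TS: each case gives a value for every attribute and a class
TRAIN = [
    {"flag": "SF",  "protocol": "tcp",  "label": "normal"},
    {"flag": "SF",  "protocol": "udp",  "label": "normal"},
    {"flag": "S0",  "protocol": "tcp",  "label": "attack"},
    {"flag": "S0",  "protocol": "udp",  "label": "attack"},
    {"flag": "REJ", "protocol": "tcp",  "label": "attack"},
    {"flag": "SF",  "protocol": "icmp", "label": "attack"},
]


def entropy(labels):
    """Shannon entropy (bits) of a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(cases, attr):
    """Entropy reduction obtained by splitting the cases on attribute attr."""
    labels = [c["label"] for c in cases]
    remainder = 0.0
    for value in {c[attr] for c in cases}:
        subset = [c["label"] for c in cases if c[attr] == value]
        remainder += len(subset) / len(cases) * entropy(subset)
    return entropy(labels) - remainder


def build_tree(cases, attrs):
    """Recursive construction: a leaf is a class label, a decision node is a dict."""
    labels = [c["label"] for c in cases]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1:          # all instances of T are in one class K: end node
        return labels[0]
    if not attrs:                      # no attribute left to split on: majority leaf
        return majority
    best = max(attrs, key=lambda a: information_gain(cases, a))   # select attribute S
    node = {"attr": best, "default": majority, "branches": {}}
    remaining = [a for a in attrs if a != best]
    for value in sorted({c[best] for c in cases}):               # subsets U1..Un
        subset = [c for c in cases if c[best] == value]
        node["branches"][value] = build_tree(subset, remaining)  # recurse on each subset
    return node


def classify(tree, case):
    """Walk the tree; an attribute value never seen in training falls back to the
    node's majority class (an assumption of this example)."""
    while isinstance(tree, dict):
        branch = tree["branches"].get(case.get(tree["attr"]))
        if branch is None:
            return tree["default"]
        tree = branch
    return tree


if __name__ == "__main__":
    tree = build_tree(TRAIN, ["flag", "protocol"])
    print(tree)
    print(classify(tree, {"flag": "SF", "protocol": "icmp"}))
```

On the constructed set the "flag" attribute has the larger gain, so it becomes the root; only the SF branch is still mixed and is split again on "protocol". Case values absent from training (for example a flag of RSTO) take the majority class of the node reached, which is the kind of gap the paper's second layer is meant to cover.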
3) Experiment: Data from the KDD'99 intrusion detection training set was used in our investigation, and the complete KDD dataset was supplied. 34% of the data collection, approximately 150,000 of the labelled instances, was used to test the effectiveness of these models.
Using a two-model development technique, we created the training models as follows:
• All classes in the IDS data are treated as separate classes of the training model in this approach.
• Only malicious and normal classes are created for the training data set in this approach.

a) All-Classes Based Model Creation Strategy: [4]
Bhargava claims that Decision Tree findings outperform Naive Bayes [2]. Table I to Table III confirm this: the training models generated by the Decision Tree have been shown to be superior to those of Naive Bayes.
b) Two-Classes Based Model Creation Strategy:
A comparison of the Naïve Bayes and Decision Tree classifiers using the two-class modelling technique shows the difference between actual and predicted classes. Although the model construction technique changed, the Decision Tree remained the better classifier. In Fig. 4, the number of erroneously identified instances falls off the diagonal, while the correctly classified instances lie in the upper left and lower right quadrants. Table IV displays the cumulative relative results per classifier for the TP and FP measurements. The Decision Tree has a high true-positive rate and a low false-positive rate.
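The Naïve Bayes classifier described in Section B.1, evaluated with the confusion-matrix measures (TP, FP, TN, FN and the derived rates) that the comparison above reports, as an added example that is not the paper's code and not Weka's implementation. The classifier multiplies per-predictor conditional probabilities with the class prior, as in the formula above; Laplace smoothing of the counts and the use of logarithms to avoid underflow are assumptions of this example. The connection records (protocol, service, flag, label) are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed toy records: (protocol, service, flag, label); the label is the last field
TRAIN = [
    ("tcp", "http", "SF", "normal"), ("tcp", "http", "SF", "normal"), ("tcp", "http", "SF", "normal"),
    ("udp", "dns", "SF", "normal"), ("udp", "dns", "SF", "normal"),
    ("tcp", "private", "S0", "attack"), ("tcp", "private", "S0", "attack"), ("tcp", "private", "S0", "attack"),
    ("icmp", "ecr_i", "SF", "attack"), ("icmp", "ecr_i", "SF", "attack"),
]
TEST = [
    ("tcp", "http", "SF", "normal"),
    ("tcp", "private", "S0", "attack"),
    ("icmp", "ecr_i", "SF", "attack"),
    ("udp", "dns", "SF", "normal"),
    ("udp", "private", "SF", "attack"),   # unusual combination: the model misses it
    ("tcp", "dns", "S0", "normal"),       # benign but S0-flagged: the model over-reports it
]


def train_naive_bayes(records):
    """Count class priors and per-class value counts for each predictor position."""
    class_counts = Counter(r[-1] for r in records)
    value_counts = defaultdict(Counter)   # (predictor index, class) -> Counter of values
    vocab = defaultdict(set)              # predictor index -> distinct values seen
    for *values, label in records:
        for i, v in enumerate(values):
            value_counts[(i, label)][v] += 1
            vocab[i].add(v)
    return {"class_counts": class_counts, "value_counts": value_counts, "vocab": vocab}


def predict(model, values):
    """argmax_c log P(c) + sum_i log P(q_i | c), with add-one smoothing."""
    total = sum(model["class_counts"].values())
    best_label, best_score = None, -math.inf
    for label, n_c in model["class_counts"].items():
        score = math.log(n_c / total)                       # prior P(c)
        for i, v in enumerate(values):
            count = model["value_counts"][(i, label)][v]    # conditional P(q_i | c)
            score += math.log((count + 1) / (n_c + len(model["vocab"][i])))
        if score > best_score:
            best_label, best_score = label, score
    return best_label


def confusion_matrix(model, records, positive="attack"):
    """TP/FP/TN/FN with 'attack' as the positive class."""
    cm = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for *values, label in records:
        predicted = predict(model, values)
        if predicted == positive:
            cm["TP" if label == positive else "FP"] += 1
        else:
            cm["FN" if label == positive else "TN"] += 1
    return cm


def rates(cm):
    """True-positive rate (detection rate) and false-positive rate."""
    tpr = cm["TP"] / (cm["TP"] + cm["FN"])
    fpr = cm["FP"] / (cm["FP"] + cm["TN"])
    return tpr, fpr


if __name__ == "__main__":
    model = train_naive_bayes(TRAIN)
    cm = confusion_matrix(model, TEST)
    print(cm, rates(cm))
```

The two deliberately awkward test records show why the paper pairs the classifier with a second layer: a probe over an unusual protocol/service pairing is missed (a false negative), and a benign connection carrying a flag seen only in attacks is reported (a false positive). The independence assumption means the classifier cannot learn that the combination, not the individual values, is what matters.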

C. Reasoning Module
In the event that the first stage of classification fails, this mechanism steps in as a backup classification stage. A hybrid model of a neural network (MLP) and fuzzy logic is used in the reasoning process [8]. This module's output is a signature, which is added to the rule base.
The reasoning tool suggested in this study categorizes network traffic into two categories: normal (1) and attack (0). In other words, the hybrid model is built around two modules, a neural network module and a fuzzy logic module. Traffic is categorized as normal only if both modules classify it as such, and as an attack if either module does so. The neural network has the benefit of being able to operate with both noisy and correct data [3]. Fig. 5 shows the hybrid model. In the IDS context, this capability can be used to recognize attack patterns that were presented during training.
Certain attacks may not be detected by one of the modules but may be detected by the other one when a hybrid method is used. Furthermore, one module compensates for weaknesses in the other module's detection capability. As a result, the rate at which malicious traffic is flagged positive might rise.
1) Neural network: A computational model of the central nervous system that can learn and recognise patterns. It has been described as a system that adapts to explicit or implicit information flows during learning [1]. The design has several tiers (one input layer, one or more hidden layers, and one output layer). Each layer consists of neurons, which are processing units; each neuron connects, through a weight, to the neurons of the next layer. Back-propagation is used in the training phase: the input data is presented to the neural network, the output is compared with the intended output, and the resulting error is used to adjust the weights. Error estimation and weight adjustment follow [1].
2) Fuzzy logic: A computational model based on human language concepts. Fuzzy systems convert rule-based systems into their mathematical equivalents [11]. The fuzzifier, inference engine, rule base, and defuzzifier are all represented in Fig. 6. Fuzzy systems work as follows [11]:
• Each input is transformed into a fuzzy input set using the appropriate membership functions.
• The inference engine produces a fuzzy output based on the rules supplied.
• The defuzzifier's membership functions are used to turn the fuzzy output into a crisp value.
Table V lists the inputs that the reasoning module receives from the IP info finder module.
The rule base contains the reasoning for generating the output. The inference engine applies this set of (if ... then) rules to obtain a fuzzy result. Table VI shows the reasoning module's rules for predicting malicious traffic.
On the basis of the information gathered, the reasoning module determines whether or not an IP address may be sending malicious traffic. This could be done with a data mining approach such as clustering or regression. Several factors led to the selection of fuzzy logic for this module. The "if-then" rule form, which fuzzy logic supports, can be used to represent the analysis of the acquired data. Aside from that, determining whether or not an IP address is malicious can be a matter of degree in certain cases.
The final output is considered malicious if it is higher than 0.5; otherwise, it is considered normal.

3) Experiment:
A three-layer neural network module (MLP) is used in our experiment. The input layer has one neuron, the hidden layer has eight, and the output layer has 10. The neural network module was trained on 10% of the whole KDD'99 IDS data with random starting weights, constraining the overall mean square error to 0.01 and the maximum number of epochs to 3000.
The KDD'99 IDS data collection was used to construct the fuzzy module as follows:

1)
2) With the exception of 'service', all of the selected features were normalized so that each attribute has the same range of values (between 0 and 1). This step simplifies the rule-generation process.
3) While iterating through the training data, all features except service were transformed from numerical values into linguistic descriptions. The output is categorized as either normal or attack. The rule was then written in the following form: if (feature1 is feature1_desc AND feature2 is feature2_desc AND ……. feature10 is feature10_desc) then output is output_desc.
4) If the rule from the previous step is already present in the rule base, it is not added to the rule base again. In total, 1248 rules were added to the rule base. As illustrated in Fig. 7 and 8, the last stage in the implementation of the fuzzy module was to choose membership functions for both inputs and outputs.
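The fuzzy reasoning module described in Section C.2 and built by the steps above, as an added example that is not the paper's code: features are min-max normalized to [0, 1], each value is mapped to a linguistic description (low/medium/high) by triangular membership functions, one if-then rule is generated per training record and duplicates are dropped, and inference takes the AND of a rule's antecedents as their minimum membership and aggregates the fired rules into a crisp score that is compared against the 0.5 threshold. The three features (duration, src_bytes, count), the triangular membership shapes, the "malicious score" output coding (1 = attack) and the hybrid OR combination with the neural module's verdict are assumptions of this example; the records are constructed.

```python
# Constructed toy connection records: (duration, src_bytes, count, label)
TRAIN = [
    (0, 200, 1, "normal"), (5, 300, 2, "normal"), (2, 240, 3, "normal"),
    (0, 0, 500, "attack"), (0, 0, 480, "attack"), (10, 1000, 1, "attack"),
]
LEVELS = ("low", "medium", "high")


def fit_scaler(records):
    """Per-feature (min, max) from the training data, for min-max normalization."""
    columns = list(zip(*[r[:-1] for r in records]))
    return [(min(col), max(col)) for col in columns]


def scale(values, scaler):
    """Map each raw feature value into [0, 1]; a constant feature maps to 0.0."""
    return [0.0 if hi == lo else (v - lo) / (hi - lo) for v, (lo, hi) in zip(values, scaler)]


def memberships(x):
    """Fuzzifier: triangular membership grades of a normalized value in each level."""
    return {
        "low": max(0.0, 1 - 2 * x),                 # peak at 0, zero from 0.5 upward
        "medium": max(0.0, 1 - 2 * abs(x - 0.5)),   # peak at 0.5, zero at 0 and 1
        "high": max(0.0, 2 * x - 1),                # zero up to 0.5, peak at 1
    }


def describe(x):
    """Linguistic description of a value: the level with the largest grade."""
    grades = memberships(x)
    return max(LEVELS, key=grades.__getitem__)


def build_rule_base(records, scaler):
    """One 'if f1 is d1 AND ... then output is label' rule per record, without duplicates."""
    rules = {}
    for *raw, label in records:
        antecedent = tuple(describe(x) for x in scale(raw, scaler))
        rules.setdefault(antecedent, label)   # a rule already present is not added again
    return rules


def malicious_score(rules, raw, scaler):
    """Inference: AND = min of antecedent grades; crisp output = weighted mean of the
    fired rules' consequents (attack = 1.0, normal = 0.0). No fired rule gives 0.0."""
    grades = [memberships(x) for x in scale(raw, scaler)]
    numerator = denominator = 0.0
    for antecedent, label in rules.items():
        strength = min(g[level] for g, level in zip(grades, antecedent))
        numerator += strength * (1.0 if label == "attack" else 0.0)
        denominator += strength
    return numerator / denominator if denominator else 0.0


def fuzzy_verdict(score):
    """Final output above 0.5 is malicious, otherwise normal."""
    return "attack" if score > 0.5 else "normal"


def hybrid_verdict(nn_verdict, fuzzy_verdict_):
    """Hybrid model: normal only if both modules say normal."""
    return "attack" if "attack" in (nn_verdict, fuzzy_verdict_) else "normal"


if __name__ == "__main__":
    scaler = fit_scaler(TRAIN)
    rules = build_rule_base(TRAIN, scaler)
    print(len(rules), "rules from", len(TRAIN), "records")
    for raw in [(0, 0, 450), (1, 220, 2)]:
        print(raw, malicious_score(rules, raw, scaler))
```

Six records yield four rules because two records describe the same antecedent as an earlier one, which is the deduplication step 4 describes. A record with no connection history but a very high count fires only the (low, low, high) attack rule and scores 1.0; a short, small, quiet connection fires only normal rules and scores 0.0. A combination of descriptions never seen in training fires no rule at all, and here is scored 0.0, so the neural module alone decides for it.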

III. CONCLUSION
Although SNORT monitors traffic and detects attacks, it is not designed to identify new threats and, as a result, generates a large number of false alarms at a rapid pace. For the first time, data mining approaches have been employed to add new stages to an existing IDS. The initial phase of the suggested model accurately classifies the vast majority of the data. A comparison of the two training models built with the Naive Bayes and Decision Tree algorithms shows that the Decision Tree produces the most effective results, with a higher true-positive score and a greater degree of granularity.
The second stage of the proposed model (the reasoning mechanism) was built with a hybrid approach that uses a neural network and fuzzy logic to identify new attacks. The intrusion detection rate rose after deployment.