Flow-Based Rules Generation for Intrusion Detection System using Machine Learning Approach

  • Yasir Saleem, Department of Computer Science and Engineering, University of Engineering, Lahore
  • Usama Anwar, Department of Computer Science and Engineering, University of Engineering, Lahore
  • Muhammad Khawar Bashir, Department of Statistics and Computer Science, University of Veterinary and Animal Sciences
  • Sheraz Naseer, Department of Computer Science, University of Management and Technology
  • Nadia Tabassum, Virtual University of Pakistan
Keywords: Intrusion detection system, automatic rules generation, flow-based rules, computer security, data mining in cyber security.

Abstract

The rapid increase in internet users has also brought new ways of exploiting privacy and security. Intrusion, in which an unauthorized user gains access to system resources, is one such attack and a major concern for the cyber security community. Although AV and firewall companies work hard to cope with this kind of attack and generate signatures for such exploits, they are still lagging badly in this race. This research proposes an approach that eases the task of rule generation by using machine learning for this purpose. We used 17 network features to train a random forest classifier; the trained classifier is then translated into rules that can easily be integrated with the most commonly used firewalls such as Snort and Suricata. This work targets five kinds of attack: brute force, denial of service, HTTP DoS, infiltration from inside and SSH brute force. Separate rules are generated for each kind of attack. Since not every generated rule contributes toward detection, an evaluation mechanism is also used which selects the best rule on the basis of its precision and F-measure values. The generated rules for some attacks have 100% precision with a detection rate of more than 99%, which shows the effectiveness of this approach on traditional firewalls. As the proposed system translates the trained classifier model into a set of firewall rules, it is not only effective for rule generation but also gives traditional firewalls machine learning characteristics to some extent.

Published: 2020-09-30

How to Cite
Yasir Saleem, Usama Anwar, Muhammad Khawar Bashir, Sheraz Naseer, & Nadia Tabassum. (2020). Flow-Based Rules Generation for Intrusion Detection System using Machine Learning Approach. Lahore Garrison University Research Journal of Computer Science and Information Technology, 4(3), 54-70. https://doi.org/10.54692/lgurjcsit.2020.0403100

Section: Articles