Received: 8 June 2022 | Revised: 6 July 2022 | Accepted: 11 July 2022 | Published online: 13 July 2022

Journal of Computational and Cognitive Engineering


RESEARCH ARTICLE

2023, Vol. 2(2) 88–97
DOI: 10.47852/bonviewJCCE2202270

Machine Learning-Based Intrusion Detection System: An Experimental Comparison

Imran Hidayat¹, Muhammad Zulfiqar Ali² and Arshad Arshad³,*

¹ School of Computing, Edinburgh Napier University, UK
² James Watt School of Engineering, University of Glasgow, UK
³ School of Computing, Glasgow Caledonian University, UK

Abstract: Recently, networks are moving toward automation and getting more and more intelligent. With the advent of big data and cloud
computing technologies, lots and lots of data are being produced on the internet. Every day, petabytes of data are produced from websites,
social media sites, or the internet. As more and more data are produced, a continuous threat of network attacks is also growing. An intrusion
detection system (IDS) is used to detect such types of attacks in the network. IDS inspects packet headers and data and decides whether the
traffic is anomalous or normal based on the contents of the packet. In this research, ML techniques are being used for intrusion detection
purposes. Feature selection is also used for efficient and optimal feature selection. The research proposes a hybrid feature selection technique
composed of the Pearson correlation coefficient and random forest model. For the machine learning (ML) model, decision tree, AdaBoost,
and K-nearest neighbor are trained and tested on the TON_IoT dataset. The dataset is new and contains new and recent attack types and
features. For deep learning (DL), multilayer perceptron (MLP) and long short-term memory are trained and tested. Evaluation is done on the
basis of accuracy, precision, and recall. It is concluded from the results that the decision tree for ML and MLP for DL provides optimal
accuracy with fewer false-positive and false-negative rates. It is also concluded from the results that the ML techniques are effective for
detecting intrusion in the networks.
Keywords: MLP, LSTM, KNN, IDS, machine learning

*Corresponding author: Arshad Arshad, School of Computing, Glasgow Caledonian University, UK. Email: [email protected]

© The Author(s) 2022. Published by BON VIEW PUBLISHING PTE. LTD. This is an open access article under the CC BY License (https://creativecommons.org/licenses/by/4.0/).

1. Introduction

A network intrusion detection system (NIDS) is used to detect unwanted or malicious traffic in the network. An intrusion detection system (IDS) detects anomalies or attacks in real time. Nowadays, most applications are moving to the cloud. Due to the rapid growth of network devices, security risks have increased. For that reason, the security of cloud infrastructure and network resources is the main priority in the modern world. Therefore, IDS should be accurate, error-free, and efficient. Due to the advent of cloud computing, the Internet of Things (IoT), and quantum computing, a huge amount of data is being created every day, which is known as big data. This big data also helps in training the machine learning (ML) model for security purposes. Network security is a challenging field nowadays. IDS provides promising results in determining the intrusion in the network.

IDS mainly consists of two types: anomaly-based and signature-based. Anomaly-based IDS uses ML or deep learning (DL) techniques to detect data patterns. Signature-based IDS works on predefined attacks and rules. IDS detects threats by monitoring traffic data in computer networks and issues an alert after detecting threats. IDS can be passive or active depending on its alert system.

Today, many researchers are working in the field of IDS. ML and DL techniques are used to detect network anomalies by using historical data and standard datasets. Alkhatib et al. (2021) proposed ML algorithms for intrusion detection purposes. The Naïve Bayes algorithm is used in the research. The results obtained from the Naïve Bayes algorithm are compared with support vector machines (SVM). Tao et al. (2018) used SVM and a genetic algorithm for attack detection. Detection accuracy is increased by optimizing the selection parameters and weights. Kim et al. (2014) used K-nearest neighbor (KNN) and K-means for intrusion detection purposes. The detection accuracy increased in this research. Shapoorifard (2017) proposed a novel technique to detect the attacks. First, data are segmented into smaller clusters using the C 4.5 algorithm, and then multiple SVM models are created from the subset of the data. This technique reduces the time complexity of the model. Zhao et al. (2017) propose a work based on deep belief networks. The dimensionality of data is reduced by using probabilistic models. The probabilistic neural network is used for the classification of data.

However, several problems exist in the IDS domain, like low accuracy, high false-positive rates, and the relevant feature selection problem. The contributions of this research article are described below:


1. It provides an ML algorithm for the purpose of detecting intrusion in the network.
2. It provides an efficient and effective feature selection technique based on the correlation among features.
3. It provides comparative analysis with other ML techniques.
4. It increases the detection accuracy of the ML model.

The paper is organized as follows: Section 2 presents the literature review and related work, Section 3 is dedicated to methodology, and Sections 4 and 5 present results and conclusion, respectively.

2. Related Work

According to Bashir and Chachoo (2014), organizations are facing security threats every day in the form of malware and cyberattacks. IDS and intrusion prevention systems detect this malware and protect the network from it. Raghunath and Mahadeo (2008) propose a NIDS that detects the attacks in the network by using ML techniques and an associated pattern analysis technique to detect anomalies in the network.

Gadze et al. (2021) propose an IDS for software-defined networks that detects distributed denial-of-service (DDoS) attacks in the network. DL-based convolutional neural network (CNN) and long short-term memory (LSTM) models are presented and evaluated. Overall, 89.63% accuracy is achieved in this research. The performance of the model is also compared with other state-of-the-art ML algorithms. Maseer et al. (2021) use the CICIDS 2017 dataset for making an IDS. This is one of the new flow-based datasets with new attack categories. The authors utilized DL and proposed a new technique, namely AIDS. The researchers in this study evaluate the performance by using true-positive and true-negative rates. KNN-AIDS and decision tree (DT)-AIDS obtain the best results in this research.

Wang et al. (2020) use the NSL-knowledge data discovery (KDD) dataset for IDS. Several ML algorithms are used in the study. A new framework named SHAP is proposed in the research. This algorithm combines local and global explanations for IDS. Vinayakumar et al. (2019) use the DL approach along with KDD CUP 99 datasets for making an IDS. In this research, 1,000 epochs are set for each experiment. This model is also applied to different datasets like NSL-KDD, UNSW-NB 15, and CICIDS 2017 to measure the performance. In this research, high-dimensional features are also learned by the model. This model also provides optimal accuracy.

Rajagopal et al. (2021) use the Azure ML platform for IDS. A meta-classification approach is used for both binary and multi-classification purposes. Three datasets are used in the research: UNBSW, CICIDS, and CICDOS. 99.8% accuracy is achieved on UNSW, whereas 99% on CICIDS and 98% on CICDOS. Train and test split ratio of 40:60 is used in the research Ahmed et al. (2020). The DL technique is used for IDS. The UNSW-NB 15 dataset is used for training and testing purposes. In this research, CNN is used with regularized multilayer perceptron (MLP) instead of fully connected layers. The Keras library is used for development purposes. The model is trained on GPU. Early stopping is also used to prevent the model from overfitting.

Saranyaa et al. (2019) use KDD CUP 99 datasets with several ML algorithms like linear discriminant analysis (LDA), classification and regression tree (CART), and random forest. Random forest achieves the highest accuracy with 99.8%, LDA with 98%, and CART with 98.1%. Zhang and Ran (2021) use DL for IDS. A CNN algorithm is proposed in this research along with Google Net inception to detect network packets as a binary problem. Overall, 99.63% accuracy is achieved. Gao et al. (2019) use the NSL-KDD dataset. A new ML model called the adaptive ensemble learning model is proposed. A multi-tree algorithm is proposed to increase the overall performance of the algorithm. 84.2% accuracy is achieved in this research.

Ring et al. (2021) proposed a host-based IDS. In this research, the DL model is presented. A new algorithm called ALAD is also proposed in this research. This new model detects application-level attacks in the network. Optimal accuracy is achieved through this model. This model is also compared against other state-of-the-art algorithms. Devarakonda et al. (2022) use the NSL-KDD dataset in the research. In this DL model, the autoencoder is proposed. Both NIDS and host-based IDS are proposed in this research.

The application of DL is widely used in the field of IDS. DL provides promising results when there is a huge amount of data which needs to be processed. In the security field, an enormous amount of data is sometimes received from different sources and there is a need to process that data quickly or efficiently.

Ashiku and Dagli (2021) propose a DL-based IDS to detect network attacks. They developed a flexible IDS which also detects zero-day attacks. The UNSW-NB 15 dataset is used for this purpose. Overall, 95.4% accuracy is achieved in this research. Tang et al. (2020) used the IDS 2018 dataset for research purposes. In their study, a novel attention-based CNN-LSTM model is proposed which is based on DL. Several experiments are performed, and optimal accuracy is achieved in this research.

Vladimir (1967) used the NSL-KDD and UNSW-NB 15 datasets for training. The deep reinforcement learning approach is used. The new type of network traffic attack is detected automatically. The proposed model can process a million records of network traffic. Paper et al. (2016) propose a new DT technique called self-taught learning. This technique learns features automatically from the data and feeds them to the model. They used the NSL-KDD dataset for training. Optimal accuracy is achieved in this research.

Faker and Dogdu (2019) use three classifiers to detect anomalies in the network. One is a deep feed forward neural network (DNN), and the other is an ensemble technique based on random forest and gradient boosting. The UNSW-NB and CICIDS 2017 datasets are used. Five cross-fold validation is also used for evaluation purposes. Experimentation is done using the spark library. 99.16% accuracy is achieved on the UNSW-NB dataset and 99.99% on the CICIDS dataset. Park et al. (2021) propose a technique called HIIDS, which is a hybrid intelligent IDS. This technique learns important and most relevant features from the dataset. LSTM and autoencoder are used. The ISCX-UNB dataset is used for training. 97.52% accuracy is achieved in this research.

Istiaque et al. (2021) use KDD CUP 99 datasets for training. Fifteen features are used along with the MLP algorithm. 95% accuracy is achieved in this research. Alkhatib et al. (2021) use the recurrent neural networks (RNN) model, which is based on the sequence model. They used their own generated dataset. An area under the curve (AUC) value of greater than 0.8 is achieved in this research.

Fu et al. (2022) used ML techniques for the IDS. Information gain and gain ratios are used for the selection of features. The IoTID20 and NSL-KDD datasets are used in the research. Several ML algorithms like MLP, J48, IBK, and bagging are used in the research. 99% accuracy is achieved in the research. Tang et al. (2022) used DL in the research. The NSL-KDD dataset is used in the research. A stacking-based model is used in the study, which is the combination of various classification models to improve the accuracy. 86.8% accuracy is achieved in the research. The results of the research were also compared with four ML algorithms. This technique improves the overall detection accuracy of the detection model. Ullah et al. (2022) used DL to improve the accuracy of the intrusion detection model. CIC-IDS, CIC-DOS,
and CSE-CIC-IDS 2018 datasets are used in the research. LSTM and GRU are used in the research. Overall, 99% accuracy is achieved in the research. Albulayhi et al. (2022) proposed an ML-based model to detect zero-day attacks in the network. A DL-based model consisting of CNN, autoencoder, and LSTM is proposed. The CSE-CIC-IDS 2018 dataset is used in the research. The principal component analysis technique is used to select relevant features from the dataset. Better accuracy is achieved in the research. Halbouni et al. (2022) proposed the ML and DL models for intrusion detection purposes. The authors reviewed several approaches used for intrusion detection purposes. Recent ML and DL algorithms which are used for IDS purposes are also discussed by the authors. Kim and Pak (2022) proposed an ML model for intrusion detection purposes. Several algorithms are used, like AdaBoost, random forest, ELM, DNN, CNN, and XGBoost. 95% accuracy is achieved in the research.

3. Materials

Research methodology is discussed in this section. The effectiveness of using the ML technique is also discussed in this section.

3.1. Proposed framework

In an ML model, we have a block or model diagram for development purposes. The methodology proposed for making an IDS is discussed below:

Figure 1 represents the proposed methodology of the ML model. In an ML model, firstly, we take data from a source and then apply preprocessing techniques to that data. The data collected from different sources are not clean and sometimes may include null values, so in preprocessing, we remove null values and replace them with suitable ones. After null value removal, data need standardization and normalization. The standardization and normalization techniques put data in the range between 0 and 1. The model is discussed step by step below.

Figure 2 represents the proposed model for the project. The first step is the collection of the relevant data, where data for the development of the proposed model is collected. The second step is the standardization of the data, where the mean is set to zero and the standard deviation to one. Normalization is the process where all the values in the data are scaled to a certain range. In feature selection, relevant features are selected for the development of the model. Training and testing is performed after the selection of the relevant features. The most effective features are selected to train or test the performance of the ML model.

Figure 1. General framework for IDS

Figure 2. Proposed methodology

3.1.1. Dataset

The TON_IoT dataset used in the study is a new dataset and includes all the latest network attacks. TON_IoT contains features related to the IoT traffic.

These are all the features which are present in the TON_IoT dataset. Not all these features are used for training purposes because not all are necessary for predicting attacks. For that purpose, a feature selection technique is used to select relevant features from the data. In feature selection techniques, relevant and most important features are selected, and the rest of the features are removed for training the model.

Table 1 represents the features of the dataset used for the model development. These are the standard features used for the development of the ML model. ts, date, time: all features are collected from the real traffic and saved in CSV format for ML models. The features are captured in the form of packets and saved in the Excel format for use by the ML model.

3.2. Preprocessing

The data which are collected for model training and testing purposes contain outliers and null values. These values need to be removed for the efficient working of the ML model. The data contain categorical values and numerical values. The data are collected from real-time environments and saved as comma separated values (CSV) to use for model-building purposes. Preprocessing involves several steps like normalization, standardization, label encoding, one-hot encoding, and feature scaling. All these steps are necessary for the development of the ML model. The details about these steps are described below.

3.3. Data standardization

Data standardization is one of the most important parts of preprocessing. Standardization rescales the data so that its standard deviation becomes 1 and the mean becomes 0. Standardization brings down all features of the data to the common scale. The dataset which we used in ML mostly has
many features. The values of these features lie on different scales. Consider an example of house price prediction in which the area of the house is 200 square meters, and the number of rooms is 1, 2, or 3. If we use this data without scaling, then ML gives more importance to the features with high values. ML models will learn faster when the data are on the same scale. One solution in ML for this problem is standardization. In standardization, the mean value of the column is subtracted from each value and then divided by the standard deviation. In this way, data are normally distributed. In our work, we also do standardization. The resultant data obtained by standardization is shown below:

$$X = \frac{x - \mu}{\sigma} \qquad (1)$$

Equation (1) is the standard equation of standardization, where μ is the mean of the data and σ is the standard deviation of the data.

Table 1. Dataset features

| Feature | Description |
|---|---|
| Ts | Timestamp |
| Date | Date of logging sensor data |
| Time | Time of logging sensor data |
| Fridge_temperature | Fridge sensor temperature measurement |
| Temp_condition | Fridge sensor temperature condition |
| Label | Normal or attack traffic data |
| Type | Normal or attack traffic type like DoS or DDoS. |
| Src_ip | IP address of source |
| Src_port | Port number of source computer |
| Dst_ip | IP address of destination |
| Dst_port | Port number of destination |
| Proto | Protocol either transmission control protocol (TCP) or user datagram protocol (UDP) |
| Duration | Connection duration |
| Src_bytes | Bytes sent by a source computer |
| Dst_bytes | Bytes received by a destination computer |
| Conn_state | State of connection |
| Missed_bytes | Bytes missed by destination |
| Src_pkts | Packets sent by a source |
| Src_ip_bytes | Number of IP bytes by a source |
| Dst_pkts | Destination packets |
| Dst_ip_bytes | Destination IP bytes |
| Dns_query | Type of Domain name system (DNS) query |
| http_response | Response generated by http |
| http_response | Response generated by http |
| http_status_code | Status code of http |
| http_version | Version of http |
| Weird_name | Whether a transmission control protocol (TCP) is bad or not |

3.4. Data normalization

Normalization is the second step in the process. The main purpose of normalization is to transform data in such a manner that the data are either dimensionless or have a similar distribution. Due to normalization, equal weight is given to each of the variables in the dataset:

$$X[:, i] = \frac{x[:, i] - \min(x[:, i])}{\max(x[:, i]) - \min(x[:, i])} \qquad (2)$$

In equation (2), min is the minimum absolute value of a, whereas max is the maximum absolute value of a.

3.5. Label encoding

The label encoder technique is used to convert categorical features to numerical. This technique converts each and every categorical value present in the dataset to a number.
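
The three preprocessing steps above (Equation (1), Equation (2) and label encoding), written out as an added example that is not code from the paper. It fits every statistic on the training split only and then reuses it on the test split, and it handles the cases the text does not cover: a constant column, a test value outside the training range, and a category never seen in training. The class and function names, the choice of which column gets which scaler, the clipping to [0, 1] and the rows themselves are assumptions of this example; only the column names come from Table 1.

```python
"""Preprocessing for an IDS training set: standardization (Eq. 1), min-max
normalization (Eq. 2) and label encoding. Statistics are fitted on the
training split only and reused for the test split. All rows are constructed."""
from math import sqrt

FEATURES = ("proto", "duration", "src_bytes")

# Constructed sample rows using column names from Table 1.
TRAIN_ROWS = [
    {"proto": "tcp", "duration": 1.0, "src_bytes": 100},
    {"proto": "udp", "duration": 3.0, "src_bytes": 300},
    {"proto": "tcp", "duration": 5.0, "src_bytes": 500},
    {"proto": "tcp", "duration": 7.0, "src_bytes": 700},
]
TEST_ROWS = [{"proto": "icmp", "duration": 4.0, "src_bytes": 900}]


class Standardizer:
    """Eq. (1): X = (x - mu) / sigma, with mu and sigma from the training data."""

    def fit(self, column):
        n = len(column)
        self.mean = sum(column) / n
        self.std = sqrt(sum((v - self.mean) ** 2 for v in column) / n)
        return self

    def transform(self, column):
        if self.std == 0:  # constant feature: avoid dividing by zero
            return [0.0 for _ in column]
        return [(v - self.mean) / self.std for v in column]


class MinMaxScaler:
    """Eq. (2): X = (x - min) / (max - min), min and max from the training data."""

    def fit(self, column):
        self.lo, self.hi = min(column), max(column)
        return self

    def transform(self, column):
        span = self.hi - self.lo
        if span == 0:
            return [0.0 for _ in column]
        # A test value outside the training range (for example a byte count
        # far above anything seen in training) is clipped to stay in [0, 1].
        return [min(1.0, max(0.0, (v - self.lo) / span)) for v in column]


class LabelEncoder:
    """Maps each category seen in training to an integer; unseen ones to -1."""

    UNSEEN = -1

    def fit(self, values):
        self.codes = {v: i for i, v in enumerate(sorted(set(values)))}
        return self

    def transform(self, values):
        return [self.codes.get(v, self.UNSEEN) for v in values]


def fit_preprocessor(rows):
    """Learn encoders and scaling statistics from the training rows only."""
    return {
        "proto": LabelEncoder().fit([r["proto"] for r in rows]),
        "duration": Standardizer().fit([r["duration"] for r in rows]),
        "src_bytes": MinMaxScaler().fit([r["src_bytes"] for r in rows]),
    }


def apply_preprocessor(pre, rows):
    """Return one numeric feature vector per row, in FEATURES order."""
    columns = [pre[name].transform([r[name] for r in rows]) for name in FEATURES]
    return [list(vec) for vec in zip(*columns)]


if __name__ == "__main__":
    pre = fit_preprocessor(TRAIN_ROWS)
    for vec in apply_preprocessor(pre, TRAIN_ROWS + TEST_ROWS):
        print(vec)
```

Fitting the scalers on the full dataset before the train/test split would leak test statistics into training and inflate the measured accuracy.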


3.6. Data classes

After label encoding, we need to prepare our target column. For that purpose, we assign our data label to normal or abnormal for binary classification, and for multi-class classification, all the attacks are defined.

3.7. Data distribution

Data distribution plays a very important role in ML model training and testing. If our data are imbalanced, then the results of ML might not be good. So balanced data distribution plays a vital role in ML. If the dataset is not balanced, then we apply the synthetic minority oversampling technique (SMOTE) to balance our dataset classes. In our case, our dataset is balanced, so we do not need any SMOTE technique.

Figure 3 represents the data distribution of the TON_IoT dataset. It is evident from the figure that the data are balanced in the target class. Sixty-five percent of normal data is present, along with 35% of attack data. Normal distribution of data is mandatory for obtaining high accuracy because all the classes need to participate equally in model training.

Figure 4 represents the class distribution of multi-class data. In our target class, we have 10 types of attacks. Scanning, denial-of-service (DoS), DDoS, and man-in-the-middle (MITM) attack. These all are network attacks. ML models classify the traffic on the basis of these attacks. Scanning, DoS, MITM, injection, ransomware, backdoor, and XSS are all types of network attacks. The ML model is trained on data features to effectively and efficiently detect these attacks.

Figure 3. Data distribution

Figure 4. Overall attack distribution

3.8. Feature selection

Feature selection is one of the most important tasks in the ML domain. Not all the features are used for model training. If so many features are present in the dataset, then they may increase the training
time and complexity of the model. Sometimes, obtained data are very high dimensional, and we need to convert it to a lower dimension for efficient and effective attack detection. So an efficient feature selection technique is necessary to cope with this problem. Also, relevant feature selection is very important in ML. Sometimes, we remove some of the most important features and may get low accuracy. We need to cope with all these problems. Various feature selection techniques are used in ML, like recursive feature elimination, chi-square, or backward feature selection techniques. These techniques are used based on datasets, dimensionality, and correlation. In our case, we use the Pearson correlation coefficient technique for feature selection. This technique works based on the correlation among variables.

3.9. Pearson’s correlation coefficient

This technique works based on correlation. This technique depicts the linear relationship among the variables in the dataset. This technique can take a range of values between −1 and +1. A value of 0 indicates no relationship among variables, whereas −1 indicates a negative relationship and +1 indicates a positive relationship among the variables. If the relationship between two values is stronger, the correlation is close to +1.

Figure 5 represents the features selected on the basis of the correlation score in our dataset. These are the final features which are selected for model training purposes. These features are further joined with the one-hot encoded variable to form complete data.

Figure 5. Selected features

3.10. Random forest feature scoring

In the research, random forest feature scoring is also utilized. The features obtained from the Pearson correlation technique are given to the random forest for further selection. The random forest model selects features on the basis of their importance. Seventeen features are selected with the Pearson correlation technique. These features are further reduced to 14 after utilizing the random forest technique. The features which are obtained from the random forest model are shown below.

Table 2 represents features that the random forest model selects. The features which are selected by the random forest model are referred to as true, and the features which are not selected are referred to as false.

Table 2. Random forest feature selection

| Feature | Selection |
|---|---|
| Duration | True |
| Dst_ip_bytes | True |
| http_response_body_len | True |
| http_request_body_len | True |
| Src_pkts | True |
| Dst_pkts | True |
| Src_ip_bytes | True |
| Missed_bytes | True |
| Src_bytes | True |
| Dst_bytes | True |
| Dns_rcode | True |
| Src_port | True |
| Dst_port | True |
| ts | True |

3.11. ML training

After all the preprocessing is done, we have the model training phase. In the training phase, the data or features which are obtained from the preprocessing stage are given to the model, and the model starts training on these features. Some ML algorithms take so much time for training, while some require less time. Sometimes, hyperparameter tuning is required if desired results are not obtained.

3.12. Model evaluation

After the testing phase, we need to evaluate our ML model on the basis of some parameters. For classification problems, confusion matrix, accuracy, and receiver operating characteristic (ROC) curve are used to measure the model’s performance, whereas root mean square error is used for regression problems. Accuracy and precision are considered the benchmark in binary classification problems. If our model obtains accuracy greater than 95% with a lower false-positive rate, then we conclude that the performance of our model is good and it is ready for a real-time production environment. Sometimes, we also consider precision, recall, and accuracy.

3.12.1. ROC curve

The ROC curve is also used to measure the effectiveness of a binary classifier. The ROC curve plots two parameters, the true-positive rate and the false-positive rate. The ROC curve is also appropriate
when the class data is balanced, whereas, for imbalanced data,
precision, recall, and f score are feasible.
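
The evaluation quantities named in Sections 3.12 and 3.12.1, computed from a confusion matrix and from raw classifier scores, as an added example that is not code from the paper. It also shows what a single accuracy figure hides for an IDS: the decision threshold is picked to stay within a false-positive budget and the recall paid for that is reported. The function names, the scores and the 65%/35% sample of 20 flows are constructed for this example.

```python
"""Binary IDS evaluation: confusion matrix, derived rates, ROC AUC and a
threshold chosen for a false-positive budget. Labels: 1 = attack, 0 = normal.
The scores below are constructed sample data, not results from the paper."""

# 13 normal and 7 attack flows (65% / 35%), one classifier score per flow.
Y_TRUE = [0] * 13 + [1] * 7
SCORES = [0.02, 0.05, 0.08, 0.10, 0.12, 0.15, 0.20, 0.22, 0.30, 0.35, 0.40,
          0.55, 0.70,                                  # normal flows
          0.45, 0.60, 0.75, 0.80, 0.90, 0.95, 0.99]    # attack flows


def predict(scores, threshold):
    """Flag a flow as an attack when its score reaches the threshold."""
    return [1 if s >= threshold else 0 for s in scores]


def confusion(y_true, y_pred):
    """Return (tp, fp, tn, fn)."""
    tp = fp = tn = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if truth == 1 and pred == 1:
            tp += 1
        elif truth == 0 and pred == 1:
            fp += 1
        elif truth == 0 and pred == 0:
            tn += 1
        else:
            fn += 1
    return tp, fp, tn, fn


def rates(tp, fp, tn, fn):
    """Accuracy, precision, recall, false-positive rate and F1 score."""
    def ratio(num, den):
        return num / den if den else 0.0
    return {
        "accuracy": ratio(tp + tn, tp + fp + tn + fn),
        "precision": ratio(tp, tp + fp),
        "recall": ratio(tp, tp + fn),
        "fpr": ratio(fp, fp + tn),
        "f1": ratio(2 * tp, 2 * tp + fp + fn),  # harmonic mean of P and R
    }


def roc_auc(y_true, scores):
    """Area under the ROC curve: the probability that a randomly chosen
    attack scores higher than a randomly chosen normal flow (ties count 0.5)."""
    pos = [s for t, s in zip(y_true, scores) if t == 1]
    neg = [s for t, s in zip(y_true, scores) if t == 0]
    if not pos or not neg:
        raise ValueError("AUC needs at least one attack and one normal flow")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0
               for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def threshold_for_fpr(y_true, scores, max_fpr):
    """Lowest threshold whose false-positive rate stays within max_fpr.
    Returns (threshold, recall), or None if even the top score is too noisy."""
    best = None
    for thr in sorted(set(scores), reverse=True):
        m = rates(*confusion(y_true, predict(scores, thr)))
        if m["fpr"] > max_fpr:
            break  # FPR only grows as the threshold is lowered further
        best = (thr, m["recall"])
    return best


if __name__ == "__main__":
    print(rates(*confusion(Y_TRUE, predict(SCORES, 0.5))))
    print("AUC:", round(roc_auc(Y_TRUE, SCORES), 4))
    print("FPR <= 10%:", threshold_for_fpr(Y_TRUE, SCORES, 0.10))
    print("FPR = 0:", threshold_for_fpr(Y_TRUE, SCORES, 0.0))
```

On this sample the AUC is about 0.967, yet removing the last false alert costs one more missed attack, which is why the false-positive rate is reported next to accuracy.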

4. Results
In this section, the results obtained from each model are
described. Models are evaluated on the basis of accuracy,
detection time, and testing time. The confusion matrix and ROC
curve are used to evaluate model performance. ML models are
tested on preprocessed dataset, and accuracy is calculated.


4.1. Decision tree results

After data preprocessing, the ML model is applied to the preprocessed data. Data are trained and tested in the ratio of 75:25. Seventy-five percent of data is used for training and 25% is used for testing the model.

The accuracy obtained from the decision tree model is 99.6%, which is optimal. Accuracy means how accurate our model is and how correct its predictions are. If the ML model achieves an accuracy of 90% or greater, then we conclude that its performance is considered as good.

A decision tree is ideal for classification problems because it mostly gives maximum accuracy if data preprocessing is done properly. The decision tree is composed of nodes and branches, and besides feature selection, it automatically makes feature selection on each node when splitting occurs. So the decision tree is often used in classification-related problems.

Figure 6 is the ROC curve obtained from decision tree results. The ROC curve illustrates the capability of a binary classifier. A higher AUC value tells us that the model performance is better. The ROC curve is plotted against the model’s true- and false-positive rates.

From the classification and ROC curve, it is concluded that the performance and accuracy of the decision tree are optimal and accurate. So, the decision tree can be used for IDS in real network environments.

Figure 6. ROC curve decision tree

4.3. KNN results

The KNN algorithm is also used in our research. The results obtained from this model are described below.

The accuracy obtained from the KNN algorithm is 99%. Although the accuracy obtained from the KNN model is good, it takes so much time to train or test the model, making it inappropriate for deployment purposes. When dealing with IDS, we also consider the time taken by the model to train or test the algorithm.

Figure 7 represents the ROC curve for the KNN algorithm. The AUC value achieved by the KNN model is 1.00, which depicts the performance of the model. If the AUC score is near to 1, then it is concluded that the ML model is suitable for real-time deployment and it also achieves lower false-positive rates. The ROC curve is used mostly in binary classification tasks where true-positive and false-negative rates are calculated. In order to make an effective classifier, a high ROC score is required.

Figure 7. ROC curve KNN

4.4. AdaBoost accuracy

The accuracy achieved by the AdaBoost algorithm is 99.8%. The results obtained from this model are shown below. The accuracy obtained from the AdaBoost algorithm is 99.8%. Although the accuracy obtained from the AdaBoost model is good, it takes so much time to train or test the model, making it inappropriate for deployment purposes.

The ROC area is 1.00 in the case of AdaBoost. This shows that the model performs well in terms of positive predictions. AUC area is not relevant to accuracy, and it only refers to the positive predictions of the model.

ROC and AUC curves determine the model’s efficiency in case of true-positive and false-positive predictions. The area between the true-positive and false-positive rate is determined by the ROC curve in the case of binary classification problems; however, in the case of multi-class classification problems, other parameters are considered.

From Table 2, it is evident that the accuracy of the ML models is good, but the testing time and training time of the decision tree are less than the other algorithms, making it more appropriate for real-time detection and deployment.

Figure 8 represents the ROC curve for the AdaBoost model. The AUC value achieved by the AdaBoost model is 1.00, which depicts the performance of the model. If the AUC score is near to 1, then it is concluded that the ML model is suitable for real-time deployment and it also achieves lower false-positive rates. Boosting algorithms generally achieve good accuracy in classification tasks. Boosting involves stacking classifiers, in which different classifiers are stacked on each other to perform classification.

Figure 9 represents the overall accuracy of the ML models trained in the research. From the figure it is concluded that the supervised learning algorithms are suitable for the attack detection tasks and detect attacks with higher accuracy. Tree based
Figure 8 Figure 10
ROC curve AdaBoost MLP accuracy curve

Figure 9
Figure 11
Comparison graph
MLP loss curve
Accuracy
100%
90%
80%
70%
60%
50%
40%
30%
20%
10%
0%
Decision Tree KNN AdaBoost

Table 3
Accuracy 4.5.1. MLP results
Algorithm Accuracy Precision Recall F1 score Figure 10 represents the accuracy curve for MLP. This curve
shows us that with the increase in the number of epochs, the
Decision tree 99.6% 99% 98% 99.8%
accuracy of the model increases. At the start, the accuracy
KNN 99% 99.2% 99.4% 99%
becomes low, but with the increase in epoch, accuracy increases.
AdaBoost 99.8% 99.8% 99.2% 99.9%
Accuracy to epoch curve is the most important evaluation
parameter for DL algorithms. With the increase in the number of
epochs, the accuracy tends to be increased.
Figure 11 is the loss curve loss of the MLP model. It is evident
algorithms mostly provides high accuracy in classification and from the figure that the loss of the model tends to be low with the
prediction tasks. increase in the number of epochs. So the number of epochs plays
Table 3 represents the overall accuracies of the ML models. It is a significant role in determining the accuracy and reducing the
concluded from the table that all the supervised learning algorithms loss of the model.
achieves high accuracy in detection and prediction tasks.

4.5. DL results 4.5.2. LSTM results


It is evident from the comparison table that the accuracy,
The results of the DL model are evaluated on the basis precision, and recall of the MLP model are better than the other
of the ROC curve and model loss and accuracy curves. The algorithm in determining the attack in the network. The
results obtained from DL models on TON_IoT dataset are discussed accuracy, precision, recall, and f1 score of the MLP model
below. provide optimal results as compared to the LSTM model.

However, LSTM also provides good results. LSTM usually works
well with sequential or temporal data, whereas MLP works well
with numerical data.

Figure 12 represents the accuracy curve of the LSTM model. It
is concluded from the figure that with the increase in the number of
epochs, the accuracy of the model increases. A high number of
epochs means high accuracy, but a very large number of epochs
may lead to the overfitting problem while training deep learning
models.

Figure 13 represents the loss curve of the LSTM model. It is
concluded from the figure that with the increase in the number of
epochs, the loss of the model decreases. A high number of
epochs means low loss of the model. LSTM makes use of epochs
in order to train the model. A high number of epochs sometimes
leads to model overfitting.

Table 4 represents the overall accuracies of the deep learning
models. It is concluded from the table that MLP achieves an
accuracy of 99.2% and the accuracy achieved by the LSTM
model is 99%. Deep learning models are also considered
effective for attack and intrusion detection tasks. The accuracy is
the main predictor to determine the performance of ML and DL
models. DL algorithms make use of activation functions in order
to train the model.

Figure 12. LSTM accuracy curve

Table 4
Deep learning accuracy
Algorithm   Accuracy   Precision   Recall   F1 score
MLP         99.2%      99%         99.4%    98%
LSTM        99%        99%         99.4%    99%

5. Conclusions

In this research, ML techniques are used for the detection of
intrusion in computer networks. The TON_IoT dataset is used in this
research for IDSs. The Pearson's correlation coefficient feature
selection technique is used for efficient feature selection.
Several ML algorithms are applied to the data, such as decision
tree, AdaBoost, and KNN. These algorithms are evaluated on the
basis of accuracy, precision, recall, and ROC curve. The accuracy
achieved by decision tree on the TON_IoT dataset is nearly
99.6%, followed by AdaBoost, which is also near 99.8%. KNN
achieves an accuracy of 99%. From this research, we concluded that
the use of ML algorithms for IDS is optimal and ML techniques
provide accurate results with very low false-positive rates and
false-negative rates. DL techniques are also being applied to the
two datasets. The results obtained on the TON_IoT dataset are
optimal and accurate. MLP obtained an accuracy of nearly 99.2%
on the TON_IoT dataset, whereas LSTM obtained 99% on
TON_IoT. It is evident from the results that the decision tree for
ML and MLP and LSTM for DL provide accurate optimal results.
ML provides efficient and accurate techniques for detecting
intrusion in the network. The algorithms like decision tree, KNN,
and MLP provide good results along with accuracy. So, we can
say that ML provides a good basis for intrusion detection in the
network. Moreover, the proposed model could be implemented for the
detection of unknown attacks in the network in real time.
Conflicts of Interest
The authors declare that they have no conflicts of interest to
this work.

Informed Consent
Informed consent was obtained from all individual participants
included in the study.
Figure 13. LSTM loss curve

How to Cite: Hidayat, I., Zulfiqar Ali, M., & Arshad, A. (2023). Machine Learning-
Based Intrusion Detection System: An Experimental Comparison. Journal of
Computational and Cognitive Engineering 2(2), 88–97, https://doi.org/10.47852/bonviewJCCE2202270
