Cascaded intrusion detection system using machine learning

Bibliographic details
Published in: Systems and Soft Computing, 2025-12, Vol. 7, p. 200182, Article 200182
Main authors: Ahamed, Md. Khabir Uddin; Karim, Abdul
Format: Article
Language: English
Online access: Full text
Description
Abstract: Cybercrime is an increasing concern. In response to the growing cyberthreat, various intrusion detection systems have been developed and proposed to detect anomalies. However, most detection systems suffer from some common issues, such as a high number of false positives that cause regular behaviors to be detected as intrusions, as well as excessive system complexity. Many single-classifier models have accuracy issues, since they are unable to detect certain anomalies caused by an attack's polymorphic and zero-day behavior. A signature-based intrusion detection system (SIDS) is unable to identify zero-day intrusions. On the other hand, an anomaly-based intrusion detection system (AIDS) generates a significant number of false-positive alarms. In this research, a cascaded intrusion detection system (CIDS) is proposed by combining a one-class support vector machine (OC-SVM)-based AIDS with a decision tree-based SIDS. OC-SVM is used in conjunction with the newly built Distance-Based Intrusion Classification System (DICS). The decision tree-based SIDS discovers and classifies anomalies. Because OC-SVM is a binary classifier, the intrusion type is determined by DICS. The suggested method aims to detect both well-known attacks and zero-day attacks, as well as their type. The CIDS is evaluated using publicly available benchmark datasets, namely the Knowledge Discovery in Databases (KDD) Cup 1999 and the NSL-KDD dataset. The results of the proposed study show that CIDS outperformed both traditional SIDS and AIDS in terms of performance. Both anomalies and their types are detected with high accuracy.

Highlights:
• A new cascaded intrusion detection system (CIDS) is proposed that integrates a one-class support vector machine (OC-SVM) anomaly-based IDS (AIDS) with a decision tree-based signature-based IDS (SIDS). This hybrid approach aims to enhance detection accuracy and reduce false positives.
• An efficient pre-processing procedure and extensive experimentation are emphasized. Pre-processing includes data cleaning, encoding, scaling, and sampling, highlighting the simplicity and effectiveness of the proposed method despite its straightforward approach.
• The system is designed to detect both known and zero-day attacks. OC-SVM is used for its binary classification capability, and the Distance-Based Intrusion Classification System (DICS) is introduced to classify the type of intrusion, addressing the limitation of traditional SIDS in detecting zero-day attacks.
• Effectiveness of th
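The cascade the abstract describes, shown as an added illustration that is not the paper's code and does not reproduce its models: stage 1 is a one-class anomaly detector trained on normal flows only (a centroid-distance threshold in z-scored feature space stands in for OC-SVM), and stage 2 is a distance-based nearest-centroid classifier over labelled attack classes (standing in for the decision-tree SIDS and DICS, whose exact rules the abstract does not give). A record that stage 1 flags but that is too far from every known class centroid is reported as "unknown", which is the cascade's handle on zero-day traffic. Feature names, cluster centres, the "dos"/"probe" labels, and all flow values are constructed for the example; nothing here is taken from KDD Cup 1999 or NSL-KDD.

```python
"""Cascaded IDS sketch in pure Python (no third-party dependencies).

Stage 1 (AIDS): one-class detector fitted on normal traffic only.
Stage 2 (SIDS): nearest-centroid classifier over labelled attack classes;
anomalies matching no known class are reported as "unknown" (zero-day candidate).
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

Vector = Sequence[float]


def _euclid(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class AnomalyStage:
    """Stand-in for OC-SVM: z-score with normal-traffic statistics, then threshold
    the distance from the origin at a quantile of the training distances."""

    def __init__(self, quantile: float = 0.99, margin: float = 1.5):
        self.quantile, self.margin = quantile, margin

    def fit(self, normal_rows: List[Vector]) -> "AnomalyStage":
        n, dim = len(normal_rows), len(normal_rows[0])
        self.means = [sum(r[i] for r in normal_rows) / n for i in range(dim)]
        self.stds = [  # `or 1.0` guards constant features against division by zero
            math.sqrt(sum((r[i] - self.means[i]) ** 2 for r in normal_rows) / n) or 1.0
            for i in range(dim)
        ]
        dists = sorted(self.score(r) for r in normal_rows)
        self.threshold = dists[min(n - 1, int(self.quantile * n))] * self.margin
        return self

    def zscore(self, row: Vector) -> List[float]:
        return [(x - m) / s for x, m, s in zip(row, self.means, self.stds)]

    def score(self, row: Vector) -> float:
        return _euclid(self.zscore(row), [0.0] * len(self.means))

    def is_anomaly(self, row: Vector) -> bool:
        return self.score(row) > self.threshold


class SignatureStage:
    """Stand-in for the decision-tree SIDS / DICS: nearest class centroid in the
    stage-1 z-space, with a per-class acceptance radius derived from training data."""

    def __init__(self, stage1: AnomalyStage, margin: float = 3.0):
        self.stage1, self.margin = stage1, margin

    def fit(self, rows: List[Vector], labels: List[str]) -> "SignatureStage":
        grouped: Dict[str, List[List[float]]] = {}
        for row, label in zip(rows, labels):
            grouped.setdefault(label, []).append(self.stage1.zscore(row))
        self.centroids, self.radii = {}, {}
        for label, zs in grouped.items():
            c = [sum(z[i] for z in zs) / len(zs) for i in range(len(zs[0]))]
            self.centroids[label] = c
            # accept anything within `margin` x the largest training distance
            self.radii[label] = self.margin * max(_euclid(z, c) for z in zs)
        return self

    def predict(self, row: Vector) -> str:
        z = self.stage1.zscore(row)
        label, dist = min(((l, _euclid(z, c)) for l, c in self.centroids.items()),
                          key=lambda t: t[1])
        return label if dist <= self.radii[label] else "unknown"


class CascadedIDS:
    def fit(self, normal_rows, attack_rows, attack_labels) -> "CascadedIDS":
        self.stage1 = AnomalyStage().fit(normal_rows)
        self.stage2 = SignatureStage(self.stage1).fit(attack_rows, attack_labels)
        return self

    def predict(self, row: Vector) -> str:
        if not self.stage1.is_anomaly(row):
            return "normal"              # stage 1 clears benign traffic cheaply
        return self.stage2.predict(row)  # stage 2 names the attack or says "unknown"

    def evaluate(self, rows, labels) -> Dict[str, float]:
        preds = [self.predict(r) for r in rows]
        normals = [p for p, l in zip(preds, labels) if l == "normal"]
        return {
            "accuracy": sum(p == l for p, l in zip(preds, labels)) / len(rows),
            "false_positive_rate": sum(p != "normal" for p in normals) / max(1, len(normals)),
            "unknown": preds.count("unknown"),
        }


def make_flows(rng: random.Random, center: Vector, spread: Vector, n: int) -> List[List[float]]:
    """Constructed synthetic flows: features are [duration_s, bytes, connections_per_s]."""
    return [[c + rng.gauss(0, s) for c, s in zip(center, spread)] for _ in range(n)]


def build_demo(seed: int = 7) -> CascadedIDS:
    rng = random.Random(seed)
    normal = make_flows(rng, [1.0, 500.0, 2.0], [0.3, 100.0, 0.5], 300)
    dos = make_flows(rng, [0.05, 60.0, 400.0], [0.01, 10.0, 30.0], 60)     # constructed
    probe = make_flows(rng, [0.2, 40.0, 60.0], [0.05, 5.0, 8.0], 60)        # constructed
    return CascadedIDS().fit(normal, dos + probe, ["dos"] * 60 + ["probe"] * 60)


def held_out(seed: int = 11) -> Tuple[List[List[float]], List[str]]:
    """Constructed test set drawn from the same clusters with a different seed."""
    rng = random.Random(seed)
    rows = (make_flows(rng, [1.0, 500.0, 2.0], [0.3, 100.0, 0.5], 200)
            + make_flows(rng, [0.05, 60.0, 400.0], [0.01, 10.0, 30.0], 40)
            + make_flows(rng, [0.2, 40.0, 60.0], [0.05, 5.0, 8.0], 40))
    return rows, ["normal"] * 200 + ["dos"] * 40 + ["probe"] * 40


if __name__ == "__main__":
    ids = build_demo()
    for name, flow in [("normal", [1.0, 500.0, 2.0]), ("dos", [0.05, 60.0, 400.0]),
                       ("probe", [0.2, 40.0, 60.0]), ("unseen", [60.0, 40000.0, 1.0])]:
        print(f"{name:7s} -> {ids.predict(flow)}")
    print(ids.evaluate(*held_out()))
```

The point to notice is the division of labour: stage 1 is tuned on the false-positive axis (the threshold is a quantile of normal-only distances, so the operator sets an expected false-positive budget), while stage 2 never sees normal traffic and only has to separate attack classes from each other, plus reject what it has never seen. The "unseen" flow in the demo (a long, high-volume session unlike any training class) is flagged by stage 1 and rejected by every stage-2 radius, so it surfaces as "unknown" rather than being silently forced into the nearest known class.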
ISSN: 2772-9419
DOI: 10.1016/j.sasc.2024.200182