A Suricata and Machine Learning Based Hybrid Network Intrusion Detection System

Abstract

The objective of this paper is to propose a hybrid model of Network Intrusion Detection System (NIDS) based on the use of two types of IDS: Signature-based NIDS (SNIDS) and Anomaly Detection-based NIDS (ADNIDS). Indeed, modern computer networks have become the backbone for all the most critical business sectors. In parallel with the evolution and expansion of computer networks, cyber threats keep improving day after day to become more and more sophisticated and capable of bypassing all security policies implemented by information security managers. Knowing that cyberattacks can cause irreparable damage, costing the victim entity a lot of money, following a leak of critical and sensitive information. In addition, traditional prevention mechanisms such as network firewalls are no longer sufficient to counter cybercrime as they can only stop known attacks from the outside but not those coming from the inside or 0-day attacks. Therefore, intrusion detection systems are important devices to deploy in IT infrastructures to protect them from suspicious activities. However, SNIDS alone only provides detection of intrusions with known signatures but not unknown 0-day attacks. ADNIDS, on the other hand, can detect unknown intrusions but generate very high false alarm rates. Another approach is to use both types of NIDS to form a hybrid system and it is the most effective solution to counter any kind of attack, including unknown cyber threats. The use of both SNIDS and ADNIDS at the same time forms what is called a hybrid NIDS. Our hybrid NIDS model is based on Suricata as the SNIDS and ADNIDS based on the Machine Learning Decision Tree algorithm. The network baseline included the set of benign traffic patterns and was designed after balancing and optimizing the CICIDS2017 dataset. The classification of the benign traffic via Decision Tree yielded very conclusive results in accuracy, F-Measure, Recall, and precision.