URL: https://www.geeksforgeeks.org/machine-learning/intrusion-detection-system-using-machine-learning-algorithms/

Intrusion Detection System Using Machine Learning Algorithms - GeeksforGeeks

Intrusion Detection System Using Machine Learning Algorithms

Last Updated : 10 Jul, 2025

Problem Statement: The task is to build a network intrusion detector, a predictive model capable of distinguishing between bad connections, called intrusions or attacks, and good normal connections.

An Intrusion Detection System (IDS) is a software application that detects network intrusions using various machine learning algorithms. It monitors a network or system for malicious activity and protects a computer network from unauthorized access by users, including perhaps insiders. The learning task is to build a predictive model (i.e. a classifier) capable of distinguishing between 'bad' connections (intrusions/attacks) and 'good' (normal) connections. Attacks fall into four main categories:

  • DOS: denial-of-service, e.g. SYN flood.
  • R2L: unauthorized access from a remote machine, e.g. password guessing.
  • U2R: unauthorized access to local superuser (root) privileges, e.g. various "buffer overflow" attacks.
  • probing: surveillance and other probing, e.g. port scanning.

You can download the dataset used in this project from Kaggle (the name of the dataset is Intrusion Detection System Using Machine Learning).

Dataset Description: Data files:

  • kddcup.names: A list of features.
  • kddcup.data_10_percent: A 10% subset of the dataset.
  • training_attack_types: A list of intrusion types.

Features:

| feature name | description | type |
|---|---|---|
| duration | length (number of seconds) of the connection | continuous |
| protocol_type | type of the protocol, e.g. TCP, UDP, etc. | discrete |
| service | network service on the destination, e.g. HTTP, telnet, etc. | discrete |
| src_bytes | number of data bytes from source to destination | continuous |
| dst_bytes | number of data bytes from destination to source | continuous |
| flag | normal or error status of the connection | discrete |
| land | 1 if connection is from/to the same host/port; 0 otherwise | discrete |
| wrong_fragment | number of "wrong" fragments | continuous |
| urgent | number of urgent packets | continuous |

Table 1: Basic features of individual TCP connections.

| feature name | description | type |
|---|---|---|
| hot | number of "hot" indicators | continuous |
| num_failed_logins | number of failed login attempts | continuous |
| logged_in | 1 if successfully logged in; 0 otherwise | discrete |
| num_compromised | number of "compromised" conditions | continuous |
| root_shell | 1 if root shell is obtained; 0 otherwise | discrete |
| su_attempted | 1 if "su root" command attempted; 0 otherwise | discrete |
| num_root | number of "root" accesses | continuous |
| num_file_creations | number of file creation operations | continuous |
| num_shells | number of shell prompts | continuous |
| num_access_files | number of operations on access control files | continuous |
| num_outbound_cmds | number of outbound commands in an ftp session | continuous |
| is_hot_login | 1 if the login belongs to the "hot" list; 0 otherwise | discrete |
| is_guest_login | 1 if the login is a "guest" login; 0 otherwise | discrete |

Table 2: Content features within a connection suggested by domain knowledge.

| feature name | description | type |
|---|---|---|
| count | number of connections to the same host as the current connection in the past two seconds | continuous |
| serror_rate | % of connections that have "SYN" errors | continuous |
| rerror_rate | % of connections that have "REJ" errors | continuous |
| same_srv_rate | % of connections to the same service | continuous |
| diff_srv_rate | % of connections to different services | continuous |
| srv_count | number of connections to the same service as the current connection in the past two seconds | continuous |
| srv_serror_rate | % of connections that have "SYN" errors | continuous |
| srv_rerror_rate | % of connections that have "REJ" errors | continuous |
| srv_diff_host_rate | % of connections to different hosts | continuous |

Note: serror_rate, rerror_rate, same_srv_rate and diff_srv_rate refer to the same-host connections counted by count; srv_serror_rate, srv_rerror_rate and srv_diff_host_rate refer to the same-service connections counted by srv_count.

Table 3: Traffic features computed using a two-second time window.

Various Algorithms Applied: Gaussian Naive Bayes, Decision Tree, Random Forest, Support Vector Machine, Logistic Regression.

Approach Used: I have applied the classification algorithms listed above to the KDD dataset and compared their results to build a predictive model.

Step 1: Importing and Setting Up the Data

Importing libraries and reading the feature list (kddcup.names).




Assigning the feature names as the dataset's column names and appending a new column named 'target' for the label, giving 42 columns (41 features plus 'target').

Output:

42

Reading the 'attack_types' file.



Creating a dictionary that maps each attack name to its attack type.


Reading the dataset ('kddcup.data_10_percent_corrected') and adding an Attack Type feature to the training dataset; this feature takes 5 distinct values: dos, normal, probe, r2l and u2r.



Shape of the dataframe and the data type of each feature.

Output:

(494021, 43)

Finding missing values of all features.



No missing values were found, so we can proceed to the next step.

Step 2: Data Exploration

Finding the categorical features (columns with object dtype).

Output:

['service', 'protocol_type', 'flag']

Visualizing the categorical features using bar graphs.



πŸ‘ Image
Protocol type: We notice that ICMP is the most present in the used data, then TCP and almost 20000 packets of UDP type



πŸ‘ Image
logged_in (1 if successfully logged in; 0 otherwise): We notice that just 70000 packets are successfully logged in.


πŸ‘ Image
Attack Type(The attack types grouped by attack, it's what we will predict)
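The loading and labelling described in Steps 1 and 2, as an added example in pure Python (this is not the article's notebook code). It assumes the layout of the three Kaggle files: kddcup.names starts with a line of class labels followed by "feature: type." lines, training_attack_types has one "attack category" pair per line, and data rows carry the label last with a trailing dot. The file excerpts (NAMES_TXT, TYPES_TXT, DATA_TXT) and all function names are constructed for this example.

```python
"""Constructed example, not the article's code: parse the three KDD Cup 99
files the article loads, then label rows with their attack category."""
# Constructed excerpt of kddcup.names: line 1 lists the class labels, every
# following line is "feature: type." with type continuous or symbolic.
NAMES_TXT = """back,buffer_overflow,neptune,normal.
duration: continuous.
protocol_type: symbolic.
src_bytes: continuous.
flag: symbolic.
"""
# Constructed excerpt of training_attack_types: "attack category" per line.
TYPES_TXT = """back dos
buffer_overflow u2r
neptune dos
"""
# Constructed rows in the kddcup.data_10_percent_corrected layout: feature
# values in kddcup.names order, then the label with a trailing '.'.
DATA_TXT = """0,tcp,181,SF,normal.
0,tcp,239,SF,normal.
0,icmp,0,S0,neptune.
0,tcp,1541,SF,back.
"""

def parse_names(text):
    """Return [(feature, type)], skipping the first line (label list)."""
    return [tuple(line.rstrip(".").split(": ")) for line in text.splitlines()[1:]]

def categorical_features(names):
    """The article finds these via object dtype; here via the 'symbolic' type."""
    return [name for name, kind in names if kind == "symbolic"]

def attack_map(text):
    """Map each attack name to its category; 'normal' maps to itself."""
    mapping = dict(line.split() for line in text.splitlines() if line.strip())
    mapping["normal"] = "normal"
    return mapping

def load_rows(text, names, mapping):
    """Return one dict per row with features, 'target' and 'Attack Type'."""
    rows = []
    for line in text.splitlines():
        fields = line.split(",")
        row = dict(zip([name for name, _ in names], fields))
        row["target"] = fields[-1].rstrip(".")
        # mapping[...] raises KeyError for a label absent from training_attack_types
        row["Attack Type"] = mapping[row["target"]]
        rows.append(row)
    return rows
```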


Step 3: Data Preprocessing


Step 4: Splitting the Dataset

Output:

Shape of X_train: (330994, 41), X_test: (163027, 41)
Shape of y_train: (330994, 1), y_test: (163027, 1)

Step 5: Feature Encoding


Step 6: Correlation Analysis

Output:

[Figure: Correlation Matrix]

Step 7: Removing Highly Correlated Features


Dropping columns that don't provide much value:


Correlation Matrix with transformed dataset:

Output:

[Figure: Correlation Matrix with New Features]

Step 8: Scaling the Data

Output:

Shape of X_train after scaling: (330994, 30)
Shape of X_test after scaling: (163027, 30)
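Steps 7 and 8 (dropping one member of each highly correlated pair, then scaling), as an added example in pure Python rather than the article's pandas/scikit-learn code. The correlation threshold of 0.95 and the choice of min-max scaling are assumptions, since the article does not state either; the SAMPLE columns are constructed so that num_root nearly duplicates num_compromised.

```python
"""Constructed example, not the article's code: correlation-based feature
pruning (Step 7) and scaling (Step 8) in pure Python. Min-max scaling is an
assumption; the article does not say which scaler it used."""
import math
from itertools import combinations

# Constructed sample: num_root tracks num_compromised almost exactly, so one
# of the pair is redundant; serror_rate is unrelated to both.
SAMPLE = {
    "num_compromised": [0, 1, 2, 3, 4, 10],
    "num_root": [0, 1, 2, 3, 4, 11],
    "serror_rate": [0.0, 1.0, 0.0, 0.5, 0.0, 0.0],
}

def pearson(xs, ys):
    """Pearson r; 0.0 when either column is constant (r is undefined)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0

def highly_correlated(data, threshold=0.95):
    """Columns to drop: the later member of each pair with |r| > threshold,
    keeping one representative of every correlated group."""
    drop = set()
    for a, b in combinations(data, 2):
        if a in drop or b in drop:
            continue
        if abs(pearson(data[a], data[b])) > threshold:
            drop.add(b)
    return sorted(drop)

def min_max_scale(column):
    """Scale to [0, 1]; a constant column becomes all zeros."""
    lo, hi = min(column), max(column)
    return [(v - lo) / (hi - lo) if hi != lo else 0.0 for v in column]

def preprocess(data, threshold=0.95):
    """Drop redundant columns, then scale the survivors."""
    drop = set(highly_correlated(data, threshold))
    return {c: min_max_scale(v) for c, v in data.items() if c not in drop}
```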

Step 9: Model Training and Test Accuracy

Output:

[Figure: Training and Testing Accuracies]

Conclusion

Naive Bayes:

  • Train Accuracy: 87.95%, Test Accuracy: 87.90%
  • This model performs decently but is not as good as others. It's good for a quick baseline but not the best choice for this problem.

Decision Tree:

  • Train Accuracy: 99.39%, Test Accuracy: 99.38%
  • This model is very accurate and performs almost equally well on both the training and test data. It’s great but might overfit the data (get too specialized).

Random Forest:

  • Train Accuracy: 100.00%, Test Accuracy: 99.97%
  • This model does perfectly on the training data and performs very well on the test data too. It's a strong contender but could be overfitting the training data.

SVM (Support Vector Machine):

  • Train Accuracy: 99.88%, Test Accuracy: 99.88%
  • SVM also performs almost perfectly on both training and test data. However, it takes a long time to train, which can be a downside for larger datasets.

Logistic Regression:

  • Train Accuracy: 99.36%, Test Accuracy: 99.36%
  • This model is simple, efficient, and performs really well with high accuracy, making it a good choice if you need something fast and reliable.

Gradient Boosting:

  • Train Accuracy: 99.91%, Test Accuracy: 99.91%
  • This model is another high performer with excellent accuracy on both training and test data. The downside is it takes a long time to train.


You can download the ipynb file for the complete code from here.
