International Journal of Computer & Communication Engineering Research (IJCCER)
Volume 3 - Issue 2 March 2015
© http://ijccer.org e-ISSN: 2321-4198 p-ISSN: 2321-418X Page 16
A Novel Network Intrusion Detection System using
Two-stage Hybrid Classification Technique
Jamal Hussain (1), Samuel Lalmuanawma (2), Lalrinfela Chhakchhuak (3)
(1, 2) Mathematics & Computer Science Department, Mizoram University, Aizawl, Mizoram, Tanhril 796004, India
jamal.mzu@gmail.com, samuellalmuanawma@mzu.edu.in
(3) Department of Computing, University of York, Heslington, York, YO10 5DD, United Kingdom
rinfelc@gmail.com
ABSTRACT − Traditional network intrusion detection systems (NIDS) mostly use a single classification technique; such systems fail to provide the best possible attack detection rate. In this paper we propose a new two-stage hybrid classification technique that uses a Support Vector Machine (SVM) for anomaly detection in the first stage and an Artificial Neural Network (ANN) for misuse detection in the second. The key idea is to combine the advantages of each algorithm to improve classification accuracy while keeping the false positive rate low. The first stage (anomaly) classifies the network data into two classes, normal and attack. The second stage (misuse) further classifies the attack data into four classes: Denial of Service (DoS), Remote to Local (R2L), User to Root (U2R) and Probe. Training and testing datasets are obtained from the NSL-KDD dataset. Simulation results demonstrate that the proposed algorithm outperforms the conventional model and the individual SVM and ANN classifiers. The test results show that the proposed system detects anomalous activity in the network data with a reliable degree of accuracy.
Keywords: Intrusion Detection Systems, Support Vector Machine, Artificial Neural Network, Machine Learning, NSL-KDD
1. INTRODUCTION
Modern communication systems have turned connectivity applications into digital systems; industries, institutions and organizations are joined by complex computer networks that deliver enormous services to society with accurate, high-speed connectivity. These advances also increase the risk of intrusion attempts against networked systems. Because of these rapid changes, network intrusion detection has become a challenging area of research in computer network security.
As shown by [1], network systems suffer from various security vulnerabilities that can be exploited to deny, disrupt, degrade and destroy services and information resident in the network. The main aim of a network attack is to compromise the integrity, availability or confidentiality of the network system, which the intruder achieves through the data stream on the computer network. An intrusion detection system (IDS) is therefore intended to detect malicious or unauthorized activity on the network and to block the intruder's traffic so as to prevent further damage. An IDS first analyzes the network traffic and raises an alarm to assist the network administrator when a malicious attempt is found. With the growing use of internetworking, IDS is thus becoming a challenging area for the research community.
An IDS is designed to monitor network activity in order to identify malicious events. It functions in three stages: prevention, detection and reaction [2]. Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources [3]. Numerous techniques and controls, such as firewalls and antivirus software, are normally adopted to protect the network from unauthorized and malicious access. If an intrusion penetrates the network even after such preventive measures are in place, the IDS acts as the next line of defence for the system.
Intrusion detection systems can be broadly divided into two categories: signature-based systems (SBS), also called misuse-based, and anomaly-based systems (ABS) [4]. An SBS relies on pattern-matching techniques: it holds a database of signatures of known attacks and tries to match these signatures against the analyzed data; when a match is found, an alarm is raised. An ABS, on the other hand, first builds a statistical model describing normal network traffic, which defines the baseline normal profile, and then flags any behavior that deviates significantly from that model.
Although an SBS is effective against known intrusion types, it cannot detect new attacks that were not predefined. An ABS approaches the problem by looking for deviations of the analyzed data from the established baseline profile, which gives it the ability to detect new types of attack. However, it may also raise a significant number of false alarms, because normal behavior varies widely and a complete description of normal behavior is often difficult to obtain [5].
In practice, most of the detection techniques employed by IDSs are signature-based, searching for patterns or signatures of already known attacks [6]. The advantage of such systems is that signatures can be developed for known attacks and matched faster than an ABS can score traffic. The main disadvantage of SBS techniques, however, is that they can only identify already known attacks, so new or unknown attacks go undetected.
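The trade-off described above, as an added example that is not part of the paper and does not use the paper's SVM or ANN classifiers: a toy signature-based detector (a database of hand-written rules) is run beside a toy anomaly-based detector (a per-feature z-score against a baseline built from attack-free records) over a few constructed NSL-KDD-style connection records. The feature names follow the KDD'99 schema, but the rules, the threshold, the records and their labels are all assumptions made for this illustration. The known SYN flood is caught by both detectors, the attack for which no signature exists is caught only by the anomaly detector, and a legitimate but unusual bulk download is the anomaly detector's false alarm.

```python
"""Added example (not from the paper): signature-based vs anomaly-based detection
on constructed NSL-KDD-style connection records. All rules, thresholds and
records below are assumptions for illustration, not the real dataset."""
import math
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional


@dataclass(frozen=True)
class Conn:
    """A handful of NSL-KDD-style connection features (names follow KDD'99)."""
    protocol_type: str
    service: str
    flag: str
    duration: float        # seconds
    src_bytes: int
    dst_bytes: int
    count: int             # connections to the same host in the last 2 s
    serror_rate: float     # fraction of those with SYN errors
    wrong_fragment: int    # malformed fragments seen


NUMERIC = ("duration", "src_bytes", "dst_bytes", "count", "serror_rate", "wrong_fragment")

# --- Signature-based (misuse) detection: a database of known-attack patterns ---
# Hypothetical rules written for this example; a real SBS would carry many more.
SIGNATURES = {
    "neptune (SYN flood)": lambda c: c.flag == "S0" and c.serror_rate >= 0.9 and c.count >= 100,
    "teardrop (bad fragments)": lambda c: c.protocol_type == "udp" and c.wrong_fragment > 0,
}


def signature_match(conn: Conn) -> Optional[str]:
    """Return the first matching signature name, or None when nothing is known."""
    for name, rule in SIGNATURES.items():
        if rule(conn):
            return name
    return None


# --- Anomaly-based detection: profile normal traffic, flag deviations from it ---
def build_baseline(normal: list) -> dict:
    """Per-feature (mean, population std-dev) estimated from attack-free records."""
    return {
        f: (mean(getattr(c, f) for c in normal), pstdev(getattr(c, f) for c in normal))
        for f in NUMERIC
    }


def anomaly_score(baseline: dict, conn: Conn) -> float:
    """Largest absolute z-score over all features. A feature that was constant in
    the baseline but changes here scores infinity (any change is unprecedented)."""
    score = 0.0
    for f, (mu, sd) in baseline.items():
        x = getattr(conn, f)
        z = (0.0 if x == mu else math.inf) if sd == 0.0 else abs(x - mu) / sd
        score = max(score, z)
    return score


def classify(baseline: dict, conn: Conn, threshold: float = 3.0) -> dict:
    """Run both detectors on one record. 'threshold' (3 sigma) is an assumption."""
    score = anomaly_score(baseline, conn)
    return {"signature": signature_match(conn), "anomalous": score > threshold, "score": score}


# Constructed attack-free training records (hypothetical values).
NORMAL_TRAINING = [
    Conn("tcp", "http", "SF", 0, 232, 8153, 5, 0.0, 0),
    Conn("tcp", "http", "SF", 0, 239, 486, 8, 0.0, 0),
    Conn("tcp", "http", "SF", 1, 215, 1045, 4, 0.0, 0),
    Conn("tcp", "smtp", "SF", 2, 1220, 332, 2, 0.0, 0),
    Conn("tcp", "http", "SF", 0, 199, 420, 9, 0.0, 0),
    Conn("udp", "domain_u", "SF", 0, 45, 44, 3, 0.0, 0),
]

# Constructed test records; the key is the ground truth we assign each one.
TEST = {
    "normal_http": Conn("tcp", "http", "SF", 0, 245, 2100, 6, 0.0, 0),
    "known_syn_flood": Conn("tcp", "private", "S0", 0, 0, 0, 204, 1.0, 0),
    "unknown_attack": Conn("tcp", "http", "SF", 0, 54540, 8314, 1, 0.0, 0),   # no rule for it
    "bulk_download": Conn("tcp", "ftp_data", "SF", 45, 0, 950000, 1, 0.0, 0),  # legitimate
}


def run() -> dict:
    """Classify every test record against a baseline built from NORMAL_TRAINING."""
    baseline = build_baseline(NORMAL_TRAINING)
    return {name: classify(baseline, c) for name, c in TEST.items()}


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:16s} signature={str(r['signature']):26s} "
              f"anomalous={r['anomalous']!s:5s} score={r['score']:.1f}")
```

The two failure modes the text describes show up directly in the output: `unknown_attack` has no signature and is only caught because its `src_bytes` lies far outside the baseline, while `bulk_download` is flagged by the anomaly detector purely because long, large transfers were absent from the training profile. Tightening the threshold trades the second problem for misses of the first kind, which is the motivation for combining both approaches.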