Intelligent Decision Technologies 5 (2011) 347–356
DOI 10.3233/IDT-2011-0117
IOS Press
ISSN 1872-4981/11/$27.50 © 2011 – IOS Press and the authors. All rights reserved

Network intrusion detection system: A machine learning approach

Mrutyunjaya Panda a,*, Ajith Abraham b, Swagatam Das c and Manas Ranjan Patra d

a Department of EEE GITA, Bhubaneswar, Odisha, India
b MIR Labs, Washington, USA
c Department of ECE, Jadavpur University, Kolkata, India
d Department of Comp. Sc., Berhampur University, Odisha, India

* Corresponding author. E-mail: mrutyunjaya@ieee.org.

Abstract. Intrusion detection systems (IDSs) are currently drawing a great amount of interest as a key part of system defence. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Recently, machine learning methodologies have been playing an important role in detecting network intrusions (or attacks), which further helps the network administrator to take precautionary measures for preventing intrusions. In this paper, we propose to use ten machine learning approaches that include Decision Tree (J48), Bayesian Belief Network, Hybrid Naïve Bayes with Decision Tree, Rotation Forest, Hybrid J48 with Lazy Locally weighted learning, Discriminative multinomial Naïve Bayes, Combining random Forest with Naïve Bayes and finally ensemble of classifiers using J48 and NB with AdaBoost (AB) to detect network intrusions efficiently. We use the NSL-KDD dataset, a variant of the widely used KDDCup 1999 intrusion detection benchmark dataset, for evaluating our proposed machine learning approaches for network intrusion detection. Finally, experimental results with 5-class classification are presented, including detection rate, false positive rate, and average cost for misclassification. These are intended to give researchers in the domain of network intrusion detection a better understanding.

Keywords: Intrusion detection, machine learning, cost matrix

1. Introduction

Intrusion detection is defined as the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions [32]. The need for an effective intrusion detection mechanism for computer systems was put forward by Denning and Neumann [5] in order to find reasons for intrusion detection within a secure computing framework. The first major work in the area of intrusion detection was discussed by Anderson in [16], with the insight that certain types of intrusions against computer system security could be identified through a detailed analysis of the information contained in the system's audit trail. Anderson identified three threats: external penetrations, by unauthorized users of the system; internal penetrations, by authorized system users who use the system in an unauthorized manner; and finally misfeasors, authorized users who try to exploit their access privileges. However, it was Denning [6] who proposed an intrusion detection model that is considered to be the fundamental core of most intrusion detection research in use today.

Approaches for intrusion detection can be broadly divided into two types: misuse detection and anomaly detection. In a misuse detection system, all known types of attacks (intrusions) can be detected by looking for predefined intrusion patterns in system audit traffic. In the case of anomaly detection, the system first learns a normal activity profile and then flags all system events that do not match the already established profile. The main advantage of misuse detection is its capability for a high detection rate, but it has difficulty finding new or unforeseen attacks. The advantage of anomaly detection lies in the ability to identify the