Lakhasly

To assess the proposed intrusion detection system several experiments were performed on the CIDDS-001 dataset.
First the dataset is split into train and test sets using a configuration of 60% for training and 40% for testing. In order
to simulate the intrusions in the Cloud platform a 5 minutes time-based window sampling method is applied to the
test set. The traffic records of each time window are divided subsequently to 4 parts, where each records go to a single
router. At each one of the routers sides the preprocessing tasks and the anomaly detection are performed. Then the
Random Forest ensemble learning is used to detect types of each intrusion. The obtained results of the entire proposed
IDS are compared with a standard Random Forest ensemble classifiers tested directly on the CIDDS-001 dataset. The
experiments testbed used in this paper constitutes of 4 instances created in the Google Cloud Platform with a total of
8 cores and 32 Go of memory.
6. Results and Discussion
6.1. Evaluation metrics
The proposed IDS classifies the network traffic data as either positive or negative which correspond respectively to
an attack type or normal traffic. The obtained results are evaluated using the following performance metrics:
Accuracy: Percentage of the traffic records that are correctly classified.
Accuracy = 100 ×
correctly classi f ied records
total records
(2)
False Positive Rate (FPR): Percentage of the normal records which are classified as attack records.
FPR = 100 ×
FP
FP + TN
(3)
Where FP is the number of normal records incorrectly classified as attack records. TN is the number of correctly
classified normal records.
Running time: total time needed to detect intrusions including preprocessing time, anomaly detection time and
Random Forest classification time.
ROC and AUC curves: Receiver Operator Characteristic (ROC) and Area Under ROC (AUC) curves are commonly
used to present results for binary decision problems in machine learning. The ROC curve shows how the
number of correctly classified positive examples varies with the number of incorrectly classified negative examples.
The AUC value characterizes the accuracy of the model.
6.2. Performance of the proposed IDS
In this section we give the obtained results of the proposed IDS evaluated using the CIDDS-001 dataset. The
obtained results of the anomaly detection module illustrated in figure 2. The results represent the ROC curves and
the AUC scores of the anomaly detection module at each router side of the Cloud platform. The anomaly detection
module achieves its highest accuracy of 94.3% at the third router. Also, the module achieves an accuracy of 89%,
92.7% and 91.4% for respectively routers 1, 2 and 4. Low running time and high false positive rates are also observed
at each router.
The remaining obtained overall results of the proposed IDS are tabulated in table 2. The results in table 2 represents
the average accuracy and the average false positive rates of the proposed IDS to detect the four types of attack classes
contained in the dataset used in this paper which are DoS, PortScan, PingScan and BruteForce. The overall accuracy
of the proposed IDS reached 97% for all the attack classes, with an average FPR of 0.21%. It worth nothing that the
proposed IDS outperform the standard Random Forest tested directly on the CIDDS-001 dataset which achieved and
accuracy of 85% with a high FPR of 0.43%. Also the proposed IDS achieved good running time of 6.23s for all the
dataset compared to the standard Random Forest that achieved 24.87s.