{"title":"A machine learning-based NIDS that collects training data from within the organization and updates the discriminator periodically and automatically","authors":"Hideya Sato, R. Kobayashi","doi":"10.1109/CANDARW53999.2021.00077","DOIUrl":null,"url":null,"abstract":"To mitigate ever-changing cyber-attacks, we propose a machine-learning network-based intrusion detection system (NIDS). To address issues with related studies for a target organization, we use mirror ports to recover benign communications, and set up a honeypot to collect malicious communications. By extracting features from communication data and applying training, we create a machine learning NIDS for a target organization that reflects the latest communication data. As a result of the validation, we used RF (Random Forest) and MLP (Multilayer perceptron) as the learning algorithms, which had excellent decision accuracy. For communication data acquired by an automatic collection system, we performed discrimination according to the machine learning with the extracted features and obtained a very low false positive rate. These results show the importance of collecting benign and malicious communications within the installation organization.","PeriodicalId":325028,"journal":{"name":"2021 Ninth International Symposium on Computing and Networking Workshops (CANDARW)","volume":"29 3 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 Ninth International Symposium on Computing and Networking Workshops (CANDARW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CANDARW53999.2021.00077","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
To mitigate ever-changing cyber-attacks, we propose a machine-learning network-based intrusion detection system (NIDS). To address issues with related studies for a target organization, we use mirror ports to recover benign communications, and set up a honeypot to collect malicious communications. By extracting features from communication data and applying training, we create a machine learning NIDS for a target organization that reflects the latest communication data. As a result of the validation, we used RF (Random Forest) and MLP (Multilayer perceptron) as the learning algorithms, which had excellent decision accuracy. For communication data acquired by an automatic collection system, we performed discrimination according to the machine learning with the extracted features and obtained a very low false positive rate. These results show the importance of collecting benign and malicious communications within the installation organization.