Per-Instance Selection of Machine Learning Classifiers for IDS and IPS

Generally, malicious attacks on a network or server can be detected and counteracted using various techniques. The intrusion detection systems (IDS) and intrusion prevention systems (IPS) are two of the most common application systems in detecting and preventing cyber threats. Despite the ability of each of these systems to help organizations overcome various types of threats to their networks, additional decisions are required to ensure that they operate effectively. Even IDS and IPS remain vulnerable to conditions that render them less efficient and incapable of meeting the required operational targets. Consequently, it is imperative that organizations make decisions and take actions that tend to optimize the efficiency with which the cybersecurity applications operate.

Most organizations have IT infrastructure nowadays, and they differ in their requirements and sizes, but there is a common problem that is managing the flood of alerts coming from the IDS(Simone, 2009). The IDS creates a huge number of alerts. Not all the threats detected are true, but it means that the IDS has found a matching signature or pattern. These types of alarms are considered false positives and a result of misclassification. They can be a real pain for organizations to determine if these alarms are actionable or not. Because of the issues with the current IDS, there is a need for continued research to solve the classification issues, and for that, a per-instance multi-classifier is proposed.

This research will discuss the importance of researching a new algorithm that is a portfolio of multiple classifiers for intrusion detection systems in the cyber-security space. There is already much research in this field, and many classifiers have been proposed, but the fact there is no single classifier that can cover all threats with high accuracy. The intention is to have a portfolio of classifiers. Each classifier will be tested and trained on the dataset. The idea of having multiple classifiers that each classifier can complement and contribute to the classification. A Master classifier will determine the fitness of each classifier, depending on the presented instance, and all the fit classifiers will contribute to the classification by voting. The vote will determine if the instance is benign or an anomaly, and if it is an anomaly, it will determine the type of attack.