Double layer machine learning for network intrusion detection system on web server

Nowadays, web application networks are experiencing rapid growth. Consequently, cybercriminals are launching more aggressive attacks on these networks. Intrusion detection systems, also known as IDS, extensively utilize pattern-matching methods based on signatures. This capability enables the systems to identify a wide variety of network-based attacks. To accurately detect anomalies or attacks, machine learning classifiers significantly enhance the robust performance of IDS compared to pattern-matching approaches based solely on packet features, such as packet lengths, flow duration, flags, and other characteristics. However, the accuracy of a single machine learning classifier method is relatively low in detecting a particular kind of attack due to the existence of different attack patterns. This research proposes a double layer machine learning approach based on the Random Forest and KNN algorithms. The aim is to identify the two most common types of attacks on web servers, namely DOS/DDOS and brute force attacks. Two distinct ML models were developed in parallel for IDS on web servers. The initial layer of the ML model comprises a 3-class classification approach using a random forest algorithm, enabling the identification of network records from the dataset as belonging to DoS, DDoS, and normal classes. The second layer of the ML model is constructed using KNN, which categorizes network records from the dataset into four classes, namely FTP-Patator, SSH-Patator, Web Brute Force, or normal. The selected features can significantly reduce both the training processing time and the prediction processing time. Based on the simulation results, the first layer, utilizing the random forest algorithm, achieved the best metrics with an accuracy of 0.9994 when using 40 features. On the other hand, the second layer obtained the best metrics with an accuracy of 0.9945 when using 64 features, but also performed well with 40 features.