Taxonomy of Supervised Machine Learning for Intrusion Detection Systems

  • Ahmed Ahmim
  • Mohamed Amine Ferrag
  • Leandros MaglarasEmail author
  • Makhlouf Derdour
  • Helge Janicke
  • George Drivas
Conference paper
Part of the Springer Proceedings in Business and Economics book series (SPBE)


This paper presents a taxonomy of supervised machine learning techniques for intrusion detection systems (IDSs). Firstly, detailed information about related studies is provided. Secondly, a brief review of public data sets is provided, which are used in experiments and frequently cited in publications, including, IDEVAL, KDD CUP 1999, UNM Send-Mail Data, NSL-KDD, and CICIDS2017. Thirdly, IDSs based on supervised machine learning are presented. Finally, analysis and comparison of each IDS along with their pros and cons are provided.


Machine learning Intrusion detection Cyber analytics 


  1. 1.
    Death D (2017) Information security handbook: develop a threat model and incident response strategy to build a strong information security framework. Packt Publishing Ltd., BirminghamGoogle Scholar
  2. 2.
    Maglaras LA, Jiang J (2014) Intrusion detection in SCADA systems using machine learning techniques. In: 2014 science and information conference. IEEE, Piscataway, pp 626–631CrossRefGoogle Scholar
  3. 3.
    European Union Agency for Network and Information Security (2018) ENISA threat landscape report 2018Google Scholar
  4. 4.
    Garcia-Teodoro P, Diaz-Verdejo J, Maciá-Fernández G, Vázquez E (2009) Anomaly-based network intrusion detection: techniques, systems and challenges. Comput Secur 28:18–28CrossRefGoogle Scholar
  5. 5.
    Zhou CV, Leckie C, Karunasekera S (2010) A survey of coordinated attacks and collaborative intrusion detection. Comput Secur 29:124–140CrossRefGoogle Scholar
  6. 6.
    Elshoush HT, Osman IM (2011) Alert correlation in collaborative intelligent intrusion detection systems - a survey. Appl Soft Comput 11:4349–4365CrossRefGoogle Scholar
  7. 7.
    Sperotto A, Schaffrath G, Sadre R, Morariu C, Pras A, Stiller B (2010) An overview of IP flow-based intrusion detection. IEEE Commun Surv Tutorials 12:343–356CrossRefGoogle Scholar
  8. 8.
    Modi C, Patel D, Borisaniya B, Patel H, Patel A, Rajarajan M (2013) A survey of intrusion detection techniques in cloud. J Netw Comput Appl 36:42–57CrossRefGoogle Scholar
  9. 9.
    Ferrag MA, Maglaras LA, Janicke H, Jiang J, Shu L (2017) Authentication protocols for internet of things: a comprehensive survey. Secur Commun Netw 2017:41 ppCrossRefGoogle Scholar
  10. 10.
    Ferrag MA, Maglaras LA, Janicke H, Jiang J, Shu L (2018) A systematic review of data protection and privacy preservation schemes for smart grid communications. Sustain Cities Soc 38:806–835CrossRefGoogle Scholar
  11. 11.
    Ferrag MA, Maglaras L, Ahmim A (2017) Privacy-preserving schemes for ad hoc social networks: a survey. IEEE Commun Surv Tutorials 19:3015–3045CrossRefGoogle Scholar
  12. 12.
    Butun I, Morgera SD, Sankar R (2014) A survey of intrusion detection systems in wireless sensor networks. IEEE Commun Surv Tutorials 16:266–282CrossRefGoogle Scholar
  13. 13.
    Vasilomanolakis E, Karuppayah S, Mühlhäuser M, Fischer M (2015) Taxonomy and survey of collaborative intrusion detection. ACM Comput Surv 47:55CrossRefGoogle Scholar
  14. 14.
    Milenkoski A, Vieira M, Kounev S, Avritzer A, Payne BD (2015) Evaluating computer intrusion detection systems: a survey of common practices. ACM Comput Surv 48:12CrossRefGoogle Scholar
  15. 15.
    Buczak AL, Guven E (2016) A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Commun Surv Tutorials 18:1153–1176CrossRefGoogle Scholar
  16. 16.
    Ahmed M, Mahmood AN, Hu J (2016) A survey of network anomaly detection techniques. J Netw Comput Appl 60:19–31CrossRefGoogle Scholar
  17. 17.
    Sharafaldin I, Lashkari AH, Ghorbani AA (2018) Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: ICISSP, pp 108–116Google Scholar
  18. 18.
    Cannady J (1998) Artificial neural networks for misuse detection. In: National information systems security conference, Baltimore, vol. 26Google Scholar
  19. 19.
    Lippmann RP, Cunningham RK (2000) Improving intrusion detection performance using keyword selection and neural networks. Comput Netw 34:597–603CrossRefGoogle Scholar
  20. 20.
    Bivens A, Palagiri C, Smith R, Szymanski B, Embrechts M, et al (2002) Network-based intrusion detection using neural networks. In: Intelligent engineering systems through artificial neural networks, vol 12, pp 579–584Google Scholar
  21. 21.
    Kruegel C, Mutz D, Robertson W, Valeur F (2003) Bayesian event classification for intrusion detection. In: 19th annual computer security applications conference, 2003. Proceedings. IEEE, Piscataway, pp 14–23CrossRefGoogle Scholar
  22. 22.
    Kruegel C, Toth T (2003) Using decision trees to improve signature-based intrusion detection. In: International workshop on recent advances in intrusion detection. Springer, Berlin, pp 173–191CrossRefGoogle Scholar
  23. 23.
    Benferhat S, Kenaza T, Mokhtari A (2008) A naive Bayes approach for detecting coordinated attacks. In: 2008 32nd annual IEEE international computer software and applications conference. IEEE, Piscataway, pp 704–709CrossRefGoogle Scholar
  24. 24.
    Apiletti D, Baralis E, Cerquitelli T, DElia V (2009) Characterizing network traffic by means of the NetMine framework. Comput Netw 53:774–789CrossRefGoogle Scholar
  25. 25.
    Amiri F, Yousefi MR, Lucas C, Shakery A, Yazdani N (2011) Mutual information-based feature selection for intrusion detection systems. J Netw Comput Appl 34:1184–1199CrossRefGoogle Scholar
  26. 26.
    Brahmi H, Brahmi I, Yahia SB (2012) OMC-IDS: at the cross-roads of OLAP mining and intrusion detection. In: Pacific-Asia conference on knowledge discovery and data mining. Springer, Berlin, pp 13–24CrossRefGoogle Scholar
  27. 27.
    Li Y, Xia J, Zhang S, Yan J, Ai X, Dai K (2012) An efficient intrusion detection system based on support vector machines and gradually feature removal method. Expert Syst Appl 39:424–430CrossRefGoogle Scholar
  28. 28.
    Bilge L, Sen S, Balzarotti D, Kirda E, Kruegel C (2014) Exposure: a passive DNS analysis service to detect and report malicious domains. ACM Trans Inf Syst Secur 16:14CrossRefGoogle Scholar
  29. 29.
    Aljawarneh S, Aldwairi M, Yassein MB (2018) Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model. J Comput Sci 25:152–160CrossRefGoogle Scholar
  30. 30.
    Ahmim A, Maglaras L, Ferrag MA, Derdour M, Janicke H (2018) A novel hierarchical intrusion detection system based on decision tree and rules-based models. Preprint arXiv:1812.09059Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Ahmed Ahmim
    • 1
  • Mohamed Amine Ferrag
    • 2
  • Leandros Maglaras
    • 3
    • 4
    Email author
  • Makhlouf Derdour
    • 1
  • Helge Janicke
    • 3
  • George Drivas
    • 4
    • 5
  1. 1.University of Larbi TebessiTebessaAlgeria
  2. 2.Guelma UniversityGuelmaAlgeria
  3. 3.De Montfort UniversityLeicesterUK
  4. 4.National Cyber Security Authority, General Secretariat of Digital PolicyMinistry of Digital Policy, Telecommunications and MediaAthensGreece
  5. 5.Department of Digital SystemsUniversity of PiraeusPiraeusGreece

Personalised recommendations