Please use this identifier to cite or link to this item: http://dspace.dtu.ac.in:8080/jspui/handle/repository/20917
Title: INTRUSION DETECTION SYSTEM USING COHEN’S D AND WILCOXON TEST
Authors: KOMAL
Keywords: INTRUSION DETECTION SYSTEM
WILCOXON TEST
COHEN’S D
IDS
Issue Date: Jun-2024
Series/Report no.: TD-7462
Abstract: In an age where cyber-attacks and malicious activities are at their peak, cybersecurity is crucial for detecting network intrusions and preventing unauthorized access to sensitive data. This thesis underscores the importance of network security, highlighting that network attacks can cause significant financial and operational losses for companies, organizations, and individuals. Traditional defences like antivirus software and firewalls, once sufficient, are now inadequate against the evolving nature of these threats. These conventional tools have proven ineffective in protecting network systems from increasingly sophisticated attacks and malware. This situation necessitates intelligent countermeasures to maintain the security of networks and critical systems. The objective of this work is to create a robust system designed to identify intrusions by analysing network traffic. Chapter 1 introduces the concept and function of intrusion detection systems (IDS). Intrusion detection entails monitoring network traffic and computer activities to detect any malicious or unauthorized behaviour. An IDS can be either a device or a software application that performs this detection. Unlike firewalls, which focus on protecting the network perimeter, IDSs scrutinize activities within the protected network. IDSs can be categorized into three types: signature-based, anomaly-based, and hybrid systems. For an IDS to be effective, it must be efficient, adaptable, and scalable. The chapter concludes with an exploration of the limitations and challenges associated with current systems. Chapter 2 reviews the literature on network traffic-based intrusion detection, examining over 50 research papers. In Chapter 3, we present the 11 features utilized in our research, detailing their names and meanings. We conduct statistical tests to evaluate and rank these features according to their effectiveness in detecting network intrusions. 
Our objective is to determine a set of features that together provide higher accuracy than any single feature or any other combination of features. We use two statistical tests: Cohen’s d, which assesses the effect size by comparing the means of various sample data, and the Wilcoxon test, which determines whether there are significant differences between paired samples. We then discuss the purpose of the machine learning classifiers used in our research: SVM, Naive Bayes, Logistic Regression and Decision Tree. Features are ranked from least to most efficient, creating three columns: one for Cohen’s d, one for Wilcoxon test. We also prepare a table where each feature is individually evaluated using all three classifiers. To investigate the potential effectiveness of different feature combinations, we evaluate various combinations using all four classifiers, producing four distinct sets of results. This method is repeated across the four sets of results to identify the final set of features that are most effective for network intrusion detection. Chapter 4 presents the tables, calculations, and evidence supporting our conclusion that a specific combination of five features—"Flow duration," "Packets received per second," "Average packet size received," "Average packet size sent," and "Average packet size"—achieved the highest accuracy of 99.70% when using the Decision Tree classifier, outperforming all other features and combinations. Chapter 5 concludes the thesis and outlines potential directions for future research.
URI: http://dspace.dtu.ac.in:8080/jspui/handle/repository/20917
Appears in Collections: M Sc Applied Maths

Files in This Item:
File: KOMAL M.Sc..pdf
Size: 651.91 kB
Format: Adobe PDF