Analysis of error-based machine learning algorithms in network anomaly detection and categorization

Intrusion and anomaly detection are particularly important to protect computer networks and communication vulnerability. This research aims to experimentally identify the best error-based machine learning algorithm for anomaly detection and anomaly attack categorization with the highest accuracy and fastest build time. A two-stage anomaly and categorization framework has been set up for experimental evaluation. The first stage identifies if a network flow is normal or anomalous and the second stage identifies type of attack if the first stage result is anomalous. The goal is to eventually use the best algorithm in an online stream model of network intrusion detection. To this end, five research propositions are defined, four sets of experiments are set up, and four research questions are asked. The UNSW-NB15 dataset for network anomaly is used for training and testing in the experiments. Machine learning algorithms are classified into four different learning approaches: information-based, similarity-based, probability-based, and error-based. Our focus in this paper is on the error-based learning models, specifically, the following algorithms: Winnow, Logistic, Perceptron, Support Vector Machine (SVM), and Deep Learning. The results are also compared with the results of non-error-based machine learning algorithms. The results obtained show that, overall, the error-based machine learning algorithm, Winnow, is the best with 100% accuracy and time to build the model of 0.47 s for network anomaly detection. In terms of accuracy only, SVM comes top for network anomaly attack categorization but Simple Logistic is the best when accuracy and time to build are considered together.