A Hybrid Machine-Learning Framework for Intrusion Detection: Comparative Evaluation and Statistical Validation

Muhammad Rashid; Arbab Masood Ahmad; Yasir Saleem Afridi; Rehmat Ullah

Authors

Muhammad Rashid Department of Computer Systems Engineering, University of Engineering and Technology Peshawar
Arbab Masood Ahmad Department of Computer Systems Engineering, University of Engineering and Technology Peshawar
Yasir Saleem Afridi Department of Computer Systems Engineering, University of Engineering and Technology Peshawar
Rehmat Ullah Department of Computer Systems Engineering, University of Engineering and Technology Peshawar

Keywords:

Intrusion Detection Systems (IDS), Cybersecurity, Machine Learning (ML), Supervised Learning, Unsupervised Learning, Deep Learning

Abstract

The increasing sophistication and frequency of cyberattacks have intensified the need for Intrusion Detection Systems (IDS) that are both accurate and adaptive. Traditional IDS, whether signature-based or anomaly-based, provides foundational protection but faces well-documented limitations: signature-based systems struggle against zero-day exploits, while anomaly-based systems often produce high false positive rates. To address these challenges, researchers and practitioners are increasingly turning to Machine Learning (ML) as a means of enhancing IDS capabilities. This paper explores the integration of ML techniques—supervised, unsupervised, and deep learning—into IDS frameworks and evaluates their effectiveness using widely recognized datasets, including NSL-KDD and CICIDS2017. Supervised learning methods such as Random Forest and Support Vector Machines (SVM) demonstrate strong classification abilities, while unsupervised clustering approaches offer promise in identifying novel attacks. Deep learning models, particularly Recurrent Neural Networks (RNNs), show state-of-the-art performance in capturing sequential traffic patterns and detecting subtle anomalies. In addition to model comparisons, this study emphasizes the practical relevance of ML-enhanced IDS by examining its integration with established tools like Snort and Zeek. Our results highlight that ML-driven IDS consistently outperforms traditional approaches, with RNNs and Random Forest achieving the highest balance of accuracy and efficiency. The findings underscore the potential of ML-based IDS to serve as the next frontier in cybersecurity, offering improved detection accuracy, reduced false alarms, and adaptability to evolving threats. At the same time, challenges remain in terms of dataset representativeness, computational demands, and the interpretability of deep learning models. By situating the analysis within both academic research and real-world deployment contexts, this paper contributes to a clearer understanding of the opportunities and trade-offs in advancing IDS through machine learning.

References

Accenture, “The Cost of Cybercrime Study 2023,” Accent. Secur., 2023, [Online]. Available: https://www.accenture.com

I. Spronck and T. J. . Beerepoot, “The power of insight : finding the courage to connect in business,” Book, p. 114, 2003, Accessed: Oct. 09, 2025. [Online]. Available: https://books.google.com/books/about/The_Power_of_Insight.html?id=8ncxngEACAAJ

Snort, “Snort - Network Intrusion Detection & Prevention System.” Accessed: Oct. 12, 2025. [Online]. Available: https://www.snort.org/

D. E. Denning, “An Intrusion-Detection Model,” IEEE Trans. Softw. Eng., vol. 13, no. 2, pp. 222–232, 1987, doi: 10.1109/TSE.1987.232894.

V. K. Varun Chandola,Arindam Banerjee, “Anomaly detection: A survey,” ACM Comput. Surv., vol. 41, no. 3, pp. 1–58, 2009, doi: https://doi.org/10.1126/science.1235338.

F. Pedregosa FABIANPEDREGOSA et al., “Scikit-learn: Machine Learning in Python,” J. Mach. Learn. Res., vol. 12, no. 85, pp. 2825–2830, 2011, Accessed: Jun. 16, 2024. [Online]. Available: http://jmlr.org/papers/v12/pedregosa11a.html

Y. Kim, S., Kim, H., & Park, “Anomaly-Based Intrusion Detection System for Software Defined Networking,” IEEE Access, vol. 8, pp. 151087–151103, 2020.

P. B. Martín Abadi, “TensorFlow: A system for large-scale machine learning,” Proc. 12th USENIX Symp. Oper. Syst. Des. Implementation, OSDI 2016, pp. 265–283, 2016, [Online]. Available: https://arxiv.org/abs/1605.08695

I. Goodfellow, “Deep Learning.” Accessed: Oct. 12, 2025. [Online]. Available: https://www.deeplearningbook.org/

H. L. Yanmeng Mo, “An intrusion detection system based on convolution neural network,” PeerJ Comput. Sci., vol. 10, p. e2152, 2024, [Online]. Available: https://peerj.com/articles/cs-2152/#table-1

A. Lopez-Martin, M., Carro, B., & Sanchez-Esguevillas, “Application of Deep Autoencoders for Feature Reduction in Intrusion Detection Systems,” Sensors, vol. 17, no. 9, p. 1967, 2017.

L.Dhanabal and D. S. P. Shantharajah, “A Study on NSL-KDD Dataset for Intrusion Detection System Based on Classification Algorithms,” Comput. Sci. Eng., 2015.

A. Zhang, J., Zulkernine, M., & Haque, “A Hybrid Semi-Supervised Approach for Intrusion Detection,” J. Netw. Comput. Appl., vol. 151, p. 102482, 2019.

M. A. J. Farnaaz Nabila, “Random Forest Modeling for Network Intrusion Detection System,” Procedia Comput. Sci., vol. 89, pp. 213–217, 2016, doi: https://doi.org/10.1016/j.procs.2016.06.047.

L. I. Nwobodo, L. O., Chibueze, K. I., & Ezigbo, “Hybrid Machine Learning-Based Framework for Effective Network Intrusion Detection,” Eur. J. Sci. Innov. Technol., vol. 4, no. 6, 2024, [Online]. Available: https://ejsit-journal.com/index.php/ejsit/article/download/565/528/

A. Paszke et al., “PyTorch: An Imperative Style, High-Performance Deep Learning Library,” Adv. Neural Inf. Process. Syst., vol. 32, Dec. 2019, Accessed: May 25, 2024. [Online]. Available: https://arxiv.org/abs/1912.01703v1

V. P. Ron Ross, “Enhanced Security Requirements for Protecting Controlled Unclassified Information,” NIST Spec. Publ., 2021, [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf

M. J. I. and A. R. I. Ahmad, M. Basheri, “Performance Comparison of Support Vector Machine, Random Forest, and Extreme Learning Machine for Intrusion Detection,” IEEE Access, vol. 6, pp. 33789–33795, 2018, doi: 10.1109/ACCESS.2018.2841987.

M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed analysis of the KDD CUP 99 data set,” IEEE Symp. Comput. Intell. Secur. Def. Appl. CISDA 2009, Dec. 2009, doi: 10.1109/CISDA.2009.5356528.

G. Candea and B. Plattner, “Nsl-kdd data set,” Kaggle, 2003, [Online]. Available: https://www.kaggle.com/datasets/hassan06/nslkdd

N. Shone, T. N. Ngoc, V. D. Phai, and Q. Shi, “A Deep Learning Approach to Network Intrusion Detection,” IEEE Trans. Emerg. Top. Comput. Intell., vol. 2, no. 1, pp. 41–50, Feb. 2018, doi: 10.1109/TETCI.2017.2772792.

M. A. R. Vinayakumar, “Deep Learning Approach for Intelligent Intrusion Detection System,” IEEE Access, vol. 7, 2019, doi: 10.1109/ACCESS.2019.2895334.

C. I. for Cybersecurity, “CICIDS2017 dataset,” Univ. New Brunswick, 2017, [Online]. Available: https://www.unb.ca/cic/datasets/ids-2017.html

S. G. Adam Paszke, “PyTorch: an imperative style, high-performance deep learning library,” Proc. 33rd Int. Conf. Neural Inf. Process. Syst., vol. 721, pp. 8026–8037, 2019, [Online]. Available: https://dl.acm.org/doi/10.5555/3454287.3455008