Please use this identifier to cite or link to this item: http://repository.aaup.edu/jspui/handle/123456789/3756
Title: Improving Network Security‑Based Anomaly Detection Using Machine Learning And Deep Learning (Master's Thesis)
Other Titles: Improving Network Security-Based Anomaly Detection Using Machine Learning and Deep Learning.
Authors: Hawa, Marah Radi (AAUP, Palestinian)
Keywords: Digital Technologies, Cyber Threats, Intrusion Detection Systems, Machine Learning, Deep Learning.
Issue Date: 2025
Publisher: AAUP
Abstract: Advances in technology have increased the potential for delivering services while also exposing new threats in cyberspace as digital capabilities proliferate. Typical intrusion detection systems (IDSs) have a number of drawbacks. Signature-based methods are unable to deal with zero-day and stealthy attacks, and anomaly-based approaches tend to produce a large number of false positives. These difficulties are magnified in resource-limited settings like Palestine, where there is limited access to state-of-the-art security resources and representative local datasets. In this study, a hybrid intrusion detection system utilizing machine learning (ML) and deep learning (DL) is developed to overcome the above-mentioned limitations. The proposed method has two stages. In the first stage, several predefined models are trained and validated with global benchmark datasets to determine which architecture is appropriate. In the second stage, the chosen model is implemented and fine-tuned on a newly created Palestinian network traffic database. This combination of global and local data ensures that the system has a general detection capability while remaining sensitive to region-specific traffic scenarios. Experimental results show its superiority to classical IDSs in stability, adaptability to real network traffic, and false positive rate. The model obtained accuracy exceeding 99% on the global benchmark datasets and above 98.8% on the Palestinian dataset. Although similar state-of-the-art works have reported high classification performance on global datasets, none have considered the performance of an IDS with real Palestinian traffic. Therefore, the reported local accuracy is a first known baseline for intrusion detection in this regional domain rather than a comparative measure. We also show that errors and host activity are very important for separating bad traffic from good traffic. This shows that behavior characteristics that are specific to a domain are more useful than general features for finding anomalies. This work provides practical guidelines for developing scalable and cost-effective context-aware IDS solutions for resource-constrained environments. The results reveal that the combination of global and local datasets can yield a robust and interpretable intrusion detection system, which can be generalized to Palestine or similar cybersecurity contexts.
Description: Master \ Cyber Security
URI: http://repository.aaup.edu/jspui/handle/123456789/3756
Appears in Collections: Master Theses and Ph.D. Dissertations

Files in This Item:
File: مرح هوا.pdf
Size: 3.29 MB
Format: Adobe PDF


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.
