How to Simulate Intrusion Detection System Using MATLAB

Simulating an Intrusion Detection System (IDS) in MATLAB helps show how IDSs detect suspicious or malicious activity within networks. There are several kinds of IDS, such as signature-based, anomaly-based, and hybrid IDSs. In this guide, we concentrate on simulating an anomaly-based IDS, since it relies on machine learning, statistical analysis, and behavior-based detection, all of which can be implemented in MATLAB.

Steps to Simulate an Intrusion Detection System (IDS) Using MATLAB

  1. Collect or Generate Network Traffic Data

An IDS needs network traffic data to observe in order to identify anomalies. We can either use real datasets such as KDD Cup 99, NSL-KDD, or CICIDS2017, or generate synthetic network traffic data.

For simplicity, we create some synthetic network traffic that contains both normal and attack traffic.

% Generate synthetic network traffic data
% Columns represent different features (e.g., packet size, source IP, destination IP, etc.)
% Rows represent different network events

% Normal traffic (1000 samples, 3 features: packet size, delay, and protocol type)
normalTraffic = [randn(1000, 1) * 50 + 500, randn(1000, 1) * 5 + 20, randi([1, 3], 1000, 1)];

% Attack traffic (200 samples, same features but with abnormal values)
attackTraffic = [randn(200, 1) * 200 + 1000, randn(200, 1) * 10 + 50, randi([4, 5], 200, 1)];

% Combine normal and attack traffic
trafficData = [normalTraffic; attackTraffic];
trafficLabels = [zeros(1000, 1); ones(200, 1)];  % 0 for normal, 1 for attack

  2. Preprocess the Data

Preprocessing is important for preparing the data for machine learning models. Common steps include:

  • Normalization: Scale the feature values.
  • Splitting the dataset: Divide the dataset into training and testing sets.

% Normalize the features (min-max normalization)
minVal = min(trafficData);
maxVal = max(trafficData);
normalizedTrafficData = (trafficData - minVal) ./ (maxVal - minVal);

% Split the dataset into training (80%) and testing (20%)
cv = cvpartition(size(normalizedTrafficData, 1), 'Holdout', 0.2);
trainingData = normalizedTrafficData(training(cv), :);
trainingLabels = trafficLabels(training(cv), :);
testingData = normalizedTrafficData(test(cv), :);
testingLabels = trafficLabels(test(cv), :);

  3. Train a Machine Learning Model for Anomaly Detection

Anomaly-based IDSs frequently use machine learning algorithms to classify traffic as normal or anomalous. Common algorithms include:

  • Support Vector Machines (SVM)
  • K-Nearest Neighbors (KNN)
  • Decision Trees
  • Neural Networks

Here, we use a Support Vector Machine (SVM) to train the IDS.

% Train an SVM model
svmModel = fitcsvm(trainingData, trainingLabels, 'KernelFunction', 'rbf', 'Standardize', true, 'ClassNames', [0, 1]);

% Predict on the testing data to evaluate the model
predictedLabels = predict(svmModel, testingData);

% Calculate accuracy
accuracy = sum(predictedLabels == testingLabels) / length(testingLabels) * 100;
disp(['Testing Accuracy: ', num2str(accuracy), '%']);

  4. Test the Intrusion Detection System

Evaluate the performance of the IDS using the testing dataset, with common metrics such as accuracy, precision, recall, and F1-score.

% Confusion matrix to evaluate performance
confusionMatrix = confusionmat(testingLabels, predictedLabels);

% Calculate performance metrics: precision, recall, F1-score
TP = confusionMatrix(2, 2);  % True Positives
FP = confusionMatrix(1, 2);  % False Positives
TN = confusionMatrix(1, 1);  % True Negatives
FN = confusionMatrix(2, 1);  % False Negatives

precision = TP / (TP + FP);
recall = TP / (TP + FN);
f1Score = 2 * (precision * recall) / (precision + recall);

disp(['Precision: ', num2str(precision)]);
disp(['Recall: ', num2str(recall)]);
disp(['F1 Score: ', num2str(f1Score)]);

  5. Visualize the Results

MATLAB offers strong visualization tools for showing the results of the IDS simulation. We can plot the ROC curve, the confusion matrix, or the detected anomalies using scatter plots.

Example: Visualizing the ROC Curve

The Receiver Operating Characteristic (ROC) curve offers a graphical representation of a model's ability to distinguish between normal and attack traffic.

% Compute the scores of the SVM model (used for ROC curve)
[~, scores] = predict(svmModel, testingData);

% Plot the ROC curve
[X, Y, T, AUC] = perfcurve(testingLabels, scores(:, 2), 1);
figure;
plot(X, Y);
xlabel('False Positive Rate');
ylabel('True Positive Rate');
title(['ROC Curve, AUC = ', num2str(AUC)]);
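The ROC data also gives the score threshold behind each point, which lets the IDS alert at a chosen false-positive budget rather than at the classifier's default cut-off. The following is an added example, not code from the original page; the budget maxFPR and the daily volume benignPerDay are assumed values, and the variable names are chosen for this example.

```matlab
% Added example (not from the original page): pick an alert threshold
% that respects a false-positive budget instead of the default cut-off.
rng(42);  % fixed seed so the constructed data is reproducible

% Constructed traffic, same distributions as the tutorial's synthetic data
normalTraffic = [randn(1000,1)*50+500,  randn(1000,1)*5+20,  randi([1,3],1000,1)];
attackTraffic = [randn(200,1)*200+1000, randn(200,1)*10+50,  randi([4,5],200,1)];
X = [normalTraffic; attackTraffic];
y = [zeros(1000,1); ones(200,1)];            % 0 = normal, 1 = attack

% Hold out 20% for testing; 'Standardize' rescales features inside the model
cv  = cvpartition(size(X,1), 'Holdout', 0.2);
mdl = fitcsvm(X(training(cv),:), y(training(cv)), 'KernelFunction', 'rbf', ...
    'Standardize', true, 'ClassNames', [0, 1]);

Xte = X(test(cv),:);
yte = y(test(cv));
[~, scores] = predict(mdl, Xte);
attackScore = scores(:,2);                   % higher = more attack-like

% ROC points and the score threshold that produces each point
[fpr, tpr, thr] = perfcurve(yte, attackScore, 1);

maxFPR = 0.01;                               % assumed budget: 1% of benign events
idx = find(fpr <= maxFPR, 1, 'last');        % right-most ROC point within budget
chosenThr = thr(idx);

% Apply the threshold and recount the confusion-matrix cells
alerts = attackScore >= chosenThr;
TP = sum(alerts & (yte == 1));   FP = sum(alerts & (yte == 0));
FN = sum(~alerts & (yte == 1));  TN = sum(~alerts & (yte == 0));
obsTPR = TP / (TP + FN);
obsFPR = FP / (FP + TN);
fprintf('Threshold %.3f: TPR %.3f, FPR %.3f\n', chosenThr, obsTPR, obsFPR);

% Base-rate check: at an assumed benign volume, how many false alerts per day?
benignPerDay = 1e6;                          % assumed event volume
fprintf('Expected false alerts per day: %.0f\n', obsFPR * benignPerDay);
```

With roughly 200 benign events in the test split, the false-positive rate can only be measured in steps of about 0.005, so a tight budget needs a larger benign sample to estimate reliably.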

Example: Confusion Matrix Visualization

% Plot confusion matrix
figure;
confusionchart(confusionMatrix, {'Normal', 'Attack'});
title('Confusion Matrix');

  6. Simulate IDS in a Real-Time Environment (Optional)

To run the IDS in a real-time setting, we can process network traffic as it arrives, using sources such as pcap files (packet capture) or by connecting MATLAB to live network data streams.

Example: Real-time Traffic Simulation

% Assume realTimeTrafficData is incoming network traffic in real-time
realTimeTrafficData = [randn(1, 1) * 50 + 500, randn(1, 1) * 5 + 20, randi([1, 3], 1, 1)];
realTimeTrafficData = (realTimeTrafficData - minVal) ./ (maxVal - minVal);  % Normalize

% Predict the class in real-time (0: normal, 1: attack)
realTimePrediction = predict(svmModel, realTimeTrafficData);

if realTimePrediction == 0
    disp('Normal Traffic Detected');
else
    disp('Attack Traffic Detected');
end

  7. Simulate Various Attack Scenarios

We can simulate several kinds of attacks to observe how the IDS reacts. For instance:

  • Denial of Service (DoS) attacks: High packet volume from one or more sources.
  • Probe/Scan attacks: Attackers searching for open ports or vulnerable services.
  • User to Root (U2R): An attacker tries to acquire superuser privileges on a system.
  • Remote to Local (R2L): An attacker tries to gain unauthorized access to a machine remotely.

We can change the synthetic attack data to simulate different scenarios.

Example: Simulating a DoS Attack

% DoS attack generates abnormal packet size and high traffic rate
dosAttack = [randn(100, 1) * 300 + 1500, randn(100, 1) * 30 + 100, randi([6, 7], 100, 1)];

% Classify DoS attack traffic using the IDS model
dosAttack = (dosAttack - minVal) ./ (maxVal - minVal);  % Normalize
dosPrediction = predict(svmModel, dosAttack);

% Count how many DoS traffic packets were detected as attacks
numDoSDetected = sum(dosPrediction == 1);
disp(['DoS Attack Detected in ', num2str(numDoSDetected), ' out of 100 packets']);

  8. Advanced Topics in IDS Simulation
  • Hybrid IDS: Combine signature-based detection with anomaly detection.
  • Time-series data: Integrate time-based analysis to identify slow or long-duration attacks.
  • Deep learning-based IDS: Train deep neural networks with more complex architectures for intrusion detection.
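A sketch of the hybrid idea from the list above: a signature stage and the SVM anomaly stage run side by side and their verdicts are combined with OR. This is an added example, not code from the original page; the signatures matrix and its values are constructed for illustration, and raw features are passed to the SVM with 'Standardize' instead of the separate min-max step.

```matlab
% Added example (not from the original page): hybrid IDS = signature OR anomaly.
rng(7);  % fixed seed so the constructed data is reproducible

% Constructed training traffic, same distributions as the tutorial's data
normalTraffic = [randn(1000,1)*50+500,  randn(1000,1)*5+20,  randi([1,3],1000,1)];
attackTraffic = [randn(200,1)*200+1000, randn(200,1)*10+50,  randi([4,5],200,1)];
X = [normalTraffic; attackTraffic];
y = [zeros(1000,1); ones(200,1)];            % 0 = normal, 1 = attack

% Anomaly stage: the same kind of SVM the tutorial trains
svmModel = fitcsvm(X, y, 'KernelFunction', 'rbf', 'Standardize', true, ...
    'ClassNames', [0, 1]);

% Signature stage: hypothetical rules, one per row,
% [minimum packet size, minimum delay, exact protocol code]
signatures = [1200, 60, 6;
              1200, 60, 7];

% Unseen events: DoS-like traffic as in the tutorial, plus fresh normal traffic
dosAttack   = [randn(100,1)*300+1500, randn(100,1)*30+100, randi([6,7],100,1)];
freshNormal = [randn(100,1)*50+500,   randn(100,1)*5+20,   randi([1,3],100,1)];
events = [dosAttack; freshNormal];
truth  = [ones(100,1); zeros(100,1)];

% An event matches a signature when all three conditions of a row hold
sigHit = false(size(events,1), 1);
for k = 1:size(signatures,1)
    s = signatures(k,:);
    sigHit = sigHit | (events(:,1) >= s(1) & events(:,2) >= s(2) & events(:,3) == s(3));
end

svmHit    = predict(svmModel, events) == 1;  % anomaly verdict
hybridHit = sigHit | svmHit;                 % alert if either stage fires

% Compare detection rate and false-alarm rate of each stage and the hybrid
names = {'Signature only', 'Anomaly only', 'Hybrid (OR)'};
hits  = [sigHit, svmHit, hybridHit];
for k = 1:3
    detRate = mean(hits(truth == 1, k));
    faRate  = mean(hits(truth == 0, k));
    fprintf('%-15s detection rate %.2f, false alarm rate %.2f\n', ...
        names{k}, detRate, faRate);
end
```

Combining with OR can only raise the detection rate relative to either stage alone, and it also inherits the false alarms of both, which is why the two rates are reported together.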

Example Projects for IDS Simulation in MATLAB

  1. Anomaly Detection in Network Traffic: Use machine learning models (SVM, Decision Trees, and Neural Networks) to identify intrusions in synthetic or real network traffic.
  2. DoS and DDoS Attack Detection: Simulate DoS or DDoS attacks and build a system that identifies these attacks from network traffic volume and patterns.
  3. Hybrid IDS with Signature and Anomaly Detection: Combine signature-based and anomaly-based detection techniques to build a more comprehensive IDS.
  4. Network Traffic Classification: Construct an IDS that classifies different kinds of attacks (DoS, Probe, U2R, R2L) using a multi-class classifier.
  5. Real-time IDS with Live Traffic: Connect MATLAB to a real-time traffic stream (using pcap files or live network capture) and run the real-time IDS.

We used MATLAB to walk through in-depth simulations of Intrusion Detection System projects, and we can provide further analysis and simulation if required.

We understand the importance of having the right simulation tools for your research. That’s why we’re here to support you. We will provide you with detailed, step-by-step instructions for simulating Intrusion Detection System Projects using MATLAB.