SABADT: Hybrid Intrusion Detection Approach for Cyber Attacks Identification in WLAN

With the advancement of technology, the use of wireless media and devices is increasing every day. In particular, the use of wireless local area networks (WLANs) has increased rapidly in recent years and is expected to increase further. The current state of WLAN technologies leaves the network vulnerable to attacks ranging from passive listening to active intervention. Intrusion detection systems (IDSs) are being developed against these kinds of attacks. IDSs play an important role in WLAN security by detecting and preventing malicious activities. However, most techniques used in IDSs cannot cope with dynamic and complex attacks. The aim of this study is to reduce the deficiencies of present IDSs for WLANs and build a more effective system which can detect unknown and complex attack variants dynamically. In this context, a methodology has been proposed. The proposed methodology has two main contributions. The first contribution is the Feature Selection Approach (FSAP), which increases the speed of attack detection by reducing the number of used features. The second contribution is the hybrid attack detection technique SABADT (Signature and Anomaly Based Attack Detection Technique), which detects attacks fast and with high accuracy. The proposed methodology is implemented on the KDD'99 and UNSW-NB15 datasets. The obtained results are compared with existing machine learning techniques. The detection model is created using the KDD'99 and UNSW-NB15 training datasets and tested on the KDD'99 and UNSW-NB15 test datasets. The obtained accuracy rates of 99.65% and 99.17% are quite high when compared to leading methods in the literature. In addition, common attack tools were used to obtain a mix of normal activities and current attack behaviors in order to test on novel attacks within the scope of the study. These different types of attacks were captured with the Wireshark tool. Some of the captured attacks were used only in the testing phase. Here, the attacks were detected with an accuracy rate of 99.69%.


I. INTRODUCTION
With the advancement of technology, cables have left most of our lives and have been replaced by wireless devices and technologies [1]. In particular, the use of wireless local area networks has increased rapidly in recent years and is expected to increase further [2,3]. The popularity and rapid development of wireless technology has made our daily life easier, but it has also brought more security problems [4,5]. For these reasons, interest in network intrusion detection systems (NIDSs) has increased among researchers [6,7]. Intrusion detection systems are widely used to detect both known and unknown attacks carried out by external and internal attackers in wireless networks. In addition, security standards for WLAN protection are still ambiguous [8].
Due to the intensive interest in WLANs, research in the field of IDS has increased [9,10]. However, the density and variety of attacks increase in proportion to the speed of this research. To illustrate, an attack may become undetectable after small changes to a known attack type [11]. Therefore, existing IDSs cannot cope with the fast-evolving attack surface. The goal of this study is to contribute to the development of IDSs that increase detection accuracy for new kinds of attacks in WLANs. In this context, destination id. These features are used for the signature-based attack detection technique in the proposed methodology. Also, each dataset has content features according to its formation. These features are used for the anomaly-based attack detection technique in the proposed methodology. Thus, both the signature- and anomaly-based techniques are combined in the proposed SABADT.
In the first part of FSAP, the features that are appropriate for the model to be formed and that are decisive in reaching the result are selected. In the second part, signatures are extracted according to the "normal" and "attack" status by using the basic and common features of the datasets in the literature. After that, a hybrid technique (SABADT) for analyzing non-common content features and extracting rules is proposed. Using these features and data analysis, behaviors are determined and rules are extracted according to these behaviors. The KDD'99 and UNSW-NB15 datasets were used to evaluate the performance of the proposed methodology. The obtained results were compared with the standard machine learning techniques most commonly applied in the literature. The KDD'99 and UNSW-NB15 training datasets were used while extracting the signatures/rules, and the KDD'99 and UNSW-NB15 test datasets were used when evaluating the created model, because the test datasets also include attack types that are not found in the training datasets. Accuracy rates of 99.65% and 99.17% were achieved, respectively. In addition, the proposed method was tested on current attacks within the scope of the study. For this purpose, common hacking tools (Hulk, Nmap, Tor's Hammer, etc.) were used to obtain a mix of normal activities and current attack behaviors. Different types of attacks such as sniffing, flooding, jamming, guess_password, imap, portscan, ipscan, etc. were carried out with these tools. These attacks were captured and recorded with the Wireshark tool. On these recorded data, the attacks were detected with an accuracy rate of 99.69% by the developed algorithm. This part of the study will be developed in the future by further detailing it and creating a general dataset. When the results are compared with leading methods in the literature, time and memory usage were also saved.
In summary, this study both performs feature reduction and detects and classifies abnormal behaviors by analyzing WLAN network traffic.
The rest of the study is organized as follows. In Section II, related works are summarized. In Section III, the proposed methodology is explained in detail. In Section IV, the implementation and results of the proposed methodology and other machine learning techniques are given. Finally, the conclusion is given in Section V.

II. RELATED WORK
With the increasing use of WLAN technology, interest in the subject has also increased among researchers, and a lot of research has been done on it. Researchers are studying various methods and datasets to detect WLAN attacks. When these studies are examined, it is seen that important results have been obtained up to the present. A summary of the related studies can be seen in Table I. Singhrova [15] described the architecture of a host-based intrusion detection system for DoS attacks in distributed WLANs. The presented system is an intelligent system that detects intrusions periodically and dynamically. In this context, each host monitors its surrounding nodes and maintains a database about its own transmissions as well as those of its neighbor nodes. According to the author, the proposed system is confident and efficient, as it is applied on distributed nodes and all destination IP addresses. This study can be enhanced by checking the same approach for other attack types in WLANs. Thanthrige et al. [16] studied feature reduction techniques using the AWID dataset. Information Gain (IG) and Chi-Squared statistics (CH) were applied to reduce the number of features and evaluate the dataset performance. The obtained results showed that feature reduction increases performance in terms of complexity, time and accuracy. The classification accuracy increased by 2.4% with feature reduction from 110 to 41 features. However, this study can be improved by implementing the proposed approach on other well-known datasets.
Manzoor and Kumar [17] explained a feature reduction method which applies feature ranking based on correlation and information gain. The proposed method was based on an ANN (Artificial Neural Network) and applied on the KDD'99 dataset. A comparison of the proposed method with and without feature reduction was performed. According to the obtained results, the performance of the system with feature reduction is better than that of the system without it. This study can also be improved by implementing the proposed approach on other datasets. Usha and Kavita [18] presented a normalized gain based IDS for 802.11 intrusions named NMI. The proposed NMI consists of two components: optimal feature selection, and categorizing and detecting intrusions with an SVM classifier. The proposed method was applied on the AWID dataset. The experimental results demonstrated that computational complexity and false positive rates were reduced by decreasing the number of features, and an accuracy rate of 99.2% was obtained. However, the proposed study can be extended by using individual attack scenarios.
Primartha and Tama [19] explained a random forest classifier whose parameters are set to enhance the performance of anomaly detection in IoT networks. They compared IDS performance with the proposed algorithm using the false alarm rate and accuracy metrics. They experimented on the GPRS, UNSW-NB15 and NSL-KDD datasets. According to the authors, they obtained better results than most recent studies on the NSL-KDD dataset in terms of false alarm rate and accuracy. They also obtained a better result than the MLP algorithm on the GPRS dataset in terms of accuracy, but could not perform better on the UNSW-NB15 dataset. A comparison of NIDSs is presented by Magán-Carrión et al. [22]. The study consists of two stages. The first stage is a comprehensive review of recent network-based intrusion detection systems based on machine learning approaches. The second stage is a methodology named FaaC (Feature as a Counter) for addressing network attack detection problems. The proposed methodology is tested on the UGR'16 dataset. According to the authors, almost all of the investigated papers did not accomplish the mandatory steps for a reliable comparison and evaluation of NIDSs. However, this study can be further improved not only by using standard machine learning techniques but also by proposing their own method. According to Abdulhammed et al. [20], feature selection is a key factor for an improved wireless intrusion detection system based on machine learning classifiers. This study discusses multiclass classification using four effective feature sets of 5, 7, 10, and 32 features, respectively. The AWID dataset was used to evaluate the efficiency of seven well-known machine learning classifiers on the selected sets of features. The proposed system used a Random Forest algorithm with 32 features and achieved a maximum accuracy of 99.64%. Zwane et al. [21] analyzed the performance of machine learning classifiers for IDSs. In this paper, seven different machine-learning-based classifiers are analyzed. WEKA was used to implement and evaluate the classifiers. According to the obtained results, ensemble-based learning methods are better than single learning methods. However, ensemble classifiers can be slower in terms of building and testing time.

TABLE I. SUMMARY OF RELATED STUDIES
Study | Method | Result | Year
Singhrova [15] | Host-based IDS architecture for DoS attacks in distributed WLAN. | It is confident and efficient, as it applied to distributed nodes. | 2011
Thanthrige et al. [16] | Feature reduction techniques such as Information Gain (IG) and Chi-Squared statistics (CH). | Feature reduction can give better results according to accuracy, time and complexity. | 2016
Manzoor and Kumar [17] | Feature reduction method based on information gain and Artificial Neural Network. | Performance with feature reduction is better than without it. | 2017
Usha and Kavita [18] | Gain based intrusion detection system for 802.11 intrusions named as NMI. | The computation complexity and false positives reduced and accuracy rate of 99.2% was obtained. | 2017
Primartha and Tama [19] | Random forest classifier with parameter setting. | Obtained better results than most recent studies on NSL-KDD dataset according to false alarm rate and accuracy. |
Abdulhammed et al. [20] | Multiclass classification with feature sets of 5, 7, 10 and 32 features. | Random Forest algorithm and 32 features achieves a maximum accuracy of 99.64%. | 2018
Zwane et al. [21] | Analyzed performance of machine learning classifiers for IDSs. | Ensemble-based learning methods are better than single learning methods. However, it can be slower in terms of building time and model testing time. | 2018
Magán-Carrión et al. [22] | Including comprehensive research and proposed a methodology named as FaaC for addressing NIDSs. | Investigated papers did not accomplish mandatory steps for a reliable evaluation. The proposed methodology can help future research to fairly assess NIDSs. | 2020
Lopez-Martin et al. [23] | Proposed an application of deep reinforcement learning (DRL) algorithms for intrusion detection. | Double Deep Q-Network algorithm gave the best result. The proposed classifier with DRL is faster than other models. | 2020
Lopez-Martin et al. [23] suggested an application of different deep reinforcement learning (DRL) algorithms to intrusion detection by using NSL-KDD and AWID datasets. They made a conceptual change to the classical DRL paradigm. In addition, they presented the results of applying their technique to four DRL models: Actor-Critic, Double Deep Q-Network, Deep Q-Network and Policy Gradient. According to the obtained results, the Double Deep Q-Network algorithm produced the best result. Additionally, the proposed classifier by using DRL is faster than other models.
Duan et al. [24] suggested an intelligent intrusion detection framework which uses deep belief networks (DBN) and principal component analysis (PCA). They used two different methods to preprocess the data: PCA with BP (back propagation), and DBN. In the PCA with BP stage, they used PCA to perform feature learning on the collected network data and combined it with BP as a classifier to complete the data preprocessing steps. In the DBN stage, they extracted the original input layer by layer and combined it with multi-layer RBMs (restricted Boltzmann machines). According to the paper, the test results showed that DBN improved the performance of feature learning. A wireless intrusion detection system (WIDS), which works on deep learning with a wrapper, is proposed by Kasongo and Sun [25]. The proposed system used a feed-forward deep neural network (FFDNN) with wrapper-based feature extraction (WFE). The WFE uses additional trees to generate an optimal feature vector. To evaluate the model performance, they used the UNSW-NB15 and AWID datasets. They also compared their results with RF, SVM, NB, DT, and KNN classifiers. According to the test results, the proposed system outperformed the existing approaches in terms of accuracy.
When existing studies are examined, it is seen that well-known datasets in the literature such as KDD'99, AWID, etc. are used. Various techniques such as preprocessing, feature selection and reduction, and machine learning methods have been applied to these datasets to detect attacks and obtain high accuracy. When the techniques in these studies are evaluated, it is seen that preprocessing and feature reduction steps increase performance before machine learning methods are applied [10,26,27,28]. Additionally, some machine learning methods may outperform others depending on the number of used features and the distribution and size of the data [5]. As a result, when the studies are examined, it appears that WLAN attacks still cannot be detected dynamically with high accuracy and that there is no classification of attack types. In addition, the studies work only on feature reduction or only on attack detection; there is no study that presents an original approach for both. Furthermore, when testing their methodologies, the studies generally used a single dataset. In this context, our proposed study conducts experiments on more datasets. At the same time, a small dataset was created using attack tools, and a study was conducted on it. With these aforementioned aspects, our study provides more important contributions than the studies in the literature.

III. THE PROPOSED METHODOLOGY
It is important to detect attack traffic with high accuracy to protect WLANs. In addition to high accuracy, fast detection is also important. In this context, a methodology is proposed to detect attacks quickly and accurately. The signature-based model has low time and memory usage, while the anomaly-based model provides high accuracy thanks to its ability to detect previously unknown attacks.
The block diagram of the proposed method is given in Figure 1. The proposed method consists of 4 blocks:
1. The dataset is selected and analyzed.
2. Features are selected and grouped.
3. Signature- and anomaly-based attacks are detected.
4. Training and classification are performed to detect the attacks.
In Block 1, the features are grouped according to the traffic result (normal/attack) to determine the effect of each feature. Existing datasets and analysis methods were used in the scope of Block 1. One of the main contributions of the study is the FSAP approach for feature selection, proposed in the scope of Block 2. To select the important features, the calculated threshold value and the proposed algorithm are used. Another contribution of the study is SABADT, a combination of signature- and anomaly-based techniques for attack detection, proposed in the scope of Block 3.
Firstly, signatures are extracted from features that can reach the result directly, using the signature-based technique. Secondly, behaviors are determined and rules are extracted using the anomaly-based technique. In Block 4, training and classification are carried out with both the proposed methodology and known techniques from the literature.

A. ANALYZING DATASET
At this stage, well-known datasets including KDD'99, UNSW-NB15, ADFA-LD, AWID, etc. were used. These datasets were analyzed according to their features and results. As a result of the analysis, the common features of the datasets were determined. These common features are used in the signature-based model stage of the proposed attack detection technique. The content features of the datasets are used in the anomaly-based model stage. The features of 3 different datasets are given in Table II. Some features are common to all of them; these are marked and used as basic features that can be present in every dataset.

B. PROPOSED FEATURE SELECTION APPROACH (FSAP)
Feature selection is one of the most important steps in building a machine learning model [29]. Each feature has an impact on the traffic result, but some features have less impact than others [30,31]. The proposed FSAP approach for feature selection consists of two steps. In the first step, the threshold value is calculated by using Eq. (1).

(1)

where t is the threshold value for feature selection, f is the total number of features in the dataset, g is the number of groups formed by the "feature & traffic result" grouping, and std(g) is the standard deviation over all groups. As a result of Eq. (1), the features below the threshold value are eliminated. In the second step, the groups formed by the remaining features (> t) are analyzed. The number of groups of a feature can be above the threshold value, yet the feature may consist of a wide range of values, or each value may correspond to both traffic results (normal or attack). For example, suppose a feature has 100 different values (1, 2, …, 100). If each value occurs in both the attack and the normal case, the feature forms 200 different groups. The number of groups stays above the threshold value, but when the content is analyzed, the feature is not important for detecting the attack status. The formation of a group is given in Table III.

TABLE III. FEATURE

In the second step of feature selection, the following parameters are determined:
- the number of different data values in the group
- the distribution of the number of data in the group over the result
- the min/max/average values of the normal and attack states according to the feature

Features that are decisive with respect to these parameters are added to the selected features list. The algorithm used when selecting the features is given in Algorithm 1.

VOLUME XX, 2017

ALGORITHM 1: FSAP Algorithm
Input: Feature Groups List
Output: Selected Features List
Definitions:
  the number of results corresponding to the data in the group
  tN: total number of normal results corresponding to the data in the group
  tA: total number of attack results corresponding to the data in the group
  state corresponding to the data in the group
  the number of identical data values in the group
  ratio of normal/attack results for the same data value
  max value of the feature in the normal state
  min value of the feature in the normal state
  max value of the feature in the attack state
  miA: min value of the feature in the attack state
for i ← 1 to n do
  if g(j+1) < miA then

As a result of applying the threshold value and the feature selection algorithm, the important features are selected. Selecting the appropriate features is very important for creating a successful model in machine learning. In this context, with the FSAP approach, both the selection of the correct features and feature reduction take place.
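The two FSAP steps as an added Python example (not the paper's code): step 1 groups each feature by (value, traffic result) and compares the number of groups with the threshold, step 2 computes the per-group tN/tA distribution and the normal/attack min/max/avg. Eq. (1) is not reproduced on the page, so the threshold t is passed in as a parameter; the records and the decision rule in is_determining are constructed assumptions.

```python
"""Added example (not the paper's code): the two FSAP steps on a constructed
KDD'99-style mini dataset. Eq. (1) is not reproduced on the page, so the
threshold t is given as a parameter."""
from collections import Counter
from statistics import mean

# Constructed records: one dict per connection with the traffic result as label.
RECORDS = [
    {"duration": 0, "logged_in": 1, "src_bytes": 215, "label": "normal"},
    {"duration": 1, "logged_in": 1, "src_bytes": 240, "label": "normal"},
    {"duration": 2, "logged_in": 1, "src_bytes": 180, "label": "normal"},
    {"duration": 1, "logged_in": 0, "src_bytes": 200, "label": "normal"},
    {"duration": 0, "logged_in": 0, "src_bytes": 0, "label": "attack"},
    {"duration": 0, "logged_in": 0, "src_bytes": 0, "label": "attack"},
    {"duration": 35, "logged_in": 0, "src_bytes": 1032, "label": "attack"},
    {"duration": 120, "logged_in": 1, "src_bytes": 5400, "label": "attack"},
    {"duration": 300, "logged_in": 0, "src_bytes": 0, "label": "attack"},
]


def group_feature(records, feature):
    """Step 1 grouping ("feature & traffic result"): how many records fall
    into each (value, result) group of one feature."""
    return Counter((r[feature], r["label"]) for r in records)


def select_by_threshold(records, features, t):
    """Step 1 selection: keep features whose number of groups exceeds t."""
    return [f for f in features if len(group_feature(records, f)) > t]


def feature_parameters(records, feature):
    """Step 2 parameters: distinct values, per-value tN/tA distribution and
    the min/max/avg of the feature in the normal and attack states."""
    groups = group_feature(records, feature)
    values = sorted({v for v, _ in groups})
    per_value = {v: {"tN": groups[(v, "normal")], "tA": groups[(v, "attack")]}
                 for v in values}
    normal = [r[feature] for r in records if r["label"] == "normal"]
    attack = [r[feature] for r in records if r["label"] == "attack"]
    return {
        "distinct": len(values),
        # values that occur with both results, like the logged_in example
        "ambiguous_values": sum(1 for v in values
                                if per_value[v]["tN"] and per_value[v]["tA"]),
        "per_value": per_value,
        "normal": {"min": min(normal), "max": max(normal), "avg": mean(normal)},
        "attack": {"min": min(attack), "max": max(attack), "avg": mean(attack)},
    }


def is_determining(params):
    """Assumed decision rule for step 2: the feature is kept when attack values
    reach outside the normal range, so a signature such as
    'value > max(normal)' can reach the result directly."""
    return (params["attack"]["max"] > params["normal"]["max"]
            or params["attack"]["min"] < params["normal"]["min"])


def fsap(records, features, t):
    """Full FSAP: threshold step, then the parameter analysis of step 2."""
    kept = select_by_threshold(records, features, t)
    return [f for f in kept if is_determining(feature_parameters(records, f))]
```

With t = 4, logged_in forms only 4 groups and is eliminated in step 1, while duration and src_bytes pass both steps because their attack values fall outside the normal range.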

C. PROPOSED HYBRID SIGNATURE AND ANOMALY BASED ATTACK DETECTION TECHNIQUE (SABADT)
The SABADT model is proposed by combining the signature- and anomaly-based techniques. In the first step, the signature-based technique is used because it quickly detects known attacks. In the second step, the anomaly-based technique is used because it can also detect unknown attacks. With this hybrid model, the aim is to develop an attack detection system that is fast and has high accuracy.

1) SIGNATURE BASED MODEL
At this step of the model, firstly, the behaviors (signatures) of the attack types known in the literature are considered and their rules are recorded. Some of these known rules are as follows:
1. Flood attacks often cause an increase in management frames per unit time. While it is easy to distinguish a flood attack from normal traffic, it is not always easy to distinguish it from other types of attacks [32,33,34].
2. Injection attacks often cause corruption of valid and encrypted data frames. In these attacks, the attacker wants to transfer a large number of small data frames over a considerable period of time [35].
3. During a fragmentation attack, the attacker injects a short and fragmented data frame. If successful, this process usually takes no more than a second; if not successful, the same process is repeated [36].
4. Impersonation attacks provide an additional AP (access point) in the neighborhood broadcasting a pre-existing valid network. The common signature of all impersonation attacks is that the victim network nearly doubles its number of Beacon frames [37].
Afterwards, datasets commonly used in the literature were examined [9,38,39]. Each dataset has its own content features as well as basic features that are commonly used when detecting intrusions. Rules are extracted based on these basic features. Firstly, each of the selected basic features was analyzed separately. Parameters were determined from the result of this analysis (average/max/min normal time, number of transferred packets, used protocols, etc.). Where the result can be reached directly, the rules were extracted and added to the signature list. For instance, the maximum duration in the normal state of a network was determined, and a rule was extracted by comparing it with the duration in the attack state. Secondly, all of the selected basic features were analyzed together, so that situations outside the determined parameters are not overlooked. For example, in case of an attack, the usage time of the network can be in the normal range. When the time feature is examined together with the amount of transferred data, the amount of transferred data may be much higher than in the normal status. This shows that there is an attack within a normal traffic time. The aim of the first step of the model is to determine the results that can be reached directly and to increase the speed of detecting the attack. In the second step, the aim is to obtain a high accuracy rate by examining all situations that could be overlooked. The algorithm of the signature-based model is given in Algorithm 2. (Due to the large number of parameters and rules determined, the calculation details are not given for each of them; they are written as basic functions.) To summarize, both the signatures of known attacks in the literature and the signatures of unknown attacks determined on the common basic features of widely used datasets were recorded.
Initially, each of the selected basic features was analyzed separately and the parameters were determined as a result of the analysis. Where the result can be reached directly, the rules were extracted and added to the signature list. Then, all of the selected basic features were analyzed together. With this model, the aim is to increase the accuracy rate through detailed analysis of the features, and the speed of attack detection through rules that reach the result directly.

2) ANOMALY BASED MODEL
In the second step of the model, traffic behavior analysis was performed using the content features of the dataset. The time-dependent traffic features and the additional features specific to the dataset were analyzed, and rules were extracted. Thanks to the anomaly-based model, unknown attacks can be detected. Although its time and memory usage are high compared to the signature-based model, it provides high accuracy thanks to its ability to detect previously unknown attacks [40,41]. While creating the anomaly-based model, each feature group was first analyzed on its own. After that, all the features were analyzed together and the rules were extracted. The algorithm of the anomaly-based model is given in Algorithm 3. (Due to the large number of parameters and rules determined, the calculation details are not given for each of them; they are written as basic functions.) In the anomaly-based model, the number of rules is large and the details are quite complex. During the implementation of the model, time usage is high, but the accuracy rate increases when detecting the attacks. In addition, thanks to the reduced features, an improvement in time is achieved.

D. TRAINING AND CLASSIFICATION
While performing the training and classification, the proposed methodology and machine learning techniques from the literature were applied on the KDD'99 dataset. In the training phase, the KDD'99 training dataset (494020 records) was used, and in the testing phase, the KDD'99 testing dataset (311028 records) was used. Machine learning algorithms have been used in many different areas for many years, and they have recently been applied to the analysis and detection of attacks in wireless local area networks. Therefore, applicable algorithms are used in this study. Although it cannot be said in general that one algorithm is better than another, each algorithm has its own advantages and disadvantages. An algorithm can perform better than others depending on the distribution of the data, the number of features, and the dependencies between features [15,19,42,43].

E. EVALUATION OF MODEL PERFORMANCE
To evaluate the model performance, as well as to compare the performance of the machine learning algorithms, metrics such as recall, false positive, false negative, precision, f-measure and accuracy are used. These values are calculated from the confusion matrix (Table IV).

(3)
f-Measure = (2 * precision * recall) / (precision + recall) (4)
Accuracy = (TP + TN) / (TP + TN + FP + FN) (5)

IV. IMPLEMENTATION OF PROPOSED METHODOLOGY
Implementation of the proposed methodology was carried out on the Python platform on KDD'99 dataset. The implementation on KDD'99 dataset has been explained since it contains a high amount of data and is the most used dataset in this field. The implementation of this methodology is explained in detail in the following sections.

A. KDD'99 DATASET
The KDD'99 dataset was created in 1999 by passing the DARPA dataset through some preprocessing, and it has been used and cited in many studies [38]. The KDD'99 dataset is primarily used in IDS and machine learning research. In the KDD'99 dataset, a feature map consisting of 9 basic and 32 derived features, 41 features in total, was created. These 41 features are defined in four main categories: basic features, content features, host-based traffic features and time-based traffic features (Table V). The basic features of this dataset are taken only from TCP connections. These features are easier to obtain than the other categories, as there is no need to preprocess the network traffic data. Content features are connection-content features obtained using domain knowledge. Time-based traffic features is the name given to features extracted using the "same server" and "same service" notions. "Same server" features are obtained by examining the connections made to the same server in the last two seconds. Similarly, "same service" features are obtained by examining the connections made to the same service in the last two seconds.

TABLE V. KDD'99 TIME-BASED AND HOST-BASED TRAFFIC FEATURES
Time-based traffic features
count | Number of connections to the same host as the current connection in the past two seconds
srv-count | Number of connections to the same service as the current connection in the past two seconds
serror-rate | Percent of connections with "SYN" errors at the same host
srv-serror-rate | Percent of connections with "SYN" errors at the same service
rerror-rate | Percent of connections with "REJ" errors at the same host
srv-rerror-rate | Percent of connections with "REJ" errors at the same service
same-srv-rate | Percent of connections to the same service
diff-srv-rate | Percent of connections to different services
srv-diff-host-rate | Percent of connections to different hosts
Host-based traffic features
dst-host-count | Number of connections with the same destination host
dst-host-srv-count | Number of connections with the same destination host and using the same service
dst-host-same-srv-rate | Percent of connections with the same destination host and using the same service
dst-host-diff-srv-rate | Percent of different services on the current host
dst-host-same-src-port-rate | Percent of connections to the current host with the same src port
dst-host-srv-diff-host-rate | Percent of connections to the same service coming from different hosts
dst-host-serror-rate | Percent of connections to the current host with S0 error
dst-host-srv-serror-rate | Percent of connections to the current host and specified service that have an S0 error
dst-host-rerror-rate | Percent of connections to the current host with RST error
dst-host-srv-rerror-rate | Percent of connections to the current host and specified service with RST error

The KDD'99 dataset includes 38 different statuses in total. While 23 of these are in the training dataset, the test dataset includes 15 more attack types that are not included in the training dataset. In this study, the aim is to detect the 23 known and 15 unknown attack types with high accuracy (Table VI). While creating the proposed technique, the KDD'99 training dataset was used.
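How the time-based traffic features of Table V are derived from raw connections, as an added Python example (not the paper's code or the KDD'99 generator). The connection log is constructed; the code assumes the two-second window includes the current connection, that a "SYN error" is the S0 connection flag and a "REJ error" the REJ flag, and that the log is sorted by time.

```python
"""Added example (not the paper's code): deriving the KDD'99 time-based
traffic features of Table V from a constructed raw connection log. Assumes the
two-second window includes the current connection, that a "SYN error" is the
S0 connection flag and a "REJ error" the REJ flag, and a time-sorted log."""

WINDOW = 2.0  # seconds, per the "past two seconds" definition in Table V

# Constructed connection log: (timestamp_s, dst_host, service, flag)
CONNECTIONS = [
    (0.0, "10.0.0.5", "http", "SF"),
    (0.5, "10.0.0.5", "http", "SF"),
    (1.0, "10.0.0.5", "smtp", "S0"),
    (1.5, "10.0.0.5", "http", "REJ"),
    (1.8, "10.0.0.9", "http", "SF"),
    (2.0, "10.0.0.5", "http", "S0"),
    (5.0, "10.0.0.5", "http", "SF"),
]


def _rate(subset, pred):
    """Share of connections in subset satisfying pred (0.0 for an empty subset)."""
    return sum(1 for c in subset if pred(c)) / len(subset) if subset else 0.0


def time_based_features(conns, i, window=WINDOW):
    """Table V time-based features for connection i, computed over the
    connections that started within `window` seconds before it."""
    ts, host, svc, _flag = conns[i]
    recent = [c for c in conns[:i + 1] if ts - c[0] <= window]
    same_host = [c for c in recent if c[1] == host]   # the "same server" set
    same_srv = [c for c in recent if c[2] == svc]     # the "same service" set
    return {
        "count": len(same_host),
        "srv_count": len(same_srv),
        "serror_rate": _rate(same_host, lambda c: c[3] == "S0"),
        "srv_serror_rate": _rate(same_srv, lambda c: c[3] == "S0"),
        "rerror_rate": _rate(same_host, lambda c: c[3] == "REJ"),
        "srv_rerror_rate": _rate(same_srv, lambda c: c[3] == "REJ"),
        "same_srv_rate": _rate(same_host, lambda c: c[2] == svc),
        "diff_srv_rate": _rate(same_host, lambda c: c[2] != svc),
        "srv_diff_host_rate": _rate(same_srv, lambda c: c[1] != host),
    }


def feature_table(conns):
    """One feature row per connection, in log order."""
    return [time_based_features(conns, i) for i in range(len(conns))]
```

For the connection at t = 2.0 s, five connections to 10.0.0.5 fall in the window, two of them with S0 flags, so count is 5 and serror_rate is 0.4; the connection at t = 5.0 s sees only itself.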
In order to determine the traffic results, all attack types are labeled as "attack" and the rest as "normal". First of all, the important features are selected with the proposed feature selection approach. Afterwards, the model was created by extracting rules from the situations that can directly reach the result (signature-based) and from traffic behavior (anomaly-based). In the testing phase of the proposed model, the whole KDD'99 dataset was used.

B. IMPLEMENTATION OF FSAP
Firstly, each feature in the dataset is grouped with the traffic condition result (normal/attack) (service-result, count-result, duration-result, etc.). The number of groups formed by each feature, that is, its effect on the result, is compared with the calculated threshold value. Features above this value are important features for the result and these features have been selected.
In Figure 2, when the "logged_in" feature is split by the values it takes and by the attack status, it forms 4 groups, but its determining power is low. When "logged_in" is 0, there are 393445 attack and 27339 normal records; when it is 1, there are 3298 attack and 66939 normal records. Neither the attack count nor the normal count is negligible for the same value. Taken together with other features it certainly has some determining effect, but there are more important features that lead to a result faster. For this reason the feature falls below the threshold value and is eliminated during feature selection.

FIGURE 2. Grouping result of "logged_in" feature
In Figure 3, when the "duration" feature is split by its values and by the attack status, it forms 2560 groups. Both attack and normal records appear for the same small values (0, 1, 2), but the counts differ with the attack status, and the attack status becomes clearly visible above the maximum normal duration, max(normal_duration). The parameters specified in the proposed feature selection method are therefore satisfied by this feature. As a result, "duration" stays above the threshold value, meets the selection parameters and is added to the feature list. In summary, the features selected by the proposed feature selection method and used in the created model are listed in Table VII.

TABLE VII. SELECTED FEATURES
duration
service
src-bytes
dst-bytes
count
srv-count
serror-rate
srv-rerror-rate
same-srv-rate
srv-diff-host-rate
dst-host-count
dst-host-same-srv-rate
dst-host-srv-diff-host-rate
dst-host-serror-rate
dst-host-srv-serror-rate
dst-host-rerror-rate
dst-host-srv-rerror-rate

IMPLEMENTATION OF SABADT
Using the features that remain after the feature selection algorithm, the rules that lead directly to the attack result from the basic features of the KDD'99 dataset (Table IV) were extracted for the signature-based model and recorded with the label "attack". This stage alone decides the result for 35% of the dataset, which saves time and memory. Some of these signatures are given in Table VIII.

TABLE VIII. EXTRACTED SIGNATURES FROM BASIC FEATURES (THE LIST IS ABBREVIATED)
duration < min("normal-duration") -> attack
duration > max("normal-duration") -> attack
src-bytes > max("normal-src-bytes") -> attack
dst-bytes > max("normal-dst-bytes") -> attack
duration >= 1, src-bytes = 0, dst-bytes = 0 -> attack
duration >= avg("normal-duration"), src-bytes = 1, dst-bytes = 0 -> attack
duration >= avg("normal-duration"), src-bytes = 0, dst-bytes = 1 -> attack
other situations -> normal

In the second step of the proposed model, behavior analysis was performed and rules were created from the content features, host-based features and time-based features of KDD'99. During the analysis, the content features were examined first, then the host-based features, then the time-based features. For example, a connection over the "private" service type with no data flow and a number of failed logins greater than 0, or an intense number of connections to the same host in the last 2 seconds, is labeled as an attack. Some of these rules are given in Table IX.

TABLE IX. EXTRACTED RULES FROM ADDITIONAL FEATURES (THE LIST IS ABBREVIATED)
service = private, src-bytes = 0, dst-bytes = 0 -> attack
service = private, serror-rate != 0, serror-rate != 0 -> attack
service = eco-i, srv-diff-host-rate = 1 -> attack
service = http, src-bytes > max("normal-src-bytes") -> attack
service = finger, count >= avg("normal-count"), dst-host-srv-serror-rate >= 0.1 -> attack
service = ssh, src-bytes = 0, dst-bytes = 0 -> attack
service = ftp-data, duration = 0, dst-host-same-srv-rate = 1, dst-host-diff-srv-rate = 0, dst-host-same-src-port-rate = 1 -> attack
service = telnet, count >= avg("normal-count"), srv-count >= avg("normal-srv-count") -> attack
other situations -> normal

In the last stage, the rules derived from the KDD'99 training dataset were applied to the KDD'99 testing dataset.
To evaluate the success of the proposed methodology in detecting unknown attacks, the KDD'99 testing dataset, which consists of 311028 records, was used. The test dataset includes 15 attack types that are not in the training dataset. In addition to the proposed methodology, machine learning techniques from the literature were also run on it: Naive Bayes, SVM, Decision Tree and Decision Table.

OBTAINED RESULTS
The metrics used to compare the performance of the proposed model are given in Table X. In testing, the proposed method reached an accuracy rate of 99.65% in detecting attacks. SVM and Decision Tree also yielded good results, but their time and memory usage is poor compared with the proposed methodology.
The leading methods in the literature are listed in Table XI. Few of them propose algorithms for both feature selection and attack detection. Among the existing ones, Babirye and Mwebaze [51] obtained the accuracy closest to the proposed method, but the proposed method is more successful in both the number of features used and the accuracy obtained. Iwendi et al. [53] use few features, but the proposed method achieves the higher accuracy rate.

B. UNSW-NB15 DATASET
The raw network packets of the UNSW-NB15 dataset were generated with the IXIA PerfectStorm tool in the Cyber Range Lab of the Australian Centre for Cyber Security (ACCS) to yield a mix of real normal activities and synthetic contemporary attack behavior. tcpdump was used to capture 100 GB of raw traffic (Pcap files). The dataset has 49 features in total (Table XII) and nine attack categories: Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode and Worms (Table XIII). The last two rows of Table XIII read:
Shellcode: a small piece of code that the attacker injects as the payload and that, starting from a shell, is used to control the compromised machine.
Worms: an attack in which the malware replicates itself and spreads to other computers, usually over a network, relying on security flaws of the target computer to gain access.
The UNSW-NB15_training-set was used to build the model for training and classification. Attack types are labeled "attack" and normal situations "normal", since deciding between attack and normal is the first stage of the problem. First, the important features were selected with FSAP. Then the model was built by extracting rules from the situations that lead directly to a result (signature-based) and from the traffic behavior (anomaly-based). In the testing phase of the model, the UNSW-NB15_testing-set was used.

IMPLEMENTATION OF FSAP
First, each feature in the dataset is grouped together with the traffic result (normal/attack), giving pairs such as service-attack_cat, proto-attack_cat and sttl-attack_cat. The number of groups formed by each feature, taken as its effect on the result, is compared with the calculated threshold value; features above it are selected as important. In Figure 4 the "ct_ftp_cmd" feature takes the values 0, 1 and 2. Split by value and attack status it forms 6 groups, but its determining power is low: when "ct_ftp_cmd" is 0, there are 45021 attack and 36661 normal records, so neither count is negligible for the same value. Taken together with other features it has some determining effect, but there are more important features that lead to a result faster, so the feature falls below the threshold value and is eliminated. In Figure 5, the "spkts" feature, split by value and attack status, forms 572 groups. The distribution over the connected service types and attack types is heterogeneous; for instance, when the packet count is 2 there are 2 different situations and the number of attacks is markedly higher than the number of normal records. Above a certain value, that is, as the packet count grows, the attack status becomes more pronounced. The parameters specified in the proposed feature selection method are satisfied by this feature as well, so "spkts" is added to the feature list, both by being above the threshold value and by meeting the selection parameters.
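The grouping step described above for "logged_in" and "duration" on KDD'99 and here for "ct_ftp_cmd" and "spkts" on UNSW-NB15, as an added Python example that is not the paper's code. It pairs each feature's values with the traffic label, counts the resulting (value, label) groups the way Figures 2 to 5 do, and, as a stand-in for the paper's selection parameters, which this page does not reproduce, checks whether attack records fall outside the value range seen in normal traffic (the way attacks appear above max(normal_duration) in Figure 3). The records, the group threshold and that range check are constructed assumptions, not dataset figures.

```python
"""FSAP-style feature screening over constructed KDD'99-like records.
Each feature is grouped with the traffic label; the number of (value, label)
groups is compared with a threshold, and a stand-in separability check asks
whether attacks fall outside the normal value range (the paper's own selection
parameters are not reproduced on this page)."""
from collections import defaultdict

# Constructed records shaped like Figures 2 and 3: "logged_in" mixes both
# classes in each of its two values, "duration" separates attacks above the
# largest normal value. Counts are small stand-ins, not dataset figures.
RECORDS = (
    [{"logged_in": 0, "duration": 0, "label": "attack"}] * 40
    + [{"logged_in": 0, "duration": 0, "label": "normal"}] * 10
    + [{"logged_in": 1, "duration": 1, "label": "attack"}] * 2
    + [{"logged_in": 1, "duration": 2, "label": "normal"}] * 8
    + [{"logged_in": 0, "duration": d, "label": "attack"} for d in range(50, 60)]
)


def group_by_result(records, feature):
    """Pair the feature with the result: {value: {"attack": n, "normal": n}}."""
    groups = defaultdict(lambda: {"attack": 0, "normal": 0})
    for r in records:
        groups[r[feature]][r["label"]] += 1
    return dict(groups)


def group_count(groups):
    """Number of non-empty (value, label) groups; "logged_in" gives 4."""
    return sum(1 for g in groups.values() for n in g.values() if n > 0)


def attacks_outside_normal_range(records, feature):
    """Stand-in separability check for numeric features: attack records whose
    value lies outside [min, max] of the normal records (assumed criterion)."""
    normal = [r[feature] for r in records if r["label"] == "normal"]
    lo, hi = min(normal), max(normal)
    return sum(1 for r in records if r["label"] == "attack" and not lo <= r[feature] <= hi)


def select_features(records, features, group_threshold):
    """Keep features whose group count reaches the (assumed) threshold and that
    separate at least some attacks from the normal value range."""
    selected = {}
    for f in features:
        groups = group_by_result(records, f)
        n_groups = group_count(groups)
        outside = attacks_outside_normal_range(records, f)
        if n_groups >= group_threshold and outside > 0:
            selected[f] = {"groups": n_groups, "attacks_outside_normal_range": outside}
    return selected


if __name__ == "__main__":
    for f in ("logged_in", "duration"):
        print(f, group_by_result(RECORDS, f))
    print(select_features(RECORDS, ["logged_in", "duration"], group_threshold=5))
```

On these records "logged_in" forms 4 groups with both classes present in each value and is dropped, while "duration" forms 14 groups and places all of its high values on the attack side, so it is kept; categorical features such as "service" would need a different separability test than the numeric range used here.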
Extracted signatures for UNSW-NB15 (the list is abbreviated):
min("normal_duration") < dur < max("normal_duration") -> normal
min("normal_src_bytes") < sbytes < max("normal_src_bytes") -> normal
service = "-", protocol = "tcp", dur < max("normal_duration") -> normal
service = "http", protocol = "tcp", dur > max("normal_duration") -> attack
service = "dns", protocol = "udp", dur > max("normal_duration") -> attack
service = "smtp", protocol = "tcp", dur > max("normal_duration") -> attack
dur = 0, spkts > max("normal_spkts") -> attack

In the second step of the proposed model, behavior analysis was performed and rules were created from the content features, flow features, time features and additional features of UNSW-NB15. During the analysis, the content features were examined first, then the flow features, then the time features and finally the additional features. Some of these rules are given in Table XVI. In the last stage, the rules extracted from the training dataset were applied to the test dataset.
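The two-stage labelling that Tables VIII and IX describe for KDD'99 and that the UNSW-NB15 signatures above repeat, as an added Python example that is not the paper's code. Bounds (min, max, avg) are learned from normal training records only, the signature rules are tried first and short-circuit, the anomaly rules run only on what the signatures leave undecided, and everything unmatched is labelled normal. The training and test records and the rule names are constructed; the KDD'99 service names use the dataset's underscore spelling (ftp_data, eco_i), and the rules encoded are a subset of the paper's tables.

```python
"""Two-stage SABADT-style labelling.  Stage 1 applies signature rules whose
bounds come from the normal training records; stage 2 applies anomaly rules
over service, host-based and time-based features; anything unmatched is
'normal'.  All records below are constructed for the example."""
from statistics import mean

# Constructed KDD'99-like normal training connections (bounds are learned from these).
KDD_TRAIN_NORMAL = [
    {"duration": 0, "src_bytes": 215, "dst_bytes": 45076, "count": 1, "srv_count": 1, "service": "http"},
    {"duration": 5, "src_bytes": 1000, "dst_bytes": 2000, "count": 3, "srv_count": 3, "service": "ftp_data"},
    {"duration": 20, "src_bytes": 300, "dst_bytes": 8000, "count": 2, "srv_count": 2, "service": "telnet"},
]
# Constructed UNSW-NB15-like normal training flows.
UNSW_TRAIN_NORMAL = [
    {"dur": 0.1, "sbytes": 500, "spkts": 4, "service": "http", "proto": "tcp"},
    {"dur": 2.0, "sbytes": 2000, "spkts": 10, "service": "dns", "proto": "udp"},
]


def learn_bounds(normal_records, features):
    """min/max/avg of each numeric feature over normal traffic only."""
    return {f: {"min": min(r[f] for r in normal_records),
                "max": max(r[f] for r in normal_records),
                "avg": mean(r[f] for r in normal_records)} for f in features}


def kdd_signature_rules(b):
    """Table VIII (subset): rules decidable from the basic features alone."""
    return [
        ("duration below normal min", lambda r: r["duration"] < b["duration"]["min"]),
        ("duration above normal max", lambda r: r["duration"] > b["duration"]["max"]),
        ("src_bytes above normal max", lambda r: r["src_bytes"] > b["src_bytes"]["max"]),
        ("dst_bytes above normal max", lambda r: r["dst_bytes"] > b["dst_bytes"]["max"]),
        ("long connection with no payload",
         lambda r: r["duration"] >= 1 and r["src_bytes"] == 0 and r["dst_bytes"] == 0),
    ]


def kdd_anomaly_rules(b):
    """Table IX (subset): rules that also need service, host-based and time-based features."""
    return [
        ("private service, no payload",
         lambda r: r["service"] == "private" and r["src_bytes"] == 0 and r["dst_bytes"] == 0),
        ("eco_i to many distinct hosts",
         lambda r: r["service"] == "eco_i" and r.get("srv_diff_host_rate", 0) == 1),
        ("telnet connection burst",
         lambda r: r["service"] == "telnet" and r["count"] >= b["count"]["avg"]
         and r["srv_count"] >= b["srv_count"]["avg"]),
    ]


def unsw_signature_rules(b):
    """UNSW-NB15 signatures (subset): service/protocol plus a bound learned from normal flows."""
    return [
        ("http/tcp longer than any normal flow",
         lambda r: r["service"] == "http" and r["proto"] == "tcp" and r["dur"] > b["dur"]["max"]),
        ("dns/udp longer than any normal flow",
         lambda r: r["service"] == "dns" and r["proto"] == "udp" and r["dur"] > b["dur"]["max"]),
        ("zero-duration packet burst",
         lambda r: r["dur"] == 0 and r["spkts"] > b["spkts"]["max"]),
    ]


def classify(record, signature_rules, anomaly_rules):
    """Return (label, stage, rule). The signature stage short-circuits, which is
    where the time and memory saving of the first stage comes from."""
    for stage, rules in (("signature", signature_rules), ("anomaly", anomaly_rules)):
        for name, matches in rules:
            if matches(record):
                return "attack", stage, name
    return "normal", "default", None


def evaluate(labelled, signature_rules, anomaly_rules):
    """Accuracy over (record, truth) pairs and the share decided already in stage 1."""
    correct = in_signature = 0
    for record, truth in labelled:
        label, stage, _ = classify(record, signature_rules, anomaly_rules)
        correct += label == truth
        in_signature += stage == "signature"
    return {"accuracy": correct / len(labelled), "signature_share": in_signature / len(labelled)}


# Constructed KDD'99-like test connections; the last two imitate attack types
# absent from training that the learned bounds still catch.
KDD_TEST = [
    ({"duration": 0, "src_bytes": 300, "dst_bytes": 5000, "count": 1, "srv_count": 1, "service": "http"}, "normal"),
    ({"duration": 5, "src_bytes": 1000, "dst_bytes": 2000, "count": 1, "srv_count": 1, "service": "ftp_data"}, "normal"),
    ({"duration": 0, "src_bytes": 0, "dst_bytes": 0, "count": 200, "srv_count": 5, "service": "private"}, "attack"),
    ({"duration": 0, "src_bytes": 8, "dst_bytes": 0, "count": 1, "srv_count": 1, "service": "eco_i",
      "srv_diff_host_rate": 1}, "attack"),
    ({"duration": 1, "src_bytes": 60, "dst_bytes": 120, "count": 10, "srv_count": 10, "service": "telnet"}, "attack"),
    ({"duration": 0, "src_bytes": 50000, "dst_bytes": 0, "count": 1, "srv_count": 1, "service": "http"}, "attack"),
    ({"duration": 30, "src_bytes": 0, "dst_bytes": 0, "count": 1, "srv_count": 1, "service": "private"}, "attack"),
]

if __name__ == "__main__":
    kb = learn_bounds(KDD_TRAIN_NORMAL, ["duration", "src_bytes", "dst_bytes", "count", "srv_count"])
    print(evaluate(KDD_TEST, kdd_signature_rules(kb), kdd_anomaly_rules(kb)))
```

The signature_share value is the quantity behind the paper's statement that 35% of KDD'99 is decided in the first stage; swapping in unsw_signature_rules with bounds learned from UNSW_TRAIN_NORMAL reuses the same engine for the second dataset, since only the rule lists change.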

OBTAINED RESULTS
The metrics used to compare the performance of the proposed model are given in Table XV.

TABLE XV. OBTAINED RESULTS

In testing, the proposed method obtained an accuracy rate of 99.17% in detecting attacks. Decision Table and Decision Tree gave similar results, but their runtime and memory usage are poor compared with the proposed method. Naive Bayes and AdaBoost, on the other hand, do not produce satisfactory results on datasets in which the hints of attacks are not obvious.
The contributions, methods, number of features and accuracy rates of some studies on the UNSW-NB15 dataset are given in Table XVI. Few of them develop algorithms for both feature selection and attack detection. Among the existing ones, Moustafa and Slay's work is close to the proposed method in the number of features used but far behind in accuracy, while Moustafa et al. is close in accuracy but does no feature selection: all features are used and standard methods are used for classification.

FIGURE 6. Distribution of researches' contribution
As Figure 6 shows, only 12% of the studies on the KDD'99 and UNSW-NB15 datasets contribute to both feature selection and classification, and 24% of them work on only one of the two datasets. The remaining studies test on both datasets but use existing methods from the literature for at least one of them.

IV. CONCLUSION
Because of the intense interest in wireless local area networks, research on IDSs has increased. However, there is still no WLAN intrusion detection system that reliably and accurately detects all possible attacks: an attack type previously identified as an anomaly may behave differently and escape identification. As a result, most techniques used in today's IDSs cannot cope with the dynamic and complex nature of cyber-attacks. To address these problems, a new methodology has been proposed that contributes to both the feature selection and the classification process. First, the Feature Selection Approach (FSAP), the basic step in building the model, consisting of the developed equation and algorithm, is proposed. Second, the hybrid SABADT technique, which combines signature-based and anomaly-based methods, is proposed for training and testing.
To evaluate the performance of the proposed methodology, the KDD'99 and UNSW-NB15 datasets were used, and the results were compared with the standard machine learning techniques most used in the literature. In testing, the proposed method reached accuracy rates of 99.65% and 99.17% in detecting attacks. In addition, the method was tested on current attacks within the scope of the study. For this purpose, common hacking tools (Hulk, Nmap, Tor's Hammer, etc.) were used to obtain a mix of normal activities and current attack behaviors, performing attacks such as sniffing, overflow, jamming, password guessing, imap, portscan, ipcan, etc. These attacks were captured with Wireshark, and some of them were used only in the testing phase. Here the attacks were detected with an accuracy rate of 99.69%, and the detection rate metrics were 0.6% to 11% better than those of the known machine learning techniques. The test datasets used for the model built from the extracted signatures and rules contain attack types that do not appear in the training datasets; given the accuracy rates obtained, these unknown attack types are also detected with high accuracy. The time and memory usage of the proposed methodology is also better than that of the other machine learning algorithms. Compared with the literature, very few studies propose both a feature selection and a classification approach, and the proposed study gives better results than the others in the number of features used and in accuracy. Moreover, the methodologies proposed in other studies are generally tested on a single dataset.

In this context, the proposed study conducts experiments on more datasets, and additionally on a small dataset created with attack tools. In these respects, the study offers more important contributions than the studies in the literature. In future work, the aim is to determine the type of attack in addition to detecting attacks by implementing novel approaches, and to raise the accuracy rate further while reducing the number of features used.