MLTs-ADCNs: Machine Learning Techniques for Anomaly Detection in Communication Networks

From a security perspective, the research of the jeopardized 6G wireless communications and its expected ultra-densified ubiquitous wireless networks urge the development of a robust intrusion detection system (IDS) with powerful capabilities which could not be sufficiently provided by the existing conventional systems. IDSs are still insufficient against continuous renewable unknown attacks on the wireless communication networks, especially with the new highly vulnerable networks, leading to low accuracy and detection rate with high (false-negative and false-positive) rates. To this end, this paper proposed a novel anomaly detection in communication networks by using an ensemble learning (EL) algorithm-based anomaly detection in communication networks (ADCNs). EL-ADCNs consists of four main stages; the first stage is the preprocessing steps. The feature selection method is the second stage. It adopts the proposed hybrid method using correlation with the random forest algorithm of ensemble learning (CFS–RF). It reduces dimensionality and retrieves the best subset feature of all the three datasets (NSL_KDD, UNSW_NB2015, and CIC_IDS2017) separately. The third stage is using hybrid EL algorithms to detect intrusions. It involves modifying two classifiers (i.e., random forest (RF), and support vector machine (SVM)) to apply them as adaboosting and bagging EL Algorithms; using the voting average technique as an aggregation process. The final stage is testing the proposal using binary and multi-class classification forms. The experimental results of applying 30, 35, and 40 features of the proposed system to the three datasets achieved the best results of a 99.6% accuracy with a 0.004 false-alarm rate for NSL_KDD, a 99.1% accuracy with a 0.008 false-alarm rate for UNSW_NB2015, and a 99.4% accuracy with a 0.0012 false-alarm rate for CIC_IDS2017.


I. INTRODUCTION
The new era of wireless communications, changeable mobile network infrastructure, the proliferation of connected Internet of Everything (IoE) devices/applications, and the variety of expected services raise critical security concerns and present complications with high risks of data security at the networks' core and edge. Due to the high vulnerability of communication networks to various renewable attacks, academic and industrial research must prioritize deploying intelligent security systems to satisfy the emerging requirements and The associate editor coordinating the review of this manuscript and approving it for publication was Joey Tianyi Zhou.
technologies of the next generations of communication systems (6G and beyond). Thereby, it is critical to develop a robust intrusion detection system (IDS) to eliminate those risks sufficiently other than the existing insufficient security systems that cannot adapt to the updatable attacks [1].
The networks' edges connect several types of billions of served nodes that provide various services, e.g., communicating, computing, processing, or sensing for multiple applications via a base station (BS) using terahertz (THz) radio frequency signals [1], [2].
When IDSs detect unexpected activities or recognized dangers, they issue alerts. An intrusion is any harmful activity that disrupts the information system [11]. IDSs observe computer systems for any odd activity that a traditional packet filter could miss. They scan network packets for signs of potentially harmful behavior, cyber resiliency in defiance of disrupting activities, and illegal access to the system. Signature Intrusion Detection Systems (SIDS) and Anomaly Intrusion Detection Systems (AIDS) are the two methods used by IDSs to identify intrusions [12], [13], [14]. AIDS has flaws and high false-alarm rates [15], [16], [17]. To address these flaws, a novel IDS model that incorporates SIDS and AIDS was provided to improve accuracy and reduce FAR. SIDS could detect common incursions, whereas AIDS could detect new ones [9].
Intrusion detection (ID) is a data analysis in which data mining (DM) techniques used to discover, extract, and distinguish the normal or intrusive patterns automatically. There are four types of tasks typically used in DM: classification, clustering, regression, and association rule learning are all techniques used to learn rules [18], [19]. The feature selection (FS) approach is an essential IDS process to specify the influential features and cancel the worthless features for less performance devolution. [20], [21], [22]. Correlation FS (CFS) uses a correlation-based heuristic evaluation function to rank features. It contrasts the attribute vectors' subsets linked to class-label and not to each other. According to the CFS algorithm, the irrelevant features with minimal link to the class must be omitted. Excess features should be investigated as they are frequently linked to one or more of the other features [23].
The weak learners are models used as a development part of the complex models, merging several weak learners by ensemble learning (EL) methods. For the majority of the time, those essential models are not efficient when they work individually due to the bias (e.g., degree of freedom insufficiencies) or the variation to be dependable (e.g., high degree of freedom). Ensemble approaches aim to decrease weak learners bias/variance, combining a large number of them into a strong learner (i.e., an ensemble algorithm) that performs better [24].
The technological world is moving towards IoE and sophisticated networking based on devices with lightweight algorithms. Despite the continued efforts of researchers, intrusion detection systems still lack the required optimization of detection rate (DR), false alarm rate (FAR), FNR, FPR, or time complexity (execution time) due to the high dimensions of the standard dataset and many Zero-day attacks. Moreover, time complexity has not been considered an influential factor despite its direct impact on resources. This paper provides a proposed method for dimensionality reduction with an FS for extracting the optimal subset of the original features. Then, passing these subsets to the proposed hybrid EL increases the stability and accuracy of the IDS with minimizing the required computation and consequent time.
The proposal trains the FS method and hybrid EL algorithms to attain accurate and efficient IDs. The major contributions of this paper are: • In the context of FS, we propose a novel method based on CFS combined with forest panelized attributes (CFS-RF) used to assess the correlation of the selected features. It is very beneficial to enhance the efficiency of the training and testing phases.
• We improve the performance of the binary class and the multi-class forms applied to the three unbalanced datasets. The proposal introduces hybrid ensemble algorithms by modifying two various classifiers to work as adaboosting, then combining decisions from multiple ensemble classifiers [random forest (RF) and support vector machine (SVM)] into one decision using the voting average technique (bagging method). The rest of this paper is structured as follows: Section II presents several related works. The proposed system, methodology, and different machine learning (ML) algorithms are defined in detail in section III. Section IV describes the implementation of the used datasets with the proposed system, while section V discusses the experimental results. Finally, the conclusion and future work are summarized in section VI.

II. RELATED WORK
Dwar Koba, Gaik-wad, and Ravindra Thool proposed ''DAREnsemble: Decision tree and rule learner-based ensemble for network intrusion detection system.'' A new architecture of DAR ensemble was proposed for IDSs that consist of unstable base classifiers using NSL KDD dataset. The experimental results showed 80%, 81%, and 15.1% for accuracy, DR, and FAR, respectively [25].
Hamed, et. al, proposed ''Two-tier network anomaly detection model: A machine learning approach'' using two-class ML-based classification models, KNN certainty factor voting classifiers where dimensionality reduction was done using linear discriminant analysis. Two generated training datasets used to train the model with SMOTE method for evaluating the selected similarity to deal with the network imbalance of anomaly datasets. The experimental evaluation using NSL-KDD showed an accuracy of 83.24%, FAR of 4.83%, TPR of 82%, and FPR of 5.43 when 16 features were chosen [26].
Kanakarajan and Muniasamy K. proposed ''Improving the accuracy of intrusion detection using gar-forest with feature selection:'' Those researchers have applied greedy randomized adaptive search procedures with annealed randomness-Forest (GAR-Forest) with FS processes, e.g., information gain, symmetrical uncertainty, feature-subset based on correlation, and NSL-KDD datasets. The results showed an accuracy of 85.0559% with 32-features for binary class and information gain achieved an accuracy of a 78.9035% with 10-features for multi-class [27]. VOLUME 10, 2022 Mittal, et. al, suggested: ''Machine learning techniques for energy efficiency and anomaly detection in hybrid wireless sensor networks'' using NSL KDD to detect the attack on the wireless sensor network. The experimental results showed that accuracy was 95%, whereas precision, recall, and F1-Score were 94.00%, 98.00%, and 96.00%, respectively [28].
N. Gupta, et. al, suggested the CSE-IDS using costsensitive deep learning (DL) with ensemble algorithms to treat an imbalanced class of IDSs. It consists of 3 phases; phase 1 uses a deep neural network (DNN) to divide and disseminate normal or suspicious network attacks. In phase 2, eXtreme Gradient Boosting is used to classify main attacks. However, for phase 3, RF is adopted for minor attacks' classification. The researchers adopted NSL_KDD, CIDDS-001, and CIC_IDS2017 datasets for system performance evaluation, while the accuracies were 99%, 96%, and 92% for NSL, CIDDS-001, and CIC_IDS2017, respectively, whereas the complexity time measurement has taken several hours [30].
In [31], Mighan and Kahani have adopted a stacked auto encoding network to extract features. Afterward, they proposed random forest, SVM, and another classifying method.
Souza et al. [32] have presented a DNN-KNN hybrid binary classifying méthodologies. There were a number of hybrid ML and DL algorithms.
Doaa, Ammar, and Soukeana in [33] have adopted feature selection (i.e., correlation feature selection-forest attribute) and ensemble learning techniques. The experimental result of this work used only the CIC_IDS2017 dataset. Furthermore, the testing accuracy reached 87% using 30 feature-selected.
In [34], Doaa and Soukeana have proposed correlation feature selection methods to select the best feature by applying only two datasets (i.e., NSL-KDD and UNSW_BN2015). Moreover, they have chosen only 30 features for those datasets.
Several researchers have studied distributed ML algorithms [35], [36], and they treat high dimensional data in a considerably short time and sufficiently. They have shown the benefits of using them to deal with massive data for preprocessing stage of IDS. Whereas, in the multiple target anomaly classifying step, DL algorithms could reach hidden features to detect unknown attacks while.
To the best of the author's knowledge, the presented system achieves the best results and the highest performance compared to previous systems. It outperforms the state-ofthe-art performance using multiple datasets and significantly achieves the best detection, false-alarm, and false-negative rates, in addition to the lowest complexity time.

III. METHODOLOGY A. OVERVIEW
IDS can track malicious activity over the entire network. It was introduced into a wireless communication network to verify any unusual activity during control transmission and data transmission. The intruder tries to attack the network to block transmission or steal precious information from the networks. The intruder embeds bugs into the networks by breaking the network security and unbalancing the activities in the sensor network. In order to overcome this problem, a robustly secured framework is required to save the system from malicious attacks. Figure 1 shows the proposed framework's general structure.
The proposed framework consists of various steps to detect anomalies. First, the defense mechanism consists of an IDS system with databases that position behind the firewall (i.e., data collected from the network, which undergoes preprocessing). After preprocessing, it needs to detect the missing values in the system and then replace the null values with other values. By default, average values are considered, then, duplicate values are removed from the dataset. The encoded data goes through a dimensional reduction process to help with data handling. Thus, feature optimization is done to fetch the optimal features from the data, which assists anomaly detection. Further, the cleaned data is passed to the next stage to select only the affected features for the final results using the proposed method called CFS-RF. Finally, the system uses the proposed algorithms HABBAs as a classifier to detect potential attacks or normal activities. Figure 2 depicts the detailed structure of the proposed system. It is composed of sequential stages where each stage consists of a number of steps, each of which performs a specific work. The input for the next stage is provided by the previous stage. These stages and steps are explained in detail successively. The collected datasets (i.e., NSL_KDD, UNSW_NB2015, and CIC_IDS2017) are being read, then perform the preprocessing stage that consists of three main steps: (filtration, transformation, and normalization).
The FS stage selects the best subset of features using the proposed CFS-RF method.
The classifiers' training stage is performed by building the hybrid adaboosting bagging algorithms (HABBAs), modifying the classifiers (RF and SVM) to work as adaboosting, and aggregating the composite model to work as a bagging algorithm. The main reasons behind integrating these two algorithms are the lack of accuracy and susceptibility to model overfitting in the adaboosting and bagging algorithms, respectively. Thus, HABBAs tend to achieve greater accuracy with less overfitting.
The attacks recognition stage is accuracy verification during the testing process of comparing the original and prediction tests using the CFS-RF and HABBAs with the weighting average voting technique.
The classifications evaluation stage applies specific performance measurements (i.e., Accuracy, Recall, Precision, F-measure, DR, and FAR) using two types of each dataset form (i.e., binary and multi-class classifications).

B. PREPROCESSING STAGE 1) DATASETS DESCRIPTION
This system uses three different datasets to implement experiments: NSL_KDD, UNSW_NB2015, and CIC_IDS2017.
The NSL-KDD is the first dataset. It was developed to improve the prediction complications as an influential parameter. Various baseline classifiers were adopted for records categorization of 5 complexity degrees with the number of accurate predictions provided notes next to each occurrence [12]. The percentage of records in the initial KDDCup'99 dataset chosen for every difficulty degree classification is inversely correlated with the number of records selected. KDD_Train set had 125.973 occurrences in our sample, including 58.630 occurrences of attacks and 67.343 of regular traffic. The second dataset (UNSW-NB15) incorporates the bulk of existing low-key attacks in an effort to mimic current network settings. It had 2,540,044 records of 4 big-data CSV files, training/testing records of 175,341 /82,332, and 45 columns (id=1, features=44). Finally, CIC_IDS2017 contains benign data and latest widespread attacks [37] and the results of the CIC flow meter network traffic analysis. The protocols, source/destination IPs, ports, and all attacks were time-stamped flows (CSV files). Moreover, its dataset is most recent, including updated DDoS, Brute Force, XSS, SQL Injection, Infiltration, Port Scan, and Botnet attacks. It had 2,830,743 records of 8 files, whereas every record includes 78 different labeled features.

2) PREPROCESSING STEPS
The preprocessing transforms the raw data into an analysisready form and then applies it in three steps. These steps (i.e., filtration, transformation, and normalization) are demonstrated in figure 3, whereas algorithm 1 explains the preprocessing stage.

a: THE FILTRATION STEP
It removes unwanted or meaningless data from the datasets, redistributes the resulted data, and rearranges it into categorized groups to make the datasets easier to understand and treat.

b: THE TRANSFORMATION STEP
It converts the non-numerical attribute data into numerical using a one-hot encoding function, which transforms categorical features into numerical values, for instance, converting protocol types (e.g., user datagram protocol (UDP) VOLUME 10, 2022 Step  At first, it takes the result from preprocessing stage (X i Value), then, applies it to each feature using the merit equation, given by: where r c f is the correlation between feature and class, r f f is the correlation between features. The computed correlation (CFS) explains in example 1. Thereafter, it generates subsets of RF by: {h (x, θ k ) , k= 1, 2 . . .} where h is the RF, K is the integer number, θ k is the theta, and x is the vector. The process of verifying the redundant features by computing weight range is where wR λ is the weight range, and λ is lambda. It selects the most relevant feature with less variance by computing standard division σ i , given by: where: σ i is standard division and ω i is the weight. The proposed algorithm of feature selection (algorithm 2) is explained in example 1 as follows: • When applying CFS and obtaining µs in this state, it applies RF with penalizing attributes for these µs randomly using 10 estimators (10 subsets) and ensemble learning (RF). For each set, it computes Wi selecting the highest weight and ignoring lower weights. Ultimately, only the best influential subset features will be selected (i.e., the features that affect the intrusion detection performance). Figure 5 explains the analysis dataset before FS. Figure 5 explains the features' correlation and distribution in the dataset. It is noticeable that the most correlated features are: • ct_srv_src, ct_dst_src_ltm, ct_srv_dst 1. All features range between 0 to 60. 2. Most values are close to 0 and less than 10.
3. Values are well scattered, however, there is a clear line, indicating some linear relationship. The hybrid CFS-RF method reduces dimensionality and eliminates superfluous attributes from the dataset.
At this end, the analysis and distribution of datasets of the proposed CFS-RF result in 30 features for NSL_KDD, 35 features for UNSW_NB2015, and 40 features for CIC_IDS2017. TABLES 2 summarizes the outputs of the base classifiers using the NSL_KDD, UNSW_NB2015, and CIC_IDS2017 datasets sequentially when applied to the proposed modified HABBAs. TABLE 2 demonstrates the performance measurement and the execution time in four states (i.e., all, 35, 40, and 30-features). They show that the 30, 35, and 40 features selected are the best in evaluating system measurements (i.e., accuracy, precision, F-measure, and DR are 0.99%). Moreover, they are the best features for reducing execution time to 0.539, 0.839, and 0.931 sec.
By conducting tests on the three datasets, we compare the proposed CFS-RF with several common FS methods, e.g., information gain (IG) [38], IGR information gain ratio (IGR) [39], genetic algorithm (GA) [40], particle swarm optimization (PSO) [41], neural network (NN) [42], and Auto Encoder [43].  This comparison research employs standard measures such as Accuracy, F-Measure, DR, and FAR. For the efficiency measurement of the presented IDS, a comparison was made for the number of features and the selection time. Compared with several FS methods, the proposed work outperforms state-of-the-art FS-based approaches on each dataset with accuracy measurement, as demonstrated in figure 6. Figure 6 explains that all the methods use a different number of FS and use F-Measure to verify the accuracy score of each classifier used in these various datasets with a variety of execution time values as it is high and may take hours when computed. It shows that all results are not convincing, whereas the proposed CFS-RF is the best. This measure depends essentially on two specific parts of recall and precision to verify all the records in the datasets with less time complexity.

D. (HYBRID ADABOOSTING AND BAGGING ALGORITHMS) TRAINING-TESTING AND RECOGNITION ATTACK
Hybrid EL algorithms are built in this stage. The successive classifiers (i.e., RF and SVM) are modified to work sequentially as adaboosting using their updated weights for achieving a convenient performance.

1) MODIFIED RF CLASSIFIER
Algorithms 3 explains the modified RF to work as adaboosting. The parameters and weights are also modified to increase the efficiency of detecting unknown attacks. At first, the initialization process equalizes all values of the XiBest with Wi and generates the RF subsets using equation (5). Afterwords, for each training set, it computes the weight and standard deviation by: where B is a constant and P denotes population. It is very important to compute the σ for each XiBest in algorithm 3 as a stopping criteria condition.
Then, the proposed model aggregates these classifiers to work in parallel as bagging, using the weighting average voting technique to achieve the best results of these modified classifiers. Algorithm 5 presents the main idea of the proposed HABBAs. In algorithm 3, according to weights updates, the RF is modified to work sequentially as adaboosting. In order to achieve the best results of variance and bias, aggregation is performed and applied to other modified classifiers using the weighting average voting technique. This algorithm is modified resulting in a better performance with the least error-rate. The algorithm's general work is depicted in figure 7.

2) MODIFIED SVM CLASSIFIER
Algorithm 4 performs the SVM mathematical and computational operations, which requires empirical time. It updates the weight of each XiBest feature in the datasets. Figure 8 depicts the steps of splitting the datasets classes using the modified SVM classifier and computing the support vector using: where: W is the weight and B is the bias.

For each XiBest in the training set Do
Determine the support vectors using linear. Compute F(x) for each support vector using equation (6). update the weight for each XiBest. Select high Wi 4. End for 5. Compute measurements: Accuracy, DR, FAR 6. Return Performance-Measurements End Algorithm 5 consists of two main steps; the first step implies applying the adaboosting algorithm for each modified classifier (i.e., algorithms 3 and 4) by computing the weight for each classifier using: where wj is the weight and err(Xj) error for each classifier. Then, by verifying the error rate by computing the weight using: This results in variance reduction and performance enhancement. The second step applies the principle of bagging algorithm to enable these classifiers to work as bootstrap, then performs aggregation by weighting average voting technique to obtain a composite model with less bias and overfitting (overfitting is reduced in the proposed system by using less depth tree, a sample number of variables during each splitting process, using different dataset) by using: Equation 9 computes the voting average technique.

IV. IMPLEMENTATION
The proposed system is implemented using three different datasets (i.e., NSL_KDD, UNSW_NB2015, and CIC_IDS2017). The training dataset used is 70%, whereas the rest 30% is the testing dataset dedicated to evaluating the proposed system. Performance evaluation of the proposed work is examined by executing it with three different selected features, i.e., 13, 30, and all using CFS_RF for the NSL KDD dataset, 13, 35, and all for UNSW_NB2015, and 13, 40, and all for CIC_IDS2017. Afterby, the potential intrusions will be detected using HABBAs and two types of Confusion-Matrices (i.e., binary class and multi-class) classification forms. Finally, system performance is evaluated using different measurements; recall, precision, DR, FAR, and FNR. It is implemented by software (i.e., python 3.8 and colab with sklearn library) using computer hardware with the following technical specifications: Core i7 CPU, 10 TH GEN, and 64bit OS Windows 11.

V. EXPERIMENTAL RESULTS AND EVALUATION A. BINARY CONFUSION-MATRIX
HABBAs are implemented using three datasets. The Confusion-Matrix is manually applied to each class, which VOLUME 10, 2022  (9) is used to apply the principle of voting.

Until the two classifiers, Ci is done Testing part: (do the following steps): Looping
After voting computes, the accuracy for each (prediction) after and before to achieve both Xi-After, and If Xi-Before. If Xi-Before is greater than Xi-After, then Replacing process:( voting average with the highest probability). else Accuracy, FAR, FNR, DR, and FAR are computed. End if Until the stopping criterion is done.

Return Measurements, and A composite model. End
has both normal and abnormal traffics. The FSs (i.e., 13,30,35,40, and all features) are applied to the presented CFS-RF and HABBAs to detect intrusions. The proposal applies a Confusion-Matrix in binary class form.
The proposal is applied to the NSL_KDD classes.     The main purpose of using various datasets is to discover new attacks, making the system more robust against external and new attacks (zero-day attacks). TABLE 6 explains the accuracy and FNR of all these features in detail. It addresses that the best results of accuracy and FNR can be achieved when applying 30-features to the proposed system. FNR is the division of false-negative detections divided by false-negative and true-positive detections in an experiment. This measurement is considerably important to evaluate the performance and quality of the proposed system by computing the number of errors discovered for each attack diagnosed as normal. In addition, when applying 13 Table 7 depicts the accuracy of each attack in the dataset with the f-score measure. Table 7 addresses all classes' best results when applying the proposed system, reaching 100% in XXS and Bot. It indicates that the number of features is ideal and helpful for identifying all forms of attacks.

B. THE COMPLEXITY TIME AND RUN TIME
It includes the computations of complexity time for the presented work by computing Big-O notation, which is O (N^2). However, figures 9, 10, and 11 explain the running time applying NSL_KDD, UNSW_NB2015, and CIC_IDS2017, respectively, showing the highest and lowest values. In figure 9, the highest is 9.6 sec. in the DoS class and the lowest is 1.3 sec. in the R2L class. While in figure 10, the highest     figure 11, the highest is 11.5 sec. in DDoS_ston class, while the lowest is 1.1 sec. in the brute force class. Hence, the running time increases when the input increases; thus, it is proportional to the number of inputs.

C. COMPARISON WITH OTHER STUDIES
The proposed system is examined and compared to other studies in terms of accuracy, FAR, DR, number of FS, FS method, and classification method. The detection accuracy of the proposal is 99% for training and 90% for testing. it yields a higher DR with a lower FAR comparing to the single-stage approach. This trade-off is elaborated in VOLUME 10, 2022

D. ANALYSIS RESULTS
Preprocessing stage is essential to prepare the dataset for the feature selection stage (CFS-RF). In the CFS-RF stage, each class in the dataset undergoes an analysis process to verify and select only the best influential subset features that affect the final results. Ultimately, CFS-RF selects the most appropriate features subset of the datasets (i.e., 30 features of NSL_KD, 35-features of the UNSW_NB201, and 40 features of CIC_IDS201. Afterby, the classifiers stage starts to make each classifier (SVM and RF) work as adaboosting (sequentially) and aggregates using the voting average technique to work as a bagging algorithm (in parallel).

E. LIMITATIONS
The main objective of the proposed work is to distinguish between normal and abnormal activities to increase system robustness against new attacks. However, it has the following limitations: The HABBAs system achieves an excellent performance when applying dataset attacks but does not take into account more attacks launched by external networks (when available).
In the HABBAs system training phase, once it is completed, the values of the training part are fixed (i.e., 70%), making it difficult to migrate to detect more attacks.

VI. CONCLUSION AND FUTURE WORK
Despite adopting various ML strategies previously to improve IDSs' efficacy, the existing IDSs are still unsuccessful, significantly to cope with the vulnerability of the expected wireless paradigms. Based on the preferred hybrid methods in FS and EL algorithms, this paper developed a unique IDS method to adapt to the imbalanced and high-dimensional traffic with low DR. A hybrid CFS-RF method was presented to achieve the optimal subset of function correlation using 30-features for NSL_KDD, 35-features for UNSW_NB2015, and 40-features for CIC_IDS2017 sample with a hybrid EL method. The results showed an accuracy of 0.99% for all the datasets, while FAR values were 0.004, 0.008, and 0.0012 for the NSL_KDD, UNSW_NB2015, and CIC_IDS2017 datasets, respectively. Hence, other parametric values are detailed in the results comparison table. Moreover, the proposed method outperformed the existing classification algorithms. As demonstrated, this method provided a significant competitive edge to the IDS market compared to other strategies. Despite the privilege of CFS-RF with ensemble algorithms (HABBAs), more extensive work is still required to expand system capacity to treat infrequent traffic hazards in the future. The authors recommend analyzing a stream of data connections can help detect the undetectable assaults by applying IDS to each connection record individually and employing the proposed NIDS on the systems' confidential servers of security establishments. Apparently, the proposed system is considerably an excellent and robust system for detecting intrusions on the network rapidly, providing high accuracy.