In this study, we use the ten percent version, which consists of 494,021 connections and 24 types of attacks with 5 classes (Normal, DOS, U2R, R2L, and PROBE).
8, the U2R attack type contains the most new attack types, which account for a considerable proportion.
used a decision tree and a genetic algorithm to select features that are beneficial for detecting low-frequency attacks, after which the detection rates of U2R and R2L increased to 76.92% and 83.75%, respectively.
ISCX dataset 2012 includes categories of attacks involving scan, DoS, R2L, U2R
Class | Attacks in the training data
DoS | Back, Land, Smurf, Pod, Neptune, Teardrop
Probe | IPsweep, Portsweep, Nmap, Satan
U2R | Loadmodule, Rootkit, Perl, Buffer_overflow
R2L | Guess_passwd, Multihop, Ftp_write, Spy, Phf, Imap, Warezclient, Warezmaster

Table 6: Attack model for SCADA.
Table 3. Distribution of the data sets used for training and test

Category | 10% Training Set | Training Subset | Test Set | Test Subset
Normal | 97278 | 986 | 60593 | 4000
Probing | 4107 | 41 | 4166 | 1107
DoS | 391458 | 3961 | 229853 | 13715
U2R | 52 | 1 | 228 | 52
R2L | 1126 | 11 | 16189 | 1126
Total | 494021 | 5000 | 311029 | 20000
We conducted the learning process for two-class (normal and attack) and multiclass (normal, DoS, Probe, R2L, and U2R) classification.
The NSL-KDD training data set consists of 125973 records, of which 67343 are labelled as normal and the rest are labelled as attacks: denial-of-service (DOS), surveillance and other probing (PROB), unauthorized access from a remote host to a local host (R2L), or unauthorized access to local superuser privileges (U2R).
He tested with machine-learning algorithms to find efficient SMOTE ratios for rare classes such as U2R, R2L, and Probe.
After gaining user access, the attacker tries to escalate privileges with a user-to-root (U2R) attack; if the attacker obtains master (root) user access, it has the privilege to steal or modify data, and once the targeted system is compromised the attacker has the authority to go further from this step.
Each instance in the NSL-KDD dataset is a TCP/IP connection record described by 41 different features and classified as one of the following classes: normal event, denial of service (DoS) attack, probe attack, user to root (U2R) attack, and remote to local (R2L) attack.
Attacks such as U2R and R2L are generally embedded in the data because, unlike DoS attacks, they do not exhibit frequent sequential patterns in the data records.