The propagation and increasing complexity of computer networks have led to an unprecedented rise in security threats. As these networks expand and evolve, so too does the potential for significant damage to critical infrastructure, necessitating the development of more sophisticated protective measures. Among these, intrusion detection systems (IDS) have emerged as a pivotal component of network security. However, the effectiveness of traditional IDS is often limited, particularly in their ability to identify and respond to previously unknown attacks. This limitation underscores the need for advanced methods that can analyze the behavior and operational sequences of attacks in real-time to enhance detection capabilities.

Machine learning (ML), a subset of artificial intelligence (AI), has become a cornerstone in addressing these challenges. The integration of ML techniques into IDS has demonstrated significant potential in improving their ability to detect and mitigate emerging threats. By enabling systems to learn from vast amounts of network data and adapt to new attack vectors, ML enhances the overall robustness of IDS.

This study reviews several machine learning techniques employed in the realm of intrusion detection, with a particular focus on the Adaptive Neuro-Fuzzy Inference System (ANFIS). ANFIS combines the learning capabilities of neural networks with the decision-making processes of fuzzy logic, creating a hybrid system that is both adaptive and precise. Additionally, this research explores the application of genetic algorithms for feature selection during the training and testing phases, a method that optimizes the input features, thereby improving the system’s performance.

The application of AI and ML in IDS represents a modern approach to enhancing network security, capable of adapting to the rapid evolution of attack types and structures. This study’s contributions are threefold:

IntegrationofWeightedLogic: The proposed system leverages fuzzy logic to enhance decision accuracy, determining whether a data packet constitutes an attack or normal network activity.NeuralNetworkLearning: The inherent learning ability of neural networks is harnessed to continuously improve the detection capabilities of the IDS.GeneticAlgorithmOptimization: Feature selection is optimized through genetic algorithms, ensuring that the most relevant attributes are used in the training process.

These elements collectively shape the training process of the proposed system, aiming to create an IDS capable of learning and adapting to the rapidly changing landscape of cyber threats. The system’s performance is then benchmarked against that of the widely used Snort IDS, providing a comprehensive analysis of its efficacy in real-world scenarios.

The application of machine learning techniques to intrusion detection systems (IDS) has been a focal point of research, with numerous studies exploring various approaches to enhance detection capabilities. One early study introduced the use of feedforward neural networks combined with K-Nearest Neighbor (KNN) classifiers to improve the accuracy of IDS. This approach, however, faced challenges due to the high dimensionality of features, which led to difficulties in optimizing the classifier’s performance. To mitigate this issue, the researchers implemented a genetic algorithm for feature selection, which successfully reduced the feature space and enhanced the system’s overall efficiency. The effectiveness of this method was demonstrated using the KDD Cup99 dataset, where improvements in detection rates were observed, albeit with an accompanying increase in false positive rates.

Building on this work, Patil etal. [1] developed a framework that leverages the Binary Bat algorithm for feature extraction, applying it specifically to the UNSW-NB15 dataset. The Binary Bat algorithm, known for its capability to solve complex optimization problems, was employed to optimize the selection of relevant features, thereby improving the IDS’s detection accuracy. Despite the algorithm’s strengths, the study highlighted the trade-offs between detection accuracy and computational efficiency, emphasizing the need for further refinement in balancing these aspects.

In a similar vein, researchers have explored the integration of various machine learning classifiers into IDS frameworks. For instance, the work of Tsai etal. [2] explored the use of ensemble learning methods, combining classifiers such as Random Forest (RF), Support Vector Machines (SVM), and K-Nearest Neighbors (KNN) to enhance detection performance across multiple datasets. The study demonstrated that ensemble methods, particularly those incorporating boosting algorithms like AdaBoost, were effective in improving detection rates while maintaining a low false positive rate. However, the computational complexity associated with these methods remains a concern, especially when applied to large-scale datasets.

Further research by Khan etal. [3] focused on the comparative performance of different machine learning techniques, including Artificial Neural Networks (ANN), SVM, and Decision Trees (DT), in the context of IDS. Their study, which utilized the CSE-CIC-2018 dataset, provided a detailed analysis of each classifier’s strengths and limitations. The findings suggested that while deep learning models like ANN showed high accuracy, traditional classifiers such as SVM and DT offered better interpretability and faster processing times, making them more suitable for real-time intrusion detection applications.

In addition to these approaches, studies have also explored the role of feature selection techniques in enhancing IDS performance. For example, Guyon and Elisseeff [4] provided a comprehensive review of feature selection methods, emphasizing their importance in reducing the dimensionality of data and improving model interpretability and accuracy. Their work underscores the critical role that feature selection plays in the development of efficient and effective IDS.

More recent investigations have further demonstrated the advantages of hybrid neuro-fuzzy models in intrusion detection contexts. Aljanabi etal. [5] developed a fuzzy logic-based IDS optimized using neural network learning, demonstrating enhanced detection of distributed denial-of-service (DDoS) attacks in IoT environments. Their work underscores the capacity of neuro-fuzzy integration to handle the inherent uncertainty and noise present in network traffic data while maintaining interpretable rule sets. In a complementary study, Ishaque et al. [6] proposed a hybrid IDS framework combining genetic algorithms for feature optimization with a fuzzy inference classifier, achieving notable improvements in both detection accuracy and computational efficiency across multiple benchmark datasets. These studies corroborate the effectiveness of the genetic neuro-fuzzy hybrid paradigm and highlight its applicability to contemporary cybersecurity challenges, including IoT-specific threats and large-scale network monitoring. The model presented in this paper builds upon these foundations by integrating ANFIS with a genetically optimized feature selector, thereby offering a unified framework capable of addressing both feature dimensionality reduction and adaptive classification.

These studies collectively highlight the diverse approaches taken by researchers to refine machine learning methods for IDS, with each contributing to the understanding of the trade-offs and challenges inherent in this field. The ongoing advancements in feature selection, ensemble learning, and optimization algorithms continue to push the boundaries of what is possible in intrusion detection, paving the way for more robust and adaptive security systems.

Intrusion Detection Systems (IDS) are essential components of network security, designed to monitor and analyze data packets within a network to detect and respond to potential threats. IDS can be categorized based on their operational mode [7]: Host-Based IDS (HIDS) operate on individual devices, while Network-Based IDS (NIDS) monitors traffic across an entire network. Additionally, IDS can be classified by their detection methods: Signature-Based Detection, which identifies threats by matching network traffic against known attack signatures, and Anomaly-Based Detection, which detects deviations from established patterns of normal behavior, potentially indicating novel or zero-day attacks.

Evaluating IDS performance requires the use of specific metrics to assess its accuracy and reliability. The key metrics include:

FalseNegative(FN): Occurs when the IDS fails to identify an actual attack, representing a significant security lapse.FalsePositive(FP): Occurs when the IDS incorrectly identifies benign activity as malicious, leading to unnecessary alerts.TruePositive(TP): Represents the correct identification of an attack.TrueNegative(TN): Indicates the correct identification of non-malicious activity as benign.

The overall effectiveness of an IDS can be quantified using the following metrics [8]:

DetectionRate(DR): The proportion of actual attacks correctly identified by the IDS, calculated as the ratio of TP to the total number of attacks (TP + FN).FalsePositiveRate(FPR): The proportion of benign events incorrectly classified as threats, calculated as the ratio of FP to the total number of benign events (FP + TN).

The equations for Accuracy and FPR are given by:

To evaluate and benchmark IDS performance, several well-established datasets are commonly employed in research:

KDDCup99: [9] Originating from the DARPA 1998 benchmark, this dataset comprises approximately 4 GB of TCP dump data, organized into 41 attributes, both continuous and discrete, across 22 attack types. These attacks are classified into four categories: Denial of Service (DoS), Root to Local (R2L), User to Root (U2R), and Probe. Although widely used, the KDD Cup 99 dataset has faced criticism for containing redundant records, which may bias machine learning models and lead to overfitting.NSL-KDD: [10] Developed as an improvement over the KDD Cup 99, the NSL-KDD dataset addresses the issues of redundancy and data imbalance by removing duplicate records. It retains the original number of attributes and types of attacks, offering a more balanced and reliable benchmark for evaluating IDS performance.UNSW-NB15: [11] Compiled by the Australian Centre for Cyber Security (ACCS), this dataset offers a realistic portrayal of modern network traffic and includes nine attack types such as Analysis, Backdoors, DoS, Exploits, Fuzzers, Generic, Reconnaissance, Shellcode, and Worms. The dataset is widely recognized for its applicability in testing IDS in contemporary network environments.CSE-CIC-IDS2018: [12] This dataset contains a wide variety of 14 different attack types, including DoS GoldenEye, Heartbleed, DoS Hulk, DoS SlowHTTP, DoS Slowloris, DDoS, SSH-Patator, FTP-Patator, Brute Force, XSS, Botnet infiltration, PortScan, and SQL injection. It is highly valued for its comprehensive coverage of modern attack vectors, making it an excellent resource for evaluating IDS in realistic scenarios.Bot-IoT: [12] Created within a simulated environment at UNSW Canberra’s Cyber Range Lab, this dataset includes over 72 million records of various IoT-based attacks, such as DDoS, DoS, OS and Service Scan, Keylogging, and Data Exfiltration. Its detailed categorization of DDoS and DoS attacks, particularly in IoT contexts, provides a valuable resource for assessing IDS performance in increasingly prevalent IoT environments.

Recent studies have emphasized the importance of evaluating IDS using these datasets to reflect contemporary network environments and evolving threat landscapes. For instance, recent work by Sharafaldin etal. [10] highlights the use of the CSE-CIC-IDS2018 dataset to develop and benchmark new IDS models, pointing to the dataset’s richness in representing modern attack strategies. Similarly, Moustafa etal. [11] have explored the UNSW-NB15 dataset’s relevance in modeling real-world network traffic and its effectiveness in assessing IDS capabilities against complex, multifaceted threats.

The proposed model for enhancing the performance of Intrusion Detection Systems (IDS) involves several critical steps, each aimed at optimizing the system’s ability to detect malicious activities. The first step in this process involves converting textual attributes within the datasets into numerical attributes, a necessary transformation for most machine learning algorithms. All datasets are divided using an 80% training and 20% testing split, with stratified sampling to preserve the original class distribution. A fixed random seed of 42 is employed across all experiments to ensure reproducibility. No k-fold cross-validation was applied in this study; results are reported on the held-out test sets. This conversion ensures that all data are in a format suitable for processing and analysis. Following this, the data undergoes a standardization process, where each attribute is scaled based on its minimum and maximum values. This normalization is crucial to prevent any single attribute from disproportionately influencing the model due to differences in scale, and is performed using the Unit Range (UR) method, expressed as:

where X represents the value of the attribute, and X max and X min are the maximum and minimum values of that attribute, respectively.

After standardization, the next step involves feature selection, a critical process in which the most relevant attributes are identified and retained for model training. The selection process is conducted using a genetic algorithm (GA), which is known for its effectiveness in optimization problems, particularly in reducing the dimensionality of data while preserving its informative value. The GA operates by encoding the attributes as chromosomes, performing operations such as selection, crossover, and mutation to evolve the population of attributes across generations. The goal is to identify a set of features that maximizes the fitness function. The fitness function for the genetic algorithm is defined as the F1-score achieved by a lightweight ANFIS classifier trained on the candidate feature subset. The F1-score—the harmonic mean of precision and recall—is selected because it provides a balanced assessment of classification quality, particularly in imbalanced datasets where attack samples may be significantly outnumbered by normal traffic. This metric directly reflects the discriminative power of the selected features, in contrast to simpler heuristics such as the attack-to-normal ratio, which does not account for actual classification outcomes. This approach is particularly effective in high-speed networks where rapid processing is essential.

The feature selection process is followed by the implementation of the Adaptive Neuro-Fuzzy Inference System (ANFIS). ANFIS combines the learning capabilities of neural networks with the decision-making logic of fuzzy systems, creating a hybrid model that can adapt to the complexities of network traffic patterns. The model is trained using the selected features, and its performance is tested across various datasets to ensure robustness and generalizability.

Figure 1 illustrates the architecture of the proposed model, detailing the flow from raw data preprocessing through to feature selection and ANFIS implementation.

Figure 1. Proposed model architecture.

The implementation of the proposed Adaptive Neuro-Fuzzy Inference System (ANFIS) model involves integrating the 21 selected features identified during the feature selection process. These features represent critical attributes that significantly impact the performance of the IDS. The ANFIS model was implemented using MATLAB, specifically leveraging the Fuzzy Logic Toolbox to manage the membership functions and the rule-based inference system.

For each of the 21 features, we defined five membership functions, representing varying degrees of attribute association: large, medium, small, low, and very small. This granularity allows the model to capture subtle differences in the data, improving its ability to distinguish between normal and malicious activities. The membership functions were constructed by dividing each attribute’s domain into five sections, using the calculated arithmetic mean and standard deviation to ensure precise segmentation. Table 2. Shows the model hyper-parameters.

Table 2. GA and ANFIS hyper-parameter configuration.

Training of the ANFIS model employed a hybrid learning algorithm, combining the Least Squares Method (LSM) for fine-tuning the linear parameters in the fuzzy inference system and the Gradient Descent (GD) method for optimizing the non-linear parameters. The LSM was particularly effective in adjusting the parameters of the fourth layer of the ANFIS network, where the membership functions are configured. In contrast, the GD algorithm was utilized to model the weighting system based on the training data.

After determining the optimal values for the parameters in the fourth layer, the training process continued with a backward pass, where the membership function parameters were further refined using the training dataset as summarized in Table 3:

Table 3. ANFIS system setup.

To benchmark the performance of the proposed GA-ANFIS system, we implemented a comparative analysis using the Snort IDS, a widely recognized intrusion detection system. The implementation details are summarized in Table 4, which outlines the configurations and computational resources used for both systems.

Table 4. General summary of the systems and tools used in the proposed work.

The performance of the proposed GA-ANFIS system was evaluated using standard datasets, including KDDCup 99, NSL-KDD, UNSW-NB15, CSE-CIC-IDS2018, and Bot-IoT. These datasets were chosen for their widespread use in IDS research and their ability to represent a diverse range of attack types and network conditions.

The comparison between the GA-ANFIS system and the Snort IDS is presented in Table 5. The results indicate that the GA-ANFIS system consistently outperformed Snort in terms of both accuracy and False Positive Rate (FPR). Notably, the GA-ANFIS system achieved an accuracy of 99.72% with an FPR of 0.28% on the KDDCup 99 dataset, compared to Snort’s 92% accuracy and 12% FPR. Similarly, significant improvements were observed across the other datasets, with the GA-ANFIS system showing superior performance.

Table 5. Performance comparison between GA-ANFIS and Snort IDS.

The superior performance of the GA-ANFIS system over Snort can be attributed to several key factors. First, the integration of neural networks with fuzzy logic in the ANFIS model allows for more nuanced decision-making, particularly in cases where traditional rule-based systems might fail to capture complex patterns in the data. The genetic algorithm’s role in optimizing feature selection further enhances the system’s ability to accurately identify relevant attributes, thus improving the overall accuracy and reducing the FPR.

The performance discrepancies between the datasets also highlight the importance of data quality and diversity in training machine learning models. For example, the GA-ANFIS system performed exceptionally well on the CSE-CIC-IDS2018 dataset, likely due to the dataset’s comprehensive representation of modern attack vectors. Conversely, the NSL-KDD dataset, which contains some redundant records, posed more challenges, potentially leading to suboptimal training and higher error rates.

This research presents a generalized methodology that combines machine learning and data mining techniques to enhance the learning process of IDS. Future research could focus on refining the rule extraction process within the ANFIS model, possibly by exploring alternative methods such as fuzzy association rules or hybrid algorithms that incorporate deep learning components.

Additionally, expanding the model to detect a wider range of attack types, beyond simple binary classification, could improve its applicability in real-world scenarios. Further exploration into unsupervised learning techniques, which do not rely on labeled data, could also provide valuable insights into detecting previously unknown or evolving threats.