Cyberattacks pose a significant risk to network environments today as they can lead to the compromise of

sensitive information, disruption of digital service, and compromise the confidentiality, integrity, and availability

of information systems. Signature-based intrusion detection systems and firewalls are effective, but they can't

detect unknown, modified and zero-day attacks. This research paper proposes a machine-learning approach to

build an Intrusion Detection System for network security based on the NSL-KDD dataset, which helps to

overcome this limitation. The proposed system uses supervised machine learning algorithms to classify the

network traffic as either normal traffic or attack traffic. The methodology consists of data collection, data

preprocessing, categorical features encoding, feature selection, model training, testing, prediction and

evaluation. Random Forest is the primary classification algorithm and Support Vector Machine and Logistic

The overall findings of the study indicate that application of machine learning can enhance the performance of

IDS and it offers a practical base for future real time and deep learning based intrusion detection systems.

Random Forest

Network security refers to the protection of computer networks, connected devices, digital services, and

transmitted data from unauthorized access, misuse, disruption, or destruction. In the contemporary organizations,

virtually all the activities rely on networked systems, such as cloud computing, online banking, e-commerce,

health systems, education platforms, and Internet of Things (IoT) devices. This high level of connectivity

enhances communication and service delivery, but it also adds the attack surface by cybercriminals. Recent

cause financial and reputational costs. Some common attacks are denial-of-service attacks, probing, malware-

based intrusions, unauthorized access, and traffic manipulation. Conventional security measures like firewall,

antivirus and encryption and access control are handy but not effective when used in isolation. Firewalls

primarily regulate traffic based on predefined rules and signature-based systems rely on known attack patterns.

Consequently, they might not be able to identify new, altered, or zero-day attacks. Akuthota and Bhargava (2025)

observed that false alarms and the inability to detect unknown attacks continue to be a problem in many IDSs,

with Kasongo and Sun (2020) describing that signature-based IDSs identify known patterns and anomaly-based

IDSs examine abnormal behavior on the network.

An Intrusion Detection System (IDS) is thus needed as an extra security layer that is in constant watch of the

network traffic or activities of a host and detects suspicious activity. IDSs may be host-based, network based or

Sun, 2020; Talukder et al., 2023).

Machine Learning (ML) is applied in IDS as it is able to learn the patterns on the historical network traffic and

classify the new traffic as normal or malicious. Supervised ML algorithms including Random Forest, Support

Vector Machine, Logistic Regression, Decision Tree, and k-Nearest Neighbour have been extensively applied

in intrusion detection as they can process labeled datasets and automatically detect attack patterns. Recent

findings indicate that ML algorithms can be used to detect and categorize security threats, in particular, when

feature selection and preprocessing are applied to reduce complexity and enhance performance (Saranya et al.,

2020; Vibhute et al., 2024). Random Forest is especially appropriate in this study since it is an ensemble

technique that can be used to work with nonlinear data, reduce overfitting, and provide feature-importance values

that can be used to explain the extent to which network features contribute to attack detection.

newer datasets might be better suited to represent modern traffic, NSL-KDD is still suitable to develop a clear

model of an ML-based IDS and to compare the performance of the algorithmic models.

A number of IDS models based on machine learning have been proposed in the past but there are still some

important issues to be addressed. Traditional rule-based systems are less capable of identifying new attacks, and

advanced deep-learning and hybrid models can be more resource-hungry and complex to implement. Also, many

IDS studies have shown very good performance on benchmark datasets, however their results may not be able

to be generalized in real-time network environments. So, a clear, explainable and reproducible IDS model based

on a machine-learning approach is necessary to classify normal and attack traffic with evaluation metrics and

feature-importance analysis.

The main aim of this research is to design and evaluate a machine-learning-based Intrusion Detection System

Early intrusion detection systems were mainly rule-based or signature-based. Such systems compared the

network traffic to a set of predefined rules or known attack signatures and issued alerts when a match was

observed. These systems are also effective in detecting already known attacks, but they are less effective in

detecting new attacks or those whose attack behavior has changed. The recent IDS literature states that signature-

based detection relies on the known patterns of attacks, whereas the anomaly-based detection monitors the

deviations of the normal behavior (Kasongo and Sun, 2020). On the same note, Talukder et al. (2023) observed

Support Vector machine, and classification-based algorithms to detect attacks in environments, including

internet of things, fog computing, big data, smart cities, and 5G networks. Kocher and Kumar (2021) also

conducted a review of both ML and DL methods of intrusion detection and highlighted benchmark datasets,

measures of performance evaluation, and the challenges in research. These studies have demonstrated that

research on the use of ML-based IDS has no longer been simple rule matching, but rather automated pattern

recognition, where algorithms are trained to be able to distinguish between normal and malicious network

behavior.

One of the biggest problems in the research on IDS is the selection of features since network data can have a

large number of features, and not all these features can be useful in the detection of attacks. High-dimensional

data may have the effect of increasing the training time, reducing the efficiency of the model, and adding

importance is applicable, as it can be used to determine which network variables are most important for intrusion

detection.

Hybrid ML and DL models are also a topic of interest since they preprocess and balance features before feature

selection and classification become part of the pipeline. To compare various ML and DL algorithms, Talukder

et al. (2023) proposed a reliable hybrid model of network intrusion detection that used SMOTE to balance the

data and XGBoost to select the features before comparing the various algorithms. Their model reported a very

high accuracy on the CIC-MalMem-2022 datasets, as well as on KDDCUP-99 and CIC-MalMem-2022 datasets.

Nevertheless, these high-performance hybrid models can be even more complex than classical ML models and

they can demand more computational resources. Hence, classical algorithms, like Random Forest, SVM, and

Logistic Regression are still applicable in academic study of IDS since they are more easily implemented,

Benchmark datasets serve a significant purpose in the research of IDS since it enables the researcher to test

models in a controlled environment. Vibhute et al. (2024) designed a network anomaly detection method with

NSL-KDD and used Random Forest-based feature selection and ML classifiers like SVM, Logistic Regression,

and kNN and reported the validation accuracies of 87.58, 88.86, and 98.24, respectively. The work is pertinent

since it directly contributes to the application of NSL-KDD and comparative evaluation of ML. Rosay et al.

Mukhaini et al., 2024). The recent review by Ali et al. (2024) analyzed the latest ML and DL-based IDS

strategies, datasets, metrics, strengths, weaknesses, and future trends, highlighting that the IDS models continue

to have troubles with false alarms and new intrusion detection. The review of the modern IDS benchmark

datasets conducted by Akuthota and Bhargava (2025) revealed that to ensure proper evaluation, researchers

should select appropriate datasets and methods. These papers demonstrate that ML and DL have enhanced the

research in the field of IDS, yet the practical implementation still involves the need to carefully preprocess, select

a dataset, interpret the model, and be efficient in real-time.

The primary gap that has been identified based on the related work is that the existing IDS models continue to

be limited in the areas of accuracy, adaptability, reduction in false-alarms, and generalization to new attacks.

Rule based systems are susceptible to unknown threats, whereas advanced hybrid, and deep learning systems

can be complicated and hard to install in simple systems. Most of the research papers also have good outcomes

on benchmark datasets, although such outcomes may not necessarily be directly applicable to real-world network

traffic. Consequently, in the current study, the identification of a clear and explainable ML-based IDS under the

NSL-KDD with focus on Random Forest as the primary classifier and SVM and Logistic Regression as the

made the task of classification easier and in keeping with the goal of determining if the traffic was safe or

suspicious.

The data splitting was done with a fixed random state for reproducibility. This implies the train-test split can be

recreated in case the experiment is repeated. Reproducibility is crucial in the field of machine learning for the

purpose of enabling others to validate and replicate the results.

train-test partition. This is particularly suitable to IDS research, as the model needs to be consistent with various

traffic samples.

with regards to new network traffic data.

These models were all used to predict if a traffic record was from the normal class or the attack class. Then the

predicted labels were compared with the labels of testing set. Performance metrics like accuracy, precision,

recall, F1-score, specificity, error rate and confusion matrix were calculated using the comparison of predicted

and actual labels.

The performance of the proposed IDS model was tested using various classification analysis tools. Overall

percentage of correctly classified records was measured using accuracy. Precision is the number of records that

sensitivity).

accuracy of recognizing normal traffic of the model. The percentage of records which were misclassified was

displayed by the error rate. True positive, true negative, false positive and false negative were also presented as

The data set chosen to use in this study is the NSL-KDD dataset, which is a highly utilized benchmark dataset

used to test machine learning based intrusion detection systems. It is widely applied in the study of IDS since it

characteristics related to content. Some of its important features are protocol type, service, flag, source bytes,

destination bytes, and other indicators of traffic behavior. Type of protocol indicates the type of communication

SMTP. The flag feature is used to present the state of the network connection and the features that are related to

the packets and bytes serve to describe the amount and direction of data sent and received.

There are two basic categories of traffic in the dataset. The first one is normal traffic that is the legitimate network

communications. The second one is attack traffic which is the malicious or suspicious activity. The categories

of attack traffic in NSL-KDD usually belong to the following categories: Denial of Service, Probe, Remote-to-

Local, and User-to-Root attacks. In this research paper these types of attacks have been classified as one type of

attack under binary classification. This binary representation makes the IDS model more training and evaluation-

friendly as the primary objective is to identify whether a network record is safe or malicious.

The type of label that will be used in this research is thus normal/attack. The records bearing the label normal

testing sets. Even though newer datasets, including CIC-IDS2017, are also used in modern IDS research, NSL-

KDD is still appropriate to be used in this study due to its manageability, labeling, and wide range of use in

SVM and Logistic Regression, and also evaluation tools of classification models. The fact that Random Forest

can be used to combine several decision trees and can be used to average out predictions in order to achieve

better predictive accuracy and less overfitting makes Random Forest particularly useful.

The implementation process started by loading the NSL-KDD dataset into the Python environment. After loading

the dataset, the features and target class label were separated. The target label was then changed to a binary

classification format with normal records being considered normal traffic and all types of attacks being classified

as the attack class. The rationale behind the choice of this binary classification method is that the primary

objective of the proposed IDS is to determine whether the traffic entering the network is legitimate or not. NSL-

KDD has also been used in recent studies of IDS machine learning to detect anomalies in a network and to

compare models.

were used as the model comparison. Random Forest was chosen as the main classifier due to its effectiveness in

organized classification tasks and the possibility to assign feature-importance values, which helps to understand

which network features help the most in detecting an attack. The training data was used to train the model and

the testing data was used to test the model. The evaluation of performance was conducted based on accuracy,

precision, recall, F1-score and confusion matrix.

This section presents the later performance results of the proposed machine-learning-based IDS model. Random

Forest, SVM, and Logistic Regression were compared using accuracy, precision, recall, and F1-score. In the

current version of the study, the reported values should be treated as sample or later results. These values must

be replaced with actual experimental outputs after executing the final model on the NSL-KDD dataset. The