Network Intrusion Detection Using Machine Learning Algorithms: A Multiclass Study on the NSL-KDD Dataset
Luis Miguel Osco Vasquez

TL;DR
This study evaluates classical machine learning algorithms for multiclass network intrusion detection using the NSL-KDD dataset, demonstrating that tree-based models like Random Forest and XGBoost achieve high accuracy and highlighting challenges in detecting rare attack types.
Contribution
It provides a detailed analysis of classical ML algorithms on the multiclass NSL-KDD dataset, including data preprocessing and performance comparison, with insights into detection challenges and future research directions.
Findings
Tree-based models achieve up to 99% accuracy.
Random Forest and XGBoost outperform other models.
Difficulty in detecting rare attack classes like R2L and U2R.
Abstract
Intrusion detection is a critical component of cybersecurity, responsible for identifying unauthorized access or anomalous behavior in computer networks. This paper presents a comprehensive study on intrusion detection in networks using classical machine learning algorithms applied to the multiclass version of the NSL-KDD dataset (Normal, DoS, Probe, R2L, and U2R classes). The characteristics of NSL-KDD are described in detail, including its variants and class distribution, and the data preprocessing process (cleaning, encoding, and normalization) is documented. Four supervised classification models were implemented: Logistic Regression, Decision Tree, Random Forest, and XGBoost, whose performance is evaluated using standard metrics (accuracy, recall, F1 score, confusion matrix, and area under the ROC curve). Experiments show that models based on tree ensembles (Random Forest and XGBoost)…
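The gap between a high headline accuracy and weak detection of rare classes such as R2L and U2R becomes visible once per-class metrics are computed from the confusion matrix. The following is an added example, not code or results from the paper: the confusion matrix counts are constructed for illustration, and the function names and the 0.90 recall threshold are assumptions.

```python
# Classes of the multiclass NSL-KDD task named in the abstract.
CLASSES = ["Normal", "DoS", "Probe", "R2L", "U2R"]

# CONSTRUCTED confusion matrix (rows = true class, columns = predicted class).
# The counts are illustrative only; they are not results from the paper.
CONFUSION = [
    [9500,   20,   30,  5, 0],  # Normal
    [  40, 7400,   10,  0, 0],  # DoS
    [  35,   15, 2350,  0, 0],  # Probe
    [ 120,    0,    5, 75, 0],  # R2L
    [  14,    0,    1,  2, 3],  # U2R
]

def accuracy(cm):
    """Overall accuracy: correctly classified samples over all samples."""
    total = sum(sum(row) for row in cm)
    return sum(cm[i][i] for i in range(len(cm))) / total

def per_class_metrics(cm, labels=CLASSES):
    """Return {label: {"precision", "recall", "f1", "support"}}."""
    out = {}
    for i, label in enumerate(labels):
        tp = cm[i][i]
        support = sum(cm[i])                   # true samples of this class
        predicted = sum(row[i] for row in cm)  # samples predicted as this class
        precision = tp / predicted if predicted else 0.0  # class never predicted
        recall = tp / support if support else 0.0         # class absent from test set
        denom = precision + recall
        f1 = 2 * precision * recall / denom if denom else 0.0
        out[label] = {"precision": precision, "recall": recall,
                      "f1": f1, "support": support}
    return out

def macro_f1(cm):
    """Unweighted mean of per-class F1, so rare classes count as much as common ones."""
    metrics = per_class_metrics(cm)
    return sum(m["f1"] for m in metrics.values()) / len(metrics)

def weak_classes(cm, min_recall=0.90):
    """Classes whose recall falls below the (assumed) acceptance threshold."""
    return [c for c, m in per_class_metrics(cm).items() if m["recall"] < min_recall]

if __name__ == "__main__":
    print(f"accuracy = {accuracy(CONFUSION):.4f}  macro-F1 = {macro_f1(CONFUSION):.4f}")
    for label, m in per_class_metrics(CONFUSION).items():
        print(f"{label:7s} recall={m['recall']:.3f} f1={m['f1']:.3f} n={m['support']}")
    print("below recall threshold:", weak_classes(CONFUSION))
```

With these constructed counts the 220 R2L and U2R samples are about 1% of the test set, so missing most of them barely moves accuracy while macro-F1 drops sharply.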
Taxonomy
Topics: Network Security and Intrusion Detection · Cybercrime and Law Enforcement Studies · Information and Cyber Security
