Intrusion detection: it's a machine's work

Our latest MSc thesis from Royal Holloway explains how machine learning can be harnessed to improve many aspects of information security including intrusion detection.

Security professionals can get into heated arguments over the relative virtues of intrusion detection versus intrusion prevention systems. But what they can't deny is that both approaches have their weaknesses, and neither does a perfect job.

Keeping out intruders will never be an exact science, of course, and any system has to balance being too zealous, and therefore throwing up false positives, against going the other way and letting in unwanted visitors. And so human beings have to be drafted in to go through logs and try to make a judgment, which is expensive and, for the individuals concerned, monotonously soul-destroying.

But technology can be taught to recognize the telltale signs of suspicious behaviour, and can even improve its performance over time. In other words, it can learn and improve with experience.

This, at least, is the assertion of Sandeep Sabnani, a software engineer with Ericsson and a recent MSc student at Royal Holloway, University of London (RHUL). In an article published exclusively on, he explains how machine learning can be harnessed to improve many aspects of information security.

Drawing on the research he did for his thesis, Sabnani demonstrates that machine learning can be applied successfully to intrusion detection, and can improve over time as the system gathers more experience.
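The trade-off described above (false positives against missed intrusions) and the claim that a learned detector can be retrained as more labelled traffic accumulates, as an added example that is not from the article or from Sabnani's thesis: a from-scratch Gaussian naive Bayes detector over constructed per-host connection summaries. The feature names, the value distributions, the batch sizes and the alert thresholds are all assumptions made for the illustration, and the records are generated rather than captured.

```python
"""Toy machine-learning intrusion detector (added example, not from the thesis).

Gaussian naive Bayes over three per-host connection features, with a threshold
sweep that shows how raising the alert threshold lowers the false-positive rate
and the detection rate together, and a retrain step that folds newly labelled
records into the model. All records are constructed with a seeded generator.
"""
import math
import random

# Assumed feature names: connections per minute, failed logins, distinct ports.
FEATURES = ("conn_per_min", "failed_logins", "distinct_ports")


def make_records(n_normal, n_attack, seed):
    """Constructed labelled connection summaries; label 1 = intrusion."""
    rng = random.Random(seed)
    records = []
    for _ in range(n_normal):
        records.append(((rng.gauss(20, 6), rng.gauss(0.5, 0.7), rng.gauss(3, 1.5)), 0))
    for _ in range(n_attack):  # assumed brute-force / scan style profile
        records.append(((rng.gauss(80, 20), rng.gauss(12, 5), rng.gauss(40, 15)), 1))
    rng.shuffle(records)
    return records


def train(records):
    """Fit per-class priors, feature means and variances (naive Bayes)."""
    model = {}
    for label in (0, 1):
        rows = [x for x, y in records if y == label]
        n = len(rows)
        means = [sum(r[i] for r in rows) / n for i in range(len(FEATURES))]
        # Variance floor keeps a tiny or constant batch from dividing by zero.
        variances = [max(sum((r[i] - means[i]) ** 2 for r in rows) / n, 1e-3)
                     for i in range(len(FEATURES))]
        model[label] = (math.log(n / len(records)), means, variances)
    return model


def intrusion_score(model, x):
    """Posterior probability that record x is an intrusion, in [0, 1]."""
    logp = {}
    for label, (log_prior, means, variances) in model.items():
        ll = log_prior
        for xi, m, v in zip(x, means, variances):
            ll += -0.5 * math.log(2 * math.pi * v) - (xi - m) ** 2 / (2 * v)
        logp[label] = ll
    top = max(logp.values())  # normalise in log space to avoid underflow
    z = sum(math.exp(v - top) for v in logp.values())
    return math.exp(logp[1] - top) / z


def evaluate(model, records, threshold):
    """Detection rate, false-positive rate and accuracy at one alert threshold."""
    tp = fp = fn = tn = 0
    for x, y in records:
        flagged = intrusion_score(model, x) >= threshold
        if flagged and y == 1:
            tp += 1
        elif flagged:
            fp += 1
        elif y == 1:
            fn += 1
        else:
            tn += 1
    return {
        "detection_rate": tp / max(tp + fn, 1),
        "false_positive_rate": fp / max(fp + tn, 1),
        "accuracy": (tp + tn) / len(records),
    }


def threshold_sweep(model, records, thresholds=(0.01, 0.1, 0.5, 0.9, 0.99)):
    """The balance from the article: each higher threshold flags a subset of
    what the lower one flagged, so both rates can only fall, never rise."""
    return [(t, evaluate(model, records, t)) for t in thresholds]


def retrain(old_records, newly_labelled):
    """'Learning with experience': refit on everything seen so far once an
    analyst has labelled a new batch, instead of hand-tuning rules."""
    return train(old_records + newly_labelled)


if __name__ == "__main__":
    history = make_records(150, 50, seed=1)
    held_out = make_records(60, 20, seed=2)
    model = train(history)
    for t, r in threshold_sweep(model, held_out):
        print(f"threshold={t:<5} detect={r['detection_rate']:.2f} "
              f"fp={r['false_positive_rate']:.2f} acc={r['accuracy']:.2f}")
    model = retrain(history, make_records(30, 10, seed=3))
    print("after retrain:", evaluate(model, held_out, 0.5))
```

The threshold is the knob the article is describing: a site that cannot afford missed intrusions runs it low and accepts more alerts for analysts to triage; a site drowning in alerts runs it higher and accepts more misses. The retrain step is where the "experience" enters, since each labelled batch sharpens the class estimates without anyone editing a signature.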

Sabnani says he was prompted to study the subject because he felt security was not given enough importance in today's increasingly complex networks. "I had done a course in machine learning during my bachelor's degree, and I felt I could use some concepts from machine learning to try and address the problem of novel intrusion detection," he says.

"Machine learning has an inherent capacity to handle large quantities of data to learn about a given task and then automate performance in an unknown future. Already having a bent towards artificial intelligence, I was fascinated by this possibility and this thesis gave me a great opportunity to apply these concepts to security."

Having carried out his research, he is convinced that machine learning can play a valuable role in developing systems that are flexible and responsive enough to tackle new threats effectively. "I strongly believe automation is an excellent solution. It removes the need for human analysts and systems can evolve on their own. The complexity can be handled automatically using core mathematical concepts, which in turn might make security more user-friendly and non-intrusive," he says.

So who should read the article? "Developers of IDS/IPS products would find it helpful to see how machine learning can be used to detect novel intrusions and how flexible it can be," he says. "But general information security professionals should also be able to acquire more knowledge about a new way to deal with intrusions and may be able to adapt this method in their respective environments."

Sabnani's article, "Computer Security: A Machine Learning Approach", is one of a series of features based on recent MSc theses that are being run on They all provide links back to the original thesis.
