An Intrusion Detection System (IDS) is an effective tool in cybersecurity for detecting and identifying intrusion attacks. Traditional IDS methods rely heavily on signature-based approaches, which are limited in their ability to detect novel and sophisticated attacks. To overcome these limitations, researchers and practitioners have begun to integrate machine learning techniques into IDS design. Machine learning (ML) has demonstrated remarkable success in domains such as natural language processing, computer vision, and pattern recognition, and leveraging ML algorithms in network cybersecurity offers promising opportunities to enhance the accuracy and efficiency of intrusion detection systems.
With the rapid growth of networking technologies and the increasing number of cyber threats, ensuring effective cybersecurity has become a paramount concern. One crucial aspect of cybersecurity is the detection and prevention of unauthorized access and malicious activity within computer networks. Intrusion Detection Systems (IDS) play a vital role in monitoring network traffic and identifying potential security breaches. ML-based IDS models can learn from large volumes of network data, detect anomalous patterns, and adapt to evolving attack strategies. This approach holds the potential to improve the overall security posture by reducing false positives and detecting previously unknown attacks.

The design of an IDS that exploits machine learning for network cybersecurity involves several key components. First, a robust and comprehensive dataset is required for training and evaluating the ML models; such a dataset should encompass a wide range of network traffic patterns, including both normal and malicious activity, to enable effective learning. Second, suitable feature selection and extraction techniques are crucial to capture relevant information from the network data. These features serve as input to the ML algorithms, enabling them to discern normal traffic from potential intrusions. Finally, the choice of ML algorithm plays a vital role in IDS design. Various algorithms, such as support vector machines, random forests, and deep learning architectures, have been investigated for intrusion detection. Each has its strengths and weaknesses, and the selection depends on factors such as the complexity of the problem, the availability of data, and the desired trade-off between detection accuracy and computational efficiency.
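As a concrete illustration of the supervised approach outlined above, the following sketch trains a random forest to separate benign from malicious flows. The feature set (duration, bytes sent, bytes received, packet count) and all values are illustrative assumptions generated synthetically, not drawn from any real traffic dataset.

```python
# Minimal supervised-IDS sketch on synthetic flow features (illustrative only).
import numpy as np
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import train_test_split

rng = np.random.default_rng(0)

# Hypothetical flow features: duration, bytes sent, bytes received, packet count.
n = 1000
normal = rng.normal([10, 500, 800, 40], [5, 100, 150, 10], size=(n, 4))
attack = rng.normal([2, 5000, 50, 400], [1, 800, 20, 80], size=(n, 4))

X = np.vstack([normal, attack])
y = np.array([0] * n + [1] * n)  # 0 = benign, 1 = malicious

X_train, X_test, y_train, y_test = train_test_split(
    X, y, test_size=0.25, random_state=0, stratify=y)

clf = RandomForestClassifier(n_estimators=100, random_state=0)
clf.fit(X_train, y_train)
print(f"test accuracy: {clf.score(X_test, y_test):.2f}")
```

A real deployment would replace the synthetic arrays with features extracted from labeled traffic captures, but the training interface is unchanged.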
Intrusion detection systems play a critical role in safeguarding computer networks by identifying and responding to security threats. Machine learning models have gained popularity in IDS because they can handle large volumes of data and detect patterns in real time. By learning from historical data, an ML-based IDS can recognize new patterns that may indicate potential intrusions, reducing false positives and enhancing detection accuracy. The application of machine learning in IDS is particularly important when dealing with diverse datasets: different datasets may exhibit distinct characteristics, including various types of intrusion, network configurations, and user behavior. Because ML models can be trained on different datasets and adapt to the characteristics of each, the IDS remains effective across a variety of environments. Networked computer systems and the continuous availability of Internet services are crucial for modern society, which relies on them for almost every activity. However, with the increasing use of Internet-based technologies, attackers can target computer systems without physically interfering with them, causing malfunctions and compromising security in terms of confidentiality, availability, and integrity. Network traffic comprises packets characterized by properties such as duration, protocol type, and the amount of data transferred between source and destination. Since attackers can compromise packets by modifying their content during creation or transit, it is vital to identify attacks and preserve service integrity, given the impossibility of creating a completely attack-free networked computer system.
The number of anomalies, such as misconfigurations of network devices, port scans in preparation for future attacks, resource-consuming and self-spreading viruses and worms, or denial-of-service (DoS) attacks that render network services unavailable, increases proportionally with the growth of network traffic. Effective detection and diagnosis of such anomalies are crucial to guarantee proper and reliable functioning. In this context, network security and reliability become even more crucial in safety-critical systems (SCS). An SCS is a system whose failure or malfunction can result in equipment or property loss or severe damage, environmental harm, or serious injury or death. SCS encompass applications such as robots for industrial automation, logistics, and human assistance, vehicles, medical systems, and defense. The continuous evolution towards software-defined, autonomous, and connected systems further escalates the risk of cyber attacks and their consequences. The availability of intrusion and anomaly detection capabilities is therefore of utmost importance for SCS. Some works in the literature employ the IDS concept to manage communication-flow anomalies in control systems for mechatronic and industrial applications.

Unlike attack-monitoring algorithms in communication network contexts, which tend to associate a dynamic model with the overall behavior in a complex manner, these works employ a hybrid approach combining model-based and data-driven techniques: state observers and estimates are used, together with stochastic analysis of the residuals between the model and direct process measurements. While such research often proposes specific anomaly detection solutions whose integration into the overall system is known, the IDS problem considered here, focusing on the security of communication networks, is more complex: the attack cannot be treated merely as an additive disturbance that perturbs the model relative to nominal behavior. This work therefore places significant emphasis on the security aspects of communication networks, considering three of the most widely used datasets in these applications.

There have been significant advances in the design of machine learning-based IDS for network cybersecurity, but several research gaps and limitations remain. One major gap is the lack of labeled datasets for training and evaluating IDS models: existing publicly available datasets suffer from insufficient size, a lack of diversity in attack scenarios, or outdated data, which makes it difficult to develop robust, generalized IDS models capable of detecting novel and sophisticated attacks. Another limitation is the lack of transparency and interpretability of machine learning-based IDS models, particularly deep learning models, which operate as black boxes and make it challenging to understand the decision-making process. This lack of transparency hampers trust and adoption, especially in critical network security applications where explanations for detected threats are crucial.
Additionally, existing work often focuses on binary classification, distinguishing normal from malicious network traffic, without exploring more detailed classification schemes, such as identifying specific attack types or characterizing the severity of an intrusion.
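Moving from binary to finer-grained detection largely amounts to replacing the two-valued label with an attack-type label; most classifiers handle multi-class targets directly. A minimal sketch, in which the class names and synthetic feature distributions are purely illustrative assumptions:

```python
# Multi-class IDS sketch: flows labeled by attack type instead of benign/malicious.
# Class names, feature centers, and data are illustrative assumptions.
import numpy as np
from sklearn.ensemble import RandomForestClassifier

rng = np.random.default_rng(1)
classes = ["benign", "dos", "port_scan"]

# Each hypothetical class gets its own synthetic distribution over 4 flow features.
centers = {"benign": [10, 500, 800, 40],
           "dos": [2, 5000, 50, 400],
           "port_scan": [1, 60, 10, 900]}
X = np.vstack([rng.normal(centers[c], 50, size=(300, 4)) for c in classes])
y = np.repeat(classes, 300)

clf = RandomForestClassifier(n_estimators=50, random_state=1).fit(X, y)

sample = np.array([[2, 5100, 45, 380]])  # resembles the synthetic "dos" profile
print(clf.predict(sample)[0])
```

The predicted label then names the suspected attack type rather than a bare alert, which is one of the more detailed schemes the paragraph above refers to.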
3. Advantages of Machine Learning in Network Security
Within Control Systems (CS) networks, a wide array of components communicate with one another. An attacker with proficient knowledge of networks, operating systems, and software can exploit these components to gain unauthorized access and carry out malicious activities within the control system. Among the many types of attack a network may encounter, three notable threats deserve attention: denial of service (DoS), spoofing, and eavesdropping. During a DoS attack, the intruder inundates the network with a barrage of valid or invalid messages, impairing the availability of network resources. Spoofing involves the attacker assuming the identity of a legitimate user to gain unauthorized access to privileged data and network resources. Eavesdropping refers to attacks on the confidentiality of data transmitted across the network; in wireless networks, eavesdropping by third parties poses a significant threat, since attackers can intercept transmissions over the air from a considerable distance, beyond the company's premises. The ongoing cat-and-mouse game between attackers and Intrusion Detection Systems has spurred significant advancements in security measures, but it has also given rise to increasingly subtle and difficult-to-identify attack methods. The key benefits introduced by ML in the context of networking cybersecurity are the following:
Threat detection: Machine learning can be used to develop predictive models capable of identifying and detecting suspicious behavior or cyber attacks in communication networks. These models can analyze large amounts of data in real time from various sources, such as network logs, packet traffic and user behavior, in order to identify anomalies and patterns associated with malicious activity.
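A hedged sketch of this idea: an unsupervised model (here scikit-learn's IsolationForest, one possible choice among many) is fitted on mostly-normal traffic features and then flags outlying flows as suspicious. The feature layout and values are synthetic assumptions.

```python
# Unsupervised threat-detection sketch: fit on normal traffic, flag outliers.
# Features [duration_s, bytes, packets] and all values are illustrative.
import numpy as np
from sklearn.ensemble import IsolationForest

rng = np.random.default_rng(2)
normal_traffic = rng.normal([10, 1000, 50], [3, 200, 10], size=(500, 3))

detector = IsolationForest(contamination=0.01, random_state=2)
detector.fit(normal_traffic)

# predict() returns +1 for inliers (normal) and -1 for outliers (suspicious).
new_flows = np.array([
    [11, 950, 48],        # close to the normal profile
    [0.2, 90000, 5000],   # short, high-volume burst (DoS-like)
])
print(detector.predict(new_flows))
```

Because no attack labels are needed for training, this style of detector can raise alerts on traffic patterns it has never seen labeled examples of.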
Automation of attack responses: Automation is a key aspect of communication network security. Machine learning algorithms can help automate the response to an attack, enabling a rapid and effective reaction to threats. For example, a machine learning system can be trained to recognize certain types of attack and automatically trigger appropriate countermeasures, such as isolating compromised devices or changing security rules.
Detection of new attack types: As cyber threats evolve, new types of attack constantly emerge. The traditional signature-based approach may not be sufficient to detect these new threats. Machine learning algorithms can help recognize anomalous patterns or behavior that may indicate the emergence of new attack types, even in the absence of specific signatures.
Reduction of false positives: Traditional security systems often generate large numbers of false positives, i.e., they falsely report normal activity as an attack. This can waste time and valuable resources on irrelevant reports. Machine learning models can help reduce false positives, increasing the efficiency of security operations and enabling more accurate identification of real threats.
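One common lever for this trade-off is the alert threshold: instead of alerting whenever the model's estimated attack probability exceeds 0.5, a higher cut-off is used, accepting some missed detections in exchange for fewer false alarms. A sketch on synthetic data (the threshold values and distributions are illustrative assumptions):

```python
# False-positive reduction sketch: raise the alert threshold on p(attack).
# Synthetic 2-D data; thresholds 0.5 and 0.9 are illustrative choices.
import numpy as np
from sklearn.linear_model import LogisticRegression

rng = np.random.default_rng(3)
X = np.vstack([rng.normal(0, 1, (500, 2)), rng.normal(2, 1, (500, 2))])
y = np.array([0] * 500 + [1] * 500)  # 0 = benign, 1 = attack

clf = LogisticRegression().fit(X, y)
p_attack = clf.predict_proba(X)[:, 1]

for threshold in (0.5, 0.9):
    alerts = p_attack >= threshold
    false_positives = int(np.sum(alerts & (y == 0)))
    print(f"threshold={threshold}: {false_positives} false positives")
```

Raising the threshold can only shrink the alert set, so the false-positive count is non-increasing in the threshold; the operational question is how much recall one is willing to give up.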
Adaptation and continuous learning: Machine learning models can be adapted and updated in real time to address new threats and changing conditions of communication networks. With continuous learning, models can improve over time, gaining greater knowledge of threats and their variants.
Ultimately, using machine learning in communication network security offers a number of benefits, including the ability to spot threats in real time, automate responses, detect new types of attacks, and reduce false positives. These benefits help improve overall network security and protect underlying data and assets.
As schematically shown in Figure 1, the machine learning paradigm is composed of the following main steps:
Data collection: The initial phase involves collecting the training data. This data consists of labeled examples, i.e., pairs of matching inputs and outputs. For example, to build a model that recognizes images of cats, the data will contain images of cats labeled “cat” and other images labeled “not cat”.
Data preparation: This phase involves cleaning, normalizing, and transforming the training data to make it suitable for processing by the machine learning model. This can include eliminating missing data, handling categorical characteristics, and normalizing numeric values.
Model selection and training: In this phase, the machine learning model appropriate for the problem at hand is selected. The model is then trained on the training data, during which it learns the patterns and relationships present in the data. Training iteratively adjusts the model to minimize the error between its predictions and the corresponding output labels.
Model evaluation: After training, the model is evaluated on separate test data that was not used during training. This assesses how well the model generalizes the learned patterns to new data. Several metrics, such as accuracy, precision, and the area under the ROC curve, are used to evaluate model performance.
Model usage: Once the model has been trained and evaluated, it can be used to make predictions on new input data. The model applies the relationships learned during training to make predictions about new input instances.
Figure 1. Schematic representation of the machine learning workflow.
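The workflow of Figure 1 can be sketched end to end in a few lines; the dataset, the choice of a support vector machine, and the scaling step are illustrative assumptions rather than a prescribed recipe.

```python
# Compact sketch of the ML workflow on synthetic data:
# collection -> preparation -> training -> evaluation -> usage.
import numpy as np
from sklearn.model_selection import train_test_split
from sklearn.pipeline import make_pipeline
from sklearn.preprocessing import StandardScaler
from sklearn.svm import SVC
from sklearn.metrics import accuracy_score

# 1. Data collection: labeled examples (here, two synthetic classes).
rng = np.random.default_rng(4)
X = np.vstack([rng.normal(0, 1, (400, 3)), rng.normal(3, 1, (400, 3))])
y = np.array([0] * 400 + [1] * 400)

# 2. Data preparation: hold out a test set; scaling runs inside the pipeline.
X_train, X_test, y_train, y_test = train_test_split(
    X, y, test_size=0.2, random_state=4, stratify=y)

# 3. Model selection and training.
model = make_pipeline(StandardScaler(), SVC())
model.fit(X_train, y_train)

# 4. Model evaluation on data unseen during training.
acc = accuracy_score(y_test, model.predict(X_test))
print(f"test accuracy: {acc:.2f}")

# 5. Model usage: predict on a new input instance.
print(model.predict([[2.9, 3.1, 3.0]]))
```

Wrapping the scaler and classifier in one pipeline keeps the preparation step tied to the model, so the same transformation is applied consistently at training and prediction time.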