Computer science
Intrusion detection system
Data mining
Constant false alarm rate
Benchmark (surveying)
Anomaly-based intrusion detection system
Data preprocessing
Categorical variable
Boosting (machine learning)
Preprocessor
Artificial intelligence
Machine learning
Geodesy
Geography
Authors
Dongzi Jin, Yiqin Lu, Jiancheng Qin, Zhe Cheng, Zhongshu Mao
Identifier
DOI: 10.1016/j.cose.2020.101984
Abstract
High-speed networks are becoming common nowadays. Naturally, a challenge that arises is that an intrusion detection system (IDS) must detect attacks in a timely manner within the huge volumes of traffic data produced by high-speed networks. Existing IDSs, however, mainly focus on improving the detection rate and reducing the false alarm rate, which makes them complicated and time-consuming. In this paper, we propose an IDS named SwiftIDS, which is capable of both analyzing massive traffic data in high-speed networks in a timely manner and keeping satisfactory detection performance. SwiftIDS achieves these goals by two approaches. The first is that the light gradient boosting machine (LightGBM) is adopted as the intrusion detection algorithm to handle the massive traffic data. The motivation for this approach is not only to take advantage of LightGBM's effective detection performance, but also to use its support for categorical features to simplify data preprocessing. The second is that a parallel intrusion detection mechanism is used to analyze traffic data arriving in different time windows. In this way, the delay caused by later-arriving data waiting for the end of the intrusion detection cycle of the earlier-arriving data is avoided. The time efficiency and satisfactory detection performance of SwiftIDS are verified through offline experiments on three benchmark datasets. Furthermore, we perform a near-real-time experiment to provide more convincing evidence of the timeliness of SwiftIDS.