Robust Network Intrusion Detection System Based on Machine-Learning with Early Classification

Project Code: TCMAPY1609

Objective

The objective of this project is to design a robust network intrusion detection system using machine learning techniques that enable early and accurate classification of malicious activities. The system aims to enhance cybersecurity by detecting intrusions in real-time, minimizing response time, and improving the overall security posture of network infrastructures.

Abstract

Network Intrusion Detection Systems (NIDSs) using pattern matching have a fatal weakness: they cannot detect new attacks, because they only learn existing patterns and use them to detect those attacks. To solve this problem, a machine learning-based NIDS (ML-NIDS) detects anomalies through ML algorithms by analyzing the behavior of protocols. However, the ML-NIDS learns the characteristics of attack traffic from training data, so it, too, is inevitably vulnerable to attacks that have not been learned, just like pattern-matching NIDSs. Therefore, in this study, by analyzing the characteristics of learning using representative features, we show that a network intrusion outside the scope of the learned data in the feature space can bypass the ML-NIDS. Classifying an active session early, before it goes outside the detection range of the ML-NIDS training dataset, can effectively prevent this bypass. Various experiments confirmed that the proposed method can detect intrusion sessions early (before sessions terminate), significantly improving the robustness of the existing ML-NIDS. The proposed approach can provide more robust and more accurate classification with the same classification datasets compared to existing approaches, so we expect it to be used as one feasible solution to overcome the weaknesses and limitations of existing ML-NIDSs.

Keywords: Decision Tree, Random Forest, XGBoost, AdaBoost, ANN, CNN.
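
The early-classification idea in the abstract, as an added example that is not the project's or the paper's code: a nearest-centroid classifier gives its verdict on the first K packets of a session and is compared with the same model applied to the whole session. The two features, the value of K, the classifier choice and every session below are constructed assumptions.

```python
# Added illustration, not the project's code. Features, K and all sessions are constructed.
from statistics import mean

K = 4  # assumed: number of opening packets used for the early verdict

TRAIN = [  # (label, [(packet_size_bytes, gap_ms), ...]) constructed training sessions
    ("benign", [(1000, 50)] * 6), ("benign", [(1200, 40)] * 6),
    ("attack", [(80, 1)] * 6), ("attack", [(100, 2)] * 6),
]
# Constructed session: opens like the attack class, then its averages drift away.
DRIFTING = [(80, 1)] * 4 + [(1400, 60)] * 20

def features(packets):
    """Mean packet size and mean inter-arrival gap over the given packets."""
    return (mean(p[0] for p in packets), mean(p[1] for p in packets))

def train(sessions, k=K):
    """Nearest-centroid model built from the first k packets of each session."""
    by_label = {}
    for label, packets in sessions:
        by_label.setdefault(label, []).append(features(packets[:k]))
    return {lbl: tuple(mean(col) for col in zip(*f)) for lbl, f in by_label.items()}

def classify(model, packets):
    """Label of the centroid closest (squared Euclidean) to the packets' features."""
    f = features(packets)
    return min(model, key=lambda lbl: sum((a - b) ** 2 for a, b in zip(f, model[lbl])))

def early_classify(model, stream, k=K):
    """Return (verdict, packets_seen) once k packets arrive; later packets are ignored."""
    seen = []
    for pkt in stream:
        seen.append(pkt)
        if len(seen) == k:
            break
    if not seen:
        return ("unknown", 0)  # no packets observed yet
    return (classify(model, seen), len(seen))  # short sessions use what is available

if __name__ == "__main__":
    model = train(TRAIN)
    print("end of session:", classify(model, DRIFTING))
    print("early:", early_classify(model, iter(DRIFTING)))
```

With the same training data, the whole-session features of the drifting session land nearest the benign centroid, while the verdict taken at packet K is fixed before the drift occurs.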

NOTE: Please do not submit this to the college without consulting our team. This abstract varies based on student requirements.

Specifications

4.2 Hardware Requirements

Processor: I3/Intel Processor
Hard Disk: 160GB
Keyboard: Standard Windows Keyboard
Mouse: Two or Three Button Mouse
Monitor: SVGA
RAM: 8GB

4.3 Software Requirements

Operating System: Windows 7/8/10
Server-side Script: HTML, CSS, Bootstrap & JS
Programming Language: Python
Libraries: Flask, Pandas, Mysql.connector, Os, Smtplib, Numpy
IDE/Workbench: PyCharm
Technology: Python 3.6+
Server Deployment: Xampp Server
Database: MySQL