Performance Investigation of Principal Component Analysis for Intrusion Detection System Using Different Support Vector Machine Kernels

The growing number of security threats has prompted the use of a variety of security techniques. The most common security tools for identifying and tracking intruders across diverse network domains are intrusion detection systems. Machine Learning classifiers have begun to be used in the detection of threats, thus increasing the intrusion detection systems' performance. In this paper, an investigation model for intrusion detection systems based on the Principal Component Analysis feature selection technique and Support Vector Machine classifiers with different kernels is presented. The impact of various kernel functions used in Support Vector Machines, namely linear, polynomial, Gaussian radial basis function, and Sigmoid, is investigated. The performance of the investigation model is measured in terms of detection accuracy, True Positive, True Negative, Precision, Sensitivity, and F-measure to choose an appropriate kernel function for the Support Vector Machine. The investigation model was examined and evaluated using the KDD Cup'99 and UNSW-NB15 datasets. The obtained results prove that the Gaussian radial basis function kernel is superior to the linear, polynomial, and sigmoid kernels on both datasets. The obtained accuracy, Sensitivity, and F-measure of the Gaussian radial basis function kernel were 99.11%, 98.97%, and 99.03% for the KDD CUP'99 dataset and 93.94%, 93.23%, and 94.44% for the UNSW-NB15 dataset.


Introduction
Computer attacks are growing not only in number, but also in variety as the Internet continues to expand data exchange [1,2]. Antiviruses and firewalls can no longer guarantee the security of a wired and wireless network [3][4][5], which should be protected using multiple layers of security. An Intrusion Detection System (IDS) is the most prevalent critical layer, designed to protect its target from any possible attack by continuously monitoring computer applications. Signature-based detection (also known as "misuse detection"), anomaly detection, and hybrid IDS are the three main types of IDS [6,7]. In signature-based detection, the IDS [8,9] compares the data it collects to known attack patterns. This technique is very successful and accurate, but can only detect known attacks that have been previously recorded in a database. Anomaly detection creates a model of the system's normal behavior before looking for anomalies in the monitored data. As a result, this method can detect unknown attacks, but it frequently produces a large number of false alarms. Hybrid IDS schemes attempt to effectively combine anomaly detection and misuse detection approaches, taking into account the relevance and difficulty of the IDS operations. Several Machine Learning (ML) techniques for signature-based, anomaly-based, and hybrid IDS detection have been proposed to provide realistic IDS approaches with a high detection accuracy rate [6,10,11]. Supervised, unsupervised, and semi-supervised learning are the three main types of Machine Learning techniques focused on the use of labeled data. There are numerous ML algorithms, but Support Vector Machine (SVM) [12,13] is the most common. SVM, which is based on statistical learning theory, classifies data by defining a collection of support vectors, which are members of the labeled training data samples. An SVM's primary goal is to find the best hyperplane for classifying new data points. For the classification of non-linear data samples, SVM classifiers may use a variety of kernel functions such as linear, polynomial, Gaussian radial basis function (RBF), and sigmoid [14].
Feature selection is one of the main issues in IDS; it enhances classification efficiency by locating the subset of features that best classify the data. Some of the features may be redundant or unnecessary, so removing them is critical; otherwise, the classifier output may not be accurate. One of the most frequently used techniques for selecting features is Principal Component Analysis (PCA). PCA is an unsupervised ML algorithm, a non-parametric statistical technique that is mostly utilized in ML to reduce dimensionality [15]. It is widely used to reduce a large collection of variables into a smaller set that preserves the majority of the bigger set's features. PCA offers many benefits, such as [16] eliminating feature duplication, delivering the highest possible resolution, and boosting computing efficiency while reducing complexity.
IDS is a crucial component of the active security defense against intrusion in the cloud computing system. Cloud IDS aims to capture and process data traffic from a virtual environment. Figure 1 shows the cloud platform for IDS. To create Cloud IDS, it is imperative to use an efficient classification approach and a feature selection algorithm.
Electronics 2022, 11, x FOR PEER REVIEW
Internet of Things (IoT) technology is still in its infancy and has not reached its full security control maturity [18][19][20]. IoT systems face several security risks [21]. The IoT community has not adopted any standards-based cybersecurity strategy. As IoT use grows, the number of attacks will also increase. Among the most typical attacks launched against IoT systems are Denial of Service (DoS) [22], Distributed Denial of Service (DDoS) [23][24][25], Jamming [13,26], and Man in the Middle. IDS is a technique used to identify various IoT threats and address privacy and security concerns. IDS keeps track of internet activity across connected IoT devices. It provides a line of defense, assessing the risks and defending the network from unauthorized users and malicious activities. The following points provide a summary of the research's contributions:

1. The study provides a model for IDS using PCA that decreases the number of selected features and enhances IDS performance based on the KDD Cup '99 and UNSW-NB15 datasets.
2. The study evaluates the reduced dataset of the model using the linear, polynomial, Gaussian radial basis, and sigmoid kernel functions employed on SVM. The results prove that the Gaussian radial basis outperformed the other functions.
The remainder of the paper is organized as follows: The background and related works are discussed in Section 2. Section 3 goes into detail about the investigation model. The datasets, performance evaluation matrices, and results interpretation are all explained in Section 4. Finally, in Section 5, we explain our work's conclusion and future works.
The most frequently used abbreviations in this paper are shown in Table 1.

Background and Related Works
This section covers the fundamental concepts of the IDS, SVM classifiers, PCA, and related works.

Intrusion Detection Systems
An intrusion is a harmful act that aims to violate the security policy of the network by compromising the confidentiality, integrity, or availability of any network component [27]. IDS is a defense system that automatically monitors the activities on a computer system or network to identify breaches and then notify the user. The components of a general IDS are shown in Figure 2. IDS operates in three stages [29]: data collection, detection, and response. In the data collection stage, log data are used to create events. The data obtained by the target system are used to create these log data. Network traffic, operating system logs, and device logs are all examples of data sources. In the detection stage, the detection algorithm is implemented by the analysis engine. A variety of scripts are used to match text strings that are specific to different intrusions. The detection stage aims to help the detection system tell the difference between normal and abnormal activity in the target system. Finally, the response stage receives information about events identified as normal or abnormal by the detection stage, and decides whether to alert the administrator, automatically reconfigure the target system to keep out the intruder, or provide response mechanisms to enable manual response.
IDS are classified into three types [6], namely: IDS signature-based detection (also known as "misuse detection"), IDS anomaly detection, and hybrid IDS. In IDS signature-based detection, the signatures of malicious activities are maintained in the IDS knowledge base. These activities hurt the system's performance. When an event occurs, its signatures are examined and checked against the database. If the signatures match, it is considered an intrusion; otherwise, it is considered a normal event. IDS signature-based detection is only as good as the signatures in the database. As a result, to improve performance, more signatures should be saved in the IDS knowledge base, which is considered a disadvantage of this detection methodology. In IDS anomaly-based detection, any deviation is taken into account while detecting an intrusion. Deviation from normal behavior is analyzed and investigated. If the deviation from normal behavior is significant, the occurrence is referred to as an intrusion. This type is extremely useful in the event of unknown malicious activity, as it is easy to set up and it has a good level of accuracy. The main disadvantage of this type is that it generates a higher number of false alarms. Finally, the hybrid IDS type attempts to effectively combine the anomaly detection and misuse detection types.

Support Vector Machine (SVM)
SVM is a binary classifier and an ML approach based on the supervised ML model used for classification and regression [30]. In the SVM method, many quadratic equations, fixed rules, and statistical techniques have been used to divide the data. In addition, to address this issue, another method is used depending on the binary classification of the data, which focuses on separating hyperplanes to increase the space of the margin in the kernel functions and then storing the resulting data in the vector. Previous studies confirmed that the SVM method is one of the best techniques due to its use of the structural risk minimization feature and its powerful generalization capability. An SVM's primary goal is to determine the best hyperplane for classifying new data points. Figure 3 shows the basic idea of the SVM classifier. The kernel is a set of mathematical functions used by SVM [14]. The kernel's job is to take data and convert them into the desired format. Different types of kernel functions are used by SVM. The kernel functions employed with the SVM include linear, polynomial, RBF, and sigmoid. Table 2 shows the kernels' mathematical functions.
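The four kernels named above, as an added example that is not code from the paper: it shows why the kernel choice matters on data that no straight line through the origin can split. The kernel formulas are the standard forms used by common SVM libraries (an assumption, since only the linear row of the page's Table 2 survives), the gamma, coef0 and degree values are arbitrary choices, and a kernel perceptron stands in for SVM training so that the block needs only the standard library.

```python
import math


def dot(x, y):
    return sum(a * b for a, b in zip(x, y))


# Standard kernel forms (assumed, not taken from the page's Table 2).
def linear(x, y):
    return dot(x, y)


def polynomial(x, y, gamma=1, coef0=1, degree=2):
    return (gamma * dot(x, y) + coef0) ** degree


def rbf(x, y, gamma=1.0):
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))


def sigmoid(x, y, gamma=0.5, coef0=0.0):
    # Not positive semi-definite in general, so training has no convergence guarantee.
    return math.tanh(gamma * dot(x, y) + coef0)


KERNELS = {"linear": linear, "polynomial": polynomial, "rbf": rbf, "sigmoid": sigmoid}

# Constructed 2-D data: label -1 ("normal") on a small square around the origin,
# label +1 ("attack") in the same directions but three times further out.
INNER = [(1, 0), (1, 1), (0, 1), (-1, 1), (-1, 0), (-1, -1), (0, -1), (1, -1)]
OUTER = [(3 * x, 3 * y) for x, y in INNER]
X = INNER + OUTER
Y = [-1] * len(INNER) + [1] * len(OUTER)


def train(kernel, xs, ys, epochs=2000):
    """Kernel perceptron: alpha[i] counts how often sample i was misclassified."""
    gram = [[kernel(a, b) for b in xs] for a in xs]
    alpha = [0] * len(xs)
    for _ in range(epochs):
        mistakes = 0
        for i, y in enumerate(ys):
            score = sum(alpha[j] * ys[j] * gram[j][i] for j in range(len(xs)))
            if y * score <= 0:
                alpha[i] += 1
                mistakes += 1
        if mistakes == 0:  # every training sample is on the correct side
            break
    return alpha


def predict(kernel, xs, ys, alpha, x):
    score = sum(a * y * kernel(xi, x) for a, y, xi in zip(alpha, ys, xs))
    return 1 if score > 0 else -1


def training_accuracy(name):
    """Fraction of the constructed samples classified correctly after training."""
    kernel = KERNELS[name]
    alpha = train(kernel, X, Y)
    hits = sum(predict(kernel, X, Y, alpha, x) == y for x, y in zip(X, Y))
    return hits / len(X)


if __name__ == "__main__":
    for name in KERNELS:
        print(f"{name:10s} training accuracy = {training_accuracy(name):.2f}")
```

With the linear kernel every outer point scores exactly three times its inner partner, so the two always receive the same label and only one of each pair can be right; the polynomial and RBF kernels can separate the two groups by distance from the origin.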

Kernel    Mathematical Functions
Linear    $K(y_s, y_t) = y_s y_t$

Principal Component Analysis (PCA)
PCA is one of the most widely used dimensionality reduction approaches in the field of data mining, and it seeks to find data points with the maximum potential variance using statistical approaches [15]. Using PCA, redundancy and unnecessary features will be removed, and features will be more visible and organized in a new space called the principal space. The PCA is applied using the following six steps.
3. Sort the eigenvalues from highest to lowest.
4. Choose the k eigenvectors that correspond to the k biggest eigenvalues, where k is the new feature subspace's number of dimensions.
5. Construct the projection matrix from the k eigenvectors that were chosen.
6. Create a new k-dimensional feature space by transforming the original data.
The pseudocode for computing PCA is illustrated as follows.

Pseudocode For Computing PCA
Procedure PCA
Compute dot product matrix:
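The surviving steps above (sort the eigenvalues, keep the top k eigenvectors, build the projection matrix, transform the data), as an added example that is not the paper's code. The z-score standardization, the covariance matrix and the Jacobi eigen-solver are assumptions filling in the steps that did not survive on this page, and the records are constructed, using KDD-style feature names plus a made-up redundant total_bytes column.

```python
import math

# Constructed sample (not from KDD Cup '99 or UNSW-NB15): one row per connection,
# columns duration, src_bytes, dst_bytes, total_bytes. total_bytes is always
# src_bytes + dst_bytes, so one of the four features is fully redundant.
RECORDS = [
    [0, 181, 5450, 5631], [0, 239, 486, 725], [2, 235, 1337, 1572],
    [0, 219, 1337, 1556], [5, 217, 2032, 2249], [1, 0, 0, 0],
    [12, 1032, 0, 1032], [3, 520, 146, 666],
]


def standardize(rows):
    """Assumed preprocessing: z-score each feature (zero mean, unit variance)."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / (n - 1))
            for j in range(d)]
    return [[(r[j] - means[j]) / stds[j] for j in range(d)] for r in rows]


def covariance(z):
    """Sample covariance matrix of rows that are already centered."""
    n, d = len(z), len(z[0])
    return [[sum(r[i] * r[j] for r in z) / (n - 1) for j in range(d)]
            for i in range(d)]


def jacobi_eigen(sym, sweeps=50, tol=1e-22):
    """Eigenvalues and eigenvectors (columns of v) of a symmetric matrix,
    found by cyclic Jacobi rotations that zero one off-diagonal pair at a time."""
    d = len(sym)
    a = [row[:] for row in sym]
    v = [[float(i == j) for j in range(d)] for i in range(d)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(d) for j in range(d) if i != j) < tol:
            break
        for p in range(d - 1):
            for q in range(p + 1, d):
                if a[p][q] == 0.0:
                    continue
                diff = a[q][q] - a[p][p]
                theta = math.pi / 4 if diff == 0 else 0.5 * math.atan(2 * a[p][q] / diff)
                c, s = math.cos(theta), math.sin(theta)
                for k in range(d):  # columns p and q of A and V: M <- M J
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                    v[k][p], v[k][q] = c * v[k][p] - s * v[k][q], s * v[k][p] + c * v[k][q]
                for k in range(d):  # rows p and q of A: A <- J^T A
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
    return [a[i][i] for i in range(d)], v


def pca(rows, k):
    """Return (projected rows, eigenvalues sorted high to low, projection matrix)."""
    z = standardize(rows)
    eigvals, vecs = jacobi_eigen(covariance(z))
    d = len(eigvals)
    # Step 3: sort the eigenvalues from highest to lowest.
    order = sorted(range(d), key=lambda i: eigvals[i], reverse=True)
    # Step 4: keep the k eigenvectors belonging to the k largest eigenvalues.
    top = order[:k]
    # Step 5: projection matrix W (d x k), one chosen eigenvector per column.
    w = [[vecs[r][i] for i in top] for r in range(d)]
    # Step 6: map every record into the new k-dimensional feature space.
    projected = [[sum(row[j] * w[j][c] for j in range(d)) for c in range(k)]
                 for row in z]
    return projected, [eigvals[i] for i in order], w


def explained_variance(sorted_eigvals, k):
    """Fraction of the total variance kept by the first k principal components."""
    return sum(sorted_eigvals[:k]) / sum(sorted_eigvals)


if __name__ == "__main__":
    _, eigvals, _ = pca(RECORDS, 2)
    for k in range(1, len(eigvals) + 1):
        kept = 100 * explained_variance(eigvals, k)
        print(f"{k} component(s) keep {kept:.2f}% of the variance")
```

Because total_bytes is a linear combination of two other columns, the smallest eigenvalue is zero up to rounding, so three components keep all of the variance of the four features.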


Related Works
Several papers have been released in the previous decade to improve IDS performance. This section reviews previous papers that have aimed to improve IDS performance, utilizing SVM classification and PCA dimensionality reduction technologies.
A study by I. Sumaiya Thaseen and Ch. Aswani Kumar [31] proposed a novel model for IDS by combining PCA and SVM, then used a parameter selection method to improve the RBF kernel functions. The proposed IDS model has reduced the required time for training and testing and increased accuracy for IDS. KDDCup datasets were used to test the proposed model. The results of the proposed model outperformed other classification strategies that use SVM as the classifier, as well as other dimensionality reduction techniques.
In a study by NSKH et al. [32], the SVM classifier was used with a variety of kernels, including linear, RBF, and polynomial. Furthermore, the performance of this method was assessed using the KDDCup dataset, and measures such as detection accuracy and detection time were compared with and without the PCA method. They claimed that the PCA might minimize detection time and that the RBF kernel produces superior results with a higher detection rate, as well as faster detection speed in polynomial kernel-based SVM.
To discover and classify smart grid intrusions and attacks, a study by Raja, M Chithik Rabbani, and M Munir Ahmed [33] suggested an IDS based on SVM and PCA. The model is evaluated using KDD CUP'99 data, and numerical simulations for an intrusion detection system employing SVM and PCA are performed simultaneously on five different kernels. In addition, a comparison analysis of the proposed IDS is conducted in terms of time to response, rate of increased network efficiency and increased system error, and variations in the use or lack of use of PCA. When PCA is employed and the core of the method is radial type, the results show that the correct detection rate and the rate of attack error detection are at their best.
In a study by Ikram, Sumaiya Thaseen Cherukuri, and Aswani Kumar [34], the authors developed a hybrid IDS model by combining PCA and SVM. The developed model uses an automatic parameter selection strategy to maximize the kernel parameters of the SVM classifier. This technique optimizes the punishment factor and kernel parameter gamma, resulting in improved classifier accuracy and reduced training and testing time.
Another study was conducted by Mishra, Anukriti et al. [35]. To detect network intrusion, they proposed a supervised Machine Learning model. The proposed model uses PCA to reduce dimensionality and SVM to increase attack detection and reduce computation time. The UNSW-NB15 dataset is used to evaluate the model. The proposed model improved training and testing time by 33.75% for binary classification and 33.91% for multi-class classification, with overall accuracy of 99.99% and 99.97%, respectively.
In another study, Bhattacharya et al. [36] proposed a model to classify IDS by developing a PCA-Firefly approach. The transformation is achieved using one-hot encoding, and the dimensionality reduction is achieved using the PCA-Firefly approach. The XGBoost classifier is then used to classify the reduced dataset. The proposed model's superiority is demonstrated by experimental data. Table 3 displays a summary of previous works.

Proposed Investigation Model
The investigation model intends to improve the performance of the IDS using PCA and SVM with different kernels. This model has applied SVM with different kernels to increase the efficiency of IDS and reduce the number of features using PCA to select the best kernels. The architecture of the model is presented in Figure 4. The model for IDS is divided into four stages. The IDS model in this research primarily concentrates on the available attacks list on KDD Cup '99 and UNSW-NB15, ignoring real attacks that do not target specific attacks.

Performance Evaluation Matrices
The metrics used to evaluate the model's efficiency level are True Positive (TP), True Negative (TN), False Positive (FP), and False Negative (FN). TP, TN, FP, and FN are calculated using the confusion matrix in Table 5. Based on these measurements, other metrics such as sensitivity, precision, accuracy, and F-Measure [39] could be considered. where: TP is calculated as listed below: TN is calculated as listed below: FP is calculated as listed below: FN is calculated as listed below: Accuracy is calculated as listed below: Precision is calculated as listed below: Sensitivity is calculated as listed below: The F-Measure is calculated as listed below:
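How these metrics follow from a confusion matrix, as an added example that is not the paper's code. The formulas are the standard definitions (an assumption, since the page's own equations did not survive), the label vectors are constructed, and the REPORTED percentages are copied from the results section of this page so that each F-Measure can be checked against the harmonic mean of its precision and sensitivity.

```python
# (precision %, sensitivity %, F-Measure %) as reported in this page's results.
REPORTED = {
    ("KDD CUP'99", "linear"): (96.94, 93.90, 95.39),
    ("KDD CUP'99", "poly"): (99.12, 97.16, 98.13),
    ("KDD CUP'99", "RBF"): (99.10, 98.97, 99.03),
    ("KDD CUP'99", "sigmoid"): (85.00, 85.25, 85.13),
    ("UNSW-NB15", "linear"): (93.28, 91.71, 92.49),
    ("UNSW-NB15", "poly"): (94.16, 90.18, 92.13),
    ("UNSW-NB15", "RBF"): (95.67, 93.23, 94.44),
    ("UNSW-NB15", "sigmoid"): (75.70, 75.93, 75.82),
}

# Constructed labels for nine connections (not taken from either dataset).
Y_TRUE = ["attack", "attack", "attack", "normal", "normal",
          "normal", "normal", "attack", "attack"]
Y_PRED = ["attack", "attack", "normal", "normal", "normal",
          "attack", "normal", "attack", "normal"]


def confusion_counts(y_true, y_pred, positive="attack"):
    """Return (TP, TN, FP, FN) with `positive` as the class being detected."""
    tp = tn = fp = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if pred == positive:
            if truth == positive:
                tp += 1
            else:
                fp += 1
        elif truth == positive:
            fn += 1
        else:
            tn += 1
    return tp, tn, fp, fn


def metrics(tp, tn, fp, fn):
    """Standard definitions; a ratio with a zero denominator is reported as 0.0.
    A detector that never raises an alert still scores high accuracy on
    imbalanced traffic, which is why sensitivity is reported next to it."""
    total = tp + tn + fp + fn
    accuracy = (tp + tn) / total if total else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    sensitivity = tp / (tp + fn) if tp + fn else 0.0
    denom = precision + sensitivity
    f_measure = 2 * precision * sensitivity / denom if denom else 0.0
    return {"accuracy": accuracy, "precision": precision,
            "sensitivity": sensitivity, "f_measure": f_measure}


def f_measure_gaps(reported):
    """Absolute gap between each reported F-Measure and 2PR / (P + R)."""
    return {key: abs(f - 2 * p * r / (p + r)) for key, (p, r, f) in reported.items()}


def inconsistent_rows(reported, tolerance=0.01):
    """Rows whose gap exceeds what two-decimal rounding of the inputs can explain."""
    return sorted(k for k, gap in f_measure_gaps(reported).items() if gap > tolerance)


if __name__ == "__main__":
    print(metrics(*confusion_counts(Y_TRUE, Y_PRED)))
    for key, gap in f_measure_gaps(REPORTED).items():
        print(key, f"gap = {gap:.4f}")
    print("inconsistent rows:", inconsistent_rows(REPORTED))
```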

Experimental Design, Analysis, and Findings
The model testing was conducted on a 3.40 GHz i7 CPU with 6.0 GB RAM using Windows 7 as the operating system. The experiments were carried out using the open-source Anaconda Python distribution on the KDD CUP'99 and UNSW-NB15 datasets. The model was implemented using the Python scikit-learn (sklearn) tools. An estimator for classification in sklearn is a Python object that implements the fit() and predict(T) functions. The estimator used in this model is SVM with different kernels, which is imported from the class sklearn.svm.SVC. The input parameters used to classify attacks were chosen based on PCA using the following function.
from sklearn.decomposition import PCA
pca = PCA(n_components=2)
# Fit the projection on the training split only, then reuse it for the test split.
X_train = pca.fit_transform(X_train)
X_test = pca.transform(X_test)
A model needs to be trained before predictions can be made. Using the train/test splits method, we have trained the models. The data were split using the following function.
from sklearn.model_selection import train_test_split
# Hold out 20% of the samples for testing; random_state fixes the shuffle.
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.2, random_state=0)
Using our finalized classification model in sklearn and the predict() function, we can predict the class for new data samples. The attack was predicted using the following function.
Y_pred = classifier.predict(X_first)
Figure 5 shows the obtained confusion matrix of prediction for the KDD CUP'99 dataset for different SVM kernel functions.

Based on the obtained confusion matrices for the KDD CUP'99 and UNSW-NB15 datasets, as shown in Figures 5 and 6, respectively, the performance evaluation metrics have been calculated to assess the investigation model. Table 6 shows the results of the performance metrics of the investigation model.


Experimental Results and Discussion
This section discusses the experiment's results. Figure 7 shows the accuracy of the different SVM kernel functions with PCA feature reduction based on the KDD CUP'99 and UNSW-NB15 datasets. Accuracy is defined as the percentage of correct predictions made by a classifier compared to the actual value of the label. The obtained accuracy for KDD CUP'99 based on SVM-linear, SVM-poly, SVM-RBF, and SVM-sigmoid is 95.81%, 98.29%, 99.11%, and 86.25%, respectively. The obtained accuracy for UNSW-NB15 based on SVM-linear, SVM-poly, SVM-RBF, and SVM-sigmoid is 91.78%, 91.50%, 93.94%, and 73.28%, respectively. Based on the obtained data, the SVM-RBF kernel function outperformed the other kernel functions for both datasets in terms of accuracy.
Precision is defined as the percentage that indicates how many of the items detected are true predictions by the classifier. Figure 8 shows the precision of the different SVM kernel functions with PCA feature reduction based on the KDD CUP'99 and UNSW-NB15 datasets. The precision for SVM-linear, SVM-poly, SVM-RBF, and SVM-sigmoid using the KDD CUP'99 dataset is 96.94%, 99.12%, 99.10%, and 85.00%, respectively. Meanwhile, the precision for SVM-linear, SVM-poly, SVM-RBF, and SVM-sigmoid using the UNSW-NB15 dataset is 93.28%, 94.16%, 95.67%, and 75.70%, respectively. The obtained data show that the SVM-poly kernel function outperformed the other kernel functions for the KDD CUP'99 dataset in terms of precision, by a very slight margin over the SVM-RBF function. Concerning the UNSW-NB15 dataset, the SVM-RBF kernel function outperformed the other kernel functions.
Sensitivity is defined as the percentage of true positives accurately identified by the classifier. Figure 9 shows the sensitivity of the proposed model. The sensitivity of SVM-linear, SVM-poly, SVM-RBF, and SVM-sigmoid using the KDD CUP'99 dataset is 93.90%, 97.16%, 98.97%, and 85.25%, respectively. Meanwhile, the sensitivity of SVM-linear, SVM-poly, SVM-RBF, and SVM-sigmoid using the UNSW-NB15 dataset is 91.71%, 90.18%, 93.23%, and 75.93%, respectively. The obtained data show that the SVM-RBF kernel function outperformed the other kernel functions in both datasets in terms of sensitivity.

Figure 8. Precision
Figure 9. Sensitivity.
The F-Measure or F-score is defined as the harmonic average of the precision and sensitivity. Figure 10 shows the F-Measure of the different SVM kernel functions with PCA feature reduction based on the KDD CUP'99 and UNSW-NB15 datasets. The F-Measure using the KDD CUP'99 dataset for SVM-linear, SVM-poly, SVM-RBF, and SVM-sigmoid is 95.39%, 98.13%, 99.03%, and 85.13%, respectively. Meanwhile, the F-Measure using the UNSW-NB15 dataset for SVM-linear, SVM-poly, SVM-RBF, and SVM-sigmoid is 92.49%, 92.13%, 94.44%, and 75.82%, respectively. The obtained data show that the SVM-RBF kernel function outperformed the other kernel functions for both datasets in terms of the F-Measure. The following findings can be drawn from the above investigations: (a) The RBF kernel function is the best compared to linear, polynomial, and Sigmoid. (b) The Sigmoid kernel function is the worst.

Conclusions and Future Works
This paper introduced a model to investigate the IDS using PCA feature reduction techniques and SVM classifiers with various kernel functions (linear, polynomial, RBF, and Sigmoid). On the KDD CUP'99 and UNSW-NB15 datasets, several SVM kernel functions were utilized, and Anaconda Python open source was used for simulations. The confusion matrix was used to examine the results. The efficiency of the investigation model was assessed using accuracy, precision, sensitivity, and F-Measure. The results of the analysis reveal that the RBF kernel function has superiority compared to linear, polynomial, and Sigmoid kernel functions in terms of accuracy, precision, sensitivity, and F-Measure for IDS. In future research, the modern dataset for IDS can be used to analyze this model, and a new kernel function for SVM will be developed to outperform the RBF kernel function. Additionally, other feature reduction techniques will be used instead of PCA. A limitation of the paper is that it only focuses on reducing the features using PCA and classifying the attacks that only exist on KDD CUP'99 and UNSW-NB15 using SVM with different kernel functions, and does not consider modern attacks such as DDoS, Phishing, or Brute force.
