DML-IDS: Distributed Multi-Layer Intrusion Detection System for Securing Healthcare Infrastructure
In recent years, the number of cyberattacks targeting healthcare resources has rapidly increased. Conventional IDSs rely heavily on predefined rules and attack signatures. However, modern zero- day attacks with unpredictable behavior and multi-vector attack patterns can still breach healthcare networks. When a new type of cyberattack targets a specific server, an existing IDS may fail to detect it because it depends on static, predefined rules. To address these issues, we propose DML- IDS: Distributed Multi-Layer Intrusion Detection System, designed to operate across multiple nodes in a network to collaboratively detect suspicious activities. The proposed approach employs a multi- layer ensemble strategy to improve detection accuracy while reducing computational overhead on a single machine. All incoming network packets are first analyzed by the Distributed Threat Analysis Module (DTAM), which runs a Random Forest-based model as the base classifier to distinguish between benign and malicious traffic. Based on the nature and severity of the threat, malicious packets are flagged as highAlert (HA) in the Threat Prioritization Layer (TPL) and then forwarded to the respective Confirmatory Ensemble Model (CEM) for further, attack-specific analysis. These CEM models are designed to scale efficiently and detect zero-day as well as multi-vector attacks. The proposed model was trained on the CICIDS-2017 dataset. DTAM achieved an accuracy of 98.5%, while the CEM models for DDoS, Patator, and Web Attack achieved 99.01%, 98.87%, and 98.91% accuracy, respectively. Furthermore, the computational overhead of the DML-IDS architecture was evaluated and compared with an existing ensemble learning-based IDS.