| dc.description.abstract |
The rapid adoption of Information and Communication Technologies (ICTs) in Kenyan public universities has enhanced administrative efficiency and academic delivery. Still, it has also exposed networks to escalating cyber threats, including intrusions and data breaches. The study reveals the challenges faced by institutions of higher learning as they advance their information technology infrastructure while threats to their cybersecurity rise. The main goal of this study was to develop a model for Intrusion Detection and Prevention in the field of cybersecurity, aimed at evaluating and mitigating the network-related attacks faced by public universities in Kenya. This study adopted the Design Science Research Methodology and focused on security incident data extracted from the Kenya Education Network (KENET). An empirical analysis was conducted on network vulnerabilities and attack patterns in Kenyan public university networks, leveraging Secure Shell (SSH) and security event logs. Employing a quantitative approach, this study categorized vulnerabilities by severity and Common Vulnerabilities and Exposures (CVEs), revealing that medium-severity attacks dominate (94.4%), with SSH-general (57.3%) and CVE-2023-48795 (37.4%) incidents prevalent, peaking between 01:00 and 03:00 a.m. These findings highlighted critical risks, such as protocol downgrade attacks and brute-force attempts, necessitating robust cybersecurity measures. Initial training of Logistic Regression, Decision Tree, Support Vector Machine, Random Forest and K-Nearest Neighbors classifiers led to overfitting. Synthetic data of the same size as the original data (1290 responses) was created and used to build a stacking model. The model included Logistic Regression, K-Nearest Neighbors and Random Forest classifiers. The stacking model had an accuracy of 0.9516, recall of 0.9516, precision of 0.9522 and an F1-score of 0.9420.
The mean probability of an attack was 2.24%, 95.66% and 1.03% for critical, medium and low severity, respectively, with a 1.07% chance of an informational-severity event. Permutation feature importance revealed that the attack cve-2023-48795;cve-2024-6387;ssh, which corresponded to critical severity, had the highest impact on the model, at 14%. Overall, the tag, algorithm type, password authentication method and the city in which the server is located were critical to model performance, contributing about 41.38%, 17.24%, 13.80% and 10.34% respectively, amounting to about 82.76% in total. The proposed actionable recommendations included automated vulnerability scanning, real-time monitoring, and adoption of the model to strengthen cybersecurity strategies and enhance network resilience. |
en_US |