A Hybrid Context-Aware Intrusion Detection Model for Enterprise Networks Using Machine Learning and Signature-Based Analysis

Intrusion Detection Systems (IDS) remain essential for enterprise and IoT security, yet traditional approaches struggle to balance accuracy, scalability, and adaptability to evolving threats. Signature-based systems such as Suricata efficiently identify known threats but fail against zero-day and polymorphic attacks. Conversely, standalone machine learning models detect novel attacks but often suffer from high false-positive rates and lack contextual reasoning necessary for operational triage. This research addresses these limitations by proposing a hybrid intrusion detection system that integrates Suricata for signature-based detection, ensemble machine learning models for anomaly detection, and the Diamond Model of Intrusion Analysis (DMIA) for contextual reasoning. The system was implemented and evaluated using the CIC-IoT 2023 and TabularIoTAttack 2024 datasets. Experiments demonstrated high detection accuracy (98.6%), precision (98.1%), recall (97.6%), and a low false positive rate (1.2%). The DMIA integration uniquely contextualized each intrusion attempt by mapping it to adversary, capability, infrastructure, and victim dimensions, enhancing both situational awareness and response prioritization. The proposed system bridges the gap between academic IDS models and operationally deployable security platforms by combining deterministic rule-based detection with probabilistic machine learning and structured contextual analysis, offering a robust framework for next-generation enterprise and IoT network defense.