A GP-based ensemble classification framework for time-changing streams of intrusion detection data
METHODOLOGIES AND APPLICATION
Gianluigi Folino · Francesco Sergio Pisani · Luigi Pontieri
© Springer-Verlag GmbH Germany, part of Springer Nature 2020
Abstract

Intrusion detection tools have largely benefited from the use of supervised classification methods developed in the field of data mining. However, the data produced by modern system/network logs pose many problems, such as the streaming and non-stationary nature of such data, their volume and velocity, and the presence of imbalanced classes. Classifier ensembles appear to be a valid solution for this scenario, owing to their flexibility and scalability. In particular, data-driven schemes for combining the predictions of multiple classifiers have been shown to be superior to traditional fixed aggregation criteria (e.g., averaging of predictions and weighted voting). In intrusion detection settings, however, such schemes must be devised in an efficient way, since (part of) the ensemble may need to be re-trained frequently. A novel ensemble-based framework is proposed here for online intrusion detection, where the ensemble is updated through an incremental stream-oriented learning scheme in response to the detection of concept drifts. Differently from mainstream ensemble-based approaches in the field, our proposal relies on deriving, through an efficient genetic programming (GP) method, an expressive kind of combiner function defined in terms of (non-trainable) aggregation functions. This approach is supported by a system architecture that integrates different kinds of functionalities, ranging from drift detection, to the induction and replacement of base classifiers, up to the distributed computation of GP-based combiners. Experiments on both artificial and real-life datasets confirmed the validity of the approach.

Keywords: Data streams · Ensemble learning · Genetic programming · Intrusion detection · Cybersecurity
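To make the idea of a GP-derived combiner built from non-trainable aggregation functions concrete, the following Python program is an added illustration and not the authors' code: it represents a combiner as an expression tree whose internal nodes are fixed aggregators (mean, median, max, min, majority vote) and whose leaves are base-classifier scores, and it evolves such trees with a minimal mutation-only search. The aggregator set, the tree shape, the validation records and the search loop are all assumptions made for this example; the paper's actual function set, GP operators and datasets are not shown here.

```python
"""GP-style search for an ensemble combiner built from non-trainable
aggregation functions (illustrative example, not the paper's code)."""
import random
from statistics import mean, median

# Constructed validation set: each row holds the "attack" score emitted by four
# base classifiers for one log record; LABELS gives the ground truth
# (1 = intrusion, 0 = normal). The values are made up for this example.
BASE_PREDICTIONS = [
    [0.9, 0.8, 0.2, 0.7],
    [0.1, 0.2, 0.1, 0.3],
    [0.6, 0.1, 0.1, 0.2],
    [0.4, 0.3, 0.2, 0.4],
    [0.7, 0.2, 0.1, 0.1],
    [0.2, 0.9, 0.1, 0.1],
    [0.8, 0.7, 0.9, 0.6],
    [0.6, 0.1, 0.4, 0.2],
]
LABELS = [1, 0, 1, 0, 1, 0, 1, 0]
THRESHOLD = 0.5

# Non-trainable aggregation functions (assumed set): the search only combines
# these, it never fits weights, so a combiner is cheap to re-evaluate when the
# ensemble changes after a concept drift.
AGGREGATORS = {
    "mean": lambda xs: mean(xs),
    "median": lambda xs: median(xs),
    "max": max,
    "min": min,
    "vote": lambda xs: sum(1 for x in xs if x >= THRESHOLD) / len(xs),
}

# A combiner is an expression tree: ("clf", i) reads base classifier i's score,
# ("agg", name, [subtrees]) applies one aggregator to its children's outputs.

def evaluate(tree, scores):
    """Return the combiner's score in [0, 1] for one record's base scores."""
    if tree[0] == "clf":
        return scores[tree[1]]
    _, name, children = tree
    return AGGREGATORS[name]([evaluate(c, scores) for c in children])

def accuracy(tree, preds, labels):
    """Fraction of records whose thresholded combiner score matches the label."""
    hits = sum((evaluate(tree, s) >= THRESHOLD) == bool(y)
               for s, y in zip(preds, labels))
    return hits / len(labels)

def random_tree(rng, n_clf, depth):
    """Grow a random combiner tree of at most the given depth."""
    if depth == 0 or rng.random() < 0.3:
        return ("clf", rng.randrange(n_clf))
    arity = rng.randint(2, n_clf)
    return ("agg", rng.choice(list(AGGREGATORS)),
            [random_tree(rng, n_clf, depth - 1) for _ in range(arity)])

def mutate(tree, rng, n_clf):
    """Replace one randomly chosen subtree with a fresh random subtree."""
    if tree[0] == "clf" or rng.random() < 0.2:
        return random_tree(rng, n_clf, 2)
    _, name, children = tree
    i = rng.randrange(len(children))
    new_children = list(children)
    new_children[i] = mutate(children[i], rng, n_clf)
    return ("agg", name, new_children)

def evolve_combiner(preds, labels, generations=40, pop_size=20, seed=0):
    """Evolve a combiner on validation data. The fixed mean-of-all combiner
    seeds the population, so the result is never worse than plain averaging."""
    rng = random.Random(seed)
    n_clf = len(preds[0])
    baseline = ("agg", "mean", [("clf", i) for i in range(n_clf)])
    population = [baseline] + [random_tree(rng, n_clf, 3) for _ in range(pop_size - 1)]
    best = max(population, key=lambda t: accuracy(t, preds, labels))
    for _ in range(generations):
        scored = sorted(population, key=lambda t: accuracy(t, preds, labels), reverse=True)
        parents = scored[: pop_size // 4]          # truncation selection
        population = parents + [mutate(rng.choice(parents), rng, n_clf)
                                for _ in range(pop_size - len(parents))]
        gen_best = max(population, key=lambda t: accuracy(t, preds, labels))
        if accuracy(gen_best, preds, labels) > accuracy(best, preds, labels):
            best = gen_best
    return best, accuracy(best, preds, labels)

if __name__ == "__main__":
    tree, acc = evolve_combiner(BASE_PREDICTIONS, LABELS)
    print(f"evolved combiner: {tree}\naccuracy on validation data: {acc:.3f}")
```

On the constructed records, plain averaging and plain max both misclassify two of the eight records, for different reasons (averaging dilutes a lone confident detector, max is fooled by a single false positive), which is exactly the kind of gap a data-driven combiner can close. In a streaming deployment the validation records would be a recent labeled window, and the search would be re-run only when a drift detector fires, which is why keeping the aggregators non-trainable matters for cost.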
Communicated by V. Loia.

Corresponding author: Gianluigi Folino, [email protected], ICAR-CNR, Rende, Italy

1 Introduction

Cyber-security issues are attracting increasing interest in disparate fields, owing to the severe threats that cyber crime poses to citizens, companies, and governments (CERT Australia 2012). Intrusion detection tools constitute a valuable solution in this context, for the timely recognition of malicious behaviors and, eventually, for protecting information systems, sensitive information, and physical/monetary assets. Basically, an Intrusion Detection System (IDS) is a system devoted to automatically detecting suspicious activities that witness unauthorized accesses (intrusions) to a computer system/network, based on a continuous analysis of different kinds of log data (e.g., network traffic logs, application/system logs, etc.). A great many proposals have appeared in the literature over the last two decades that leverage classification-oriented data mining techniques for detecting and analyzing intrusions based on these data. However, such a c