Combining Heterogeneous Classifiers for Network Intrusion Detection



Abstract. Extensive use of computer networks and online electronic data, together with high demand for security, has called for reliable intrusion detection systems. A repertoire of different classifiers has been proposed for this problem over the last decade. In this paper we propose a combining classification approach for intrusion detection. The outputs of four base classifiers (ANN, SVM, kNN and decision trees) are fused using three combination strategies: majority voting, Bayesian averaging and a belief measure. Our results support the superiority of the proposed approach over single classifiers for the problem of intrusion detection.

Keywords: Intrusion Detection, Combined Classifiers, PCA, Misuse Detection, Anomaly Detection.
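The following sketch of two of the fusion strategies named in the abstract, majority voting and Bayesian averaging, is an added example and not code from the paper. It assumes each base classifier emits a posterior estimate per class and that Bayesian averaging is the arithmetic mean of those estimates; the class labels and posterior values are constructed, and the belief measure is left out because this page does not define it.

```python
from collections import Counter

CLASSES = ["normal", "dos", "probe"]  # constructed label set (assumption)

def majority_vote(posteriors):
    """Each classifier votes for its argmax class; a tie returns None (reject)."""
    votes = Counter(max(p, key=p.get) for p in posteriors.values())
    ranked = votes.most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]

def bayesian_average(posteriors):
    """Average the per-class posterior estimates, then pick the argmax class."""
    n = len(posteriors)
    avg = {c: sum(p[c] for p in posteriors.values()) / n for c in CLASSES}
    return max(avg, key=avg.get), avg

# Constructed record 1: three classifiers lean weakly towards "normal",
# the decision tree is very confident the record is a probe.
WEAK_MAJORITY = {
    "ann":  {"normal": 0.45, "dos": 0.15, "probe": 0.40},
    "svm":  {"normal": 0.40, "dos": 0.25, "probe": 0.35},
    "knn":  {"normal": 0.42, "dos": 0.20, "probe": 0.38},
    "tree": {"normal": 0.02, "dos": 0.03, "probe": 0.95},
}

# Constructed record 2: the four votes split 2-2 between "normal" and "dos".
SPLIT = {
    "ann":  {"normal": 0.60, "dos": 0.30, "probe": 0.10},
    "svm":  {"normal": 0.55, "dos": 0.40, "probe": 0.05},
    "knn":  {"normal": 0.20, "dos": 0.70, "probe": 0.10},
    "tree": {"normal": 0.10, "dos": 0.85, "probe": 0.05},
}

if __name__ == "__main__":
    for name, record in (("weak majority", WEAK_MAJORITY), ("split", SPLIT)):
        label, avg = bayesian_average(record)
        print(name, "| vote:", majority_vote(record), "| average:", label,
              {c: round(v, 4) for c, v in avg.items()})
```

Majority voting discards confidence, so three marginal "normal" votes outweigh one near-certain "probe", and an even number of base classifiers can tie; averaging the posteriors resolves both records differently.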

I. Cervesato (Ed.): ASIAN 2007, LNCS 4846, pp. 254–260, 2007. © Springer-Verlag Berlin Heidelberg 2007

1 Introduction

With the rapid development of Internet-based technology, new application domains in computer networks have emerged. As networks grow in both importance and size, there is an increasing need for effective security monitors such as network intrusion detection systems to prevent illicit accesses. Intrusion detection systems provide a layer of defense which oversees network traffic to identify suspicious activity or patterns that may suggest potentially hostile traffic. One promising indicator for network intrusion detection is the abnormal access pattern generated by scans. Sources that attempt to access an unusual number of uncommon or non-existent destinations, or propagate an irregular number of failed connections, are often deemed suspicious [1].

An intrusion detection system (IDS) attempts to detect attacks by monitoring and controlling the network behavior. While many existing IDSs require manual definitions of normal and abnormal behavior (intrusion signatures), recent work has shown that it is possible to identify abnormalities automatically using machine learning or data mining techniques. These works analyze network or system activity logs to generate models or rules, which the IDS can use to detect intrusions that can potentially compromise the system reliability.

Numerous approaches based on soft computing techniques such as artificial neural networks and fuzzy inference systems have been proposed in the literature for the purpose of intrusion detection. In [2], two hierarchical neural network frameworks, serial hierarchical IDS (SHIDS) and parallel hierarchical IDS (PHIDS), are proposed. BPL and RBF are two important learning algorithms used in these neural networks. The authors have shown that BPL has a slightly better performance than RBF in the case of misuse detection, while RBF takes less training time. On the other hand, RBF shows a better performance in the case of anomaly detection. In [3], the authors proposed ANN and support vector machine (SVM) algorithms for ID with a frequency-based encoding method. In the chosen DARPA data set, they used 250 attacks and 41,426 normal sessions. The percentage o