Intrusion Detection System Based on Cost Based Support Vector Machine
Abstract
In this paper, a novel intrusion detection system (IDS) is developed using a cost based support vector machine (SVM). When developing an IDS, the imbalance between attack and non-attack (normal) events in any network environment makes it very difficult to differentiate the two. The cost based SVM assigns a higher misclassification cost to one class of patterns than to the other, so that attack and non-attack cases can be differentiated with high accuracy. The same idea applies to multiclass attack problems by assigning a cost factor to each class in proportion to the ratio between the different types of attacks. In this study, the cost based SVM has been applied to classify the DARPA99 intrusion detection dataset. The experimental results show that the cost based SVM can outperform the standard SVM when deciding whether a case is an attack or non-attack (normal). Furthermore, we applied the cost based SVM with an RBF kernel to a multiclass attack problem. It achieved about 99 % detection accuracy when classifying events from the DARPA99 dataset as one of Normal, DOS, Probe and R2L.

Keywords IDS ⋅ Cost based SVM ⋅ Imbalanced data
1 Introduction
Intrusion detection is essential these days to protect the security of information systems, especially in view of the worldwide increase in cyber attacks. Intrusion detection is defined as the identification of unauthorized use, misuse and attacks on an information system. It is needed because traditional firewalls cannot provide full protection against security breaches. An Intrusion Detection System (IDS) does not prevent an intrusion; it only detects it and informs the operator.
Md.R. Hassan (✉)
Department of Information and Computer Science, King Fahd University of Petroleum and Minerals, Dhahran 31261, Saudi Arabia
e-mail: [email protected]
© Springer International Publishing Switzerland 2016
P. Meesad et al. (eds.), Recent Advances in Information and Communication Technology 2016, Advances in Intelligent Systems and Computing 463, DOI 10.1007/978-3-319-40415-8_11
It detects a hacker breaking into the system or a genuine user exploiting the system's resources. The primary measurement criteria for an IDS are as follows:
• False positives, i.e. an event incorrectly identified as an intrusion when none has occurred.
• False negatives, i.e. an event that the IDS fails to identify as an intrusion when one really has occurred.
• True positives, i.e. an event correctly classified as an intrusion when one has occurred.
• True negatives, i.e. an event not classified as an intrusion when none has occurred.
• Accuracy, i.e. how effective the IDS is at detecting intrusions when they really have occurred.
It is essential to analyze the audit data (generated by the operating systems and networks) in order to estimate the extent of the damage that occurred, especially for tracing the attack and recording the attack pattern for future prevention. This makes an IDS a real time detection and prevention tool as well as a forensic analysis tool [1]. Artificial intelligence techniqu
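As an added example (not code from the paper), the following Python trains a cost based linear SVM next to a standard SVM on a constructed, imbalanced two-feature sample that stands in for the DARPA99 features, and then scores both with the measurement criteria listed above (TP, FP, TN, FN, accuracy, plus the detection rate TP/(TP+FN) and false alarm rate FP/(FP+TN) built from them). The Gaussian data generator, the two-feature geometry, the full-batch sub-gradient solver for the weighted hinge loss, and the choice of the normal-to-attack class ratio as the cost factor are all assumptions made for this illustration; the paper's RBF kernel and multiclass setting are not reproduced.

```python
"""Cost based (class-weighted) linear SVM on an imbalanced attack/normal
problem, plus the IDS confusion-matrix measures.

Added example; not the paper's code.  Data are constructed Gaussian clusters
standing in for DARPA99 features, and the solver is plain full-batch
sub-gradient descent on the weighted hinge loss (both are assumptions).
"""
import random

NORMAL, ATTACK = -1, +1


def make_events(n_normal, n_attack, seed):
    """Constructed data: 'normal' events around (0, 0) and 'attack' events
    around (1.5, 1.5) with unit-variance noise, so the clusters overlap.
    Assumed geometry, not taken from the paper."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n_normal):
        X.append((rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)))
        y.append(NORMAL)
    for _ in range(n_attack):
        X.append((rng.gauss(1.5, 1.0), rng.gauss(1.5, 1.0)))
        y.append(ATTACK)
    return X, y


def train_cost_svm(X, y, cost_attack=1.0, cost_normal=1.0,
                   lam=0.01, lr=0.05, epochs=400):
    """Minimise  lam/2*||w||^2 + (1/n) * sum_i c_i * max(0, 1 - y_i (w.x_i + b))
    where c_i = cost_attack for attack events and cost_normal for normal ones.
    cost_attack == cost_normal == 1 is the standard soft-margin linear SVM."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [lam * wj for wj in w], 0.0          # regulariser gradient
        for xi, yi in zip(X, y):
            score = b
            for j in range(d):
                score += w[j] * xi[j]
            if yi * score < 1.0:                      # margin violated: hinge active
                c = cost_attack if yi == ATTACK else cost_normal
                for j in range(d):
                    gw[j] -= c * yi * xi[j] / n
                gb -= c * yi / n
        for j in range(d):
            w[j] -= lr * gw[j]
        b -= lr * gb
    return w, b


def predict(w, b, X):
    """Positive side of the hyperplane is labelled as an attack."""
    return [ATTACK if sum(wj * xj for wj, xj in zip(w, xi)) + b > 0 else NORMAL
            for xi in X]


def confusion(y_true, y_pred):
    """TP/FP/TN/FN as defined in the paper, with 'attack' as the positive class."""
    cm = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for t, p in zip(y_true, y_pred):
        if p == ATTACK:
            cm["TP" if t == ATTACK else "FP"] += 1
        else:
            cm["FN" if t == ATTACK else "TN"] += 1
    return cm


def measures(cm):
    """Accuracy, detection rate TP/(TP+FN) and false alarm rate FP/(FP+TN)."""
    total = cm["TP"] + cm["FP"] + cm["TN"] + cm["FN"]
    attacks = cm["TP"] + cm["FN"]
    normals = cm["TN"] + cm["FP"]
    return {
        "accuracy": (cm["TP"] + cm["TN"]) / total,
        "detection_rate": cm["TP"] / attacks if attacks else 0.0,
        "false_alarm_rate": cm["FP"] / normals if normals else 0.0,
    }


def run_experiment(n_normal=600, n_attack=30):
    """Train a standard and a cost based SVM on one imbalanced sample (20:1)
    and score both on a second, independently drawn sample."""
    X_train, y_train = make_events(n_normal, n_attack, seed=1)
    X_test, y_test = make_events(n_normal, n_attack, seed=2)
    ratio = n_normal / n_attack   # cost factor = class ratio (assumed choice)
    results = {}
    for name, c_att in (("standard", 1.0), ("weighted", ratio)):
        w, b = train_cost_svm(X_train, y_train, cost_attack=c_att)
        cm = confusion(y_test, predict(w, b, X_test))
        results[name] = {**cm, **measures(cm)}
    return results


if __name__ == "__main__":
    for name, r in run_experiment().items():
        print(f"{name:9s} TP={r['TP']:3d} FP={r['FP']:3d} TN={r['TN']:3d} "
              f"FN={r['FN']:3d} accuracy={r['accuracy']:.3f} "
              f"detection={r['detection_rate']:.3f} "
              f"false_alarm={r['false_alarm_rate']:.3f}")
```

Running the script prints both confusion matrices. With a 20:1 class ratio the unweighted hinge loss is dominated by normal events, so the standard SVM's hyperplane is pushed toward the attack cluster: its accuracy looks good because most events are normal, while its detection rate (the one number a defender cares about) is poor. Raising the attack cost to the class ratio rebalances the loss, which moves the boundary back between the clusters and buys a much higher detection rate at the price of more false alarms; that trade is the effect the abstract attributes to the cost based SVM, and it is exactly why accuracy alone is a misleading criterion on imbalanced audit data.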