Local outlier factor and stronger one class classifier based hierarchical model for detection of attacks in network intrusion detection dataset

Identification of attacks by a network intrusion detection system (NIDS) is an important task. In signature or rule based detection, the previously encountered attacks are modded, and signatures/rules are extracted. These rules are used to detect such attacks in future, but in anomaly or outlier det...

Full description

Saved in:
Bibliographic Details
Published inFrontiers of Computer Science Vol. 10; no. 4; pp. 755 - 766
Main Authors VASUDEVAN, Alampallam Ramaswamy, SELVAKUMAR, Subramanian
Format Journal Article
LanguageEnglish
Published Beijing Higher Education Press 01.08.2016
Springer Nature B.V
Subjects
Classifiers
Clustering
Communications traffic
Computer Science
Data analysis
Data mining
Datasets
Deviation
Dirichlet
Dirichlet problem
Discretizer
DP clustering
False alarms
hierarchical model
Intrusion detection systems
LOF
Machine learning
NIDS
one class classifier
Outliers (statistics)
Research Article
Supervised learning
Traffic models
分类器
因子和
局部异常因子
层次模型
数据集
监督学习
网络入侵检测系统
LOF
hierarchical model
one class classifier
DP clustering
NIDS
Discretizer
Online AccessGet full text

Cover

More Information
Summary:Identification of attacks by a network intrusion detection system (NIDS) is an important task. In signature or rule based detection, the previously encountered attacks are modded, and signatures/rules are extracted. These rules are used to detect such attacks in future, but in anomaly or outlier detection system, the normal network traffic is modeled. Any deviation from the normal model is deemed to be an outlier/attack. Data mining and machine learning techniques are widely used in offline NIDS. Unsupervised and supervised learning techniques differ the way NIDS dataset is treated. The characteristic features of unsupervised and supervised learning are finding patterns in data, detecting outliers, and determining a learned function for input features, generalizing the data instances respectively. The intuition is that if these two techniques are combined, better performance may be obtained. Hence, in this paper the advantages of unsupervised and supervised techniques are inherited in the proposed hierarchical model and devised into three stages to detect attacks in NIDS dataset. NIDS dataset is clustered using Dirichiet process (DP) clustering based on the underlying data distribution. Iteratively on each cluster, local denser areas are identified using local outlier factor (LOF) which in turn is discretized into four bins of separation based on LOF score. Further, in each bin the normal data instances are modeled using one class classifier (OCC). A combination of Density Estimation method, Reconstruction method, and Boundary methods are used for OCC model. A product rule combination of the three methods takes into consideration the strengths of each method in building a stronger OCC model. Any deviation from this model is considered as an attack. Experiments are conducted on KDD CUP'99 and SSENet-2011 datasets. The results show that the proposed model is able to identify attacks with higher detection rate and low false alarms.
Bibliography:hierarchical model, DP clustering, LOF, Dis-cretizer, one class classifier, NIDS
11-5731/TP
Identification of attacks by a network intrusion detection system (NIDS) is an important task. In signature or rule based detection, the previously encountered attacks are modded, and signatures/rules are extracted. These rules are used to detect such attacks in future, but in anomaly or outlier detection system, the normal network traffic is modeled. Any deviation from the normal model is deemed to be an outlier/attack. Data mining and machine learning techniques are widely used in offline NIDS. Unsupervised and supervised learning techniques differ the way NIDS dataset is treated. The characteristic features of unsupervised and supervised learning are finding patterns in data, detecting outliers, and determining a learned function for input features, generalizing the data instances respectively. The intuition is that if these two techniques are combined, better performance may be obtained. Hence, in this paper the advantages of unsupervised and supervised techniques are inherited in the proposed hierarchical model and devised into three stages to detect attacks in NIDS dataset. NIDS dataset is clustered using Dirichiet process (DP) clustering based on the underlying data distribution. Iteratively on each cluster, local denser areas are identified using local outlier factor (LOF) which in turn is discretized into four bins of separation based on LOF score. Further, in each bin the normal data instances are modeled using one class classifier (OCC). A combination of Density Estimation method, Reconstruction method, and Boundary methods are used for OCC model. A product rule combination of the three methods takes into consideration the strengths of each method in building a stronger OCC model. Any deviation from this model is considered as an attack. Experiments are conducted on KDD CUP'99 and SSENet-2011 datasets. The results show that the proposed model is able to identify attacks with higher detection rate and low false alarms.
LOF
Document accepted on :2015-10-15
one class classifier
Document received on :2015-03-23
DP clustering
hierarchical model
NIDS
Discretizer
ISSN:2095-2228
2095-2236
DOI:10.1007/s11704-015-5116-8