Incremental Open Set Intrusion Recognition Using Extreme Value Machine
Published in | 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA) pp. 1089 - 1093 |
---|---|
Main Authors | , , , , |
Format | Conference Proceeding |
Language | English |
Published | IEEE, 01.12.2017 |
Subjects | |
Summary: | Typically, most network intrusion detection systems use supervised learning techniques to identify network anomalies. A problem exists when identifying the unknowns and automatically updating a classifier with new query classes. This is defined as an open set incremental learning problem, and we propose to extend a recently introduced method, the Extreme Value Machine (EVM), to address the issue of identifying new classes during query time. The EVM is derived from statistical extreme value theory and is the first classifier that can perform kernel-free, nonlinear, variable bandwidth outlier detection combined with incremental learning. In this paper, we utilize the EVM for intrusion detection and measure the open set recognition performance of identifying known and unknown classes. Additionally, we evaluate the performance on the KDDCUP'99 dataset and compare the results with the state-of-the-art Weibull-SVM (W-SVM). Our findings demonstrate that the EVM mirrors the performance of the W-SVM classifier, while it supports incremental learning. |
---|---|
DOI: | 10.1109/ICMLA.2017.000-3 |