Scaling up Detection Rates and Reducing False Positives in Intrusion Detection using NBTree
In this paper, we present a new learning algorithm for
anomaly based network intrusion detection using improved self
adaptive naïve Bayesian tree (NBTree), which induces a hybrid of
decision tree and naïve Bayesian classifier. The proposed approach
scales up the balance detections for different attack types and keeps
the false positives at acceptable level in intrusion detection. In
complex and dynamic large intrusion detection dataset, the detection
accuracy of naïve Bayesian classifier does not scale up as well as
decision tree. It has been successfully tested in other problem
domains that naïve Bayesian tree improves the classification rates in
large dataset. In naïve Bayesian tree nodes contain and split as
regular decision-trees, but the leaves contain naïve Bayesian
classifiers. The experimental results on KDD99 benchmark network
intrusion detection dataset demonstrate that this new approach scales
up the detection rates for different attack types and reduces false
positives in network intrusion detection.
[1] James P. Anderson, "Computer security threat monitoring and
surveillance," Technical Report 98-17, James P. Anderson Co., Fort
Washington, Pennsylvania, USA, April 1980.
[2] Dorothy E. Denning, "An intrusion detection model," IEEE Transaction
on Software Engineering, SE-13(2), 1987, pp. 222-232.
[3] D. Y. Yeung, and Y. X. Ding, "Host-based intrusion detection using
dynamic and static behavioral models," Pattern Recognition, 36, 2003,
pp. 229-243.
[4] Lazarevic, A., Ertoz, L., Kumar, V., Ozgur,. A., Srivastava, and J., "A
comparative study of anomaly detection schemes in network intrusion
detection," In Proc. of the SIAM Conference on Data Mining, 2003.
[5] Barbara, Daniel, Couto, Julia, Jajodia, Sushil, Popyack, Leonard, Wu,
and Ningning, "ADAM: Detecting intrusion by data mining," IEEE
Workshop on Information Assurance and Security, West Point, New
York, June 5-6, 2001.
[6] Lee W., Stolfo S., and Mok K., "Adaptive Intrusion Detection: A data
mining approach," Artificial Intelligence Review, 14(6), December
2000, pp. 533-567.
[7] N.B. Amor, S. Benferhat, and Z. Elouedi, "Naïve Bayes vs. decision
trees in intrusion detection systems," In Proc. of 2004 ACM Symposium
on Applied Computing, 2004, pp. 420-424.
[8] Mukkamala S., Janoski G., and Sung A.H., "Intrusion detection using
neural networks and support vector machines," In Proc. of the IEEE
International Joint Conference on Neural Networks, 2002, pp.1702-
1707.
[9] J. Luo, and S.M. Bridges, "Mining fuzzy association rules and fuzzy
frequency episodes for intrusion detection," International Journal of
Intelligent Systems, John Wiley & Sons, vol. 15, no. 8, 2000, pp. 687-
703.
[10] YU Yan, and Huang Hao, "An ensemble approach to intrusion detection
based on improved multi-objective genetic algorithm," Journal of
Software, vol. 18, no. 6, June 2007, pp. 1369-1378.
[11] Shon T., Seo J., and Moon J., "SVM approach with a genetic algorithm
for network intrusion detection," In Proc. of 20th International
Symposium on Computer and Information Sciences (ISCIS 2005),
Berlin: Springer-Verlag, 2005, pp. 224-233.
[12] Dorothy E. Denning, and P.G. Neumann "Requirement and model for
IDES- A real-time intrusion detection system," Computer Science
Laboratory, SRI International, Menlo Park, CA 94025-3493, Technical
Report # 83F83-01-00, 1985.
[13] D. Anderson, T. Frivold, A. Tamaru, and A. Valdes, "Next generation
intrusion detection expert system (NIDES)," Software Users Manual,
Beta-Update Release, Computer Science Laboratory, SRI International,
Menlo Park, CA, USA, Technical Report SRI-CSL-95-0, May 1994.
[14] D. Anderson, T.F. Lunt, H. Javitz, A. Tamaru, and A. Valdes, "Detecting
unusual program behavior using the statistical component of the next
generation intrusion detection expert system (NIDES)," Computer
Science Laboratory, SRI International, Menlo Park, CA, USA, Technical
Report SRI-CSL-95-06, May 1995.
[15] S.E. Smaha, and Haystack, "An intrusion detection system," in Proc. of
the IEEE Fourth Aerospace Computer Security Applications
Conference, Orlando, FL, 1988, pp. 37-44.
[16] N. Ye, S.M. Emran, Q. Chen, and S. Vilbert, "Multivariate statistical
analysis of audit trails for host-based intrusion detection," IEEE
Transactions on Computers 51, 2002, pp. 810-820.
[17] Martin Roesch, "SNORT: The open source network intrusion system,"
Official web page of Snort at http://www.snort.org/
[18] L. C. Wuu, C. H. Hung, and S. F. Chen, "Building intrusion pattern
miner for sonrt network intrusion detection system," Journal of Systems
and Software, vol. 80, Issue 10, 2007, pp. 1699-1715.
[19] W. Lee, R.A. Nimbalkar, K.K. Yee, S.B. Patil, P.H. Desai, T.T. Tran,
and S.J. Stolfo, "A data mining and CIDF based approach for detecting
novel and distributed intrusions," In Proc. of the 3rd International
Workshop on Recent Advances in Intrusion Detection (RAID 2000),
Toulouse , France, 2000, pp. 49-65.
[20] W. Lee, and S.J. Stolfo, "Data mining approach for intrusions
detection," In Proc. of the 7th USENIX Security Symposium
(SECURITY-98), Berkeley, CA, USA, 1998, pp. 79-94.
[21] C. Kruegel, D. Mutz, W. Robertson, and F. Valeur, "Bayesian event
classification for intrusion detection," In Proc. of the 19th Annual
Computer Security Applications Conference, Las Veges, NV, 2003.
[22] N. Ye, M. Xu, and S.M. Emran, "Probabilistic networks with undirected
links for anomaly detection," In Proc. of the IEEE Systems, Man, and
Cybernetics Information Assurance and Security Workshop, West Point,
NY, 2000.
[23] A. Valdes, and K. Skinner, "Adaptive model-based monitoring for cyber
attack detection," In Recent Advances in Intrusion Detection Toulouse,
France, 2000, pp. 80-92.
[24] A.K. Ghosh, and A. Schwartzbart, "A study in using neural networks for
anomaly and misuse detection," In Proc. of the Eighth USENIX Security
Symposium, Washington, DC, 1999, pp. 141-151.
[25] M. Ramadas, and S.O.B. Tjaden, "Detecting anomalous network traffic
with self-organizing maps," In Proc. of the 6th International Symposium
on Recent Advances in Intrusion Detection, Pittsburgh, PA, USA, 2003,
pp. 36-54.
[26] R. Kohavi, "Scaling up the accuracy of naïve Bayes classifiers: A
Decision Tree Hybrid," In Proc. of the 2nd International Conference on
Knowledge Discovery and Data Mining, Menlo Park, CA:AAAI
Press/MIT Press, 1996, pp. 147-149.
[27] The KDD Archive. KDD99 cup dataset, 1999.
http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
[1] James P. Anderson, "Computer security threat monitoring and
surveillance," Technical Report 98-17, James P. Anderson Co., Fort
Washington, Pennsylvania, USA, April 1980.
[2] Dorothy E. Denning, "An intrusion detection model," IEEE Transaction
on Software Engineering, SE-13(2), 1987, pp. 222-232.
[3] D. Y. Yeung, and Y. X. Ding, "Host-based intrusion detection using
dynamic and static behavioral models," Pattern Recognition, 36, 2003,
pp. 229-243.
[4] Lazarevic, A., Ertoz, L., Kumar, V., Ozgur,. A., Srivastava, and J., "A
comparative study of anomaly detection schemes in network intrusion
detection," In Proc. of the SIAM Conference on Data Mining, 2003.
[5] Barbara, Daniel, Couto, Julia, Jajodia, Sushil, Popyack, Leonard, Wu,
and Ningning, "ADAM: Detecting intrusion by data mining," IEEE
Workshop on Information Assurance and Security, West Point, New
York, June 5-6, 2001.
[6] Lee W., Stolfo S., and Mok K., "Adaptive Intrusion Detection: A data
mining approach," Artificial Intelligence Review, 14(6), December
2000, pp. 533-567.
[7] N.B. Amor, S. Benferhat, and Z. Elouedi, "Naïve Bayes vs. decision
trees in intrusion detection systems," In Proc. of 2004 ACM Symposium
on Applied Computing, 2004, pp. 420-424.
[8] Mukkamala S., Janoski G., and Sung A.H., "Intrusion detection using
neural networks and support vector machines," In Proc. of the IEEE
International Joint Conference on Neural Networks, 2002, pp.1702-
1707.
[9] J. Luo, and S.M. Bridges, "Mining fuzzy association rules and fuzzy
frequency episodes for intrusion detection," International Journal of
Intelligent Systems, John Wiley & Sons, vol. 15, no. 8, 2000, pp. 687-
703.
[10] YU Yan, and Huang Hao, "An ensemble approach to intrusion detection
based on improved multi-objective genetic algorithm," Journal of
Software, vol. 18, no. 6, June 2007, pp. 1369-1378.
[11] Shon T., Seo J., and Moon J., "SVM approach with a genetic algorithm
for network intrusion detection," In Proc. of 20th International
Symposium on Computer and Information Sciences (ISCIS 2005),
Berlin: Springer-Verlag, 2005, pp. 224-233.
[12] Dorothy E. Denning, and P.G. Neumann "Requirement and model for
IDES- A real-time intrusion detection system," Computer Science
Laboratory, SRI International, Menlo Park, CA 94025-3493, Technical
Report # 83F83-01-00, 1985.
[13] D. Anderson, T. Frivold, A. Tamaru, and A. Valdes, "Next generation
intrusion detection expert system (NIDES)," Software Users Manual,
Beta-Update Release, Computer Science Laboratory, SRI International,
Menlo Park, CA, USA, Technical Report SRI-CSL-95-0, May 1994.
[14] D. Anderson, T.F. Lunt, H. Javitz, A. Tamaru, and A. Valdes, "Detecting
unusual program behavior using the statistical component of the next
generation intrusion detection expert system (NIDES)," Computer
Science Laboratory, SRI International, Menlo Park, CA, USA, Technical
Report SRI-CSL-95-06, May 1995.
[15] S.E. Smaha, and Haystack, "An intrusion detection system," in Proc. of
the IEEE Fourth Aerospace Computer Security Applications
Conference, Orlando, FL, 1988, pp. 37-44.
[16] N. Ye, S.M. Emran, Q. Chen, and S. Vilbert, "Multivariate statistical
analysis of audit trails for host-based intrusion detection," IEEE
Transactions on Computers 51, 2002, pp. 810-820.
[17] Martin Roesch, "SNORT: The open source network intrusion system,"
Official web page of Snort at http://www.snort.org/
[18] L. C. Wuu, C. H. Hung, and S. F. Chen, "Building intrusion pattern
miner for sonrt network intrusion detection system," Journal of Systems
and Software, vol. 80, Issue 10, 2007, pp. 1699-1715.
[19] W. Lee, R.A. Nimbalkar, K.K. Yee, S.B. Patil, P.H. Desai, T.T. Tran,
and S.J. Stolfo, "A data mining and CIDF based approach for detecting
novel and distributed intrusions," In Proc. of the 3rd International
Workshop on Recent Advances in Intrusion Detection (RAID 2000),
Toulouse , France, 2000, pp. 49-65.
[20] W. Lee, and S.J. Stolfo, "Data mining approach for intrusions
detection," In Proc. of the 7th USENIX Security Symposium
(SECURITY-98), Berkeley, CA, USA, 1998, pp. 79-94.
[21] C. Kruegel, D. Mutz, W. Robertson, and F. Valeur, "Bayesian event
classification for intrusion detection," In Proc. of the 19th Annual
Computer Security Applications Conference, Las Veges, NV, 2003.
[22] N. Ye, M. Xu, and S.M. Emran, "Probabilistic networks with undirected
links for anomaly detection," In Proc. of the IEEE Systems, Man, and
Cybernetics Information Assurance and Security Workshop, West Point,
NY, 2000.
[23] A. Valdes, and K. Skinner, "Adaptive model-based monitoring for cyber
attack detection," In Recent Advances in Intrusion Detection Toulouse,
France, 2000, pp. 80-92.
[24] A.K. Ghosh, and A. Schwartzbart, "A study in using neural networks for
anomaly and misuse detection," In Proc. of the Eighth USENIX Security
Symposium, Washington, DC, 1999, pp. 141-151.
[25] M. Ramadas, and S.O.B. Tjaden, "Detecting anomalous network traffic
with self-organizing maps," In Proc. of the 6th International Symposium
on Recent Advances in Intrusion Detection, Pittsburgh, PA, USA, 2003,
pp. 36-54.
[26] R. Kohavi, "Scaling up the accuracy of naïve Bayes classifiers: A
Decision Tree Hybrid," In Proc. of the 2nd International Conference on
Knowledge Discovery and Data Mining, Menlo Park, CA:AAAI
Press/MIT Press, 1996, pp. 147-149.
[27] The KDD Archive. KDD99 cup dataset, 1999.
http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
@article{"International Journal of Information, Control and Computer Sciences:50887", author = "Dewan Md. Farid and Nguyen Huu Hoa and Jerome Darmont and Nouria Harbi and Mohammad Zahidur Rahman", title = "Scaling up Detection Rates and Reducing False Positives in Intrusion Detection using NBTree", abstract = "In this paper, we present a new learning algorithm for
anomaly based network intrusion detection using improved self
adaptive naïve Bayesian tree (NBTree), which induces a hybrid of
decision tree and naïve Bayesian classifier. The proposed approach
scales up the balance detections for different attack types and keeps
the false positives at acceptable level in intrusion detection. In
complex and dynamic large intrusion detection dataset, the detection
accuracy of naïve Bayesian classifier does not scale up as well as
decision tree. It has been successfully tested in other problem
domains that naïve Bayesian tree improves the classification rates in
large dataset. In naïve Bayesian tree nodes contain and split as
regular decision-trees, but the leaves contain naïve Bayesian
classifiers. The experimental results on KDD99 benchmark network
intrusion detection dataset demonstrate that this new approach scales
up the detection rates for different attack types and reduces false
positives in network intrusion detection.", keywords = "Detection rates, false positives, network intrusiondetection, naïve Bayesian tree.", volume = "4", number = "4", pages = "665-5", }
