Abstract
Bayesian networks are important knowledge representation tools for handling uncertain pieces of information. The success of these models is strongly related to their capacity to represent and handle dependence relations. Some forms of Bayesian networks have been successfully applied in many classification tasks. In particular, naive Bayes classifiers have been used for intrusion detection and alerts correlation. This paper analyses the advantage of adding expert knowledge to probabilistic classifiers in the context of intrusion detection and alerts correlation. As examples of probabilistic classifiers, we will consider the well-known Naive Bayes, Tree Augmented Naïve Bayes (TAN), Hidden Naive Bayes (HNB) and decision tree classifiers. Our approach can be applied for any classifier where the outcome is a probability distribution over a set of classes (or decisions). In particular, we study how additional expert knowledge such as “it is expected that 80 % of traffic will be normal” can be integrated in classification tasks. Our aim is to revise probabilistic classifiers’ outputs in order to fit expert knowledge. Experimental results show that our approach improves existing results on different benchmarks from intrusion detection and alert correlation areas.
Similar content being viewed by others
Notes
Dependable Anomaly Detection with Diagnosis, http://www.rennes.supelec.fr/DADDi/.
Probabilistic graphical models and Logics for Alarm Correlation in Intrusion Detection, http://placid.insarouen.fr/.
The Intrusion Detection Message Exchange Format.
References
Ahn JJ, Byun HW, Oh KJ, Kim TY (2012) Bayesian forecaster using class-based optimization. Appl Intell 36(3):553–563
An X, Jutla D, Cercone N (2006) Privacy intrusion detection using dynamic Bayesian networks. In: Proceedings of the 8th international conference on electronic commerce, session: privacy, security and trust track. ACM international conference proceeding series, vol 156, pp 208–215
Altendorf EE, Restificar AC, Dietterich TG (2005) Learning from sparse data by exploiting monotonicity constraints. In: Proceedings of the 21th annual conference on uncertainty in artificial intelligence (UAI-05), Arlington, Virginia, pp 18–26
Anderson J (1980) Computer security threat monitoring and surveillance
Ben Amor N, Benferhat S, Elouedi Z (2004) Naive Bayes vs decision trees in intrusion detection systems. In: ACM symposium on applied computing, SAC 04, March, p 1417
Boutilier C, Friedman N, Goldszmidt M, Koller D (1996) Context-specific independence in Bayesian networks. In: Proceedings of 12th UAI, pp 115–123
Benferhat S, Kenaza T, Mokhtari A (2008) False alert filtering and detection of high severe alerts using Naive Bayes. In: Computer security conference (CSC 08), South Carolina, April 2008
Benferhat S, Sedki K, Tabia K (2007) Reprocessing rough network traffic for intrusion detection purposes. In: IADIS: international conference telecommunications, networks and systems, Portugal
Benferhat S, Sedki K (2008) Alert correlation based on a logical handling of administrator preferences and knowledge. In: International conference on security and cryptography (SECRYPT’08), Porto, Portugal, July 2008, pp 50–56
Ben Messaoud M, Leray P, Ben Amor N (2011) SemCaDo: a serendipitous strategy for learning causal Bayesian networks using ontologies. In: Proceedings of symbolic and quantitative approaches to reasoning with uncertainty. Springer, Berlin/Heidelberg, pp 182–193
Chickering D, Geiger D, Heckerman D (1994) Learning Bayesian networks is NP-hard. Technical report MSR-TR-94-17, Microsoft Research Technical Report
Chickering D (1996) Learning Bayesian networks is NP-Complete. In: Fisher D, Lenz H (eds) Learning from data: artificial intelligence and statistics, vol V. Springer, Berlin, pp 121–130
Chow CK, Liu CN (1968) Approximating discrete probability distributions with dependence trees. IEEE Trans Inf Theory 14:462–467
Chow C (1970) On optimum recognition error and reject tradeoff. IEEE Trans Inf Theory 16:41–46
Cohen I, Goldszmidt M (2004) Properties and benefits of calibrated classifiers. HP Laboratories, Palo Alto
Cooper GF (1990) Computational complexity of probabilistic inference using Bayes belief networks. Artif Intell 42:393–405
Cuppens F, Miege A (2002) Alert correlation in a cooperative intrusion detection framework. In: Proceedings, 2002 IEEE symposium on security and privacy. IEEE Press, New York, pp 202–215
Darwiche A (2009) Modeling and reasoning with Bayesian networks, vol I-XII. Cambridge University Press, Cambridge, pp 1–548
Debar H, Becker M, Siboni D (1992) A neural network component for an intrusion detection system. In: Proceedings of the 1992 IEEE symposium on security and privacy, SP’92, pp 240–250
Debar H, Dacier M, Wespi A (1999) Towards a taxonomy of intrusion-detection systems. Comput Netw 31(8):805–822
Debar H, Wespi A (2001) Aggregation and correlation of intrusion-detection alerts, recent advances in intrusion detection Springer, London, pp 85–103
Denning DE (1987) An intrusion-detection model. IEEE Trans Softw Eng SE-13:222–232
Domotor Z (1980) Probability kinematics and representation of belief change. Philos Sci 47(3):384–403
Faour A, Leray P (2006) A SOM and Bayesian network architecture for alert filtering in network intrusion detection systems. In: RTS—conference on real-time and embedded systems, pp 1161–1166
Feelders AJ, van der Gaag LC (2005) Learning Bayesian network parameters with prior knowledge about context-specific qualitative influences. In: Proceedings of the twenty-first conference annual conference on uncertainty in artificial intelligence (UAI-05), Arlington. AUAI Press, Berkeley, pp 193–200
Feelders AJ, van der Gaag LC (2006) Learning Bayesian network parameters under order constraints. Int J Approx Reason 42:37–53
Friedman N, Getoor L, Koller D, Pfeffer A (1999) Learning probabilistic relational models. In: Proceedings of 16th IJCAI, pp 1300–1307
Friedman N, Geiger D, Goldszmidt M (1997) Bayesian network classifiers. Mach Learn 29(2–3):131–163
Geiger D, Heckerman D (1997) A characterization of the Dirichlet distribution through global and local parameter independence. Ann Stat 25:1344–1369
Gerven MV, Peter JFL (2004) Using background knowledge to construct Bayesian classifiers for data-poor domains. In: Proceedings of AI-2004, the twenty-fourth SGAI international conference on innovative techniques and applications of artificial intelligence, queens’. Queens’ College, Cambridge, pp 13–15
Hamine V, Helman P (2004) Learning optimal augmented Bayes networks. Dept of Computer Science, University of New Mexico, Albuquerque, New Mexico 87131 USA
Hooper P (2004) Dependent Dirichlet priors and optimal linear estimators for belief net parameters. In: Proceedings of the 20th annual conference on uncertainty in artificial intelligence (UAI-04). AUAI Press, Berkeley, pp 251–259
Huijuan L, Jianguo C, Wei W (2008) Two stratum Bayesian network based anomaly detection model for intrusion detection system. In: Proceedings of the 2008 international symposium on electronic commerce and security (ISECS), pp 482–487
Ingham KL, Inoue H (2007) Comparing anomaly detection techniques for HTTP. In: RAID: recent advances in intrusion detection, pp 42–62
Ingham KL, Inoue H (2007) Web attack data set. http://www.i-pi.com/HTTP-attacks-JoCN-2006
Jacobson V, Leres C, McCanne S (2012) TCPDump. http://www.tcpdump.org/
Jeffrey RC (1965) The logic of decision. McGraw-Hill, New York
Jensen F (1996) An introduction to Bayesian networks. Springer, Berlin
John G (1997) Enhancements to the data mining process. PhD thesis, Stanford University
Kdd cup 99 intrusion detection dataset task description. University of California Department of Information and Computer Science (1999). http://kdd.ics.uci.edu/databases/kddcup99/task.html
Kenaza T, Tabia K, Benferhat S (2010) On the use of Naive Bayesian classifiers for detecting elementary and coordinated attacks. Fundam Inform 105(4):435–466
Khor KC, Ting CY, Amnuaisuk SP (2008) A probabilistic approach for network intrusion detection. In: Proceedings of the 2008 second Asia international conference on modelling and simulation (AMS), pp 463–468
Khor KC, Ting CY, Amnuaisuk SP (2012) A cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection. Appl Intell 36(2):320–332
Koller D, Pfeffer A (1997) Object oriented Bayesian networks. In: Proceedings of 13th UAI, pp 302–313
Kruegel C, Mutz D, Robertson W, Valeur F (2003) Bayesian event classification for intrusion detection. Reliable Software Group, University of California, Santa Barbara
Langley P, Iba W, Thompson K (1992) An analysis of Bayesian classifiers. In: Proceedings of the tenth national conference on artificial intelligence. AAAI Press and MIT Press, Menlo Park, Cambridge, pp 223–228
Lee LH, Wan CH, Rajkumar R, Isa D (2012) An enhanced support vector machine classification framework by using Euclidean distance function for text document categorization. Appl Intell 37(1):80–99
Lee LH, Rajkumar R, Isa D (2012) Automatic folder allocation system using Bayesian-support vector machines hybrid classification approach. Appl Intell 36(2):295–307
MIT Lincoln Laboratories (2000) DARPA intrusion detection specific dataset. http://www.ll.mit.edu/IST/ideval/2000/2000_data_index.html
Mukkamala S, Janoski G, Sung A (2002) Intrusion detection using neural networks and support vector machines. In: Proceedings of the 2002 international joint conference on neural networks, IJCNN’02, pp 1702–1707
Mutz D, Valeur F, Vigna G, Kruegel C (2006) Anomalous system call detection. ACM Trans Inf Syst Secur 9:61–93
Niculescu RS, Mitchell T, Rao RB (2005) Parameter related domain knowledge for learning in graphical models. In: Proceedings of SIAM data mining conference
Ning P, Cui Y, Reeves DS (2002) Constructing attack scenarios through correlation of intrusion alerts. In: 9th ACM conference on computer and communications security. ACM Press, New York, pp 245–254
Pearl J (1988) Probabilistic reasoning in intelligent systems. Morgan Kaufmann, San Francisco
Quinlan JR (1986) Induction of decision trees. Mach Learn 1(1):81–106
Quinlan JR (1993) C4.5: programs for machine learning. Morgan Kaufmann, San Francisco
Rao RB, Sandilya S, Niculescu RS, Germond C, Rao H (2003) Clinical and financial outcomes analysis with existing hospital patient records. In: Proceedings of the ninth ACM SIGKDD international conference on knowledge discovery and data mining, pp 416–425
Robinson RW (1977) Counting unlabeled acyclic digraphs. In: Little CHC (ed) Combinatorial mathematics V. Lecture notes in mathematics, vol 622. Springer, Berlin, pp 28–43
Rokach L (2009) Taxonomy for characterizing ensemble methods in classification tasks: a review and annotated bibliography. In: Proceedings of computational statistics & data analysis, corrected proof (in press)
Segal E, Pe’er D, Regev A, Koller D, Friedman N (2003) Learning module networks. In: Proceedings of 19th UAI, pp 525–534
Shahrul Y, Lakhmi J (2012) An insect classification analysis based on shape features using quality threshold ARTMAP and moment invariant. Appl Intell 37(1):12–30
Tabia K, Benferhat S (2008) On the use of decision trees as behavioral approaches in intrusion detection. In: Proceeding of seventh international conference on machine learning and applications, ICMLA’08, San Diego, USA, pp 665–670
Tabia K, Leray P (2010) Handling IDS’ reliability in alert correlation—a Bayesian network-based model for handling IDS’s reliability and controlling prediction/false alarm rate tradeoffs. In: SECRYPT, pp 14–24
Tjhai GC, Papadaki M, Furnell S, Clarke NL (2008) Investigating the problem of IDS false alarms: an experimental study using snort. In: 23rd international information security conference SEC 2008, pp 253–267
Tylman W (2008) Anomaly-based intrusion detection using Bayesian networks. In: Proceedings of the 2008 third international conference on dependability of computer systems (DepCoS-RELCOMEX), pp 211–218
Valdes A, Skinner K (2000) Adaptive model-based monitoring for cyber attack detection. In: Proceedings of recent advances in intrusion detection (RAID 2000), Toulouse, France, pp 80–92
Valdes A, Skinner K (2001) Probabilistic alert correlation, recent advances in intrusion detection. Springer, London, pp 54–68
Wallenta C, Kim J, Bentley P, Hailes S (2010) Detecting interest cache poisoning in sensor networks using an artificial immune algorithm. Appl Intell 32(1):1–26
Wang J, Byrnes J, Valtorta M, Huhns M (2012) On the combination of logical and probabilistic models for information analysis. Appl Intell 36(2):472–497
Zhang H, Ling CX, Zhao Z (2005) Hidden Naive Bayes. In: Proceedings of Canadian artificial intelligence conference. AAAI Press, Menlo Park, pp 432–441
Zeng J, Liu X, Li T, Li G, Li H, Zeng J (2011) A novel intrusion detection approach learned from the change of antibody concentration in biological immune response. Appl Intell 35(1):41–62
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Benferhat, S., Boudjelida, A., Tabia, K. et al. An intrusion detection and alert correlation approach based on revising probabilistic classifiers using expert knowledge. Appl Intell 38, 520–540 (2013). https://doi.org/10.1007/s10489-012-0383-7
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10489-012-0383-7