Learning to Detect Network Intrusion from a Few Labeled Events and Background Traffic

  • Gustav Šourek
  • Ondřej Kuželka
  • Filip Železný
Conference paper

DOI: 10.1007/978-3-319-20034-7_9

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9122)
Cite this paper as:
Šourek G., Kuželka O., Železný F. (2015) Learning to Detect Network Intrusion from a Few Labeled Events and Background Traffic. In: Latré S., Charalambides M., François J., Schmitt C., Stiller B. (eds) Intelligent Mechanisms for Network Configuration and Security. AIMS 2015. Lecture Notes in Computer Science, vol 9122. Springer, Cham

Abstract

Intrusion detection systems (IDS) analyse network traffic data with the goal of revealing malicious activities and incidents. A general problem with learning in this domain is the lack of relevant ground-truth data, i.e. real attacks, capturing malicious behaviours in their full variety. Most existing solutions therefore rely, to a certain extent, on rules designed by network domain experts. Although rules have their advantages, they lack the basic ability to adapt to the traffic data. We therefore propose an ensemble tree bagging classifier capable of learning from an extremely small number of true attack representatives, and demonstrate that, by incorporating general background traffic, we are able to generalize from those few representatives and achieve results competitive with the expert-designed rules used in the existing IDS Camnep.

Keywords

Intrusion detection, Random forests, NetFlow, Camnep

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Gustav Šourek (1)
  • Ondřej Kuželka (2)
  • Filip Železný (1)
  1. CTU Prague, Prague, Czech Republic
  2. Cardiff University, Cardiff, UK