Applied Intelligence

, Volume 36, Issue 2, pp 320–329 | Cite as

A cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection

  • Kok-Chin Khor
  • Choo-Yee Ting
  • Somnuk Phon-Amnuaisuk


Network intrusion detection research work that employed KDDCup 99 dataset often encounter challenges in creating classifiers that could handle unequal distributed attack categories. The accuracy of a classification model could be jeopardized if the distribution of attack categories in a training dataset is heavily imbalanced where the rare categories are less than 2% of the total population. In such cases, the model could not efficiently learn the characteristics of rare categories and this will result in poor detection rates. In this research, we introduce an efficient and effective approach in dealing with the unequal distribution of attack categories. Our approach relies on the training of cascaded classifiers using a dichotomized training dataset in each cascading stage. The training dataset is dichotomized based on the rare and non-rare attack categories. The empirical findings support our arguments that training cascaded classifiers using the dichotomized dataset provides higher detection rates on the rare categories as well as comparably higher detection rates for the non-rare attack categories as compared to the findings reported in other research works. The higher detection rates are due to the mitigation of the influence from the dominant categories if the rare attack categories are separated from the dataset.


Network intrusion detection Cascaded classifiers Imbalanced dataset 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Conklin A, White GB, Cothren C, Williams D, Davis RL (2005) Principles of computer security: security + and beyond. McGraw-Hill, New York Google Scholar
  2. 2.
    Depren O, Topallar M, Anarim E, Ciliz MK (2005) An intelligent intrusion detection system for anomaly and misuse detection in computer networks. Expert Syst Appl 29(4):713–722 CrossRefGoogle Scholar
  3. 3.
    Computer Network Intrusion Detection (1999) ACM KDDCUP.
  4. 4.
    Lee W, Stolfo SJ (2000) A framework for constructing features and models for intrusion detection systems. ACM Trans Inf Syst Secur 3(4):227–261 CrossRefGoogle Scholar
  5. 5.
    Li Y, Wang JL, Tian ZH, Lu TB, Young C (2009) Building lightweight intrusion detection system using wrapper-based feature selection mechanisms. Comput Secur 28:466–475 CrossRefGoogle Scholar
  6. 6.
    Abadeh MS, Habibi J, Barzegar Z, Sergi M (2007) A parallel genetic local search algorithm for intrusion detection in computer networks. Eng Appl Artif Intell 20(8):1058–1069 CrossRefGoogle Scholar
  7. 7.
    Chen Y, Abraham A, Yang B (2007) Hybrid flexible neural-tree-based intrusion detection system. Int J Intell Syst 22:337–352 zbMATHCrossRefGoogle Scholar
  8. 8.
    Shon T, Moon J (2007) A hybrid machine learning approach to network anomaly detection. Inf Sci 177(18):3799–3821 CrossRefGoogle Scholar
  9. 9.
    Liu G, Yi Z, Yang S (2007) A hierarchical intrusion detection model based on the PCA neural networks. Neurocomputing 70(7–9):1561–1568 CrossRefGoogle Scholar
  10. 10.
    Sung AH, Mukkmala S (2003) Identifying important features for intrusion detection using support vector machines and neural networks. In: Proceedings of the symposium on application and the internet, pp 209–217 CrossRefGoogle Scholar
  11. 11.
    Khor KC, Ting CY, Phon-Amnuaisuk S (2009) A feature selection approach for network intrusion detection. In: Proceedings of international conference on information management and engineering, pp 133–137 CrossRefGoogle Scholar
  12. 12.
    Gupta KK, Nath B (2010) Layered approach using conditional random fields for intrusion detection. IEEE Trans Dependable Secure Comput 7(1):35–49 CrossRefGoogle Scholar
  13. 13.
    Peddabachigari S, Abraham A, Thomas J (2004) Intrusion detection systems using decision trees and support vector machines. Int J Appl Sci Comput. doi:
  14. 14.
    Wang W, Guan X, Zhang X (2004) A novel intrusion detection method based on principle component analysis in computer security. In: Lecture Notes in Computer Science, vol 3174. Springer, Berlin, pp 657–662 Google Scholar
  15. 15.
    Shyu ML, Chen SC, Sarinnapakorn K, Chang LW (2003) Principal component-based anomaly detection scheme. Stud Comput Intell 9:311–329 CrossRefGoogle Scholar
  16. 16.
    Chimphlee W, Abdullah AH, Noor MD, Sap M, Srinoy S, Chimphlee S (2006) Anomaly-based intrusion detection using fuzzy rough clustering. In: Proceedings of international conference on hybrid information technology, pp 329–334 CrossRefGoogle Scholar
  17. 17.
    Khor KC, Ting CY, Phon-Amnuaisuk S (2008) A probabilistic approach for network intrusion detection. In: Proceedings of Asia international conference on modelling & simulation, pp 463–468 CrossRefGoogle Scholar
  18. 18.
    Toosi AN, Kahani M (2007) A new approach to intrusion detection based on an evolutionary soft computing model using neuro-fuzzy classifiers. Comput Commun 30(10):2201–2212 CrossRefGoogle Scholar
  19. 19.
    Kayacik HG, Nur Zincir-Heywood A, Heywood MI (2007) A hierarchical SOM-based intrusion detection system. Eng Appl Artif Intell 20(4):439–451 CrossRefGoogle Scholar
  20. 20.
    Tsang CH, Kwong S, Wang H (2007) Genetic-fuzzy rule mining approach and evaluation of feature selection techniques for anomaly intrusion detection. Pattern Recognit 40(9):2373–2391 zbMATHCrossRefGoogle Scholar
  21. 21.
    Khan L, Awad M, Thuraisingham B (2007) A new intrusion detection system using support vector machines and hierarchical clustering. VLDB J 16(4):507–521 CrossRefGoogle Scholar
  22. 22.
    Corona I, Giacinto G, Roli F (2008) Intrusion detection in computer systems using multiple classifier systems. Stud Comput Intell 126:91–113 CrossRefGoogle Scholar
  23. 23.
    Ozyer T, Alhajj R, Barker K (2007) Intrusion detection by integrating boosting genetic fuzzy classifier and data mining criteria for rule pre-screening. J Netw Comput Appl 30:99–113 CrossRefGoogle Scholar
  24. 24.
    Giacinto G, Perdisci R, Rio MD, Roli F (2008) Intrusion detection in computer networks by a modular ensemble of one-class classifiers. Inf Fus 9(1):69–82 CrossRefGoogle Scholar
  25. 25.
    Chebrolu S, Abraham A, Thomas J (2005) Feature deduction and ensemble design of intrusion detection systems. Comput Secur 24(4):295–307 CrossRefGoogle Scholar
  26. 26.
    Hu WM, Hu W, Maybank S (2008) AdaBoost-based algorithm for network intrusion detection. IEEE Trans Syst Man Cybern Part B, Cybern 38(2):577–583 CrossRefGoogle Scholar
  27. 27.
    Peddabachigari S, Abraham A, Grosan C, Thomas J (2007) Modelling intrusion detection using hybrid intelligent systems. J Netw Comput Appl 30(1):114–132 CrossRefGoogle Scholar
  28. 28.
    Kou G, Peng Y, Chen Z, Yong S (2009) Multiple criteria mathematical programming for multi-classification and application in network intrusion detection. Inf Sci 179:371–381 CrossRefGoogle Scholar
  29. 29.
    Zeng J, Liu X, Li T, Li G, Li H, Zeng J (2009) A novel intrusion detection approach learned from the change of antibody concentration in biological immune response. Appl Intell. doi: 10.1007/s10489-009-0202-y Google Scholar
  30. 30.
    Axelsson S (2000) The base-rate fallacy and the difficulty of intrusion detection. ACM Trans Inf Syst Secur 3(3):186–205 MathSciNetCrossRefGoogle Scholar
  31. 31.
    Khor KC, Ting CY, Phon-Amnuaisuk S (2010) Comparing single and multiple Bayesian classifiers approaches for network intrusion detection. In: Proceedings of international conference on knowledge discovery, vol 2. IEEE Computer Society, Los Alamitos, pp 325–329 Google Scholar
  32. 32.
    Lippmann RP, Haines JW, Fried DJ, Korba J, Das K (2000) The 1999 DARPA off-line intrusion detection evaluation. In: Proceedings of DARPA information survivability conference and exposition, vol 2, pp 12–26 CrossRefGoogle Scholar
  33. 33.
    Pfahringer B (2000) Winning the KDD99 classification cup: bagged boosting. SIGKDD Explor 1(2):65–66 CrossRefGoogle Scholar
  34. 34.
    Han JW, Kamber M (2006) Data mining: concepts and techniques. Morgan Kaufmann, San Mateo zbMATHGoogle Scholar
  35. 35.
    Kittler J, Hatef M, Duin RP, Matas JG (1998) On combining classifiers. IEEE Trans PAMI 20(3):226–239 CrossRefGoogle Scholar
  36. 36.
    Xiang C, Yong PC, Meng LS (2008) Design of multiple-level hybrid classifier for intrusion detection system using Bayesian clustering and decision trees. Pattern Recognit Lett 29(7):918–924 CrossRefGoogle Scholar
  37. 37.
    Khor KC, Ting CY, Phon-Amnuaisuk S (2010) Forming an optimal feature set for classifying network intrusions involving multiple feature selection methods. In: Proceedings of international conference on information retrieval and knowledge management. IEEE Computer Society, Los Alamitos, pp 178–182 Google Scholar
  38. 38.
    Witten IH, Frank E (2005) Data mining: practical machine learning tools and techniques. Morgan Kaufmann, San Mateo zbMATHGoogle Scholar
  39. 39.
    Friedman N, Geiger D, Goldszmidt M (1997) Bayesian network classifiers. Mach Learn 29(2–3):131–163 zbMATHCrossRefGoogle Scholar
  40. 40.
    Bouzida Y, Cuppens F (2006) Detecting known and novel network intrusions. In: Security and privacy in dynamic environments, vol 201. Springer, Boston, pp 258–270 CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Kok-Chin Khor
    • 1
  • Choo-Yee Ting
    • 1
  • Somnuk Phon-Amnuaisuk
    • 2
  1. 1.Faculty of Information TechnologyMultimedia UniversityCyberjayaMalaysia
  2. 2.Faculty of Creative IndustriesUniversity Tunku Abdul RahmanPetaling JayaMalaysia

Personalised recommendations