
A cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection

Applied Intelligence

Abstract

Network intrusion detection research that uses the KDD Cup 99 dataset frequently runs into the problem of building classifiers that can cope with an unequal distribution of attack categories. The accuracy of a classification model suffers when the attack categories in the training dataset are heavily imbalanced, with the rare categories making up less than 2% of the total population: the model cannot learn the characteristics of the rare categories well, and their detection rates are correspondingly poor. This paper introduces an efficient and effective approach to this unequal distribution. The approach trains cascaded classifiers, using a dichotomized training dataset at each cascading stage; the training dataset is dichotomized into rare and non-rare attack categories. The empirical findings support the argument that training cascaded classifiers on the dichotomized dataset yields higher detection rates on the rare categories, together with comparably high detection rates on the non-rare categories, relative to the results reported in other research. The higher detection rates arise because separating the rare attack categories from the rest of the dataset mitigates the influence of the dominant categories on the classifier.



Author information


Corresponding author

Correspondence to Kok-Chin Khor.


Cite this article

Khor, KC., Ting, CY. & Phon-Amnuaisuk, S. A cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection. Appl Intell 36, 320–329 (2012). https://doi.org/10.1007/s10489-010-0263-y
