Abstract
Cyberattacks now occur continuously. Many attack types exist, and they are malicious and harmful to our networks, resources and privacy. At the same time, the diversity, size and density of cyberattacks are increasing. Strong and solid detection mechanisms are therefore required to prevent them. Many intrusion detection mechanisms have been proposed previously, but many of them struggle to detect some attack classes. In this paper, an up-to-date and realistic dataset called UNSW-NB15 was used to train an intrusion detection system. The dataset contains network data under nine different attack scenarios as well as normal operation. First, wrapper feature selection was applied to the dataset, which reduced the number of features from 43 to 19. Second, a decision tree classifier was trained on the reduced dataset. The confusion matrix was tabulated and classes with low detection rates were identified. Finally, to achieve better detection rates for the DoS, Exploit and Fuzzers classes, which had low detection rates, a hierarchical multi-class classifier was proposed. The random forest classifier was selected as the basis of the model, and each classifier at a different stage of the hierarchy has a specific attack detection purpose. The proposed system achieved an overall classification accuracy of 80.78%, better than the baseline random forest classifier. The detection rates for DoS, Exploit and Fuzzers attacks also increased.
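The workflow described in the abstract (tabulate the confusion matrix, identify weakly detected classes, then route them to a dedicated classifier) can be sketched as follows. This is an added example, not the authors' code: it assumes scikit-learn, uses constructed synthetic features instead of UNSW-NB15, skips the feature-selection step, and the two-stage layout of TwoStageIDS is an assumption, since the abstract does not give the paper's hierarchy.

```python
import numpy as np
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import confusion_matrix

CLASSES = ["Normal", "DoS", "Exploit", "Fuzzers"]
# Constructed cluster centres (not UNSW-NB15 values); DoS and Exploit overlap on purpose.
CENTERS = {"Normal": [0, 0, 0], "DoS": [4, 4, 0],
           "Exploit": [4, 4.8, 0.5], "Fuzzers": [0, 5, 4]}

def make_flows(n_per_class=300, seed=0):
    """Return constructed 3-feature samples and their class labels."""
    rng = np.random.default_rng(seed)
    X = np.vstack([rng.normal(CENTERS[c], 1.0, size=(n_per_class, 3)) for c in CLASSES])
    return X, np.repeat(CLASSES, n_per_class)

def detection_rates(y_true, y_pred):
    """Per-class detection rate: confusion-matrix diagonal over row sum."""
    cm = confusion_matrix(y_true, y_pred, labels=CLASSES)
    return dict(zip(CLASSES, cm.diagonal() / cm.sum(axis=1)))

class TwoStageIDS:
    """Assumed layout: stage 1 merges the weak classes into 'HARD', stage 2 splits them."""
    def __init__(self, hard_classes, seed=0):
        self.hard = list(hard_classes)
        self.stage1 = RandomForestClassifier(n_estimators=100, random_state=seed)
        self.stage2 = RandomForestClassifier(n_estimators=100, random_state=seed)

    def fit(self, X, y):
        in_hard = np.isin(y, self.hard)
        self.stage1.fit(X, np.where(in_hard, "HARD", y))
        if in_hard.any():  # the specialist is trained only on the weak classes
            self.stage2.fit(X[in_hard], y[in_hard])
        return self

    def predict(self, X):
        pred = self.stage1.predict(X).astype(object)
        routed = pred == "HARD"
        if routed.any():  # only samples flagged 'HARD' reach the second stage
            pred[routed] = self.stage2.predict(X[routed])
        return pred.astype(str)

def run_demo(threshold=0.9):
    """Flat baseline -> weak classes from its confusion matrix -> two-stage model."""
    X_tr, y_tr = make_flows(seed=0)
    X_te, y_te = make_flows(seed=1)
    flat = RandomForestClassifier(n_estimators=100, random_state=0).fit(X_tr, y_tr)
    flat_rates = detection_rates(y_te, flat.predict(X_te))
    weak = [c for c, r in flat_rates.items() if r < threshold]
    hier = TwoStageIDS(weak).fit(X_tr, y_tr)
    return flat_rates, weak, detection_rates(y_te, hier.predict(X_te))
```

Whether the second stage improves the weak classes depends on the data, so compare the two rate dictionaries returned by run_demo() rather than assuming a gain.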
Ethics declarations
Conflict of interest
On behalf of all authors, the corresponding author states that there is no conflict of interest.
About this article
Cite this article
Sarıkaya, A., Kılıç, B.G. A Class-Specific Intrusion Detection Model: Hierarchical Multi-class IDS Model. SN COMPUT. SCI. 1, 202 (2020). https://doi.org/10.1007/s42979-020-00213-z
DOI: https://doi.org/10.1007/s42979-020-00213-z