
A Class-Specific Intrusion Detection Model: Hierarchical Multi-class IDS Model

  • Original Research
  • SN Computer Science

Abstract

Cyberattacks now occur continuously, and many attack types are malicious and harmful to our networks, resources and privacy. At the same time, the diversity, size and density of cyberattacks are increasing. Strong and solid detection mechanisms are therefore required to prevent them. Many intrusion detection mechanisms have been proposed previously, but many of them struggle to detect some attack classes. In this paper, an up-to-date and realistic dataset called UNSW-NB15 was used to train an intrusion detection system. The dataset contains network data under nine different attack scenarios as well as normal operation. First, wrapper feature selection was applied to the dataset, which reduced the number of features from 43 to 19. Second, a decision tree classifier was trained on the reduced dataset. The confusion matrix was tabulated, and classes with low detection rates were identified. Finally, to achieve better detection rates for the DoS, Exploit and Fuzzers classes, which had low detection rates, a hierarchical multi-class classifier was proposed. A random forest classifier was selected as the basis of the model, and each classifier at a different stage of the hierarchy has a specific attack detection purpose. The proposed system achieved an overall classification accuracy of 80.78%, better than the baseline random forest classifier. The detection rates for DoS, Exploit and Fuzzers attacks also increased.
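
An added example, not code from the paper: the confusion-matrix step described in the abstract, run on a constructed matrix, followed by one possible two-stage routing of records to a specialist classifier. The counts, the 0.90 threshold, the helper names and the routing design are assumptions; the abstract does not describe the paper's actual hierarchy.

```python
# Added example. Class names follow the abstract; the counts are constructed.
CLASSES = ["Normal", "DoS", "Exploit", "Fuzzers", "Generic"]
CONFUSION = [  # rows = true class, columns = predicted class
    [930,  2,  18,  48,   2],   # Normal
    [  5, 60, 320,  12,   3],   # DoS
    [ 10, 90, 760,  35,   5],   # Exploit
    [140,  8,  52, 395,   5],   # Fuzzers
    [  1,  2,  12,   0, 985],   # Generic
]

def detection_rates(matrix, classes):
    """Per-class detection rate (recall): correct / all samples of that class."""
    return {c: matrix[i][i] / sum(matrix[i]) for i, c in enumerate(classes)}

def weak_classes(matrix, classes, threshold):
    """Classes whose detection rate falls below the threshold."""
    rates = detection_rates(matrix, classes)
    return [c for c in classes if rates[c] < threshold]

def main_confusion_partner(matrix, classes, name):
    """The class that absorbs most of `name`'s misclassified samples."""
    i = classes.index(name)
    errors = [(n, classes[j]) for j, n in enumerate(matrix[i]) if j != i]
    return max(errors)[1]

class HierarchicalClassifier:
    """Stage 1 labels every record; a record it assigns to a confused group
    is re-decided by that group's specialist (hypothetical callables)."""
    def __init__(self, stage1, specialists):
        self.stage1 = stage1              # callable: record -> label
        self.specialists = specialists    # {frozenset of labels: callable}

    def predict(self, record):
        label = self.stage1(record)
        for group, specialist in self.specialists.items():
            if label in group:
                return specialist(record)
        return label

if __name__ == "__main__":
    for name in weak_classes(CONFUSION, CLASSES, threshold=0.90):
        rate = detection_rates(CONFUSION, CLASSES)[name]
        partner = main_confusion_partner(CONFUSION, CLASSES, name)
        print(f"{name}: {rate:.1%} detected, mostly mistaken for {partner}")
```

The confusion partners show which classes belong in the same specialist stage: a class that is mostly mistaken for one other class is a candidate for a dedicated classifier trained only on that pair.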



Corresponding author

Correspondence to Alper Sarıkaya.

Ethics declarations

Conflict of interest

On behalf of all authors, the corresponding author states that there is no conflict of interest.

About this article

Cite this article

Sarıkaya, A., Kılıç, B.G. A Class-Specific Intrusion Detection Model: Hierarchical Multi-class IDS Model. SN COMPUT. SCI. 1, 202 (2020). https://doi.org/10.1007/s42979-020-00213-z

  • DOI: https://doi.org/10.1007/s42979-020-00213-z
