Combining Genetic-Based Misuse and Anomaly Detection for Reliably Detecting Intrusions in Computer Networks
When addressing the problem of detecting malicious activities within network traffic, one of the main concerns is the reliability of the packet classification. Furthermore, a system able to detect so-called zero-day attacks is desirable. Pattern recognition techniques have proven their generalization ability in detecting intrusions, and systems based on multiple classifiers can improve detection reliability by combining and correlating the results obtained by different classifiers.
In this paper we present a system exploiting genetic algorithms for deploying both a misuse-based and an anomaly-based classifier. By suitably combining the results obtained by means of such techniques, we aim at attaining a highly reliable classification system while retaining a significant ability to predict new attacks. In order to improve classification reliability, we introduce the concept of rejection: instead of emitting an unreliable verdict, an ambiguous packet can be logged for further analysis. Tests of the proposed system on a standard database for benchmarking intrusion detection systems are also reported.
Keywords: False Alarm, False Alarm Rate, Intrusion Detection, Anomaly Detection, Intrusion Detection System
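The abstract describes combining a misuse-based and an anomaly-based classifier and rejecting ambiguous packets rather than emitting an unreliable verdict. The following is an added illustration, not code from the paper: the signature rules, the benign-traffic profile, the thresholds and the combination rule are all constructed assumptions (the paper induces its classifiers with genetic algorithms and does not publish this rule), and the sample packets are constructed feature vectors, not real captures. It shows the mechanics of a reject option: a verdict is emitted only when the two detectors support it, and packets on which they disagree, or whose anomaly score falls in the gray zone, are set aside for analysis.

```python
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]

ATTACK, NORMAL, REJECT = "attack", "normal", "reject"

# Misuse detector: constructed toy signature rules (hypothetical; a real system would
# induce these from labelled traffic). Each rule is a predicate over packet features
# paired with a confidence in (0, 1].
MISUSE_RULES: List[Tuple[Callable[[Packet], bool], float]] = [
    # plaintext telnet is forbidden by the (hypothetical) site policy
    (lambda p: p["dst_port"] == 23, 0.8),
    # bare SYNs arriving at a very high rate: SYN-flood-like behaviour
    (lambda p: p["syn"] and not p["ack"] and p["rate"] > 200.0, 0.95),
]

def misuse_score(p: Packet) -> float:
    """Highest confidence among the matching signature rules; 0.0 if none matches."""
    return max((conf for rule, conf in MISUSE_RULES if rule(p)), default=0.0)

# Anomaly detector: constructed profile of benign traffic as per-feature (mean, std-dev).
NORMAL_PROFILE: Dict[str, Tuple[float, float]] = {
    "payload_len": (120.0, 60.0),
    "rate": (20.0, 15.0),
}

def anomaly_score(p: Packet) -> float:
    """Mean absolute z-score distance from the benign profile, squashed into [0, 1)."""
    zs = [abs(float(p[f]) - mu) / sd for f, (mu, sd) in NORMAL_PROFILE.items()]
    d = sum(zs) / len(zs)
    return d / (1.0 + d)

def combine(p: Packet, t_attack: float = 0.7, t_normal: float = 0.3) -> str:
    """Assumed combination rule with a reject option (not the paper's rule).

    A verdict is emitted only when both detectors support it; the packet is rejected
    (left for manual analysis) when they disagree or when the anomaly score lies in
    the gray zone between the two thresholds."""
    m, a = misuse_score(p), anomaly_score(p)
    if m >= t_attack:
        # known signature: confirm unless the anomaly detector says it is clearly normal
        return ATTACK if a > t_normal else REJECT
    if a >= t_attack:
        # no known signature but strongly anomalous: candidate novel (zero-day) attack
        return ATTACK
    if a <= t_normal:
        return NORMAL
    return REJECT  # no signature and an anomaly score in the gray zone

def classify_stream(packets: List[Packet]) -> Tuple[List[str], List[Packet]]:
    """Classify a packet sequence; rejected packets are returned as the analysis log."""
    verdicts = [combine(p) for p in packets]
    rejected = [p for p, v in zip(packets, verdicts) if v == REJECT]
    return verdicts, rejected

# Constructed sample packets (feature vectors only, not real captures).
SAMPLE_PACKETS: List[Packet] = [
    {"id": "A", "dst_port": 80, "syn": False, "ack": True, "payload_len": 130, "rate": 18.0},
    {"id": "B", "dst_port": 80, "syn": True, "ack": False, "payload_len": 0, "rate": 500.0},
    {"id": "C", "dst_port": 8080, "syn": False, "ack": True, "payload_len": 1400, "rate": 300.0},
    {"id": "D", "dst_port": 443, "syn": False, "ack": True, "payload_len": 200, "rate": 40.0},
    {"id": "E", "dst_port": 23, "syn": False, "ack": True, "payload_len": 110, "rate": 22.0},
]

if __name__ == "__main__":
    verdicts, rejected = classify_stream(SAMPLE_PACKETS)
    for p, v in zip(SAMPLE_PACKETS, verdicts):
        print(p["id"], v, f"misuse={misuse_score(p):.2f}", f"anomaly={anomaly_score(p):.2f}")
    print("rejected for analysis:", [p["id"] for p in rejected])
```

On the constructed packets, A is normal, B (signature plus strong anomaly) and C (no signature but strongly anomalous) are flagged as attacks, D is rejected because its anomaly score sits between the thresholds, and E is rejected because the telnet signature fires while the anomaly detector sees ordinary traffic. The two rejected packets are the ones an analyst would review, which is the trade-off the abstract describes: fewer unreliable verdicts at the cost of a log to examine.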