Anomaly Detection Enhanced Classification in Computer Intrusion Detection
This paper describes experiences and results applying Support Vector Machine (SVM) to a Computer Intrusion Detection (CID) dataset. This is the second stage of work with this dataset, emphasizing incorporation of anomaly detection in the modeling and prediction of cyber-attacks. The SVM method for classification is used as a benchmark method (from previous study  ), and the anomaly detection approaches compare so-called “one class” SVMs with a thresholded Mahalanobis distance to define support regions. Results compare the performance of the methods, and investigate joint performance of classification and anomaly detection. The dataset used is the DARPA/KDD-99 publicly available dataset of features from network packets classified into non-attack and four attack categories.
KeywordsMahalanobis Distance Anomaly Detection Attack Type Probe Attack Anomaly Detection Method
Unable to display preview. Download preview PDF.
- 1.Mike Fugate, James R. Gattiker, “Detecting Attacks in Computer Networks”, Los Alamos National Laboratory Technical Report, LA-UR-02-1149.Google Scholar
- 3.Trevor Hastie, Robert Tibshirani, Jerome Friedman, The Elements of Statistical Learning: Data Mining, Inference, and Prediction, Springer-Verlag, 2001.Google Scholar
- 6.Bernhard Schölkopf, et al. (2000). “Estimating the Support of a High-Dimensional Distribution”, Technical report MSR-TR-99-87, Microsoft Research, Microsoft Corporation.Google Scholar
- 7.C. Chang, C. Lin, ”LIBSVM: a library for support vector machines”, http://www.csie.ntu.edu.tw/cjlin/papers/libsvm.ps.gz
- 8.T. Joachims, “Making large-Scale SVM Learning Practical”, Advances in Kernel Methods-Support Vector Learning, B. Schölkopf and C. Burges and A. Smola (ed.), MIT-Press, 1999.Google Scholar
- 9.M. Gokhale, D. Dubois, A. Dubois, M. Boorman, ”Gigabit Rate Network Intrusion Detection Technology”, Los Alamos National Laboratory Technical Report, LA-UR-01-6185.Google Scholar