
Intrusion Detection System with Dynamic Training Model

J. Arokia Renjit, Dr.K.L. Shunmuganathan

Abstract

Intrusion detection relies on the extensive knowledge of security experts, particularly on their familiarity with the computer systems to be protected. To reduce this dependency, various machine learning and data mining techniques have been deployed for intrusion detection. An IDS is usually deployed in a dynamically changing environment, which requires continuous training of the intrusion detection model in order to sustain sufficient performance. The manual training process carried out in current systems depends on the system administrators to work out the training solution and to integrate it into the intrusion detection model. In this paper, a self-training IDS is proposed which automatically trains the detection model on-the-fly according to the feedback provided by operators when false predictions are encountered. The proposed system is evaluated using the KDDCup’99 intrusion detection dataset. Experimental results show that the system achieves up to 31% improvement in terms of misclassification cost when compared with a system lacking the tuning feature. If only 12% of the false predictions are used to train the model, the system still achieves about 32% improvement. Administrators can focus on verifying predictions with a low confidence level, as only those predictions determined to be false will be used to train the detection model.
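The following simulation is an added illustration of the feedback loop the abstract describes; it is not code from the paper, and the paper's actual classifier, confidence measure and cost matrix are not given on this page. It assumes a 1-nearest-neighbour detection model over two constructed connection features, a confidence score derived from the distance margin between classes, a verification threshold of 0.5, and a constructed KDD-style cost matrix in which missing an attack costs more than a false alarm. The stream contains a low-rate DoS variant absent from the initial training data, so the static baseline keeps mislabelling it as normal, whereas the tuned model learns it from a single operator-verified false prediction; a low-confidence but correct prediction is verified without being fed back, matching the rule that only predictions found to be false train the model.

```python
"""Operator-feedback retraining loop for a confidence-rated IDS classifier.

Added example with constructed data: a 1-NN classifier over two
connection features returns a class and a confidence; predictions whose
confidence is below a threshold go to the operator, and only the ones the
operator finds wrong are appended to the training set.
"""
from __future__ import annotations
import math
from typing import Dict, List, Tuple

Record = Tuple[float, float]          # constructed features: (conn_rate, err_rate)
Labelled = Tuple[Record, str]

# Constructed misclassification cost matrix, COST[true_label][predicted_label].
# Predicting "normal" for an attack (a miss) is priced above a false alarm.
COST: Dict[str, Dict[str, int]] = {
    "normal": {"normal": 0, "dos": 1, "probe": 1},
    "dos":    {"normal": 2, "dos": 0, "probe": 2},
    "probe":  {"normal": 1, "dos": 1, "probe": 0},
}

# Constructed initial training data: one prototype per class.
INITIAL_TRAINING: List[Labelled] = [
    ((0.0, 0.0), "normal"),
    ((10.0, 0.0), "dos"),
    ((0.0, 10.0), "probe"),
]

# Constructed connection stream with ground truth (what the operator would find).
STREAM: List[Labelled] = [
    ((0.5, 0.0), "normal"),
    ((4.0, 0.0), "dos"),    # low-rate DoS variant not present in the training data
    ((4.5, 0.0), "dos"),
    ((0.0, 5.5), "probe"),  # low confidence but correct: verified, never fed back
    ((3.5, 0.0), "dos"),
    ((0.0, 9.0), "probe"),
    ((9.0, 0.0), "dos"),
]


def _dist(a: Record, b: Record) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


class NNModel:
    """1-NN detection model; confidence = 1 - d_nearest / d_nearest_other_class."""

    def __init__(self, training: List[Labelled]):
        self.training = list(training)

    def predict(self, x: Record) -> Tuple[str, float]:
        best = min(self.training, key=lambda t: _dist(x, t[0]))
        label, d1 = best[1], _dist(x, best[0])
        others = [_dist(x, r) for r, lab in self.training if lab != label]
        d2 = min(others) if others else math.inf  # no rival class: full confidence
        confidence = 1.0 - d1 / d2 if d2 > 0 else 0.0  # exact tie: no confidence
        return label, confidence

    def train_on(self, x: Record, true_label: str) -> None:
        """Incremental update: a verified-false record joins the model."""
        self.training.append((x, true_label))


def run_stream(stream: List[Labelled], feedback: bool,
               threshold: float = 0.5) -> Dict[str, object]:
    """Replay the stream through the model and total the misclassification cost.

    feedback=False: static baseline, predictions are never fed back.
    feedback=True : predictions below `threshold` go to the operator; only the
                    ones found to be false are used to retrain the model.
    """
    model = NNModel(INITIAL_TRAINING)
    cost = verified = trained = 0
    log = []
    for x, truth in stream:
        pred, conf = model.predict(x)
        cost += COST[truth][pred]        # the cost of the prediction as made
        used = False
        if feedback and conf < threshold:
            verified += 1                # operator checks this low-confidence prediction
            if pred != truth:            # false prediction: feed it back to the model
                model.train_on(x, truth)
                trained += 1
                used = True
        log.append((x, truth, pred, round(conf, 3), used))
    return {"cost": cost, "verified": verified, "trained": trained, "log": log}


def cost_improvement(stream: List[Labelled]) -> float:
    """Relative cost reduction of the tuned system over the static baseline."""
    base = run_stream(stream, feedback=False)["cost"]
    tuned = run_stream(stream, feedback=True)["cost"]
    return (base - tuned) / base if base else 0.0


if __name__ == "__main__":
    for mode in (False, True):
        result = run_stream(STREAM, feedback=mode)
        print(f"feedback={mode}: cost={result['cost']} verified={result['verified']} "
              f"trained={result['trained']}")
        for entry in result["log"]:
            print("   ", entry)
    print(f"cost improvement: {cost_improvement(STREAM):.1%}")
```

Running the script shows the baseline paying for three missed DoS records while the tuned model pays for only the first one; the record at (0.0, 5.5) is sent to the operator because its margin is small, but since the prediction was right it never enters the training set. The improvement figure here is a property of the constructed stream, not the 31% reported by the paper.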

Keywords

Intrusion Detection, Classification, Data Mining, Learning Algorithm





Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.