A hybrid method based on genetic algorithm, self-organised feature map, and support vector machine for better network anomaly detection

Anomaly-based network intrusion detection is a valuable technology for shielding systems and networks against malicious activity. Here anomaly detection is performed by a soft-margin Support Vector Machine (SVM), which classifies each input connection into one of two categories (normal or anomalous) according to its behaviour. Among the wide variety of class discrimination algorithms that handle large collections of data, SVM gives much better classification. A genetic algorithm (GA) and a self-organised feature map (SOFM) are used to enhance feature and information extraction from a large dataset such as KDD99. GA yields the features that contribute most to the anomalous behaviour of a connection, and SOFM identifies similar groups within the dataset using a similarity metric. These two machine learning algorithms reduce the volume of data and the number of features used to train the SVM. The proposed framework GSS (GA-SOFM-SVM) shows a 10% increase in detection rate and a 50% reduction in false positive and false negative rates compared to soft-margin SVM alone.
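The three-stage pipeline the abstract describes (GA picks a feature subset, SOFM groups the records so a smaller representative set remains, a soft-margin SVM is trained on the result) is easy to lose in prose, so the following is an added, self-contained illustration written for this page; it is not the authors' code and makes no claim about their implementation details. It uses a constructed six-feature dataset (two informative features, four noise features; nothing from KDD99), a linear soft-margin SVM trained with Pegasos-style subgradient descent, a one-dimensional SOFM, and a bitmask GA with validation accuracy as the fitness. All function names, the per-feature penalty and the map size are assumptions made here for the example.

```python
"""Added example: a miniature GA -> SOFM -> SVM (GSS-style) pipeline.
Constructed data and simplified models; not the paper's implementation."""
import math
import random

NUM_FEATURES = 6  # constructed: features 0 and 1 are informative, 2..5 are noise


def make_dataset(n):
    """Constructed connection records: label +1 = anomalous, -1 = normal."""
    rows = []
    for _ in range(n):
        label = 1 if random.random() < 0.4 else -1
        shift = 4.0 if label == 1 else 0.0
        x = [random.gauss(shift, 1.0), random.gauss(shift, 1.0)]
        x += [random.gauss(0.0, 1.0) for _ in range(NUM_FEATURES - 2)]
        rows.append((x, label))
    return rows


def project(rows, mask):
    """Keep only the feature indices in mask (the GA-selected subset)."""
    return [([x[i] for i in mask], y) for x, y in rows]


def _aug(x):
    """Fold the bias into the weight vector via a constant feature."""
    return list(x) + [1.0]


def train_svm(rows, lam=0.1, epochs=20):
    """Linear soft-margin SVM via Pegasos subgradient descent (primal form)."""
    w = [0.0] * (len(rows[0][0]) + 1)
    t = 0
    for _ in range(epochs):
        for x, y in rows:
            xa = _aug(x)
            t += 1
            eta = 1.0 / (lam * t)
            margin = y * sum(wi * xi for wi, xi in zip(w, xa))
            w = [wi * (1.0 - eta * lam) for wi in w]
            if margin < 1.0:  # hinge loss active: this record uses slack
                w = [wi + eta * y * xi for wi, xi in zip(w, xa)]
    return w


def predict(w, x):
    return 1 if sum(wi * xi for wi, xi in zip(w, _aug(x))) >= 0 else -1


def accuracy(w, rows):
    return sum(predict(w, x) == y for x, y in rows) / len(rows)


def ga_select_features(train, val, pop_size=8, generations=6):
    """GA over feature bitmasks. Fitness = validation accuracy of an SVM on
    that subset minus a small per-feature penalty (assumed here) so that
    compact subsets win ties."""
    def fitness(mask):
        idx = [i for i, bit in enumerate(mask) if bit]
        if not idx:
            return 0.0
        w = train_svm(project(train, idx))
        return accuracy(w, project(val, idx)) - 0.01 * len(idx)

    pop = [[random.randint(0, 1) for _ in range(NUM_FEATURES)] for _ in range(pop_size)]
    for _ in range(generations):
        parents = sorted(pop, key=fitness, reverse=True)[: pop_size // 2]
        children = []
        while len(children) < pop_size - len(parents):
            a, b = random.sample(parents, 2)
            cut = random.randint(1, NUM_FEATURES - 1)
            child = a[:cut] + b[cut:]  # one-point crossover
            if random.random() < 0.2:  # mutation: flip one bit
                child[random.randrange(NUM_FEATURES)] ^= 1
            children.append(child)
        pop = parents + children
    best = max(pop, key=fitness)
    return [i for i, bit in enumerate(best) if bit]


def som_reduce(rows, nodes=4, iters=400, cap=25):
    """One-dimensional self-organising feature map (Euclidean similarity).
    After training, keep at most `cap` records per map node so the SVM
    trains on a smaller set that still covers every discovered group."""
    weights = [list(random.choice(rows)[0]) for _ in range(nodes)]

    def bmu(x):  # best-matching unit
        return min(range(nodes), key=lambda k: sum((a - b) ** 2 for a, b in zip(weights[k], x)))

    for t in range(iters):
        x, _ = random.choice(rows)
        k = bmu(x)
        alpha = 0.5 * (1.0 - t / iters)        # decaying learning rate
        sigma = 1.0 * (1.0 - t / iters) + 0.1  # shrinking neighbourhood
        for j in range(nodes):
            h = math.exp(-((j - k) ** 2) / (2.0 * sigma ** 2))
            weights[j] = [wj + alpha * h * (xi - wj) for wj, xi in zip(weights[j], x)]
    buckets = {k: [] for k in range(nodes)}
    for x, y in rows:
        buckets[bmu(x)].append((x, y))
    return [rec for k in range(nodes) for rec in buckets[k][:cap]]


def run_pipeline(n_train=200, n_val=60, n_test=100, seed=7):
    """GA feature selection -> SOFM data reduction -> SVM; returns a summary."""
    random.seed(seed)
    train, val, test = make_dataset(n_train), make_dataset(n_val), make_dataset(n_test)
    mask = ga_select_features(train, val)
    reduced = som_reduce(project(train, mask))
    w = train_svm(reduced)
    return {"mask": mask, "train_size": n_train, "reduced_size": len(reduced),
            "test_accuracy": accuracy(w, project(test, mask))}


if __name__ == "__main__":
    print(run_pipeline())
```

The summary returned by `run_pipeline` shows the two reductions the abstract relies on: the GA mask is shorter than the full feature list, and the SOFM-reduced training set is smaller than the original, while the final SVM is still evaluated on the held-out test records. Real evaluation on KDD99 would additionally report detection rate and false positive/negative rates per attack class, which this toy summary does not.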
