In this paper, an incremental learning method that cascades the Service Classifier and ITI (Incremental Tree Inducer) methods for supervised anomaly detection, called "SC+ITI", is proposed for classifying anomalous and normal instances in a computer network. Since the ITI method cannot handle test instances whose service value was not seen during training, the SC+ITI cascading method is proposed to avoid this situation. The SC+ITI cascading method consists of two steps. First, the Service Classifier method partitions the training instances into n service clusters according to their service values. Second, to avoid handling instances with unseen service values, an ITI classifier is trained on the instances of each cluster, all of which share the same service value. In 2007, Gaddam et al. [5] presented the K-Means+ID3 cascading method, which mitigates two problems: (1) the Forced Assignment problem and (2) the Class Dominance problem. Their method with the Nearest Neighbor (NN) combination rule outperforms the other three methods (i.e., K-Means, ID3, and K-Means+ID3 with the Nearest Consensus rule) on the 1998 MIT-DARPA data set. Since the KDD'99 data set was also derived from the 1998 MIT-DARPA data set, the Nearest Neighbor combination rule is used within the K-Means+ITI and SOM+ITI cascading methods in our experiments. We compare the performance of SC+ITI with the K-Means, SOM, ITI, K-Means+ITI, and SOM+ITI methods in terms of Detection Rate and False Positive Rate (FPR) on the KDD'99 data set. The results show that the ITI method performs better than the K-Means, SOM, K-Means+ITI, and SOM+ITI methods in terms of the overall Detection Rate. Our method, the Service Classifier and ITI cascading method, outperforms the ITI method in terms of both Detection Rate and FPR and shows a better Detection Rate than the other methods. Like the ITI method, our method also provides the additional options of handling missing values and incremental learning.
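The two-step cascade described above can be illustrated with a minimal sketch. The Python snippet below assumes each instance is a dict with a numeric "features" vector and a categorical "service" field (hypothetical names), and it uses scikit-learn's DecisionTreeClassifier as a stand-in for the incremental ITI learner the paper actually employs; the fallback label for unseen service values is purely a placeholder, since the abstract does not specify how such instances are handled.

from collections import defaultdict
from sklearn.tree import DecisionTreeClassifier  # stand-in for ITI

def train_service_trees(records, labels):
    """Partition training records by their 'service' value (the Service Classifier
    step) and fit one decision tree per partition."""
    buckets = defaultdict(lambda: ([], []))
    for rec, lab in zip(records, labels):
        X, y = buckets[rec["service"]]
        X.append(rec["features"])
        y.append(lab)
    return {svc: DecisionTreeClassifier().fit(X, y) for svc, (X, y) in buckets.items()}

def classify(trees, record, fallback="anomaly"):
    """Route a test record to the tree trained for its service value.

    The abstract does not say how instances with an unseen service value are
    labeled, so 'fallback' is only a placeholder for that case.
    """
    tree = trees.get(record["service"])
    if tree is None:
        return fallback
    return tree.predict([record["features"]])[0]

A caller would first build the per-service trees from the training data with train_service_trees and then label each test instance with classify; because every tree only ever sees one service value, the service attribute never needs to be split on inside the tree itself.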
[1] J. A. Hartigan, et al. A k-means clustering algorithm, 1979.
[2] Jorma Laaksonen, et al. SOM_PAK: The Self-Organizing Map Program Package, 1996.
[3] Tom Fawcett, et al. An introduction to ROC analysis, 2006, Pattern Recognition Letters.
[4] Paul E. Utgoff, et al. Decision Tree Induction Based on Efficient Tree Restructuring, 1997, Machine Learning.
[5] Vir V. Phoha, et al. K-Means+ID3: A Novel Method for Supervised Anomaly Detection by Cascading K-Means Clustering and ID3 Decision Tree Learning Methods, 2007, IEEE Transactions on Knowledge and Data Engineering.
[6] Usama M. Fayyad, et al. On the Handling of Continuous-Valued Attributes in Decision Tree Generation, 1992, Machine Learning.
[7] Teuvo Kohonen, et al. The self-organizing map, 1990, Neurocomputing.
[8] S. T. Sarasamma, et al. Min-max hyperellipsoidal clustering for anomaly detection in network security, 2006, IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics).
[9] Salvatore J. Stolfo, et al. Adaptive Intrusion Detection: A Data Mining Approach, 2000, Artificial Intelligence Review.
[10] Maurice K. Wong, et al. Algorithm AS136: A k-means clustering algorithm, 1979.
[11] John McHugh, et al. Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory, 2000, ACM Transactions on Information and System Security.
[12] J. Ross Quinlan, et al. Induction of Decision Trees, 1986, Machine Learning.