A Statistical Rule Learning Approach to Network Intrusion Detection

With the enormous growth in users' reliance on the Internet, the need for secure and reliable computer networks also increases. A good security mechanism requires an Intrusion Detection System (IDS) in order to detect security breaches when the prevention schemes are circumvented. To be able to react to different network attacks in changing environments, a generic and flexible detection system is of paramount importance. This paper presents a method that uses statistical features as the input to a rule learning technique. First, for extracting suitable features for intrusion detection, an entropy- and volume-based approach is introduced. Then, for the classification task, a genetic-based rule learning technique that utilises an interval-based representation for the statistical features of network traffic is proposed. Two sources of data are used to evaluate this technique and to compare it against other machine learning techniques. The results show that the proposed approach produces simple rulesets with detection performance competitive with the other algorithms.
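To make the two ingredients of the abstract concrete, the following added example (not code from the paper or its authors) computes entropy- and volume-based features over windows of flow records and then classifies each window with interval-based rules of the kind the genetic learner would evolve. The flow records, the feature names (`H_src`, `H_dst`, `H_dport`, `flows`, `bytes`), the rule thresholds and the labels are all constructed for illustration; a real system would learn the intervals from labelled traffic rather than hand-write them.

```python
import math
from collections import Counter

# Constructed flow records for three traffic windows: (src_ip, dst_ip, dst_port, bytes).
# Addresses are private/documentation ranges; nothing here is captured traffic.
FLOWS_NORMAL = [
    ("10.0.0.1", "93.184.216.34", 443, 1200),
    ("10.0.0.2", "93.184.216.35", 80, 800),
    ("10.0.0.3", "93.184.216.36", 443, 950),
    ("10.0.0.4", "93.184.216.37", 80, 400),
    ("10.0.0.1", "93.184.216.35", 443, 300),
    ("10.0.0.2", "93.184.216.36", 80, 700),
    ("10.0.0.3", "93.184.216.37", 443, 1100),
    ("10.0.0.4", "93.184.216.34", 80, 600),
]
# Window with one source, one target and every flow to a different destination port:
# low source/destination entropy, high port entropy.
FLOWS_SCAN = [("10.0.0.9", "93.184.216.34", port, 60) for port in range(1, 17)]
# Window with many distinct sources, one target and port, and a high flow count:
# high source entropy, zero destination entropy, large volume.
FLOWS_FLOOD = [(f"192.0.2.{i}", "93.184.216.34", 80, 512) for i in range(1, 65)]


def shannon_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0  # empty window: nothing to measure
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def window_features(flows):
    """Entropy of each header field over the window plus two volume features."""
    return {
        "H_src": shannon_entropy([f[0] for f in flows]),
        "H_dst": shannon_entropy([f[1] for f in flows]),
        "H_dport": shannon_entropy([f[2] for f in flows]),
        "flows": float(len(flows)),
        "bytes": float(sum(f[3] for f in flows)),
    }


# Hypothetical interval-based rules standing in for an evolved ruleset:
# each condition maps a feature to (low, high); None leaves that side unbounded.
RULES = [
    ("port-scan", {"H_dport": (3.0, None), "H_src": (None, 0.5)}),
    ("flood", {"H_dst": (None, 0.5), "flows": (50.0, None)}),
]


def rule_matches(conditions, feats):
    """True when every feature named in the rule falls inside its interval."""
    for name, (low, high) in conditions.items():
        value = feats[name]
        if low is not None and value < low:
            return False
        if high is not None and value > high:
            return False
    return True


def classify(flows, rules=RULES):
    """First matching rule's label wins; windows matching no rule are 'normal'."""
    feats = window_features(flows)
    for label, conditions in rules:
        if rule_matches(conditions, feats):
            return label
    return "normal"


if __name__ == "__main__":
    for name, flows in (("normal", FLOWS_NORMAL), ("scan", FLOWS_SCAN), ("flood", FLOWS_FLOOD)):
        print(name, window_features(flows), "->", classify(flows))
```

Two design points carry over to a real deployment: the entropy features are computed per window, so the window length sets the trade-off between detection latency and noise, and the rule order matters because the first matching interval rule decides the label.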
