An Information-Theoretic Combining Method for Multi-Classifier Anomaly Detection Systems

Recent studies have shown that the standalone anomaly classifiers used by network anomaly detectors are unable to provide acceptable accuracies in real-world deployments. To achieve higher accuracies, Network Anomaly Detection Systems (NADSs) now use multiple classifiers whose outputs are combined into an aggregate anomaly score. Judicious methods of combining these classifiers' outputs are largely unexplored. In this paper, we propose a novel information-theoretic combining method that accounts for the individual classifiers' accuracies in a multi-classifier NADS. We first show that existing combining schemes, whether designed for or adapted to the problem of multi-classifier NADS combining, do not provide good accuracies because they do not use the individual classifiers' detection and false alarm rates in the combining process. Furthermore, we reveal that an accurate multi-classifier NADS must, in addition to the mean accuracy rates, also consider the classifiers' variances during combining. Therefore, we propose a Standard Deviation normalized Entropy of Accuracy (SDnEA) method for classifier combining. Using 9 prominent classifiers operating on two publicly-available traffic datasets, we show that the proposed information-theoretic NADS combining technique provides an increase of around 3%-10% in detection rate and a 40% decrease in false alarm rate over existing combining techniques.
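The following added example (not the paper's code) illustrates the abstract's two points with constructed data: a combining weight should use each classifier's detection and false alarm rates, and should be discounted for a classifier whose accuracy varies from window to window. The weight used here, mutual information between a classifier's alarm and the ground truth divided by the standard deviation of its accuracy, is an assumption chosen to follow that description; the paper's actual SDnEA formula is not given on this page. The classifier names, rates and attack prior are all constructed.

```python
# Added illustration: accuracy- and variance-aware classifier combining.
# The weighting below (mutual information / std-dev of accuracy) is an
# assumption chosen to follow the abstract's description; it is NOT the
# paper's SDnEA formula, which this page does not give.
import math
from statistics import mean, pstdev

def binary_entropy(p):
    """Entropy in bits of a Bernoulli(p) variable."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def mutual_information(dr, far, prior):
    """Bits of information a classifier's alarm carries about the ground truth,
    given its detection rate `dr`, false alarm rate `far` and attack prior."""
    p_alarm = prior * dr + (1 - prior) * far
    h_alarm_given_truth = prior * binary_entropy(dr) + (1 - prior) * binary_entropy(far)
    return binary_entropy(p_alarm) - h_alarm_given_truth

def combining_weights(history, prior, penalize_variance=True, eps=0.05):
    """history maps classifier name -> [(dr, far), ...] per evaluation window.
    Weight = mean information, divided by the std-dev of accuracy when
    penalize_variance is set; weights are normalized to sum to 1."""
    raw = {}
    for name, windows in history.items():
        info = mean(mutual_information(dr, far, prior) for dr, far in windows)
        acc = [prior * dr + (1 - prior) * (1 - far) for dr, far in windows]
        raw[name] = info / (pstdev(acc) + eps) if penalize_variance else info
    total = sum(raw.values())
    return {n: w / total for n, w in raw.items()}

def combine(votes, weights, threshold=0.5):
    """votes maps classifier name -> 1 (alarm) / 0; returns (score, decision)."""
    score = sum(weights[n] * v for n, v in votes.items())
    return score, score >= threshold

def majority_vote(votes):
    return 2 * sum(votes.values()) > len(votes)

# Constructed per-window (detection rate, false alarm rate) history for three
# hypothetical classifiers: A strong and stable, B mediocre and stable,
# C with the same mean rates as B but highly variable.
PRIOR = 0.1  # assumed fraction of attack windows
HISTORY = {
    "A": [(0.90, 0.02), (0.88, 0.03), (0.92, 0.02)],
    "B": [(0.70, 0.10), (0.68, 0.11), (0.72, 0.09)],
    "C": [(0.95, 0.05), (0.45, 0.15), (0.70, 0.10)],
}
```

With this history, `combining_weights(HISTORY, PRIOR)` ranks A above B above C even though C's mean information is higher than B's, and a vote in which only B and C raise an alarm is rejected by the weighted combiner but accepted by majority voting.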
