A three-tier IDS via data mining approach

We introduce a three-tier intrusion detection system (IDS) architecture consisting of a blacklist, a whitelist and a multi-class support vector machine (SVM) classifier. The first tier, the blacklist, filters known attacks out of the traffic; the second tier, the whitelist, identifies normal traffic. The remaining connections, the anomalies the whitelist does not accept, are then classified by a multi-class SVM into four categories: PROBE, DoS, R2L and U2R. Several data mining and machine learning techniques are applied in building the tiers. We designed and evaluated the three-tier IDS on the KDD'99 benchmark dataset. Our system achieves a 94.71% intrusion detection rate and a 93.52% diagnosis rate, with an average cost of 0.1781 per connection; all of these results are better than those of the KDD'99 cup winner. The three-tier design also gives flexibility in practical use: a network administrator can add new patterns to the blacklist and fine-tune the whitelist to match the network environment and the site's security policy.
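The tiered decision flow described above, as an added illustration that is not the paper's code: connection records use real KDD'99 field names but are constructed here; the blacklist and whitelist rules, the training rows and the test rows are assumptions chosen for the demonstration; a nearest-centroid classifier stands in for the paper's multi-class SVM (the ordering of the tiers, not the classifier, is the point); and the cost matrix is reproduced from memory of the KDD'99 cup's published scoring, so verify it against the cup rules before reusing it.

```python
"""Three-tier IDS pipeline: blacklist -> whitelist -> multi-class fallback.

Added illustration, not the paper's code. Records, rules, training and test
rows are constructed; NearestCentroid stands in for the paper's SVM tier.
"""
import math

# KDD'99 cup cost matrix, rows = actual, cols = predicted (assumption:
# reproduced from memory of the cup rules; verify before reusing).
COST = {
    "normal": {"normal": 0, "PROBE": 1, "DoS": 2, "U2R": 2, "R2L": 2},
    "PROBE":  {"normal": 1, "PROBE": 0, "DoS": 2, "U2R": 2, "R2L": 2},
    "DoS":    {"normal": 2, "PROBE": 1, "DoS": 0, "U2R": 2, "R2L": 2},
    "U2R":    {"normal": 3, "PROBE": 2, "DoS": 2, "U2R": 0, "R2L": 2},
    "R2L":    {"normal": 4, "PROBE": 2, "DoS": 2, "U2R": 2, "R2L": 0},
}


def conn(**kw):
    """Build a KDD'99-style connection record (field names are the real ones)."""
    r = dict(protocol_type="tcp", service="http", flag="SF", src_bytes=200,
             dst_bytes=1000, land=0, num_failed_logins=0, root_shell=0,
             count=5, serror_rate=0.0, rerror_rate=0.0, diff_srv_rate=0.0)
    r.update(kw)
    return r


# Tier 1: blacklist of known-attack signatures, each (name, predicate, class).
BLACKLIST = [
    ("land", lambda r: r["land"] == 1, "DoS"),
    ("syn_flood", lambda r: r["flag"] == "S0" and r["serror_rate"] >= 0.9
                            and r["count"] >= 100, "DoS"),
    ("guess_passwd", lambda r: r["service"] == "telnet"
                               and r["num_failed_logins"] >= 3, "R2L"),
]

# Tier 2: whitelist describing what "normal" looks like on this network.
WHITELIST = [
    ("clean_session", lambda r: r["flag"] == "SF" and r["num_failed_logins"] == 0
                                and r["root_shell"] == 0 and r["serror_rate"] < 0.1
                                and r["rerror_rate"] < 0.1 and r["diff_srv_rate"] < 0.5
                                and r["count"] < 50),
]


def features(r):
    """Numeric view of a record for the fallback classifier (count caps at 511)."""
    return [math.log1p(r["src_bytes"]), math.log1p(r["dst_bytes"]),
            r["count"] / 511.0, r["serror_rate"], r["rerror_rate"],
            r["diff_srv_rate"], float(r["root_shell"]), r["num_failed_logins"] / 5.0]


class NearestCentroid:
    """Tier 3 stand-in for the multi-class SVM: one centroid per attack class."""

    def fit(self, rows):
        sums, n = {}, {}
        for r, y in rows:
            v = features(r)
            s = sums.setdefault(y, [0.0] * len(v))
            for i, x in enumerate(v):
                s[i] += x
            n[y] = n.get(y, 0) + 1
        self.centroids = {y: [x / n[y] for x in s] for y, s in sums.items()}
        return self

    def predict(self, r):
        v = features(r)
        return min(self.centroids, key=lambda y: sum(
            (a - b) ** 2 for a, b in zip(v, self.centroids[y])))


def classify(r, model):
    """Run the tiers in order; returns (label, which tier decided)."""
    for name, hit, label in BLACKLIST:
        if hit(r):
            return label, "blacklist:" + name
    for name, hit in WHITELIST:
        if hit(r):
            return "normal", "whitelist:" + name
    return model.predict(r), "classifier"


def evaluate(rows, model):
    """Assumed definitions: detection = attacks not labelled normal;
    diagnosis = connections given their exact class; cost = KDD average."""
    preds = [classify(r, model)[0] for r, _ in rows]
    attacks = [(p, y) for p, (_, y) in zip(preds, rows) if y != "normal"]
    detect = sum(p != "normal" for p, _ in attacks) / len(attacks)
    diag = sum(p == y for p, (_, y) in zip(preds, rows)) / len(rows)
    cost = sum(COST[y][p] for p, (_, y) in zip(preds, rows)) / len(rows)
    return preds, detect, diag, cost


TRAIN = [  # constructed, two records per attack class
    (conn(service="private", flag="REJ", src_bytes=0, dst_bytes=0, count=300,
          rerror_rate=1.0, diff_srv_rate=0.9), "PROBE"),
    (conn(service="private", flag="S0", src_bytes=0, dst_bytes=0, count=150,
          serror_rate=0.6, diff_srv_rate=0.8), "PROBE"),
    (conn(protocol_type="icmp", service="ecr_i", src_bytes=1032, dst_bytes=0, count=511), "DoS"),
    (conn(protocol_type="udp", service="private", src_bytes=28, dst_bytes=0, count=480), "DoS"),
    (conn(service="ftp_data", src_bytes=0, dst_bytes=60000, count=1), "R2L"),
    (conn(service="ftp", src_bytes=300, dst_bytes=9000, count=1, num_failed_logins=1), "R2L"),
    (conn(service="telnet", src_bytes=1500, dst_bytes=5000, count=1, root_shell=1), "U2R"),
    (conn(service="telnet", src_bytes=2500, dst_bytes=4000, count=2, root_shell=1), "U2R"),
]

TEST = [  # constructed; last two rows show a whitelist miss and a blacklist misdiagnosis
    (conn(), "normal"),
    (conn(flag="S0", land=1), "DoS"),
    (conn(flag="S0", src_bytes=0, dst_bytes=0, count=511, serror_rate=1.0), "DoS"),
    (conn(service="telnet", num_failed_logins=4), "R2L"),
    (conn(protocol_type="icmp", service="ecr_i", src_bytes=1032, dst_bytes=0, count=500), "DoS"),
    (conn(service="private", flag="REJ", src_bytes=0, dst_bytes=0, count=250,
          rerror_rate=1.0, diff_srv_rate=0.85), "PROBE"),
    (conn(service="telnet", src_bytes=2000, dst_bytes=4500, count=1, root_shell=1), "U2R"),
    (conn(service="ftp_data", src_bytes=0, dst_bytes=50000, count=1), "R2L"),
    (conn(service="private", flag="S0", src_bytes=0, dst_bytes=0, count=120,
          serror_rate=1.0, diff_srv_rate=0.95), "PROBE"),
]

if __name__ == "__main__":
    model = NearestCentroid().fit(TRAIN)
    for r, y in TEST:
        print(y.ljust(6), *classify(r, model))
    print("detection %.4f diagnosis %.4f avg cost %.4f" % evaluate(TEST, model)[1:])
```

The last two test rows are there to show why the tuning knobs the abstract mentions matter. The loose whitelist passes a large `ftp_data` download as normal, which under the cost matrix is the most expensive kind of miss (R2L labelled normal costs 4), and the `syn_flood` signature absorbs a SYN scan as DoS, so the connection is detected but misdiagnosed. Bounding `dst_bytes` in the whitelist, or adding a PROBE signature that is checked before the DoS one, is the kind of environment- and policy-driven adjustment the abstract describes.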
