Minimizing False Positives of a Decision Tree Classifier for Intrusion Detection on the Internet

Authors:
Satoru Ohta;Ryosuke Kurebayashi;Kiyoshi Kobayashi
Affiliations:
Faculty of Engineering, Toyama Prefectural University, Imizu-shi, Toyama, Japan 939-0398;Network Solutions Busimess Headquarters, NTT Advanced Technology Corporation, Totsuka-ku, Yokohama-shi, Japan;NTT Network Innovation Laboratories, NTT Corporation, Yokosuka-shi, Japan
Venue:
Journal of Network and Systems Management
Year:
2008

Citing 12
Cited 0

C4.5: programs for machine learning

C4.5: programs for machine learning
The base-rate fallacy and its implications for the difficulty of intrusion detection

CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Discovering outlier filtering rules from unlabeled data: combining a supervised learner with an unsupervised learner

Proceedings of the seventh ACM SIGKDD international conference on Knowledge discovery and data mining
Proactive Intrusion Detection and Distributed Denial of Service Attacks—A Case Study in Security Management

Journal of Network and Systems Management
Naive Bayes vs decision trees in intrusion detection systems

Proceedings of the 2004 ACM symposium on Applied computing
Detecting Network Attacks in the Internet via Statistical Network Traffic Normality Prediction

Journal of Network and Systems Management
Distributed Management Architecture for Cooperative Detection and Reaction to DDoS Attacks

Journal of Network and Systems Management
Optimizing the Scalability of Network Intrusion Detection Systems Using Mobile Agents

Journal of Network and Systems Management
Protocol Analysis in Intrusion Detection Using Decision Tree

ITCC '04 Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'04) Volume 2 - Volume 2
Detecting Distributed Denial-of-Service Attacks Using Kolmogorov Complexity Metrics

Journal of Network and Systems Management
Decision tree classifier for network intrusion detection with GA-based feature selection

Proceedings of the 43rd annual Southeast regional conference - Volume 2
Inferring internet denial-of-service activity

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10

Quantified Score

Hi-index	0.00

Visualization

Abstract

Machine learning or data mining technologies are often used in network intrusion detection systems. An intrusion detection system based on machine learning utilizes a classifier to infer the current state from the observed traffic attributes. The problem with learning-based intrusion detection is that it leads to false positives and so incurs unnecessary additional operation costs. This paper investigates a method to decrease the false positives generated by an intrusion detection system that employs a decision tree as its classifier. The paper first points out that the information-gain criterion used in previous studies to select the attributes in the tree-constructing algorithm is not effective in achieving low false positive rates. Instead of the information-gain criterion, this paper proposes a new function that evaluates the goodness of an attribute by considering the significance of error types. The proposed function can successfully choose an attribute that suppresses false positives from the given attribute set and the effectiveness of using it is confirmed experimentally. This paper also examines the more trivial leaf rewriting approach to benchmark the proposed method. The comparison shows that the proposed attribute evaluation function yields better solutions than the leaf rewriting approach.