Machine learning and data mining techniques are often used in network intrusion detection systems. An intrusion detection system based on machine learning uses a classifier to infer the current state of the network from observed traffic attributes. The problem with learning-based intrusion detection is that it produces false positives, which incur unnecessary additional operating costs. This paper investigates a method for reducing the false positives generated by an intrusion detection system that employs a decision tree as its classifier. The paper first shows that the information-gain criterion used in previous studies to select attributes during tree construction is not effective at achieving low false positive rates. In place of the information-gain criterion, the paper proposes a new function that evaluates the goodness of an attribute by weighting the significance of the different error types (false positives versus false negatives). The proposed function succeeds in choosing, from the given attribute set, attributes that suppress false positives, and its effectiveness is confirmed experimentally. The paper also examines the simpler leaf rewriting approach as a benchmark for the proposed method. The comparison shows that the proposed attribute evaluation function yields better solutions than leaf rewriting.
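To make the abstract's point concrete, the following added example (not code from the paper, whose actual evaluation function is not given on this page) builds a one-level decision tree on a constructed set of labelled traffic records and selects the split attribute two ways: by information gain, and by a cost-weighted error that charges each false positive more than each false negative. The record set, the attribute names `A` and `B`, and the cost ratio are all assumptions chosen for illustration. Attribute `A` has the higher information gain, but attribute `B` never flags normal traffic, so the cost-weighted criterion prefers it.

```python
"""Attribute selection for a decision stump on constructed intrusion-detection
records: information gain versus a cost-weighted error criterion.

Added example; the paper's real evaluation function is not reproduced here.
"""
from collections import Counter
from math import log2

NORMAL, ATTACK = 0, 1

# Constructed sample: (attribute A, attribute B, label) -- 10 normal, 10 attack.
# Attribute A separates the classes almost symmetrically (one error each way);
# attribute B never flags normal traffic but misses three attacks.
RECORDS = (
    [(0, 0, NORMAL)] * 9 + [(1, 0, NORMAL)] * 1                            # normal
    + [(0, 0, ATTACK)] * 1 + [(1, 0, ATTACK)] * 2 + [(1, 1, ATTACK)] * 7   # attack
)

# Hypothetical attribute names mapped to their column in each record.
ATTRIBUTES = {"A": 0, "B": 1}


def entropy(labels):
    """Shannon entropy (bits) of a label multiset; 0 for an empty set."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum((c / n) * log2(c / n) for c in Counter(labels).values())


def partition(records, attr):
    """Group record labels by the value of the chosen attribute."""
    groups = {}
    for rec in records:
        groups.setdefault(rec[ATTRIBUTES[attr]], []).append(rec[2])
    return groups


def information_gain(records, attr):
    """Classic C4.5-style criterion: parent entropy minus weighted child entropy."""
    n = len(records)
    parent = entropy([rec[2] for rec in records])
    children = sum(len(ls) / n * entropy(ls) for ls in partition(records, attr).values())
    return parent - children


def cost_weighted_error(records, attr, fp_cost, fn_cost):
    """Total misclassification cost of a stump split on `attr`.

    Each leaf predicts its majority label; normals in an ATTACK leaf are false
    positives, attacks in a NORMAL leaf are false negatives, each weighted by
    the caller-supplied cost (an assumption standing in for the paper's function).
    """
    total = 0.0
    for labels in partition(records, attr).values():
        predicted = Counter(labels).most_common(1)[0][0]
        if predicted == ATTACK:
            total += fp_cost * labels.count(NORMAL)  # normal traffic flagged
        else:
            total += fn_cost * labels.count(ATTACK)  # attacks missed
    return total


def best_by_information_gain(records=RECORDS):
    """Attribute a plain information-gain criterion would split on."""
    return max(ATTRIBUTES, key=lambda a: information_gain(records, a))


def best_by_cost(records=RECORDS, fp_cost=5.0, fn_cost=1.0):
    """Attribute the cost-weighted criterion would split on (FP five times FN by default)."""
    return min(ATTRIBUTES, key=lambda a: cost_weighted_error(records, a, fp_cost, fn_cost))


if __name__ == "__main__":
    for attr in ATTRIBUTES:
        print(attr, "IG=%.3f" % information_gain(RECORDS, attr),
              "cost=%.1f" % cost_weighted_error(RECORDS, attr, 5.0, 1.0))
    print("information gain picks", best_by_information_gain())
    print("cost-weighted picks", best_by_cost())
```

With equal costs for both error types the cost criterion agrees with information gain and picks `A` (two errors versus three); only when a false positive is charged more than a false negative does the choice move to `B`, which is the trade-off the abstract describes.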