Active learning for network intrusion detection

Authors:
Nico Görnitz;Marius Kloft;Konrad Rieck;Ulf Brefeld
Affiliations:
Technische Universität Berlin, Berlin, Germany;Technische Universität Berlin, Berlin, Germany;Technische Universität Berlin, Berlin, Germany;Technische Universität Berlin, Berlin, Germany
Venue:
Proceedings of the 2nd ACM workshop on Security and artificial intelligence
Year:
2009

Citing 19
Cited 1

Fast training of support vector machines using sequential minimal optimization

Advances in kernel methods
A vector space model for automatic indexing

Communications of the ACM
Code-Red: a case study on the spread and victims of an internet worm

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Network traffic anomaly detection based on packet bytes

Proceedings of the 2003 ACM symposium on Applied computing
Support Vector Data Description

Machine Learning
Using Active Learning in Intrusion Detection

CSFW '04 Proceedings of the 17th IEEE workshop on Computer Security Foundations
The Spread of the Witty Worm

IEEE Security and Privacy
Estimating the Support of a High-Dimensional Distribution

Neural Computation
MisleadingWorm Signature Generators Using Deliberate Noise Injection

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Minimum Enclosing and Maximum Excluding Machine for Pattern Description and Discrimination

ICPR '06 Proceedings of the 18th International Conference on Pattern Recognition - Volume 03
Learning DFA representations of HTTP for protecting web applications

Computer Networks: The International Journal of Computer and Telecommunications Networking
Polymorphic blending attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Transductive support vector machines for structured variables

Proceedings of the 24th international conference on Machine learning
On the infeasibility of modeling polymorphic shellcode

Proceedings of the 14th ACM conference on Computer and communications security
McPAD: A multiple classifier system for accurate payload-based anomaly detection

Computer Networks: The International Journal of Computer and Telecommunications Networking
A multi-model approach to the detection of web-based attacks

Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
Detecting unknown network attacks using language models

DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
Pattern classification via single spheres

DS'05 Proceedings of the 8th international conference on Discovery Science
Anagram: a content anomaly detector resistant to mimicry attack

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection

Intrusion detection using disagreement-based semi-supervised learning: detection enhancement and false alarm reduction

CSS'12 Proceedings of the 4th international conference on Cyberspace Safety and Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Anomaly detection for network intrusion detection is usually considered an unsupervised task. Prominent techniques, such as one-class support vector machines, learn a hypersphere enclosing network data, mapped to a vector space, such that points outside of the ball are considered anomalous. However, this setup ignores relevant information such as expert and background knowledge. In this paper, we rephrase anomaly detection as an active learning task. We propose an effective active learning strategy to query low-confidence observations and to expand the data basis with minimal labeling effort. Our empirical evaluation on network intrusion detection shows that our approach consistently outperforms existing methods in relevant scenarios.