An autonomous labeling approach to support vector machines algorithms for network traffic anomaly detection

Authors:
Carlos A. Catania;Facundo Bromberg;Carlos García Garino
Affiliations:
ITIC, Universidad Nacional de Cuyo, Mendoza, Argentina;Dept. Sistemas de Información, FRM - UTN, Mendoza, Argentina;ITIC, Universidad Nacional de Cuyo, Mendoza, Argentina and Facultad de Ingeniería, Universidad Nacional de Cuyo, Mendoza, Argentina
Venue:
Expert Systems with Applications: An International Journal
Year:
2012

Citing 9
Cited 1

A training algorithm for optimal margin classifiers

COLT '92 Proceedings of the fifth annual workshop on Computational learning theory
Support-Vector Networks

Machine Learning
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Estimating the Support of a High-Dimensional Distribution

Neural Computation
An introduction to ROC analysis

Pattern Recognition Letters - Special issue: ROC analysis in pattern recognition
Data mining approaches for intrusion detection

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Intrusion detection using sequences of system calls

Journal of Computer Security
The Problem of False Alarms: Evaluation with Snort and DARPA 1999 Dataset

TrustBus '08 Proceedings of the 5th international conference on Trust, Privacy and Security in Digital Business
Data mining-based intrusion detectors

Expert Systems with Applications: An International Journal

Self-advising support vector machine

Knowledge-Based Systems

Quantified Score

Hi-index	12.05

Visualization

Abstract

In the past years, several support vector machines (SVM) novelty detection approaches have been applied on the network intrusion detection field. The main advantage of these approaches is that they can characterize normal traffic even when trained with datasets containing not only normal traffic but also a number of attacks. Unfortunately, these algorithms seem to be accurate only when the normal traffic vastly outnumbers the number of attacks present in the dataset. A situation which can not be always hold. This work presents an approach for autonomous labeling of normal traffic as a way of dealing with situations where class distribution does not present the imbalance required for SVM algorithms. In this case, the autonomous labeling process is made by SNORT, a misuse-based intrusion detection system. Experiments conducted on the 1998 DARPA dataset show that the use of the proposed autonomous labeling approach not only outperforms existing SVM alternatives but also, under some attack distributions, obtains improvements over SNORT itself.