A novel hybrid intrusion detection method integrating anomaly detection with misuse detection

Authors:
Gisung Kim;Seungmin Lee;Sehun Kim
Affiliations:
Institute for IT Convergence, KAIST, Guseong-dong, Yuseong-gu, Daejeon 305-701, South Korea;Future Research Creative Laboratory, ETRI 218 Gajeong-ro, Yuseong-gu, Daejeon 305-700, South Korea;Institute for IT Convergence, KAIST, Guseong-dong, Yuseong-gu, Daejeon 305-701, South Korea
Venue:
Expert Systems with Applications: An International Journal
Year:
2014

Citing 11
Cited 1

One-class svms for document classification

The Journal of Machine Learning Research
Estimating the Support of a High-Dimensional Distribution

Neural Computation
A Hybrid Network Intrusion Detection Technique Using Random Forests

ARES '06 Proceedings of the First International Conference on Availability, Reliability and Security
Using an Ensemble of One-Class SVM Classifiers to Harden Payload-based Anomaly Detection Systems

ICDM '06 Proceedings of the Sixth International Conference on Data Mining
Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes

IEEE Transactions on Dependable and Secure Computing
One-class support vector machines-an application in machine fault detection and classification

Computers and Industrial Engineering
The WEKA data mining software: an update

ACM SIGKDD Explorations Newsletter
An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks

Expert Systems with Applications: An International Journal
A detailed analysis of the KDD CUP 99 data set

CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
Tree Decomposition for Large-Scale SVM Problems

The Journal of Machine Learning Research
LIBSVM: A library for support vector machines

ACM Transactions on Intelligent Systems and Technology (TIST)

A novel intrusion detection system based on feature generation with visualization strategy

Expert Systems with Applications: An International Journal

Quantified Score

Hi-index	12.05

Visualization

Abstract

In this paper, a new hybrid intrusion detection method that hierarchically integrates a misuse detection model and an anomaly detection model in a decomposition structure is proposed. First, a misuse detection model is built based on the C4.5 decision tree algorithm and then the normal training data is decomposed into smaller subsets using the model. Next, multiple one-class SVM models are created for the decomposed subsets. As a result, each anomaly detection model does not only use the known attack information indirectly, but also builds the profiles of normal behavior very precisely. The proposed hybrid intrusion detection method was evaluated by conducting experiments with the NSL-KDD data set, which is a modified version of well-known KDD Cup 99 data set. The experimental results demonstrate that the proposed method is better than the conventional methods in terms of the detection rate for both unknown and known attacks while it maintains a low false positive rate. In addition, the proposed method significantly reduces the high time complexity of the training and testing processes. Experimentally, the training and testing time of the anomaly detection model is shown to be only 50% and 60%, respectively, of the time required for the conventional models.