Table 2.2. Evolving classification rules by EC.

Type       Contributions
GA         Binary classifiers:   Refs. 29, 32, 33, 26, 27, 28, 42
           Multi-classifiers:    Refs. 30, 31, 43, 44, 45, 46, 47, 48
Tree GP    Binary classifiers:   Refs. 49, 50, 51
           Multi-classifiers:    Refs. 52, 53
work described in Refs. 28-31 and 43 uses classic GAs with niching to help
cover all data instances with a minimum set of accurate rules. Mischiatti
and Neri [32,33] use REGAL to model normal network traffic. REGAL [54] is
a distributed genetic algorithm-based system. It exhibits several novelties,
such as a hybrid Pittsburgh and Michigan learning approach, a new
selection operator allowing the population to asymptotically converge
to multiple local optima, a new model of distribution and migration,
etc. Dam and Shafi [44-48] report initial attempts to extend XCS, an
evolutionary Learning Classifier System (LCS), to intrusion detection
problems. Although XCSs have shown excellent performance on some data
mining tasks, many enhancements, such as mutation and deletion operators
and a distance metric for unseen data in the testing phase, are still needed
to tackle hard intrusion detection problems [44].
Tree-based GP, on the other hand, uses different tree structures for
binary and multi-class classification: the parse tree shown in Fig. 2.4(a)
for binary classification [49-51], and a decision tree as in Fig. 2.4(b) for
multiple class classification [52,53]. Crosbie [49] and Folino et al. [52,53] improve
the performance of a GP system by introducing cooperation between
individuals. The former uses autonomous agents, each being a GP-evolved
program that detects intrusions from only one data source. The latter deploy
their system in a distributed environment by using an island model.
Recently there has been a trend toward evolving fuzzy classification rules, in
effect a combination of fuzzy logic and evolutionary computation. Fuzzy
logic, which deals with the vague and imprecise, is appropriate for intrusion
detection for two reasons. First, intrusion detection problems involve many
numeric attributes and various derived statistical measures. Building
models directly on numeric data causes substantial detection errors. For
example, an intrusion that deviates only slightly from a model may not
be detected, or a small change in normal behavior may cause a false alarm.
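The boundary problem just described, as an added illustration that is not part of the original text: a crisp threshold rule and a fuzzy rule are evaluated on the same numeric attributes (connections per second and SYN-error fraction, thresholds and membership functions all constructed for this example), showing that the crisp verdict flips on a tiny change while the fuzzy match degree moves only slightly and yields a ranking instead of a binary flag.

```python
"""Crisp threshold rule vs. fuzzy classification rule on numeric IDS attributes.

The attributes (connections per second to a host, fraction of connections
ending in a SYN error), the thresholds and the membership functions below
are constructed for this example; they are not from any cited system.
"""


def clamp01(v: float) -> float:
    return max(0.0, min(1.0, v))


def ramp_up(x: float, lo: float, hi: float) -> float:
    """Membership that rises linearly from 0 at `lo` to 1 at `hi`."""
    return clamp01((x - lo) / (hi - lo))


# Constructed fuzzy sets for the two attributes.
def rate_is_high(conn_rate: float) -> float:
    return ramp_up(conn_rate, 60.0, 140.0)


def errors_are_high(syn_error_frac: float) -> float:
    return ramp_up(syn_error_frac, 0.2, 0.8)


def crisp_rule(conn_rate: float, syn_error_frac: float) -> str:
    """IF rate > 100 AND error fraction > 0.5 THEN attack (hard boundaries)."""
    return "attack" if conn_rate > 100.0 and syn_error_frac > 0.5 else "normal"


def fuzzy_rule(conn_rate: float, syn_error_frac: float) -> float:
    """IF rate IS HIGH AND errors ARE HIGH THEN attack; AND is the min t-norm.

    Returns the degree (0..1) to which the record matches the rule."""
    return min(rate_is_high(conn_rate), errors_are_high(syn_error_frac))


def rank_records(records):
    """Order constructed (name, rate, error_frac) records by match degree, highest first."""
    scored = [(fuzzy_rule(rate, err), name) for name, rate, err in records]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    # Two records that straddle the crisp boundary by a hair.
    for rate, err in ((99.9, 0.49), (100.1, 0.51)):
        print(rate, err, crisp_rule(rate, err), round(fuzzy_rule(rate, err), 3))
    sample = [("host-a", 99.9, 0.49), ("host-b", 130.0, 0.9), ("host-c", 20.0, 0.1)]
    for degree, name in rank_records(sample):
        print(f"{degree:.3f} {name}")
```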