Approach Based Ensemble Methods for Better and Faster Intrusion Detection
Emna Bahri, Nouria Harbi and Hoa Nguyen Huu
ERIC Laboratory, University of Lyon, 5, Avenue Pierre-Mendes France 69500, France
{emna.bahri,nouria.harbi,Hoa.nguyenHuu}@univ-lyon2.fr
Abstract. This study introduces a new method based on Greedy-Boost, a multiple classifier system, for better and faster intrusion detection. Detection of anomalies in data-processing networks is regarded as a data classification problem, which allows data mining and machine learning techniques to be used for intrusion detection. With such automatic processing, human expertise can focus on a small set of potential anomalies, which may yield important savings in time and efficiency. To be scalable and efficient, approaches of this kind must meet two important requirements. The first is a high level of precision, that is, the ability to detect a maximum of anomalies with a minimum of false alarms. The second is to detect potential anomalies as fast as possible. We propose Greedy-Boost, a new boosting approach based on an adaptive combination of multiple classifiers to improve the precision of detection. This approach uses a smoothing aspect that ensures the stability of the classifier system and offers speed of detection. The experimental results, conducted on the KDD99 dataset, prove that our proposed approach outperforms several state-of-the-art methods, particularly in detecting rare attack types.
Keywords: Ensemble methods, boosting, data mining, intrusion detection systems, Greedy-Boost.
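The abstract describes Greedy-Boost as a boosting method that adaptively combines multiple classifiers, but this page does not give its algorithm. The added example below is not code from the paper or its authors: it shows the classic AdaBoost scheme that boosting methods of this family build on, using decision stumps over constructed connection records with assumed feature names (src_bytes, count, serror_rate) rather than the KDD99 data, and it measures the detection rate and false-alarm rate that the abstract names as the precision requirement. It also shows why a single stump cannot catch both constructed attack types while the weighted vote of three stumps can.

```python
"""Added example: minimal AdaBoost over decision stumps on constructed
connection records. Shows how a boosting ensemble combines weak classifiers
by weighted vote and how detection rate and false-alarm rate are measured.
All records are constructed for illustration; KDD99 is not used."""
import math

# Assumed feature order, loosely modelled on connection-level attributes:
#   src_bytes, count (connections to the same host in a time window), serror_rate
# Label: +1 = attack, -1 = normal.
TRAIN = [
    ((200, 3, 0.0), -1),      # ordinary connections
    ((500, 5, 0.1), -1),
    ((300, 2, 0.0), -1),
    ((100, 4, 0.0), -1),
    ((0, 1, 0.0), -1),        # zero-byte connection that is still benign
    ((0, 250, 0.9), +1),      # flood-like: many half-open connections
    ((0, 180, 0.8), +1),
    ((0, 300, 1.0), +1),
    ((9000, 1, 0.0), +1),     # unusually large transfer in a single connection
    ((12000, 2, 0.0), +1),
]

# Constructed held-out records, including a slow scan the ensemble misses.
TEST = [
    ((0, 400, 0.95), +1),
    ((15000, 3, 0.0), +1),
    ((0, 60, 0.5), +1),
    ((250, 3, 0.0), -1),
    ((700, 8, 0.05), -1),
    ((3000, 2, 0.0), -1),
]


def stump_predict(stump, x):
    """Decision stump (feature, threshold, polarity): predicts polarity when
    x[feature] > threshold, otherwise -polarity. A threshold below the
    feature's minimum gives a constant stump, which acts as a bias term."""
    f, thr, pol = stump
    return pol if x[f] > thr else -pol


def fit_stump(data, weights):
    """Return the stump with the smallest weighted error and that error."""
    best, best_err = None, float("inf")
    for f in range(len(data[0][0])):
        values = sorted({x[f] for x, _ in data})
        thresholds = [values[0] - 1] + [(a + b) / 2 for a, b in zip(values, values[1:])]
        for thr in thresholds:
            for pol in (+1, -1):
                stump = (f, thr, pol)
                err = sum(w for (x, y), w in zip(data, weights)
                          if stump_predict(stump, x) != y)
                if err < best_err:
                    best, best_err = stump, err
    return best, best_err


def adaboost(data, rounds):
    """Classic AdaBoost: each round reweights the records so the next stump
    concentrates on what the ensemble so far gets wrong."""
    weights = [1.0 / len(data)] * len(data)
    ensemble = []  # list of (alpha, stump)
    for _ in range(rounds):
        stump, err = fit_stump(data, weights)
        err = min(max(err, 1e-10), 1 - 1e-10)          # keep the log finite
        alpha = 0.5 * math.log((1 - err) / err)        # vote weight of this stump
        ensemble.append((alpha, stump))
        weights = [w * math.exp(-alpha * y * stump_predict(stump, x))
                   for (x, y), w in zip(data, weights)]
        total = sum(weights)
        weights = [w / total for w in weights]
    return ensemble


def ensemble_predict(ensemble, x):
    """Weighted vote of the stumps; a tie is treated as normal."""
    score = sum(alpha * stump_predict(stump, x) for alpha, stump in ensemble)
    return +1 if score > 0 else -1


def evaluate(predict, data):
    """(detection rate over attacks, false-alarm rate over normals)."""
    attacks = [x for x, y in data if y == +1]
    normals = [x for x, y in data if y == -1]
    detection = sum(predict(x) == +1 for x in attacks) / len(attacks)
    false_alarm = sum(predict(x) == +1 for x in normals) / len(normals)
    return detection, false_alarm


def compare(rounds=3):
    """Best single stump versus the boosted ensemble, on training and test data."""
    single, _ = fit_stump(TRAIN, [1.0 / len(TRAIN)] * len(TRAIN))
    ensemble = adaboost(TRAIN, rounds)
    single_fn = lambda x: stump_predict(single, x)
    ens_fn = lambda x: ensemble_predict(ensemble, x)
    return {
        "stumps": [stump for _, stump in ensemble],
        "single_train": evaluate(single_fn, TRAIN),
        "ensemble_train": evaluate(ens_fn, TRAIN),
        "single_test": evaluate(single_fn, TEST),
        "ensemble_test": evaluate(ens_fn, TEST),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

On the constructed records the first stump keys on `count` and catches only the flood-like attacks; the second keys on `src_bytes` and catches only the large transfers; because a two-stump vote cannot express "either kind of attack", the third round selects a constant "attack" stump whose weight acts as the bias that lets the vote recognize both. The ensemble then flags every training attack with no false alarms, while the held-out slow scan shows that detection still depends on the features the stumps were trained on.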
1 Introduction
During the past decades, the noticeable proliferation of sophisticated attack tools has not only posed a big challenge to the computer security community but also become a great worry for organizations defending their assets from illicit intrusive activities. The increase in attacks proves that security mechanisms such as firewalls and anti-virus are not strong enough to protect network systems. In this context, many intrusion detection approaches have been proposed to handle computer and network security problems. Two common analysis techniques for intrusion detection are found: misuse detection and anomaly detection. Misuse detection uses a collection of known attacks to construct a misuse model that usually takes the form of a set of rules (or signatures). Anomaly detection, in contrast, builds a model from information (a dataset) about normal behavior. The detection mechanism here is based on the deviation between an instance