needed for detection and the model, such as in [13] and [14]. Taking advantage
of these two techniques, hybrid methods have been proposed. These methods can
handle both misuse and anomaly detection problems more efficiently. It is worth
noting that recently proposed methods tend toward hybridized mechanisms, e.g.,
ensemble or aggregation systems. This type of approach is the subject of
this paper.
We introduce a new approach to intrusion detection that inherits at the same
time the attributes of the anomaly detection approach and of the misuse
detection approach. This hybrid approach is based on a new ensemble method,
Greedy-Boost, adapted to network data to improve the reliability of intrusion
detection systems and to reduce the time of intrusion detection. The use
of aggregation reduces the number of false alarms (false positives) and especially
the number of undetected attacks (false negatives).
This paper is organized as follows. In section 2, we present the state of the
art of the principal hybrid intrusion detection methods, i.e., ensemble methods,
and systematically summarize and compare several related works to identify new
applicable research directions. In section 3, we present our hybrid approach based
on an ensemble method we call Greedy-Boost and detail the principle of the
new algorithm. We also prove theoretically the stability (convergence) of the
approach. This is the essential feature of our algorithm because it shows why
Greedy-Boost leads to more efficient and scalable results than classical ensemble
methods. The dataset used in the experiments, as well as the results, are presented
in section 4. Finally, in section 5, we conclude and discuss several directions for future work.
2 Hybrid Methods for IDS Using Ensemble Methods
The main idea of an ensemble method is to build several classifiers and then aggregate
the outputs of all classifiers to make the final decision. The core pur-
pose of an ensemble is to increase classification accuracy and decrease the error rate.
Because each type of classifier can produce different results, an ensemble method
takes advantage of the strong points of each individual classifier to induce a better
final outcome. There are many types of ensemble proposed in the machine learn-
ing literature. With respect to architecture, individual classifiers can in general
be structured in parallel (e.g., bagging), sequential (e.g., boosting), or
hybrid form. For making the decision, the combiner of classifiers can apply various mech-
anisms such as majority voting, Bayesian combination, distribution summation,
entropy weighting, and so on. Many studies have applied the diversity of ensem-
ble methods to the intrusion detection problem. It is worth noting that most of
these studies report that ensemble methods considerably enhance the efficiency of
'rare-class' detection and anomaly detection. Giacinto et al. introduce an ensemble
system including three groups of classifiers that correspond to three subsets of fea-
tures (i.e., intrinsic features, traffic features, and content features) [2]. Each group
of classifiers is trained on one of the three feature subsets above. Then, three
simple fusion functions (i.e., majority vote, average, and belief) are employed for
aggregation. A subsequent work by the same authors describes an ensemble ar-
chitecture including multiple one-class k-means classifiers [6]. Each classifier is
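The following is an added illustration of the feature-subset ensemble and the fusion rules described above; it is example code written for this page, not code from the paper or from Giacinto et al. [2]. It assumes a constructed set of connection records with six made-up features split into the three subsets named in the text (intrinsic, traffic, content), uses a nearest-centroid classifier on each subset as a stand-in for whatever base learner an implementation would choose, and fuses the members by majority vote and by averaging the members' attack scores (the belief-function fusion is omitted). The records are built so that each single-view classifier misses or over-reports something the other two views see.

```python
"""Toy feature-subset ensemble for intrusion detection: three nearest-centroid
classifiers, one per feature subset, fused by majority vote and score averaging.
All data below is constructed for illustration; it is not from any real dataset."""
from typing import Dict, List, Tuple

SUBSETS = ("intrinsic", "traffic", "content")


def record(intrinsic, traffic, content, label) -> Dict:
    """Assemble one connection record. label: 0 = normal, 1 = attack."""
    return {"intrinsic": intrinsic, "traffic": traffic, "content": content, "label": label}


# Hypothetical feature meaning (constructed, scaled to comparable ranges):
#   intrinsic = (duration_s, src_kb)
#   traffic   = (connections_to_same_host, same_service_pct)
#   content   = (failed_logins, hot_indicators)
TRAIN = [
    record((10, 20), (2, 90), (0, 0), 0),
    record((20, 30), (4, 100), (0, 0), 0),
    record((15, 25), (3, 95), (0, 2), 0),
    record((0, 0), (90, 100), (0, 0), 1),    # flood
    record((0, 1), (60, 10), (0, 0), 1),     # scan
    record((30, 35), (3, 95), (6, 4), 1),    # password guessing
]

TEST = [
    record((12, 22), (2, 92), (0, 0), 0),    # ordinary session
    record((0, 0), (80, 100), (0, 0), 1),    # flood: content view sees nothing
    record((25, 30), (45, 95), (5, 2), 1),   # guessing: intrinsic view sees nothing
    record((0, 2), (50, 5), (0, 0), 1),      # scan: content view sees nothing
    record((18, 28), (3, 98), (0, 5), 0),    # normal, but content view raises a false alarm
    record((2, 5), (2, 92), (0, 0), 0),      # normal short session: intrinsic false alarm
    record((12, 22), (40, 100), (0, 0), 0),  # normal bursty client: traffic false alarm
]


def sq_dist(a, b) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def centroid(points: List[Tuple]) -> Tuple:
    n = len(points)
    return tuple(sum(p[i] for p in points) / n for i in range(len(points[0])))


class CentroidClassifier:
    """Nearest-centroid classifier that only looks at one feature subset."""

    def __init__(self, subset: str):
        self.subset = subset

    def fit(self, records: List[Dict]) -> "CentroidClassifier":
        self.normal = centroid([r[self.subset] for r in records if r["label"] == 0])
        self.attack = centroid([r[self.subset] for r in records if r["label"] == 1])
        return self

    def score(self, rec: Dict) -> float:
        """Attack score in [0, 1]: share of the (squared) distance mass on the normal side,
        so a record far from the normal centroid and near the attack centroid scores high."""
        d_n = sq_dist(rec[self.subset], self.normal)
        d_a = sq_dist(rec[self.subset], self.attack)
        return d_n / (d_n + d_a) if d_n + d_a else 0.5

    def predict(self, rec: Dict) -> int:
        return 1 if self.score(rec) > 0.5 else 0


def majority_vote(members: List[CentroidClassifier], rec: Dict) -> int:
    """Hard-label fusion: attack if more than half of the members say attack."""
    votes = sum(m.predict(rec) for m in members)
    return 1 if votes * 2 > len(members) else 0


def average_score(members: List[CentroidClassifier], rec: Dict, threshold: float = 0.5) -> int:
    """Soft fusion: average the members' attack scores, then threshold."""
    mean_score = sum(m.score(rec) for m in members) / len(members)
    return 1 if mean_score > threshold else 0


def error_counts(predict, records: List[Dict]) -> Tuple[int, int]:
    """Return (false_positives, false_negatives) of a prediction function."""
    fp = sum(1 for r in records if predict(r) == 1 and r["label"] == 0)
    fn = sum(1 for r in records if predict(r) == 0 and r["label"] == 1)
    return fp, fn


def evaluate(train: List[Dict] = TRAIN, test: List[Dict] = TEST) -> Dict[str, Tuple[int, int]]:
    """Train one member per subset and compare each member with the two fusion rules."""
    members = [CentroidClassifier(s).fit(train) for s in SUBSETS]
    results = {m.subset: error_counts(m.predict, test) for m in members}
    results["majority_vote"] = error_counts(lambda r: majority_vote(members, r), test)
    results["average_score"] = error_counts(lambda r: average_score(members, r), test)
    return results


if __name__ == "__main__":
    for name, (fp, fn) in evaluate().items():
        print(f"{name:14s} false positives={fp}  false negatives={fn}")
```

On this constructed data every single-view member makes at least one error (the content view in particular misses the flood and the scan, which leave no content trace), while both fusion rules classify all seven test records correctly. The point to take from it is the one the text makes: the views fail on different records, and aggregation removes both kinds of error only because the members' mistakes are not correlated; a member whose errors coincide with the others' adds nothing.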