trained from a training subset containing a specific attack type belonging to a specific attack class (e.g., Neptune is one of twenty-one attack types and belongs to the DoS attack class in the KDD99 dataset). The ensemble process is based on the Decision Template method. The proposed architecture aims at labeling a given instance as belonging to the normal class or to a known attack class, and is thus called misuse detection. More adaptively, Abadeh et al. employ Fuzzy Logic Theory to develop an ensemble method [7]. This study introduces a parallel genetic local search algorithm to generate fuzzy rule sets for each class label in the training set. Each of these rule sets is used to build a fuzzy classifier. A decision fusion procedure is then in charge of determining a class label for a given instance. Comparably, Zainal et al. describe an ensemble model that uses three different learning algorithms (classifiers), i.e., linear genetic programming, a neural fuzzy inference system, and random forest [3]. Each classifier is trained on the same training set and assigned a weight calculated from the strength of that classifier. For decision making, a composer of classifiers determines a class label for a given instance according to the weights of the classifiers.
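To make the weighted composer concrete, the following added example (not code from any of the surveyed papers) implements a small decision-fusion layer over the outputs of several base classifiers. The classifier names, their "strength" values and their score vectors are constructed sample values; the strength of a classifier is taken to be its measured validation accuracy, which is one reasonable reading of the weighting scheme described above. The block also includes the plain majority vote so the effect of weighting can be seen on the same input.

```python
"""Decision fusion over an ensemble of intrusion-detection classifiers.

Added illustration, not code from the surveyed papers. Each base classifier is
assumed to emit a score vector over the class labels. A composer then combines
those outputs with one fusion rule: weighted vote (weights derived from each
classifier's measured strength), plain majority vote, average, or product.
All classifier outputs and strengths below are constructed sample values.
"""
from collections import Counter
from math import prod

LABELS = ["normal", "dos", "probe"]

# Constructed validation accuracies, used as the "strength" of each classifier
# (names are hypothetical stand-ins for the three learners in the ensemble).
STRENGTH = {"lgp": 0.95, "nfis": 0.55, "rf": 0.35}

# Constructed per-classifier score vectors for one connection record.
SCORES = {
    "lgp":  {"normal": 0.20, "dos": 0.70, "probe": 0.10},
    "nfis": {"normal": 0.55, "dos": 0.30, "probe": 0.15},
    "rf":   {"normal": 0.50, "dos": 0.35, "probe": 0.15},
}


def hard_label(scores):
    """Label with the highest score (first label wins on a tie)."""
    return max(scores, key=scores.get)


def majority_vote(outputs):
    """Unweighted vote: every classifier contributes one vote for its label."""
    votes = Counter(hard_label(s) for s in outputs.values())
    return votes.most_common(1)[0][0]


def weighted_vote(outputs, strength):
    """Composer in the style described above: each classifier's vote counts
    with its strength as the weight, and the heaviest label wins."""
    tally = {lab: 0.0 for lab in LABELS}
    for name, scores in outputs.items():
        tally[hard_label(scores)] += strength[name]
    return max(tally, key=tally.get)


def average_fusion(outputs):
    """Mean of the score vectors, then argmax."""
    fused = {lab: sum(s[lab] for s in outputs.values()) / len(outputs)
             for lab in LABELS}
    return max(fused, key=fused.get)


def product_fusion(outputs):
    """Product of the score vectors, then argmax; a single near-zero score
    vetoes a label, which is why this rule is sensitive to weak members."""
    fused = {lab: prod(s[lab] for s in outputs.values()) for lab in LABELS}
    return max(fused, key=fused.get)


if __name__ == "__main__":
    for rule in (majority_vote, average_fusion, product_fusion):
        print(f"{rule.__name__:>15}: {rule(SCORES)}")
    print(f"{'weighted_vote':>15}: {weighted_vote(SCORES, STRENGTH)}")
```

On the constructed input two of the three classifiers say "normal", so the plain majority vote returns "normal", while the weighted composer returns "dos" because the single dissenting classifier is by far the strongest. Average and product fusion also return "dos" here because that classifier is also the most confident, which is the usual reason a weighted or score-level rule is preferred over a raw vote when member quality is uneven.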
Xiang et al. build a multi-level hybrid model by combining two techniques, i.e., supervised decision trees and unsupervised Bayesian classification [1]. The classifier model is hierarchically structured in the form of the class labels in the training set. By experimenting on the KDD99 dataset, the authors show that the model is especially effective at improving the false negative rate compared to other methods. Unlike other methods that build classifiers from network header data, Perdisci et al. introduce a multiple classifier system for anomaly detection on network payload data [4]. This ensemble system comprises several one-class SVM classifiers. In this study, different compact representations of the payload in different feature spaces are obtained by applying a dimensionality reduction algorithm. Each one-class SVM classifier is then trained on one of these representations of the payload. Given the outputs of the classifiers, a final decision is made by applying a fusion function (e.g., average, product, majority vote). The experiment is conducted on three datasets, i.e., the Attack-Free DARPA dataset, Attack-Free GATECH (a dataset of the Georgia Institute of Technology) and the HTTP-Attack dataset. Based on the ROC curve, the detection rate of the proposed method ranges from 80% to 99%. Zhang et al. apply the Random Forest algorithm, an ensemble method, to intrusion detection [9]. Random Forest produces a forest of classification trees in which each tree is built from a different bootstrap sample. Instead of using the class label attribute of the training dataset as the classification target, the proposed method only uses the service type attribute (e.g., HTTP, FTP) as the classification target. In misuse detection, a given instance is passed through the trees and a 'majority vote' mechanism is then applied to label this instance. For outlier detection, the general idea is that if an instance is classified as a service type different from its own, then this instance is regarded as an outlier. For example, if an HTTP connection record is classified as the FTP service type, this connection record is determined to be an outlier. More diversely, Makkamala et al. build an ensemble model using five classifiers, i.e., resilient back propagation NN, scaled conjugate gradient NN,
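The service-type outlier rule attributed above to Zhang et al. is simple enough to show end to end. The following added example (not the authors' code, and not trained on KDD99) uses three hand-written trees as stand-ins for the bootstrap-trained trees of a real random forest; the connection records and attribute thresholds are constructed. The forest labels a record with the service type it votes for, and a record whose voted service type disagrees with the service type recorded in the connection is flagged as an outlier, exactly the HTTP-classified-as-FTP case the text gives.

```python
"""Service-type outlier detection with a (toy) forest of classifiers.

Added illustration of the random-forest method described above. In the real
method each tree is learned from a bootstrap sample of the training data; here
three hand-written rules stand in for learned trees so the block runs offline.
Records and thresholds are constructed, not KDD99 data.
"""
from collections import Counter


def record(service, dst_port, duration, src_bytes, dst_bytes):
    """A connection record with a few KDD99-like attributes (constructed)."""
    return {"service": service, "dst_port": dst_port, "duration": duration,
            "src_bytes": src_bytes, "dst_bytes": dst_bytes}


# Stand-in trees: each maps a record to the service type it believes it is.
def tree_port(r):
    return {80: "http", 21: "ftp", 25: "smtp"}.get(r["dst_port"], "other")


def tree_bytes(r):
    # Traffic-shape heuristic: large downloads look like ftp, small
    # request/response pairs look like http, anything else like smtp.
    if r["dst_bytes"] > 100_000:
        return "ftp"
    if r["src_bytes"] < 1_000 and r["dst_bytes"] < 20_000:
        return "http"
    return "smtp"


def tree_duration(r):
    if r["duration"] > 60:
        return "ftp"
    if r["duration"] < 5:
        return "http"
    return "smtp"


FOREST = [tree_port, tree_bytes, tree_duration]


def forest_predict(r, forest=FOREST):
    """Misuse-detection mode: pass the record through every tree and take
    the majority vote as the predicted service type."""
    votes = Counter(tree(r) for tree in forest)
    return votes.most_common(1)[0][0]


def is_outlier(r, forest=FOREST):
    """Outlier-detection mode: the record is an outlier when the forest's
    predicted service type differs from the service type it was recorded as."""
    return forest_predict(r, forest) != r["service"]


def detect_outliers(records, forest=FOREST):
    return [r for r in records if is_outlier(r, forest)]


# Constructed records: an ordinary HTTP request, an HTTP record whose
# duration and byte counts look like an FTP transfer, and an ordinary FTP
# session.
SAMPLE_RECORDS = [
    record("http", 80, 1, 300, 5_000),
    record("http", 80, 300, 2_000, 500_000),
    record("ftp", 21, 120, 500, 2_000_000),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["service"], "->", forest_predict(r),
              "OUTLIER" if is_outlier(r) else "ok")
```

On the sample records the second HTTP connection is voted "ftp" by two of the three trees and is therefore reported as an outlier, while both well-formed records are passed. Note the limitation this rule inherits from its design: a record that misbehaves in ways that do not change its apparent service type is never flagged, which is why the method is paired with misuse detection rather than used alone.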