A cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection

Khor, Kok-Chin; Ting, Choo-Yee; Phon-Amnuaisuk, Somnuk

doi:10.1007/s10489-010-0263-y

Cited by 69 publications

(30 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Analysts encounter the class imbalance problem in many real-world applications, such as medical decision support system for colon polyp screening [10], retailing bank customer attrition analysis [17], network intrusion detection of rare attack categories [22], automotive engineering diagnosis [26], and vehicle diagnostics [27]. In these domains, a standard classifier needs to accurately detect a minority class.…”

mentioning

confidence: 99%

DBSMOTE: Density-Based Synthetic Minority Over-sampling TEchnique

2011

View full text Add to dashboard Cite

A dataset exhibits the class imbalance problem when a target class has a very small number of instances relative to other classes. A trivial classifier typically fails to detect a minority class due to its extremely low incidence rate. In this paper, a new over-sampling technique called DBSMOTE is proposed. Our technique relies on a density-based notion of clusters and is designed to oversample an arbitrarily shaped cluster discovered by DB-SCAN. DBSMOTE generates synthetic instances along a shortest path from each positive instance to a pseudocentroid of a minority-class cluster. Consequently, these synthetic instances are dense near this centroid and are sparse far from this centroid. Our experimental results show that DBSMOTE improves precision, F-value, and AUC more effectively than SMOTE, Borderline-SMOTE, and Safe-Level-SMOTE for imbalanced datasets.

show abstract

mentioning

confidence: 99%

DBSMOTE: Density-Based Synthetic Minority Over-sampling TEchnique

2011

View full text Add to dashboard Cite

show abstract

“…This dataset is still the most trustful and credible public benchmark dataset [53,54,55,56,57,58,59] for evaluating network intrusion detection algorithms. In the dataset, 41 features including 9 categorical features and 32 continuous features are extracted for each network connection.…”

Section: Methodsmentioning

confidence: 99%

Online Adaboost-Based Parameterized Methods for Dynamic Distributed Network Intrusion Detection

Gao

Wang

et al. 2014

IEEE Trans. Cybern.

142

View full text Add to dashboard Cite

Current network intrusion detection systems (NIDS) lack the adaptability to the frequently changing network environments. Furthermore, intrusion detection in the new distributed architectures is now a major requirement. In this paper, we propose two online Adaboost-based intrusion detection algorithms. In the first algorithm, a traditional online Adaboost process is used where decision stumps are used as weak classifiers. In the second algorithm, an improved online Adaboost process is proposed, and online GMMs are used as weak classifiers. We further propose a distributed intrusion detection framework, in which a local parameterized detection model is constructed in each node using the online Adaboost algorithm. A global detection model is constructed in each node by combining the local parametric models using a small number of samples in the node. This combination is achieved using an algorithm based on particle swarm optimization (PSO) and support vector machines (SVM). The global model in each node is used to detect intrusions. Experimental results show that the improved online Adaboost process with GMMs obtains a higher detection rate and a lower false alarm rate than the traditional online Adaboost process which uses decision stumps. Both the algorithms outperform existing intrusion detection algorithms. It is also shown that our PSO and SVM-based algorithm effectively combines the local detection models into the global model in each node: the global model in a node can handle the intrusion types which are found in other nodes, without sharing the samples of these intrusion types.

show abstract

“…Entropy is an important concept in the information theory to describe the uncertainty of random distribution. The GRIDEN algorithm uses the entropy to detect the boundary points, because the density of the grid at the boundary points is usually uneven, and entropy of the uneven distribution of grid points in the grid will be bigger, otherwise will be smaller [2]. The algorithm in the implementation process, the data space is divided into grids, and be identified according to the characteristics of neighbor grid density boundary grid and uneven distribution, and then calculate the measured data object density variation degree of entropy in the boundary grid range, finally determine the boundary points according to entropy.…”

Section: Boundary Point Detection Algorithm Based On Gridmentioning

confidence: 99%

Application of clustering analysis in Intrusion Detection

Zhang¹,

Li²,

Xu³

2017

The 3rd International Conference on Intelligent Energy and Power Systems (IEPS 2017)

View full text Add to dashboard Cite

Clustering technology and boundary point detection technology and its application in intrusion detection system are introduced in this paper from three aspects, which are the application of clustering analysis, boundary detection and clustering analysis in Intrusion Detection System. The data processing and the requirement of clustering algorithm for intrusion detection system are introduced in detail. Analyzed the result of the experiment environment and experiment, further validation of this project is based on the improved NPRIM algorithm applied to intrusion detection is effective and feasible. Boundary point detection technologyThe cluster boundary point is a point that has two or more clustering characteristics between the cluster and the cluster. The study of clustering boundary points is an important branch of clustering analysis, which plays an important role in disease prevention, biology, image retrieval, virtual reality, and improving clustering accuracy. Since Chenyi Xia first proposed the boundary point detection algorithm (BORDER) in 2006, researchers have proposed some boundary detection algorithms. In order to describe these algorithms, the algorithm is divided into four categories: density based boundary detection algorithm, grid based boundary detection algorithm and angle based boundary detection algorithm. Boundary point detection algorithm based on densityBased on the density of the boundary point detection algorithm is the use of clustering near the boundary of the uneven distribution of data objects to extract the characteristics of the clustering boundary point. On the noisy data set, the algorithm can separate the boundary point from the noise region, especially the uniform data set. BRIM is a typical boundary detection algorithm in this algorithm.In order to solve the existing problems of BORDER algorithm, BRIM is a density based boundary point detection algorithm, which can effectively detect the boundary of clustering in noisy data sets. The algorithm first according to the data object plus or minus the number of data points difference within half a neighborhood to calculating the boundary of points, and then the boundary is greater than the boundary degrees threshold  marked point boundary point.

show abstract

A cascaded classifier approach for improving detection rates on rare attack categories in network intrusion detection

Cited by 69 publications

References 34 publications

DBSMOTE: Density-Based Synthetic Minority Over-sampling TEchnique

DBSMOTE: Density-Based Synthetic Minority Over-sampling TEchnique

Online Adaboost-Based Parameterized Methods for Dynamic Distributed Network Intrusion Detection

Application of clustering analysis in Intrusion Detection

Contact Info

Product

Resources

About