
Local outlier factor and stronger one class classifier based hierarchical model for detection of attacks in network intrusion detection dataset


Authors: Alampallam Ramaswamy VASUDEVAN; Subramanian SELVAKUMAR

Affiliation: CDBR-SSE Lab, Department of Computer Science and Engineering, National Institute of Technology Tiruchirappalli (NITT), Tiruchirappalli 620015, India

Publication: Frontiers of Computer Science (Frontiers of Computer Science in China, English edition)

Year/Volume/Issue: 2016, Vol. 10, No. 4

Pages: 755-766


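Subject classification: 0810 [Engineering - Information and Communication Engineering]; 12 [Management]; 1201 [Management - Management Science and Engineering (degrees in Management or Engineering may be awarded)]; 0808 [Engineering - Electrical Engineering]; 0839 [Engineering - Cyberspace Security]; 08 [Engineering]; 0701 [Science - Mathematics]; 0812 [Engineering - Computer Science and Technology (degrees in Engineering or Science may be awarded)]

Funding: the sponsorship provided by National Technical Research Organization (NTRO), New Delhi INDIA under the Collaborative Directed Basic Research (CDBR) - Smart and Secure Environment (SSE) Project for generating the SSENet-2011 dataset

Keywords: hierarchical model; DP clustering; LOF; Discretizer; one class classifier; NIDS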

Abstract: Identification of attacks by a network intrusion detection system (NIDS) is an important task. In signature or rule based detection, the previously encountered attacks are modeled, and signatures/rules are extracted. These rules are used to detect such attacks in the future, but in an anomaly or outlier detection system, the normal network traffic is modeled. Any deviation from the normal model is deemed to be an outlier/attack. Data mining and machine learning techniques are widely used in offline NIDS. Unsupervised and supervised learning techniques differ in the way the NIDS dataset is treated. The characteristic features of unsupervised and supervised learning are finding patterns in data, detecting outliers, and determining a learned function for input features, generalizing the data instances respectively. The intuition is that if these two techniques are combined, better performance may be obtained. Hence, in this paper the advantages of unsupervised and supervised techniques are inherited in the proposed hierarchical model and devised into three stages to detect attacks in the NIDS dataset. The NIDS dataset is clustered using Dirichlet process (DP) clustering based on the underlying data distribution. Iteratively on each cluster, local denser areas are identified using local outlier factor (LOF), which in turn is discretized into four bins of separation based on LOF score. Further, in each bin the normal data instances are modeled using a one class classifier (OCC). A combination of Density Estimation method, Reconstruction method, and Boundary methods is used for the OCC model. A product rule combination of the three methods takes into consideration the strengths of each method in building a stronger OCC model. Any deviation from this model is considered an attack. Experiments are conducted on the KDD CUP'99 and SSENet-2011 datasets. The results show that the proposed model is able to identify attacks with a higher detection rate and low false alarms.
