An Intelligent Network Intrusion Detection System Based on Multi-Modal Support Vector Machines

An Intelligent Network Intrusion Detection System Based on Multi-Modal Support Vector Machines

Srinivasa K G (Department of Computer Science and Engineering, M. S. Ramaiah Institute of Technology, Bangalore, Karnataka, India)
Copyright: © 2013 |Pages: 16
DOI: 10.4018/ijisp.2013100104


Increase in the number of network based transactions for both personal and professional use has made network security gain a significant and indispensable status. The possible attacks that an Intrusion Detection System (IDS) has to tackle can be of an existing type or of an entirely new type. The challenge for researchers is to develop an intelligent IDS which can detect new attacks as efficiently as they detect known ones. Intrusion Detection Systems are rendered intelligent by employing machine learning techniques. In this paper we present a statistical machine learning approach to the IDS using the Support Vector Machine (SVM). Unike conventional SVMs this paper describes a milti model approach which makes use of an extra layer over the existing SVM. The network traffic is modeled into connections based on protocols at various network layers. These connection statistics are given as input to SVM which in turn plots each input vector. The new attacks are identified by plotting them with respect to the trained system. The experimental results demonstrate the lower execution time of the proposed system with high detection rate and low false positive number. The 1999 DARPA IDS dataset is used as the evaluation dataset for both training and testing. The proposed system, SVM NIDS is bench marked with SNORT (Roesch, M. 1999), an open source IDS.
Article Preview

1. Introduction

The Intrusion detection has been an active field of research for about two decades. Over these years the world has seen intrusions of varying intensities ranging from small and less intense attacks such as port sweep or port scanning to attacks which compromise the whole network. In response the researchers have developed systems to counterfeit these intrusions. Every attack is characterized by a signature which is detected from the network traffic. The efficiency of the network intrusion detection system (NIDS) is dependent on the variety of the attacks it can identify. Intrusion detectors typically base their decisions either on signature or anomaly characterization. A wide range of Artificial Intelligence (AI) techniques have been adopted in IDSs. Initially, Rule Based Systems (RBSs) were the first to be employed successfully, and are still at the core of many IDSs. This allows for IDSs that automatically filter network traffic and/or analyze user data to identify patterns of known intrusions. This method is apt to detect previously known attacks. In case of unseen attacks, only an appropriate abstraction of the pattern can be deployed to predict intrusions and they are inherently unable to detect new attacks. Anomaly based IDS pick up abnormalities in the characteristics to classify the suspect as an attack. These classification approaches range from statistical, inference methods to techniques which are inspired from the human immune system or bio-inspired in general. The primary strength of this approach is its ability to recognize new attacks, while the bottleneck is that, to attain required accuracy intensive training is necessary. The efficiency depends largely on the diversity of the training data set and the aptness of the parameters used in the training. This paper deals with an implementation of intrusion detection on the lines of anomaly based system by adopting a statistical machine learning approach. Based on the parameters used for training, SVM (Cristianini, N., & Shawe-Taylor, J., 2000) creates a hyper plane which can be viewed as the demarcation between the regions. The number of regions being involved is decided by the choice of classification method within SVM. The accuracy of the classification relies largely on the optimality of the parameters used for classification. In intrusion detection the standard set of attacks and their corresponding parameters are used to draw this hyper plane. The hyper plane divides the region into classes of attacks and normal part. The parameters of the suspect are also plotted with respect to the hyper plane. If this plot lies in the normal zone then it is credited to be safe else it is signaled as an attack. The system formulation takes place in two stages, training and testing. The system learns from the statistics during the training and draws the hyper plane. Testing scores the efficiency of the trained system to detect attacks.

Complete Article List

Search this Journal:
Open Access Articles: Forthcoming
Volume 13: 4 Issues (2019): Forthcoming, Available for Pre-Order
Volume 12: 4 Issues (2018): 3 Released, 1 Forthcoming
Volume 11: 4 Issues (2017)
Volume 10: 4 Issues (2016)
Volume 9: 4 Issues (2015)
Volume 8: 4 Issues (2014)
Volume 7: 4 Issues (2013)
Volume 6: 4 Issues (2012)
Volume 5: 4 Issues (2011)
Volume 4: 4 Issues (2010)
Volume 3: 4 Issues (2009)
Volume 2: 4 Issues (2008)
Volume 1: 4 Issues (2007)
View Complete Journal Contents Listing