DS-kNN: An Intrusion Detection System Based on a Distance Sum-Based K-Nearest Neighbors


Redha Taguelmimt, Rachid Beghdad
Copyright: © 2021 | Pages: 14
DOI: 10.4018/IJISP.2021040107

Abstract

On one hand, there are many proposed intrusion detection systems (IDSs) in the literature. On the other hand, many studies try to deduce the important features that can best detect attacks. This paper presents a new and an easy-to-implement approach to intrusion detection, named distance sum-based k-nearest neighbors (DS-kNN), which is an improved version of k-NN classifier. Given a data sample to classify, DS-kNN computes the distance sum of the k-nearest neighbors of the data sample in each of the possible classes of the dataset. Then, the data sample is assigned to the class having the smallest sum. The experimental results show that the DS-kNN classifier performs better than the original k-NN algorithm in terms of accuracy, detection rate, false positive, and attacks classification. The authors mainly compare DS-kNN to CANN, but also to SVM, S-NDAE, and DBN. The obtained results also show that the approach is very competitive.

1. Introduction

Technological advances have made access to the Internet an important part of people's daily lives, which has led to a growing number of people connecting to the Internet. One of the most difficult challenges that come along with these advances is the security breaches that keep evolving. The first step in securing a network is to define a security policy. It consists of rules to ensure that the security properties (confidentiality, integrity, availability) apply to the data of the system under study. However, it is virtually impossible to have a completely secure network and protect it from all possible attacks with these rules alone. Thus, to overcome this problem, it is necessary to detect attacks as early as possible in order to react quickly and avoid serious damage. An intrusion detection system can identify whether network traffic behavior is normal or anomalous and alert network administrators. Intrusion detection is equivalent to a classification problem, where specific analytical techniques are used to improve the accuracy of classifiers in identifying intrusive behavior. There are two main approaches to intrusion detection: misuse detection and anomaly detection. The first involves looking for signatures of known attacks; it works by comparing observed activity against all known attacks. Anomaly detection identifies malicious activity by analyzing past activity to see whether a behavior is inconsistent with normal behavior. In prior solutions, signature-based techniques were widely used to detect the attacks captured in their signature databases, but the current situation is reaching a point where the use of such techniques leads to inefficient and inaccurate detection because of their high false alarm rate.
In recent years, innovative approaches including anomaly-based detection have been proposed to detect anomalies using data mining, statistical analysis and artificial intelligence techniques. Many recent studies combine different data mining and machine learning techniques in order to improve detection performance. However, combining several sophisticated techniques increases the overall complexity, which very likely leads to a high computational burden. On the other hand, from a practical point of view, many benchmarks have been used in the literature to test and evaluate solutions dedicated to intrusion detection. KDD Cup 99 (The Fifth International Conference on Knowledge Discovery and Data Mining) remains the best known of them, but its use leads to some problems (redundant attacks, useless features). This is why some authors focused on deducing the most important features leading to better results while using KDD Cup 99. In addition, even though KDD is composed of training and testing datasets, some authors (Lin, Ke, & Tsai, 2015) used only the training dataset to both train and test their contribution. This is not realistic and may lead to biased results. Therefore, in this study we propose a novel approach to intrusion detection that is based on improving the performance of the k-Nearest Neighbors (k-NN) classifier. Specifically, given a dataset and a data sample to classify, the k nearest neighbors of the data sample in each possible class of the dataset are identified. Then, the sum of the distances between these k neighbors and the data sample is calculated for each class. Finally, the data sample is assigned to the class with the smallest distance sum. We focus mainly on comparing our contribution to the CANN (Cluster center And Nearest Neighbors) approach (Lin et al., 2015). Our work is organized as follows. Related work is discussed in Section 2. In Section 3, the proposed approach for intrusion detection is introduced. Section 4 describes the experiments and simulation results. Finally, Section 5 concludes the paper.
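The classification rule described above, as an added example that is not the paper's own code: standard k-NN (majority vote over the k nearest points of any class) is placed beside DS-kNN (per class, sum the distances to that class's k nearest points and pick the smallest sum). The training set is a constructed toy set of 2-D scaled connection features with "normal" and "dos" labels; the rule that a class with fewer than k samples is ineligible is an assumption, since the paper does not state how it handles that case.

```python
import math
from collections import Counter

# Constructed toy training data: (scaled feature vector, class label).
# The "dos" points form a ring at distance 1 around the origin; "normal"
# has two very close points and two far outliers.
TRAIN = [
    ((1.0, 0.0), "dos"), ((0.0, 1.0), "dos"),
    ((-1.0, 0.0), "dos"), ((0.0, -1.0), "dos"),
    ((0.5, 0.0), "normal"), ((0.0, 0.5), "normal"),
    ((5.0, 5.0), "normal"), ((6.0, 6.0), "normal"),
]
SAMPLE = (0.0, 0.0)  # constructed connection to classify


def euclidean(a, b):
    """Euclidean distance between two equal-length feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_predict(train, sample, k):
    """Original k-NN: majority vote among the k nearest neighbours overall."""
    nearest = sorted(train, key=lambda row: euclidean(row[0], sample))[:k]
    votes = Counter(label for _, label in nearest)
    return votes.most_common(1)[0][0]


def dsknn_scores(train, sample, k):
    """DS-kNN scores: for each class, the sum of distances from the sample
    to that class's k nearest points. A class with fewer than k points is
    given an infinite score (assumption: such a class cannot win)."""
    scores = {}
    for label in {lbl for _, lbl in train}:
        dists = sorted(euclidean(x, sample) for x, lbl in train if lbl == label)
        scores[label] = sum(dists[:k]) if len(dists) >= k else math.inf
    return scores


def dsknn_predict(train, sample, k):
    """DS-kNN decision: the class with the smallest distance sum."""
    scores = dsknn_scores(train, sample, k)
    return min(scores, key=scores.get)


if __name__ == "__main__":
    # k-NN is swayed by the two close "normal" points; DS-kNN favours "dos"
    # because three dos points sit at distance 1, while the third-nearest
    # normal point is a far outlier that inflates the normal sum.
    print("k-NN   :", knn_predict(TRAIN, SAMPLE, 3))
    print("DS-kNN :", dsknn_predict(TRAIN, SAMPLE, 3), dsknn_scores(TRAIN, SAMPLE, 3))
```

With k=3 the two classifiers disagree on the same sample, which is the kind of case where the distance-sum rule changes the verdict relative to a plain majority vote.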
