Intrusion Detection Model Based on Rough Set and Random Forest

Zhang Ling, Zhang Jian Wei, Fan Nai Mei, Zhao Hao Hao
Copyright: © 2022 |Pages: 13
DOI: 10.4018/IJGHPC.301581

Abstract

Currently, redundant data slows intrusion detection, and many intrusion detection systems (IDS) have low detection rates and high false alert rates. To address these weaknesses, a new intrusion detection model based on rough set and random forest (RSRFID) is designed. In the model, rough set (RS) is used to reduce the dimension of redundant attributes; the decision tree (DT) algorithm is improved; and a random forest (RF) algorithm based on attribute significances is proposed. Finally, simulation experiments are run on the NSL-KDD and UNSW-NB15 datasets. The results show that attributes of different types of datasets are reduced using RS; the detection rate of NSL-KDD is 93.73%, the false alert rate is 1.02%; the detection rate of NSL-KDD is 98.92%, the false alert rate is 2.92%.

Introduction

The intrusion detection system (Anderson, 1980) has proven to be an effective means of network security defense. Many artificial intelligence methods, such as deep learning, support vector machine (SVM), fuzzy sets, outliers, random forest, artificial immune and rough sets, have been introduced into intrusion detection, and many breakthroughs have been obtained.

Kishor Kumar developed an intrusion detection system using a support vector machine (SVM), but the system could not classify attacks (Kumar, Kumar, Basha & Reddy, 2019). Al-Yaseen established an intrusion detection model based on SVM and extreme learning; the model raised the anomaly detection rate but had lower detection rates when the data set had fewer samples (Al-Yaseen, Othman, & Nazri, 2017).

Yang proposed an effective intrusion detection system using the Modified Density Peak Clustering Algorithm and Deep Belief Networks (MDPCA-DBN). MDPCA-DBN reduced the size of the training set and improved testing efficiency, but suffered from a high rate of false positives (Yang, Zheng, Wu, Niu, & Yang, 2019).

Song designed an anti-adversarial Hidden Markov Model for network-based intrusion detection (AA-HMM). AA-HMM improved the online learning ability of the system, but it had more parameters, the parameter values had a greater influence on the test results, and it had weak classification ability on different attacks (Song, Pons, & Yen, 2018).

To improve the detection rate, precision rate and accuracy rate and to reduce the false positive rate, Random Forest (RF) is becoming a hot spot of current research. Inspired by the bagging algorithm and the random selection segmentation algorithm, Leo Breiman proposed the random forest algorithm (Breiman, 2001). JooHwa proposed a model combining an autoencoder, conditional generative adversarial networks and random forest (AE-CGAN-RF), in which RF was used to classify characteristic data (Lee, & Park, 2019).

Because the same attacks have similar network traffic, Ren built a multi-level random forest model and used it to detect abnormal behaviors (Ren, Liu, Wang, He, & Zhao, 2019). According to the similarity of the decision trees, redundant attribute values were reduced (Liu, Zhao, & Liu, 2018). The RF algorithm can effectively handle imbalanced feature data and improve the detection performance of intrusion detection, but its detection performance on small-sample attacks is poorer.

Artificial immune systems evolved from the biological immune system and were adapted for intrusion detection. Kim proposed a dynamic clonal selection algorithm. Yin designed an improved clonal selection algorithm that selects the best individuals and clones them; it enhanced the accuracy of intrusion detection and reduced the false positive rate (Y, & Feng, 2017). An IDS builds a dynamic and adaptive information defense system through the artificial immune system. Current clonal selection algorithms optimize the detection rules for small samples by cloning and selecting antibodies, but because of their low detection rate and high false positive rate they cannot be used in intrusion detection.

SVM, FS, outliers and RF are applied in IDS to derive decision rules. They must process large amounts of log data, processing the redundant data takes a long time, and they have weak mining capacity for missing data. The rough set algorithm is more complex and processes large amounts of log data more slowly, but it can reduce the dimension of redundant data and, in particular, can effectively complete missing data.
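To make the rough-set reduction step concrete, the following added example (not code from the paper, and not its RSRFID algorithm) applies the standard QuickReduct heuristic, driven by the dependency degree of the decision on an attribute subset, and then scores each kept attribute by the standard rough-set significance. The attribute names and the eight connection records are constructed for illustration.

```python
from collections import defaultdict

# Constructed, already-discretised connection records (not taken from NSL-KDD or UNSW-NB15).
ATTRS = ["protocol", "service", "flag", "bytes_bin", "land"]
ROWS = [  # condition attributes in ATTRS order, decision label last
    ("tcp", "http", "SF", "low", 0, "normal"),
    ("tcp", "http", "SF", "high", 0, "normal"),
    ("tcp", "http", "S0", "low", 0, "attack"),
    ("tcp", "ftp", "S0", "low", 0, "attack"),
    ("udp", "dns", "SF", "low", 0, "normal"),
    ("udp", "dns", "SF", "high", 0, "attack"),
    ("tcp", "ftp", "SF", "low", 0, "normal"),
    ("icmp", "echo", "SF", "high", 0, "attack"),
]

def dependency(rows, attr_idx):
    """gamma_B(D): share of records in the positive region of attribute subset B."""
    labels = defaultdict(set)
    sizes = defaultdict(int)
    for r in rows:
        key = tuple(r[i] for i in attr_idx)  # equivalence class under B
        labels[key].add(r[-1])
        sizes[key] += 1
    # Only classes whose members all share one label are decidable from B.
    return sum(sizes[k] for k, v in labels.items() if len(v) == 1) / len(rows)

def quick_reduct(rows, n_attrs):
    """Greedily add the attribute that raises gamma most until it matches the full set."""
    target = dependency(rows, range(n_attrs))
    reduct = []
    while dependency(rows, reduct) < target:
        rest = [a for a in range(n_attrs) if a not in reduct]
        reduct.append(max(rest, key=lambda a: dependency(rows, reduct + [a])))
    return reduct

def significance(rows, reduct):
    """Drop in gamma when one attribute is removed from the reduct."""
    full = dependency(rows, reduct)
    return {a: full - dependency(rows, [b for b in reduct if b != a]) for a in reduct}

def reduce_attributes(rows=ROWS, attrs=ATTRS):
    reduct = quick_reduct(rows, len(attrs))
    sig = significance(rows, reduct)
    return [attrs[a] for a in reduct], {attrs[a]: s for a, s in sig.items()}

if __name__ == "__main__":
    kept, sig = reduce_attributes()
    print("kept:", kept)
    print("significance:", sig)
```

On this table the constant `land` column and the `service` column, which adds nothing once `protocol` is kept, are dropped without losing any ability to separate the two labels.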
