AdaBoost Algorithm with Single Weak Classifier in Network Intrusion Detection

P. Natesan (Kongu Engineering College, India), P. Balasubramanie (Kongu Engineering College, India) and G. Gowrison (Institute of Road and Transport Technology, India)
Copyright: © 2016 | Pages: 11
DOI: 10.4018/978-1-4666-8761-5.ch011


Machine-learning-based intrusion detection systems have recently been the subject of extensive research because they can perform both misuse detection and anomaly detection. In this paper, we propose an AdaBoost-based algorithm for network intrusion detection that uses a single weak classifier. Bayes Net, Naïve Bayes and Decision Tree classifiers are used as the weak classifiers. The KDDCup99 dataset is used in the experiments to demonstrate that boosting can greatly improve the classification accuracy of weak classification algorithms. Our approach achieves a higher detection rate with low false alarm rates and is scalable to large datasets, resulting in an effective intrusion detection system.
Chapter Preview

1. Introduction

Intrusion detection techniques have been an active area of computer security research over the past ten years. The goals of network intrusion detection are to identify, classify and possibly respond to malicious or suspicious activities. There are two basic types of intrusion detection system: misuse detection and anomaly detection. An anomaly detection system first learns normal system activity and then raises an alert on every system event that deviates from the learned model. The advantage of anomaly detection is its ability to detect unknown attack types. Its main drawback is a high false positive rate, i.e., it mistakenly classifies normal behavior as an attack. Misuse detection models attacks and uses their signatures to detect intrusions. It has a higher detection rate than anomaly detection, but it fails to detect unknown attacks.

Kayacik et al. and Heywood (2003) proposed a hierarchical SOM for intrusion detection. They utilized the classification capability of the SOM on selected dimensions, with specific attention given to the hierarchical development of abstractions. The reported results showed an increase in the attack detection rate. Anazida Zainal (2009) demonstrated an ensemble of different learning paradigms in which a proper weight is assigned to each individual classifier. They observed an improvement in attack detection and a significant reduction in false alarms.

Several hybrid IDSs have been proposed recently to deal with the complexity of the intrusion detection problem by combining different machine learning algorithms. Shi-Jinn Horng and Ming-Yang Su (2011) developed a hybrid intelligent IDS by incorporating hierarchical clustering and support vector machines. The SVM theory was slightly modified in this research so that it could be used with a standard network intrusion dataset that contains labels. Cheng Xiang and Png Chin Yong (2008) designed an IDS that combines supervised tree classifiers and unsupervised Bayesian clustering to detect intrusions.

Jiang Zhang (2006) proposed a new framework for unsupervised anomaly NIDS based on the outlier detection technique in the random forests algorithm. The framework builds patterns of network services over datasets labeled by service. Using these patterns, the framework detects attacks in the datasets with the outlier detection algorithm. This approach reduced the time complexity and memory cost to a large extent.

Giacinto et al. (2007) took a slightly different approach. Their anomaly IDS was based on a modular multiple classifier system in which each module was designed for one group of protocols and services. The reported results showed that this approach provides a better trade-off between generalization ability and false alarm generation than an individual classifier trained on the overall feature set. Mrudula Gudadhe and Prakash (2010) demonstrated a new ensemble boosted decision tree for intrusion detection. The underlying idea of this approach is to combine simple rules into an ensemble such that the performance of the single ensemble is improved.

Yongiin Liu et al. (2010) constructed a classifier that uses a decision tree as its base learner. The classification accuracy of this algorithm is a little better than that of SOM algorithms. Weiming Hu (2008) proposed an AdaBoost-based algorithm for network intrusion detection that uses a decision stump as the weak learner. Decision rules are provided for both categorical and continuous features, and some provision was made for handling overfitting.
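The boosting idea from the abstract, in the decision-stump form attributed above to Weiming Hu (2008), as an added example that is not code from the chapter: discrete AdaBoost over threshold stumps on continuous features only. The eight records are constructed; `serror_rate` and `count` are KDDCup99 feature names, and all function names are this example's own.

```python
import math

# Constructed sample: (serror_rate, count) per connection; +1 = attack, -1 = normal.
X = [(0.00, 5), (0.10, 12), (0.00, 30), (0.20, 8),    # normal traffic
     (0.90, 3), (1.00, 6), (0.10, 200), (0.00, 250)]  # high-serror, then high-count attacks
y = [-1, -1, -1, -1, 1, 1, 1, 1]

def stump_predict(stump, x):
    j, t, p = stump  # feature index, threshold, polarity
    return p if x[j] > t else -p

def best_stump(X, y, w):
    """Exhaustively pick the stump with the lowest weighted error."""
    best, best_err = None, float("inf")
    for j in range(len(X[0])):
        for t in sorted({x[j] for x in X}):
            for p in (1, -1):
                err = sum(wi for xi, yi, wi in zip(X, y, w)
                          if stump_predict((j, t, p), xi) != yi)
                if err < best_err:
                    best, best_err = (j, t, p), err
    return best, best_err

def adaboost(X, y, rounds):
    """Discrete AdaBoost; returns a list of (alpha, stump) pairs."""
    w = [1.0 / len(X)] * len(X)
    model = []
    for _ in range(rounds):
        stump, err = best_stump(X, y, w)
        if err >= 0.5:         # weak learner no better than chance: stop
            break
        err = max(err, 1e-10)  # keep alpha finite if a stump is perfect
        alpha = 0.5 * math.log((1 - err) / err)
        model.append((alpha, stump))
        # Raise the weight of misclassified records, lower the rest, renormalise.
        w = [wi * math.exp(-alpha * yi * stump_predict(stump, xi))
             for xi, yi, wi in zip(X, y, w)]
        total = sum(w)
        w = [wi / total for wi in w]
    return model

def predict(model, x):
    score = sum(alpha * stump_predict(s, x) for alpha, s in model)
    return 1 if score > 0 else -1

def accuracy(model, X, y):
    return sum(predict(model, xi) == yi for xi, yi in zip(X, y)) / len(X)

if __name__ == "__main__":
    print([accuracy(adaboost(X, y, T), X, y) for T in (1, 2, 3)])
```

On this sample no single stump separates both attack groups from normal traffic, so training accuracy stays at 0.75 for one and two rounds and reaches 1.0 at three. The third stump selected is a constant vote, which acts as a bias term for the weighted sum.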
