Network Intrusion Detection Using One-Class Classification Based on Standard Deviation of Service's Normal Behavior
Tawfiq S. Barhoom, Ramzi A. Matar, "Network Intrusion Detection Using One-Class Classification Based on Standard Deviation of Service's Normal Behavior". International Journal of Computer Trends and Technology (IJCTT) V26(1):17-25, August 2015. ISSN: 2231-2803. www.ijcttjournal.org. Published by Seventh Sense Research Group.
Abstract -
A lot of effort has gone into designing a NIDS that combines a high detection rate with a low false alarm rate. Some approaches use misuse detection, which fails to detect zero-day attacks. Supervised learning has two problems: producing the labeled dataset needed to train the model is costly, and a model trained on known attacks may fail to detect new variants of them. Unsupervised learning, on the other hand, has the problem of labeling the generated clusters. The One-Class Classification (OCC) learning technique suffers from the high-dimensional network feature space, and problems may also arise when there are large differences in density. To overcome these problems, we propose an OCC-NIDS model based on the standard deviation of each service's normal behaviour. In this model we treat each network service as its own class instead of treating all network services together as a single class. This way we use only the features relevant to each service, which reduces the high-dimensional network feature space and also ensures that each class has an approximately uniform distribution. The proposed model proved able to detect abnormal network traffic with a high detection rate and a low false positive rate. It achieved a 99.72% detection rate and 99.65% accuracy, with a false alarm rate of 0.7% and a false positive rate of 0.005% on the KDD Cup'99 dataset.
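The abstract describes the idea but not the algorithm, so the following is an added illustration of a per-service standard-deviation profile, not the authors' code. It assumes a simple k-sigma rule on a hand-picked set of relevant features per service (the SERVICE_FEATURES table, the k=3 threshold and every record below are constructed for this example); it also handles two edge cases a practitioner meets at once: a feature that was constant in training (standard deviation zero) and a service with no learned profile.

```python
"""Per-service one-class anomaly detection from mean/std of normal traffic.

Added illustration only; the paper's actual feature selection and thresholds
are not given in the abstract, so everything below is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed relevant features per service (not from the paper).
SERVICE_FEATURES = {
    "http": ("duration", "src_bytes", "dst_bytes"),
    "ftp_data": ("duration", "src_bytes"),
    "smtp": ("duration", "src_bytes", "dst_bytes"),
}

# Constructed "normal" records in a KDD-like layout, used only for training.
NORMAL_TRAFFIC = [
    {"service": "http", "duration": 0, "src_bytes": 215, "dst_bytes": 1300},
    {"service": "http", "duration": 1, "src_bytes": 230, "dst_bytes": 1500},
    {"service": "http", "duration": 0, "src_bytes": 220, "dst_bytes": 1400},
    {"service": "http", "duration": 2, "src_bytes": 240, "dst_bytes": 1350},
    {"service": "http", "duration": 0, "src_bytes": 225, "dst_bytes": 1450},
    {"service": "ftp_data", "duration": 5, "src_bytes": 5000},
    {"service": "ftp_data", "duration": 7, "src_bytes": 5500},
    {"service": "ftp_data", "duration": 6, "src_bytes": 5200},
    {"service": "ftp_data", "duration": 5, "src_bytes": 5100},
    {"service": "smtp", "duration": 1, "src_bytes": 800, "dst_bytes": 300},
    {"service": "smtp", "duration": 1, "src_bytes": 800, "dst_bytes": 300},
    {"service": "smtp", "duration": 1, "src_bytes": 800, "dst_bytes": 300},
]

# Constructed labelled records for evaluation: (record, is_attack).
TEST_TRAFFIC = [
    ({"service": "http", "duration": 1, "src_bytes": 228, "dst_bytes": 1420}, False),
    ({"service": "ftp_data", "duration": 6, "src_bytes": 5400}, False),
    ({"service": "smtp", "duration": 1, "src_bytes": 800, "dst_bytes": 300}, False),
    ({"service": "http", "duration": 0, "src_bytes": 230, "dst_bytes": 60000}, True),
    ({"service": "http", "duration": 500, "src_bytes": 10000, "dst_bytes": 0}, True),
]


def build_profiles(records, service_features=SERVICE_FEATURES):
    """Learn {service: {feature: (mean, std)}} from normal traffic only.

    Each service is its own class and only its own features are profiled,
    which is the per-service idea the abstract describes.
    """
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["service"]].append(rec)
    profiles = {}
    for service, rows in grouped.items():
        feats = service_features.get(service)
        if feats is None:
            continue  # no feature list for this service: nothing to learn
        profiles[service] = {}
        for feat in feats:
            values = [row[feat] for row in rows]
            profiles[service][feat] = (mean(values), pstdev(values))
    return profiles


def deviating_features(record, profiles, k=3.0):
    """Names of features outside mean +/- k*std for the record's service.

    Returns None when the service has no learned profile. A feature whose
    training std is zero is treated strictly: any change is a deviation.
    """
    profile = profiles.get(record["service"])
    if profile is None:
        return None
    out = []
    for feat, (mu, sigma) in profile.items():
        x = record[feat]
        if sigma == 0.0:
            if x != mu:
                out.append(feat)
        elif abs(x - mu) > k * sigma:
            out.append(feat)
    return out


def classify(record, profiles, k=3.0):
    """Return 'normal', 'anomalous' or 'unknown_service'."""
    devs = deviating_features(record, profiles, k)
    if devs is None:
        return "unknown_service"
    return "anomalous" if devs else "normal"


def evaluate(labelled, profiles, k=3.0):
    """Detection rate and false alarm rate, the two headline metrics of the
    abstract, computed over labelled (record, is_attack) pairs."""
    tp = fn = fp = tn = 0
    for record, is_attack in labelled:
        flagged = classify(record, profiles, k) != "normal"
        if is_attack:
            tp += flagged
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    detection_rate = tp / (tp + fn) if tp + fn else 0.0
    false_alarm_rate = fp / (fp + tn) if fp + tn else 0.0
    return detection_rate, false_alarm_rate


if __name__ == "__main__":
    profiles = build_profiles(NORMAL_TRAFFIC)
    for record, _ in TEST_TRAFFIC:
        print(record["service"], classify(record, profiles), deviating_features(record, profiles))
    print("detection rate, false alarm rate:", evaluate(TEST_TRAFFIC, profiles))
```

Treating an unprofiled service as its own outcome rather than silently passing it is the defensive choice: the abstract's per-service design only vouches for services it has seen, so an unknown one should be surfaced for review rather than scored against another service's distribution.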
Keywords
Network Intrusion Detection, Service's Normal Behaviour, One-Class Classification, Standard Deviation