Constructing important features from massive network traffic for lightweight intrusion detection

Wei Wang; Yongzhong He; Jiqiang Liu; Sylvain Gombault

Constructing important features from massive network traffic for lightweight intrusion detection

View Fulltext

Author(s): Wei Wang ¹ ; Yongzhong He ¹ ; Jiqiang Liu ¹ ; Sylvain Gombault ²
- Affiliations: 1: School of Computer and Information Technology, Beijing Jiaotong University, No. 3 Shuangyuancun, Beijing 100044, People's Republic of China ;
  2: Institut Mines Telecom/Telecom Bretagne, Université européenne de Bretagne, France
Source: Volume 9, Issue 6, November 2015, p. 374 – 379
DOI: 10.1049/iet-ifs.2014.0353 , Print ISSN 1751-8709, Online ISSN 1751-8717

Received 30/07/2014, Accepted 17/03/2015, Revised 15/02/2015, Published 30/04/2015

Efficiently processing massive data is a big issue in high-speed network intrusion detection, as network traffic has become increasingly large and complex. In this work, instead of constructing a large number of features from massive network traffic, the authors aim to select the most important features and use them to detect intrusions in a fast and effective manner. The authors first employed several techniques, that is, information gain (IG), wrapper with Bayesian networks (BN) and Decision trees (C4.5), to select important subsets of features for network intrusion detection based on KDD'99 data. The authors then validate the feature selection schemes in a real network test bed to detect distributed denial-of-service attacks. The feature selection schemes are extensively evaluated based on the two data sets. The empirical results demonstrate that with only the most important 10 features selected from all the original 41 features, the attack detection accuracy almost remains the same or even becomes better based on both BN and C4.5 classifiers. Constructing fewer features can also improve the efficiency of network intrusion detection.

References

1. 1)
  - 18. Wang, W., Guan, X., Zhang, X., Yang, L.: ‘Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data’, Comput. Sec., 2006, 25, (7), pp. 539–550 (doi: 10.1016/j.cose.2006.05.005).
2. 2)
  - 5. Wang, W., Gombault, S., Guyet, T.: ‘Towards fast detecting intrusions: Using key attributes of network traffic’. ICIMP, 2008, pp. 86–91.
3. 3)
  - 7. Hu, W., Gao, J., Wang, Y., Wu, O., Maybank, S.: ‘Online adaboost-based parameterized methods for dynamic distributed network intrusion detection’, IEEE Trans. Cybern., 2014, 44, (1), pp. 66–82 (doi: 10.1109/TCYB.2013.2247592).
4. 4)
  - 19. Wang, W., Guyet, T., Quiniou, R., Cordier, M., Masseglia, F., Zhang, X.: ‘Autonomic intrusion detection: Adaptively detecting anomalies over unlabeled audit data streams in computer networks’, Knowl.-Based Syst., 2014, 70, pp. 103–117 (doi: 10.1016/j.knosys.2014.06.018).
5. 5)
  - 15. Han, G., Jiang, J., Shen, W., Shu, L., Rodrigues, J.: ‘IDSEP: a novel intrusion detection scheme based on energy prediction in cluster-based wireless sensor networks’, IET Inf. Sec., 2013, 2, (7), pp. 97–105 (doi: 10.1049/iet-ifs.2012.0052).
6. 6)
  - 1. Snort, http://www.snort.org/, December 2014.
7. 7)
  - 22. Das, S.: ‘Filters, wrappers and a boosting-based hybrid for feature selection’. ICML, 2001, pp. 74–81.
8. 8)
  - 2. Lee, W., Stolfo, W.: ‘A framework for constructing features and models for intrusion detection systems [J]’, ACM Trans. Inf. Syst. Sec., 2000, 3, (4), pp. 227–261 (doi: 10.1145/382912.382914).
9. 9)
  - [25]. Bhuyan, M., Bhattacharyya, D., Kalita, J.: ‘Network anomaly detection: methods, systems and tools’, IEEE Commun. Surv. Tutor., 2014, 16, pp. 303–336 (doi: 10.1109/SURV.2013.052213.00046).
10. 10)
  - 17. Wang, W., Zhang, X., Gombault, S.: ‘Constructing attribute weights from computer audit data for effective intrusion detection’, J. Syst. Softw., 2009, 82, (12), pp. 1974–1981 (doi: 10.1016/j.jss.2009.06.040).
11. 11)
  - 3. KDD Cup 1999 data (Computer network intrusion detection): http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html, 1999 (retrieved in December, 2014).
12. 12)
  - 11. Song, J., Takakurb, H., Okabe, Y., Nakao, K.: ‘Toward a more practical unsupervised anomaly detection system [J]’, Inf. Sci., 2013, 231, (10), pp. 4–14 (doi: 10.1016/j.ins.2011.08.011).
13. 13)
  - 13. Elhag, S., Fernandez, A., Bawakid, A., Alshomrani, S., Herrera, F.: ‘On the combination of genetic fuzzy systems and pairwise learning for improving detection rates on intrusion detection systems’, Expert Syst. Appl., 2015, 42, (1), pp. 193–202 (doi: 10.1016/j.eswa.2014.08.002).
14. 14)
  - 24. Heckerman, D.: ‘A tutorial on learning with Bayesian networks, microsoft research’. Technical Report MSRTR-95-06, 1995.
15. 15)
  - 26. Wang, W., Gombault, S.: ‘Efficient detection of DDoS attacks with important attributes’. CRiSIS, 2008, pp. 61–67.
16. 16)
  - 16. Kyriakopoulos, K., Aparicio-Navarro, F., Parish, D.: ‘Manual and automatic assigned thresholds in multi-layer data fusion intrusion detection system for 802.11 attacks’, IET Inf. Sec., 2014, 8, (1), pp. 42–50 (doi: 10.1049/iet-ifs.2012.0302).
17. 17)
  - 4. Yu, L., Liu, H.: ‘Feature selection for high-dimensional data: A fast correlation-based filter solution’. ICML, 2003, pp. 856–863.
18. 18)
  - 21. Sung, H., Mukkamala, S.: ‘Identifying important features for intrusion detection using support vector machines and neural networks’. Sympon Applications and the Internet, 2003.
19. 19)
  - 23. Duda, O., Hart, E., Stork, G.: ‘Pattern classification’ (China Machine Press, Beijing, 2004, 2nd edn.).
20. 20)
  - 14. El-Khatib, K.: ‘Impact of feature reduction on the efficiency of wireless intrusion detection systems [J]’, IEEE Trans. Parallel Distrib. Syst., 2010, 21, (8) (doi: 10.1109/TPDS.2009.142).
21. 21)
  - 10. Chitrakar, R., Huang, C.: ‘Selection of candidate support vectors in incremental SVM for network intrusion detection’, Comput. Secur., 2014, 45, pp. 231–241 (doi: 10.1016/j.cose.2014.06.006).
22. 22)
  - 20. Wang, W., Guan, X., Zhang, X.: ‘Processing of massive audit data streams for real-time anomaly intrusion detection’, Comput. Commun., 2008, 31, (1), pp. 58–72 (doi: 10.1016/j.comcom.2007.10.010).
23. 23)
  - 9. Ghosh, A., Gottlieb, M., Naidu, A., et al: ‘Managing high volume data for network attack detection using real-time flow filtering [J]’, China Commun., 2013, 10, (3), pp. 56–66 (doi: 10.1109/CC.2013.6488830).
24. 24)
  - 12. Gowrison, G., Ramar, K., Muneeswaran, K., Revathi, T.: ‘Minimal complexity attack classification intrusion detection system [J]’, Appl. Soft Comput., 2013, 13, (2), pp. 921–927 (doi: 10.1016/j.asoc.2012.09.017).
25. 25)
  - 25. Quinlan, R.: ‘C4.5: Programs for machine learning’ (Morgan Kaufmann Publishers, 1993).
26. 26)
  - 8. Feng, W., Zhang, Q., Hu, G., Huang, J.: ‘Mining network data for intrusion detection through combining SVMs with ant colony networks’, Future Gener. Comput. Syst., 2014, 37, pp. 127–140 (doi: 10.1016/j.future.2013.06.027).

Login

Not registered yet?

Share

Tools

Login to add to favourites

Key

Constructing important features from massive network traffic for lightweight intrusion detection

References

Related content