Professional Documents
Culture Documents
Vol 8 No 0103
Vol 8 No 0103
Vol 8 No 0103
net/publication/348191515
CITATION READS
1 21
3 authors, including:
N. Raghavendra Sai
K L University
95 PUBLICATIONS 291 CITATIONS
SEE PROFILE
All content following this page was uploaded by N. Raghavendra Sai on 04 January 2021.
472
INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGY AND CREATIVE ENGINEERING (ISSN:2045-8711)
VOL.8 NO.3 MARCH 2018
473
INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGY AND CREATIVE ENGINEERING (ISSN:2045-8711)
VOL.8 NO.3 MARCH 2018
Resulting to pre-processing, five getting ready reports are scenario has lower false alarm rate, but has poor diagnosis
made. In each one of the records, one attack compose performance, meaning that it detects most of the alarms, but it
addresses the positive class and the different ambushes doesn’t classify them correctly. The high ACTE appears to
address the negative class. originate from misclassifying DoS assaults (more than
220.000 occurrences out of 311.000) for R2L assaults. At last,
the one-to-all3categ IDS gives the best outcomes: great
ACTE, great location and determination rates and low false
alert rate. In any case, this outcome may be additionally
enhanced by parameter tuning or expanding the measure of
the preparation dataset.
474
INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGY AND CREATIVE ENGINEERING (ISSN:2045-8711)
VOL.8 NO.3 MARCH 2018
REFERENCES
[1] KDD Cup 1999 Task Description,
http://kdd.ics.uci.edu/databases/kddcup99/task.html
[2] Bernhard Pfahringer, Winning the KDD99
Classification Cup: Bagged Boosting, ACM
SIGKDD Explorations Newsletter, Volume 1, Issue
It can be seen in Table 4 that the one-to-all IDS 2, p. 65-66 January 2000.
performs well on normal and DoS connections, on probe it [3] Itzhak Levin, KDD-99 Classifier Learning Contest
has a rather poor performance (70.1% diagnosis) and LLSoft’s Results Overview, ACM SIGKDD
misclassifies most of U2R (15.7% diagnosis) and R2L (2.2% Explorations Newsletter, Volume 1, Issue 2, p. 67-75
diagnosis) connections. Most of the misclassified probe, U2R January 2000.
and R2L connections are classified as normal. The models for [4] Vladimir Miheev, Alexei Vopilov, Ivan Shabalin,
normal and DoS traffic are fairly accurate since they had a The MP13 Approach to the KDD'99 Classifier
large set of training instances to build on. The one-to-one IDS Learning Contest, SIGKDD Explorations Newsletter,
performs better than one-to-all IDS as can be seen in Table 5. Volume 1, Issue 2, p76-77 January 2000.
This IDS performs significantly better than one-to-all IDS on [5] Tsong Song Hwang, Tsung-Ju Lee, Yuh-Jye Lee, A
classifying U2R and R2L connections: it classifies 45.7% of Three-tier IDS via Data Mining Approach,
U2R connections and 9.3% of R2L connections. The R2L MineNet’07, June 12, 2007, San Diego, California,
connections are spread in space so that linear SVM proves to USA
be inefficient for building a good model for classifying these [6] W. Lee. A Data Mining Framework for Constructing
instances. We noticed a tradeoff: the more accurate the SVM Features and Models for Intrusion Detection
model for classifying R2L connections, the poorest in Systems. PhD thesis, Columbia University, 1999.
classifying normal connections and the other way around. The [7] Computer Security and Intrusion Detection,
one-to-all-3categ IDS performs worse than the other two http://www.acm.org/crossroads/xrds11-1/csid.html
IDSs in classifying R2L and U2R attacks, and performs [8] H. Gunes Kayacik, Nur Zincir-Heywood, Malcolm I.
slightly better on classifying probe attacks. It seems indeed Heywood, Selecting Features for Intrusion Detection:
that linear SVM is limited in building a good model for A Feature Relevance Analysis on KDD ’99
separating normal traffic from R2L due to the spread of these Benchmark,http://www.unb.ca/pstnet/pst2005/Shaug
connections. Even though we introduced the one-to-all-3categ hnessy%20Room/Oct13/GK_FeatRelevance.ppt#256
IDS in order to perform better at separating the three minority ,1,Selecting Features for Intrusion Detection: A
classes from the two major ones (normal and DoS), it seems Feature Relevance Analysis on KDD 99 Benchmark
like the model built using SVM is not accurate enough so that [9] Results of the KDD Cup 1999 Classifier Learning
this voting system proves efficient. Most of the R2L Contest,http://wwwcse.ucsd.edu/users/elkan/clresults
connections do not pass the first level voting, being classified .html
as normal. Comparing to relevant results in the literature, the [10] TextGarden–Text Mining Tools,
IDSs studied in the paper are less accurate. The one-to-one http://kt.ijs.si/Dunja/textgarden/
IDS with 0.2479 ACTE would rank 8th in the KDD Cup [11] C. Cortes and V. Vapnik, Support-Vector Networks,
1999 contest. Higher accuracy can be obtained by increasing Machine Learning, 20(3):273-297, September 1995.
the complexity of the system. SVMs with different kernels [12] Y.-J. Lee and O. L. Mangasarian. SSVM: A smooth
can be used for building better models, but with this support vector machine. Computational Optimization
approach, classification speed would decrease [11], this is and Applications, 20:5–22, 2001. Data Mining
undesired in real time IDSs. Hybrid systems that combine Institute, University of Wisconsin, Technical Report
several machine learning methods or that combine machine 99-03.
learning methods with the more classical ones based on
475