http://dx.doi.org/10.13089/JKIISC.2018.28.2.385

A Practical Feature Extraction for Improving Accuracy and Speed of IDS Alerts Classification Models Based on Machine Learning  

Shin, Iksoo (University of Science & Technology)
Song, Jungsuk (University of Science & Technology)
Choi, Jangwon (Korea Institute of Science & Technology Information)
Kwon, Taewoong (Korea Institute of Science & Technology Information)
Abstract
With the development of the Internet, cyber attacks have become a major threat. To detect cyber attacks, intrusion detection systems (IDS) have been widely deployed. But an IDS has a critical weakness: it generates a large number of false alarms. One of the promising techniques for reducing false alarms in real time is machine learning. However, there are problems that must be solved before machine learning can be used, so many machine learning approaches have been applied to this field. But so far, researchers have not focused on features. Although the features of IDS alerts are important for the performance of the model, the approach to features has been ignored. In this paper, we propose a new feature set which can improve the performance of the model and can be extracted from a single alarm. The new features are motivated by security analysts' know-how. We trained and tested the proposed model, which applies the new feature set, with real IDS alerts. Experimental results indicate that the proposed model can achieve better accuracy and a better false positive rate than an SVM model with ordinary features.
Keywords
Network security; IDS; false alarm; machine learning; SVM