Evaluation of Machine Learning Algorithms for Intrusion Detection System

Intrusion detection system (IDS) is one of the implemented solutions against harmful attacks. Furthermore, attackers always keep changing their tools and techniques. However, implementing an accepted IDS system is also a challenging task. In this paper, several experiments have been performed and evaluated to assess various machine learning classifiers based on KDD intrusion dataset. It succeeded to compute several performance metrics in order to evaluate the selected classifiers. The focus was on false negative and false positive performance metrics in order to enhance the detection rate of the intrusion detection system. The implemented experiments demonstrated that the decision table classifier achieved the lowest value of false negative while the random forest classifier has achieved the highest average accuracy rate

Packet Classification based on Boundary Cutting analysis by using Bloom Filters

Packet classification has received a great deal of attention over the half decade in applications such as Quality of Service (QoS), security, firewalls, Network Intrusion Detection System (NIDS), multimedia services, differentiated services. They perform different operations at different flows. Existing decision-tree-based packet classification algorithms, HiCuts and HyperCuts perform search by geometrical representation of rules in a classifier by searching for a geometric space to which packet belongs. These decision tree algorithms have complications in finding number of cuts and the field. Also fixed interval-based cutting not covers the actual space for each rule. Hence it is ineffective and requires huge storage requirement. In recent years, Bloom Filter, which is space-efficient and probabilistic data structure for membership queries, becomes popular in many network applications. It requires small amount of memory and used to avoid lookups to sustain high throughput. It handles the large database and provides security in network applications like NIDS. This paper presents a boundary cutting (BC) scenario which exploits the structure of classifiers. It finds out the space that each rule covers and perform cutting according to rule boundary. Hence it is deterministic, and more effective in providing improved search performance and efficient in memory requirement. Security roles are also considered during classification. DOI: 10.17762/ijritcc2321-8169.15075

Hierarchical TCP network traffic classification with adaptive optimisation

Nowadays, with the increasing deployment of modern packet-switching networks, traffic classification is playing an important role in network administration. To identify what kinds of traffic transmitting across networks can improve network management in various ways, such as traffic shaping, differential services, enhanced security, etc. By applying different policies to different kinds of traffic, Quality of Service (QoS) can be achieved and the granularity can be as fine as flow-level. Since illegal traffic can be identified and filtered, network security can be enhanced by employing advanced traffic classification. There are various traditional techniques for traffic classification. However, some of them cannot handle traffic generated by applications using non-registered ports or forged ports, some of them cannot deal with encrypted traffic and some techniques require too much computational resources. The newly proposed technique by other researchers, which uses statistical methods, gives an alternative approach. It requires less resources, does not rely on ports and can deal with encrypted traffic. Nevertheless, the performance of the classification using statistical methods can be further improved. In this thesis, we are aiming for optimising network traffic classification based on the statistical approach. Because of the popularity of the TCP protocol, and the difficulties for classification introduced by TCP traffic controls, our work is focusing on classifying network traffic based on TCP protocol. An architecture has been proposed for improving the classification performance, in terms of accuracy and response time. Experiments have been taken and results have been evaluated for proving the improved performance of the proposed optimised classifier. In our work, network packets are reassembled into TCP flows. Then, the statistical characteristics of flows are extracted. Finally the classes of input flows can be determined by comparing them with the profiled samples. Instead of using only one algorithm for classifying all traffic flows, our proposed system employs a series of binary classifiers, which use optimised algorithms to detect different traffic classes separately. There is a decision making mechanism for dealing with controversial results from the binary classifiers. Machining learning algorithms including k-nearest neighbour, decision trees and artificial neural networks have been taken into consideration together with a kind of non-parametric statistical algorithm — Kolmogorov-Smirnov test. Besides algorithms, some parameters are also optimised locally, such as detection windows, acceptance thresholds. This hierarchical architecture gives traffic classifier more flexibility, higher accuracy and less response time