    Increasing coverage to improve detection of network and host anomalies

    For intrusion detection, the LERAD algorithm learns a succinct set of comprehensible rules for detecting anomalies, which could be novel attacks. LERAD validates the learned rules on a separate held-out validation set and removes rules that cause false alarms. However, removing rules that may have high coverage can lead to missed detections. We propose three techniques for increasing coverage: Weighting, Replacement and Hybrid. Weighting retains previously pruned rules and associates weights with them. Replacement, on the other hand, substitutes pruned rules with other candidate rules to ensure high coverage. We also present a Hybrid approach that selects between the two techniques based on training data coverage. Empirical results from seven data sets indicate that, for LERAD, increasing coverage by Weighting, Replacement and Hybrid detects more attacks than Pruning with minimal computational overhead.