An Improved Anomalous Intrusion Detection Model

The volume of cyber-attack targeting network resources within the cyberspace is steadily increasing and evolving. Network intrusions compromise the confidentiality, integrity or availability of network resources causing reputational damage and the consequential financial loss. One of the key cyber-defense tools against these attacks is the Intrusion Detection System. Existing anomalous intrusion detection models often misclassified normal network traffics as attacks while minority attacks go undetected due to an extreme imbalance in network traffic data. This leads to a high false positive and low detection rate. This study focused on improving the detection accuracy by addressing the class imbalanced problem which is often associated with network traffic dataset. Live network traffic packets were collected within the test case environment with Wireshark during normal network activities, Syncflood attack, slowhttppost attack and exploitation of known vulnerabilities on a targeted machine. Fifty-two features including forty-two features similar to Knowledge Discovery in Database (KDD ’99) intrusion detection dataset were extracted from the packet meta-data using Spleen tool. The features were normalized with min-max normalization algorithm and Information Gain algorithm was used to select the best discriminatory features from the feature space. An anomalous intrusion detection model was formulated by a cascade of k-means clustering algorithm and random-forest classifier. The proposed model was simulated and its performance was evaluated using detection accuracy, sensitivity, and specificity as metrics. The result of the evaluation showed 10% higher detection accuracy, 29% sensitivity, and 0.2% specificity than the existing model. Keywords— anomalous, cyber-attack, Detection, Intrusio