Abstract: In this paper, an incremental hybrid intrusion detection system is introduced. This system combines incremental misuse detection and incremental anomaly detection. It can learn new classes of intrusions that do not exist in the training dataset used for incremental misuse detection. As the framework has low computational complexity, it is suitable for real-time or on-line learning. An experimental evaluation on the KDD Cup dataset is also presented.
Keywords: incremental learning, ensemble of weak classifiers, hybrid, Learn++
I. INTRODUCTION
With the rapid growth of network-based services and of sensitive information on networks, the number and the severity of network-based computer attacks have significantly increased. Although a wide range of security technologies such as information encryption, access control, and intrusion prevention can protect network-based systems, many intrusions still go undetected.
An intrusion can be defined as “any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource”. An IDS can detect and identify intrusion behavior or intrusion attempts in a computer system by monitoring and analyzing network packets or system audit logs, and then send intrusion alerts to system administrators in real time. Intrusion detection techniques can be categorized into misuse detection and anomaly detection [1].
Misuse detection systems use patterns of well-known attacks or weak spots of the system to identify intrusions. The main shortcomings of such systems [2,3,4] are the need to hand-code known intrusion patterns and their inability to detect future (unknown) intrusions that do not match the patterns stored in the system.
Anomaly detection systems, on the other hand, first establish normal user behavior patterns (profiles) and then determine whether deviations from the established normal profiles should be flagged as intrusions. The main advantage of anomaly detection systems is that they can detect new types of unknown intrusions [5,6,7].
In recent years, the continual emergence of new attack methods has caused great loss to society as a whole. The advantage of being able to detect future attacks has therefore led to increasing interest in incremental learning techniques. Traditional methods commonly build a static intrusion detection model on a prior training dataset and then use this model to make predictions on new network behavior data. However, the network behavior model does not change continually along with the detection and analysis process. Thus the initially learnt intrusion detection model cannot adapt to new network behavior patterns, which increases the false positive rate and decreases the detection precision of the system.
In order to improve intrusion detection with a high detection rate, the ability to detect new unknown attacks, and a model that continually adapts to cope with new network behaviors, we propose a hybrid intrusion detection system which combines incremental misuse intrusion detection and incremental anomaly detection. In addition, when the intrusion detection dataset is so large that the whole dataset cannot be loaded into main memory, the original dataset can be partitioned into several subsets; the detection model is built on one subset and then dynamically modified according to the other training subsets.
Weak classifiers are those that obtain 50 percent classification accuracy on their own training data [16]. Ensembles are combinations of several models whose individual predictions are combined in some manner (e.g., averaging or voting) to form a final prediction [12].
Several hybrid intrusion detection systems have been proposed for combining misuse detection and anomaly detection [8,9,10]. We propose a hybrid intrusion detection system based on incremental learning. We use an ensemble of weak classifiers to implement the incremental misuse intrusion detection system. Intrusion detection systems using an ensemble of weak classifiers generally have lower computational complexity than frameworks that use a strong classifier, because each weak classifier is itself computationally cheap. We use the on-line k-means algorithm for incremental anomaly detection to detect unknown intrusions.
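The incremental anomaly detector sketched in the previous two paragraphs (on-line k-means trained on normal traffic, with the training data absorbed subset by subset rather than loaded whole) can be illustrated as follows. This is an added example written for this edit, not the paper's own implementation: the MacQueen-style update rule, the mean + z·std distance threshold and the four constructed connection features are assumptions, and the sample records are constructed, not KDD Cup data.

```python
import math
import random

class OnlineKMeansAnomalyDetector:
    """MacQueen-style online k-means over normal traffic: each record moves only
    its nearest centroid (step 1/n_j), so training subsets are absorbed one at a
    time. Distance to the nearest centroid above mean + z*std flags an anomaly."""

    def __init__(self, k):
        self.k = k
        self.centroids, self.counts = [], []   # seeded lazily from the first k records
        self.n, self.d_sum, self.d_sq_sum = 0, 0.0, 0.0   # running distance statistics

    def nearest(self, x):
        return min(((i, math.dist(x, c)) for i, c in enumerate(self.centroids)),
                   key=lambda t: t[1])

    def partial_fit(self, records):
        """Absorb one training subset of records assumed to be normal."""
        for x in records:
            if len(self.centroids) < self.k:     # first k records seed the centroids
                self.centroids.append(list(x))
                self.counts.append(1)
                continue
            j, d = self.nearest(x)
            self.counts[j] += 1
            eta = 1.0 / self.counts[j]           # decreasing step keeps the centroid at the cluster mean
            self.centroids[j] = [c + eta * (xi - c) for c, xi in zip(self.centroids[j], x)]
            self.n, self.d_sum, self.d_sq_sum = self.n + 1, self.d_sum + d, self.d_sq_sum + d * d

    def threshold(self, z=3.0):
        mean = self.d_sum / self.n
        std = math.sqrt(max(self.d_sq_sum / self.n - mean * mean, 0.0))
        return mean + z * std

    def is_anomaly(self, x, z=3.0):
        return self.nearest(x)[1] > self.threshold(z)

# Constructed sample data (not KDD Cup records): four normalised connection
# features; normal traffic forms two clusters, the attack-like record is far from both.
def make_normal(n, seed=1):
    rng = random.Random(seed)
    centers = [(0.10, 0.20, 0.10, 0.10), (0.50, 0.60, 0.50, 0.30)]
    return [[v + rng.uniform(-0.05, 0.05) for v in centers[i % 2]] for i in range(n)]

def demo():
    det, data = OnlineKMeansAnomalyDetector(k=2), make_normal(400)
    for start in range(0, len(data), 100):       # the training set arrives as four subsets
        det.partial_fit(data[start:start + 100])
    return det.is_anomaly([0.95, 0.05, 0.95, 0.99]), det.is_anomaly([0.12, 0.18, 0.11, 0.09])
```

Because the threshold is derived from running statistics, it can be tightened or loosened by z without revisiting earlier subsets, which is what makes the detector usable on-line.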
The rest of the paper is organized as follows: related work is presented in Section II, the hybrid system architecture in Section III, the proposed architecture in Section IV, the KDD Cup dataset in Section V, the experimental evaluation in Section VI, a comparison to other algorithms in Section VII, and computational complexity in Section VIII; finally, we conclude the paper in the conclusion section.