PASCAL - Pattern Analysis, Statistical Modelling and Computational Learning

Anomaly detection in computer networks using linear SVMs
Carolina Fortuna, Blaz Fortuna and Mihael Mohorcic
In: Conference on Data Mining and Data Warehouses, 12 Oct 2007, Ljubljana, Slovenia.

Abstract

Modern computer networks are subject to various malicious attacks. Since attacks are becoming more sophisticated and networks are becoming larger, there is a need for efficient intrusion detection systems (IDSs) that can distinguish between legitimate and illegitimate traffic and signal attacks in real time, before serious damage is done. In this paper we use linear support vector machines (SVMs) for detecting abnormal traffic patterns in the KDD Cup 1999 data. The IDS is expected to distinguish normal traffic from intrusions and to classify the intrusions into four classes: DoS, probe, R2L and U2R. The dataset is quite unbalanced: 79% of the traffic belongs to the DoS category, 19% is normal traffic, and less than 2% constitutes the other three categories. This paper studies the performance of IDSs based on linear multiclass SVMs with highest-confidence (one-to-all), majority (one-to-one) and two-level (one-to-all-3categ) voting on this particular dataset. The one-to-all-3categ IDS is tailored to perform well on the unbalanced dataset, but it proves to be less efficient when trained on large datasets. The one-to-one IDS turns out to perform best on the larger training dataset. The best performing IDS has a 90.9% intrusion detection rate, a 90.7% intrusion diagnosis rate and a 0.2479 average cost per test example (ACTE).
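The three voting schemes named in the abstract can be compared on a small constructed dataset. The following is an added example, not the paper's code: it trains binary linear SVMs with a simple primal hinge-loss SGD solver (Pegasos-style), builds the one-to-all (highest confidence), one-to-one (majority vote) and a two-level scheme on top of them, and reports detection and diagnosis rates on a held-out set whose class imbalance mimics the abstract's proportions (DoS dominant, normal second, probe/R2L/U2R tiny). The data, the solver, the reading of "one-to-all-3categ" as normal-vs-intrusion followed by a one-to-all vote among intrusion categories, and the metric definitions (detection rate = attack records flagged as any attack, diagnosis rate = attack records assigned their exact category) are all assumptions made for the example; the KDD cost matrix behind ACTE is not on this page and is not reproduced.

```python
# Added example (not the paper's code): multiclass voting schemes over linear SVMs
# on a constructed, heavily unbalanced five-class dataset.
import random
from itertools import combinations

CLASSES = ["normal", "dos", "probe", "r2l", "u2r"]
# Constructed class sizes: DoS dominates, normal is second, the rest are tiny.
COUNTS = {"normal": 100, "dos": 400, "probe": 20, "r2l": 10, "u2r": 5}
DIM = len(CLASSES)  # one informative coordinate per class; a constant 1 is appended as bias

def make_dataset(counts, rng, gap=5.0, noise=0.4):
    """Constructed records: class c is centred at gap * e_c in R^5 plus Gaussian noise."""
    data = []
    for c, n in counts.items():
        centre = [gap if k == c else 0.0 for k in CLASSES]
        for _ in range(n):
            data.append(([m + rng.gauss(0.0, noise) for m in centre] + [1.0], c))
    rng.shuffle(data)
    return data

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def train_linear_svm(examples, lam=0.01, iters=20000, seed=0):
    """Binary linear SVM trained by primal hinge-loss SGD (Pegasos-style, an assumption).
    examples: list of (x, y) with y in {-1, +1}; returns the weight vector."""
    rng = random.Random(seed)
    w = [0.0] * (DIM + 1)
    for t in range(1, iters + 1):
        x, y = rng.choice(examples)
        eta = 1.0 / (lam * t)
        shrink = 1.0 - eta * lam  # regularisation step
        if y * dot(w, x) < 1.0:  # margin violated: hinge-loss subgradient step
            w = [shrink * wi + eta * y * xi for wi, xi in zip(w, x)]
        else:
            w = [shrink * wi for wi in w]
    return w

class OneVsAll:
    """One-to-all: one SVM per class; predict the class with the highest decision value."""
    def __init__(self, train, classes):
        self.classes = classes
        self.models = {c: train_linear_svm([(x, 1 if y == c else -1) for x, y in train])
                       for c in classes}

    def predict(self, x):
        return max(self.classes, key=lambda c: dot(self.models[c], x))

class OneVsOne:
    """One-to-one: one SVM per pair of classes; predict by majority vote."""
    def __init__(self, train, classes):
        self.classes = classes
        self.models = {}
        for a, b in combinations(classes, 2):
            pair = [(x, 1 if y == a else -1) for x, y in train if y in (a, b)]
            self.models[(a, b)] = train_linear_svm(pair)

    def predict(self, x):
        votes = dict.fromkeys(self.classes, 0)
        for (a, b), w in self.models.items():
            votes[a if dot(w, x) >= 0.0 else b] += 1
        return max(self.classes, key=votes.get)  # ties go to the earlier class

class TwoLevel:
    """Two-level voting (an assumed reading of the abstract's one-to-all-3categ):
    level 1 separates normal from intrusion; level 2 is a one-to-all vote among
    the intrusion categories, trained on intrusion records only."""
    def __init__(self, train, classes):
        self.gate = train_linear_svm([(x, 1 if y != "normal" else -1) for x, y in train])
        attacks = [c for c in classes if c != "normal"]
        self.level2 = OneVsAll([(x, y) for x, y in train if y != "normal"], attacks)

    def predict(self, x):
        return "normal" if dot(self.gate, x) < 0.0 else self.level2.predict(x)

def evaluate(model, test):
    """Assumed metric definitions: detection rate = attack records flagged as any
    attack; diagnosis rate = attack records assigned their exact category."""
    preds = [(model.predict(x), y) for x, y in test]
    attacks = [(p, y) for p, y in preds if y != "normal"]
    return {
        "accuracy": sum(p == y for p, y in preds) / len(preds),
        "detection_rate": sum(p != "normal" for p, _ in attacks) / len(attacks),
        "diagnosis_rate": sum(p == y for p, y in attacks) / len(attacks),
    }

def run_experiment():
    train = make_dataset(COUNTS, random.Random(1))
    test = make_dataset(COUNTS, random.Random(2))  # same imbalance, fresh samples
    schemes = {"one_vs_all": OneVsAll(train, CLASSES),
               "one_vs_one": OneVsOne(train, CLASSES),
               "two_level": TwoLevel(train, CLASSES)}
    return {name: evaluate(m, test) for name, m in schemes.items()}

if __name__ == "__main__":
    for name, m in run_experiment().items():
        print(f"{name:11s} acc={m['accuracy']:.3f} "
              f"detect={m['detection_rate']:.3f} diagnose={m['diagnosis_rate']:.3f}")
```

The constructed clusters are far better separated than real KDD Cup 1999 traffic, so all three schemes score well here; the point of the example is the structure of each vote (argmax of decision values, pairwise majority, gate then categorise) and how the minority classes are handled, which is where the schemes differ on the real unbalanced data. By construction the diagnosis rate can never exceed the detection rate, since assigning the correct attack category implies flagging the record as an attack.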

EPrint Type: Conference or Workshop Item (Paper)
Subjects: Learning/Statistics & Optimisation
ID Code: 4107
Deposited By: Carolina Fortuna
Deposited On: 29 March 2008