Learning to Detect Network Intrusion from a Few Labeled Events and Background Traffic

Abstract: Intrusion detection systems (IDS) analyse network traffic data with the goal of revealing malicious activities and incidents. A general problem with learning in this domain is the lack of relevant ground-truth data, i.e. real attacks that capture malicious behaviours in their full variety. Most existing solutions therefore rely, to some degree, on rules designed by network domain experts. Although rules have their advantages, they lack the basic ability to adapt to traffic data. We therefore propose an ensemble tree-bagging classifier capable of learning from an extremely small number of true attack representatives, and demonstrate that, by incorporating general background traffic, we are able to generalise from those few representatives and achieve results competitive with the expert-designed rules used in the existing IDS Camnep.
https://hal.archives-ouvertes.fr/hal-01410151
Contributor: Hal Ifip
Submitted on: Tuesday, December 6, 2016 - 2:44:33 PM
Last modification on: Tuesday, March 27, 2018 - 5:14:02 PM
Long-term archiving on: Tuesday, March 21, 2017 - 2:42:16 AM

File: 978-3-319-20034-7_9_Chapter.pd... (files produced by the author(s))

Licence: Distributed under a Creative Commons Attribution 4.0 International License

Citation

Gustav Šourek, Ondřej Kuželka, Filip Železný. Learning to Detect Network Intrusion from a Few Labeled Events and Background Traffic. 9th Autonomous Infrastructure, Management, and Security (AIMS), Jun 2015, Ghent, Belgium. pp.73-86, ⟨10.1007/978-3-319-20034-7_9⟩. ⟨hal-01410151⟩
