Abstract: A great deal of effort has gone into designing a perfect NIDS with a high detection rate and a low false alarm rate. Some approaches use the misuse detection technique, which fails to detect zero-day attacks. Supervised learning has the problem that producing the labeled dataset required to train the model is costly, and because the model is trained on known attacks it may fail to detect new variants of them. Unsupervised learning, on the other hand, has the problem of labeling the generated clusters. The One-Class Classification (OCC) learning technique suffers from the high dimensionality of network feature spaces, and problems may also arise when large differences in density exist. To overcome these problems, we propose an OCC-NIDS model based on the standard deviation of each service’s normal behaviour. In this model we treat each network service as a single class instead of treating all network services together as one class. In this way we use only the features relevant to each service, which reduces the high dimensionality of the network feature space and also ensures that each class has an approximately uniform distribution. The proposed model proved able to detect abnormal network traffic with a high detection rate and a low false positive rate. It achieved a 99.72% detection rate and 99.65% accuracy, with a false alarm rate of 0.7% and a false positive rate of 0.005% on the KDD Cup’99 dataset.
Keywords: Network Intrusion Detection, Service’s Normal Behaviour, One-Class Classification, Standard Deviation
Abstract: Misuse detection is the traditional technique used in Network Intrusion Detection Systems (NIDSs); it relies on matching the current behavior of the network against pre-defined attack signatures. This technique is effective at detecting the majority of known attacks, but it fails to protect against unknown threats such as zero-day exploits. In addition, the increasing diversity and polymorphism of network attacks further obstruct the modeling of signatures, so there is a high demand for alternative detection techniques. Many researchers are still trying to solve the problem with new machine learning techniques such as supervised or unsupervised learning; however, producing a labeled dataset for supervised learning is difficult, and it is also difficult to label the generated clusters as normal or abnormal in unsupervised learning. To overcome these issues we propose a novel semi-supervised learning technique based on the standard deviation of the normal behavior, by which we attempt to detect attacks by calculating their deviation from the normal cluster in the observed data.
Keywords: Network Intrusion Detection, Anomaly detection, Semi-supervised learning, Standard Deviation.
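Both abstracts describe the same core idea: fit a profile of normal behaviour (per network service in the first abstract) from normal-only data, then flag traffic that deviates from that profile by more than some number of standard deviations. The following added example, which is not code from either paper, implements that idea on constructed flow records; the feature columns, the threshold k, and the sample values are assumptions, since the page gives neither the per-service feature subsets nor the threshold.

```python
from statistics import mean, pstdev

# Constructed normal-only training records, one list per network service
# (each service is its own one-class model). Feature columns are an assumption:
# [src_bytes, dst_bytes]; the papers' per-service feature subsets are not given here.
NORMAL_TRAIN = {
    "http": [[300, 1500], [320, 1700], [280, 1400], [310, 1600], [290, 1550]],
    "dns":  [[40, 120], [45, 130], [35, 110], [50, 140], [30, 100]],
}

# Constructed test records: (service, features, true label)
TEST = [
    ("http", [305, 1520], "normal"),
    ("http", [330, 1800], "normal"),
    ("http", [350, 1600], "normal"),   # legitimate but unusually large request: false positive
    ("dns",  [42, 125],   "normal"),
    ("http", [310, 9000], "attack"),   # reply far outside http's normal dst_bytes spread
    ("http", [0, 0],      "attack"),   # empty flow, unlike any normal http session
    ("dns",  [40, 4000],  "attack"),   # oversized dns reply
    ("dns",  [38, 118],   "attack"),   # stays inside the normal spread: missed
    ("tftp", [50, 50],    "attack"),   # service with no normal profile at all
]

def fit_service_profiles(train):
    """Per service, the mean and population std-dev of every feature over normal traffic."""
    return {svc: [(mean(col), pstdev(col)) for col in zip(*rows)]
            for svc, rows in train.items()}

def is_anomalous(profiles, service, x, k=3.0, eps=1e-9):
    """Flag x when any feature lies more than k std-devs from the service's normal mean.
    A service never seen in normal traffic has no profile and is flagged as well.
    eps keeps a constant normal feature from dividing by zero (any change is then flagged)."""
    if service not in profiles:
        return True
    return any(abs(v - mu) > k * max(sigma, eps)
               for v, (mu, sigma) in zip(x, profiles[service]))

def evaluate(profiles, test, k=3.0):
    """Detection rate (attacks flagged / attacks) and false positive rate (normals flagged / normals)."""
    tp = fn = fp = tn = 0
    for service, x, label in test:
        flagged = is_anomalous(profiles, service, x, k)
        if label == "attack":
            tp, fn = tp + flagged, fn + (not flagged)
        else:
            fp, tn = fp + flagged, tn + (not flagged)
    return {"detection_rate": tp / (tp + fn), "false_positive_rate": fp / (fp + tn)}

if __name__ == "__main__":
    profiles = fit_service_profiles(NORMAL_TRAIN)
    print(evaluate(profiles, TEST))   # {'detection_rate': 0.8, 'false_positive_rate': 0.25}
```

The missed dns record and the flagged http record show the trade-off the abstracts describe: a pure deviation threshold cannot see an attack that stays within the normal spread, and lowering k to catch it raises the false positive rate.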