The neural network models for IDS based on the asymmetric costs of false negative errors and false positive errors
Introduction
The rapid growth of networks in information systems has drawn increasing attention to Intrusion Detection Systems (IDS), which many companies have adopted to protect their information assets (Verwoerd and Hunt, 2002). An IDS is software that detects, identifies and responds to unauthorized or abnormal activities on a target system (Denning, 1987, Richards, 1999). Intrusion detection is an area of increasing concern in the Internet community. In response to this concern, many automated IDS have been developed (Biermann et al., 2001). In recent years, data mining techniques such as statistical methods and artificial approaches have been successfully applied in the context of network intrusion detection (Heatley and Otto, 1998). Data mining is a process of sifting through large volumes of data to discover trends and patterns. Most of the IDS designed so far, however, have difficulty in accurately classifying intrusive attempts. IDS inevitably make errors even though many techniques are employed for detecting fatal attacks on a server.
The purpose of IDS is to distinguish between intruders and normal users. It is difficult to remove all possible errors due to the enormous variety and complexity of today's networks. Although data mining has become a very useful technique by reducing the information overload and improving the performance of IDS, two types of errors incur unavoidable IDS costs: false positive errors and false negative errors. False positive errors occur when the IDS sensor misinterprets normal packets or activities as an attack. These errors can degrade the productivity of the systems by invoking unnecessary countermeasures. False negative errors, on the other hand, occur when an attacker is misclassified as a normal user. A fatal problem may arise from a false negative error, as unauthorized or abnormal activities generate unexpected or undesirable operations of the systems. False negative errors cause great losses for organizations that are connected to the systems by networks. The risk of false negative errors is higher than the risk of false positive errors. However, most studies of IDS that employ data mining techniques have focused on improving the prediction ability for unauthorized or abnormal users (Heatley and Otto, 1998).
In most cases of the operation of IDS in organizations, IDS operators rely on their experience to identify and resolve unexpected false negative error issues (White et al., 1996). This study proposes a method to analyze and reduce the total costs based on the asymmetric costs of errors in the IDS. This study adopts the neural network model, which has shown successful results for detecting and identifying unauthorized or abnormal activities from the networks (Lee et al., 1999). The objective of the proposed method is to minimize the loss for an organization under an open network environment. This study employs the neural network model for intrusion detection. Furthermore, the study analyzes the cost-effectiveness of the false error levels and presents experimental results for the validation of our intrusion detection model.
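The cost argument above, as an added example that is not the paper's own code or model: given detector scores, it picks the alert threshold that minimizes total cost when a false negative is weighted more heavily than a false positive. The scores, labels, function names and the 10:1 cost ratio are constructed assumptions, not values from the study.

```python
"""Choose an IDS alert threshold by total error cost instead of error count."""

# Constructed sample: (detector score in [0, 1], true label), 1 = attack.
SAMPLE = [
    (0.05, 0), (0.10, 0), (0.15, 0), (0.22, 0), (0.30, 0), (0.35, 1),
    (0.41, 0), (0.48, 0), (0.52, 1), (0.58, 0), (0.63, 1), (0.70, 0),
    (0.77, 1), (0.85, 1), (0.91, 1), (0.96, 1),
]


def confusion(sample, threshold):
    """Return (false_positives, false_negatives) when score >= threshold alerts."""
    fp = sum(1 for score, label in sample if score >= threshold and label == 0)
    fn = sum(1 for score, label in sample if score < threshold and label == 1)
    return fp, fn


def total_cost(sample, threshold, cost_fp, cost_fn):
    """Total cost = cost_fp * FP + cost_fn * FN at the given threshold."""
    fp, fn = confusion(sample, threshold)
    return cost_fp * fp + cost_fn * fn


def best_threshold(sample, cost_fp, cost_fn):
    """Scan every observed score, plus 'never alert', as a candidate threshold.

    Ties on cost go to the lower threshold, i.e. the more sensitive setting.
    """
    candidates = sorted({score for score, _ in sample}) + [float("inf")]
    return min(candidates,
               key=lambda t: (total_cost(sample, t, cost_fp, cost_fn), t))


if __name__ == "__main__":
    COST_FP, COST_FN = 1, 10  # assumed ratio: a missed attack costs 10x a false alarm
    symmetric = best_threshold(SAMPLE, 1, 1)            # minimizes the error count
    asymmetric = best_threshold(SAMPLE, COST_FP, COST_FN)
    for name, t in (("symmetric", symmetric), ("asymmetric", asymmetric)):
        fp, fn = confusion(SAMPLE, t)
        print(f"{name:10s} threshold={t:.2f} FP={fp} FN={fn} "
              f"cost@10:1={total_cost(SAMPLE, t, COST_FP, COST_FN)}")
```

On this sample the threshold that minimizes the error count leaves one attack undetected, while the cost-weighted threshold accepts two extra false alarms to eliminate it.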
The remainder of this paper consists of four sections. The next section introduces IDS and reviews studies of data mining approaches for IDS. The research model of this study is addressed in detail in Section 3. In Section 4, the asymmetric costs of false negative errors and false positive errors are validated by experimental results. Finally, the paper concludes with a summary, contributions and limitations.
Section snippets
Intrusion detection systems
An intrusion is an unauthorized access or usage of the resources of a computer system (Esmaili et al., 1996). An IDS is software that detects, identifies and responds to unauthorized or abnormal activities on a target system (Denning, 1987, Richards, 1999). The goal of the IDS is to provide a mechanism for the detection of security violations either in real-time or batch-mode (Debar et al., 1989, Debar et al., 1992). Violations are initiated either by outsiders
Asymmetric costs of errors for IDS
In this paper, we adopt neural networks for the purpose of improving the performance of IDS. Neural networks have shown promising performance for intrusion detection (Bonifacio et al., 1998, Lippmann and Cunningham, 2000). Neural networks adapt well to changing circumstances and environmental factors and handle the fuzziness and bias aspects of human decision making (Hill and Remus, 1994). In the past decade, neural networks have been successfully applied to various areas such as finance (
Data
Experimental data were collected randomly by the IDS sensor from Cyber-PATROL, Inc. in Korea. Cyber-PATROL, a fully integrated security services company, provides IT security services in Korea like Counterpane Internet Security does in Washington, DC. The sample consisted of 10,210 cases that include normal and attack patterns. The sample was divided into two subsets, in-sample and out-of-sample. The input variables of the neural network models for intrusion detection are described in Table 2
Conclusion
A variety of studies and systems have been designed to detect intrusion by using data mining approaches. However, most studies measured system performance by prediction accuracy without considering the asymmetric costs of errors in intrusion detection. In this study we proposed a neural network model based on asymmetric costs of false positive errors and false negative errors. The first phase of this study develops a neural network model for intrusion detection.
References (29)
- et al. A comparison of intrusion detection systems. Computer and Security (2001)
- Applications of counterpropagation networks. Neural Networks (1988)
- et al. Neural network models for intelligent support of managerial decision making. Decision Support Systems (1994)
- et al. Knowledge-based data mining of news information on the Internet using cognitive maps and neural networks. Expert Systems with Applications (2002)
- et al. Comparing performance of feedforward neural nets and K-means for cluster-based market segmentation. European Journal of Operational Research (1999)
- et al. Genetic algorithms approach to feature discretization in artificial neural networks for the prediction of stock price index. Expert Systems with Applications (2000)
- et al. A data reduction method for intrusion detection. Systems Software (1996)
- et al. Improving intrusion detection performance using keyword selection and neural networks. Computer Networks (2000)
- Network based intrusion detection: a review of technologies. Computer and Security (1999)
- et al. Intrusion detection techniques and approaches. Computer Communication (2002)
- Neural networks applied in intrusion detection system. Proceedings of the IEEE, International Joint Conference
- Towards a taxonomy of intrusion-detection systems. Computer Networks
- A neural network component for an intrusion detection system. IEEE Computer Society Symposium Research in Security and Privacy
- An intrusion detection model. IEEE Trans. S.E.
Cited by (86)
Intrusion detection method based on improved social network search algorithm
2024, Computers and Security
Maximizing total yield in safety hazard monitoring of online reviews
2023, Expert Systems with Applications
A feature reduced intrusion detection system using ANN classifier
2017, Expert Systems with Applications
Citation Excerpt: Another drawback is, if an attacker knows that he or she is being profiled, they can slowly change the profile to train the anomaly detection system of intruder's malicious behavior as normal. False positives and false negatives errors also lead to inevitable costs (Joo, Hong, & Han, 2003). Such systems can be further categorized into Network Intrusion Detection System (NIDS) and Host Intrusion Detection System (HIDS).
Anomaly Detection Using Hybrid Neuro Genetic Model
2022, Journal of Interconnection Networks
A Machine-Learning-Based Approach to Build Zero-False-Positive IPSs for Industrial IoT and CPS with a Case Study on Power Grids Security
2024, IEEE Transactions on Industry Applications