The neural network models for IDS based on the asymmetric costs of false negative errors and false positive errors

doi:10.1016/S0957-4174(03)00007-1

Expert Systems with Applications

Volume 25, Issue 1, July 2003, Pages 69-75

https://doi.org/10.1016/S0957-4174(03)00007-1 Get rights and content

Abstract

This paper investigates the asymmetric costs of false positive and negative errors to enhance the IDS performance. The proposed method utilizes the neural network model to consider the cost ratio of false negative errors to false positive errors. Compared with false positive errors, false negative errors incur a greater loss to organizations which are connected to the systems by networks. This method is designed to accomplish both security and system performance objectives. The results of our empirical experiment show that the neural network model provides high accuracy in intrusion detection. In addition, the simulation results show that the effectiveness of intrusion detection can be enhanced by considering the asymmetric costs of false negative and false positive errors.

Introduction

The rapid growth of networks in information systems has resulted in the increasing attention to Intrusion Detection Systems (IDS), which many companies have adopted to protect their information assets (Verwoerd and Hunt, 2002). IDS are the software with the functions of detecting, identifying and responding to unauthorized or abnormal activities on a target system (Denning, 1987, Richards, 1999). Intrusion Detection is an area with increasing concerns in the Internet community. In response to this concern, many automated IDS have been developed (Biermann et al., 2001). In recent years, data mining techniques such as statistical methods and artificial approaches have been successfully applied in the context of network intrusion detection (Heatley and Otto, 1998). Data mining is a process of sifting through large volumes of data to discover trends and patterns. Most of the IDS designed so far, however, have difficulty in accurately classifying intrusive attempts. IDS inevitably make errors even though many techniques are employed for detecting fatal attacks on a server.

The purpose of IDS is to distinguish between intruders and normal users. It is difficult to remove all possible errors due to the enormous variety and complexity of today's networks. Although data mining has become a very useful technique by reducing the information overload and improving the performance of IDS, two types of errors result in evoking inevitable IDS costs. These errors consist of false positive errors and false negative errors in IDS. The false positive errors occur because the IDS sensor misinterprets normal packets or activities as an attack. These errors can degrade the productivity of the systems by invoking unnecessary countermeasures. On the other hand, false negative errors occur because an attacker is misclassified as a normal user. A fatal problem may arise from a false negative error as unauthorized or abnormal activities generate unexpected or undesirable operations of the systems. False negative errors cause great losses for organizations which are connected to the systems by networks. The risk of false negative errors is higher than the risk for false positive errors. However, most studies of IDS that employ the data mining techniques have focused on improving the prediction ability for unauthorized or abnormal users (Heatley and Otto, 1998).

In most cases of the operation of IDS in organizations, IDS operators rely on their experience to identify and resolve unexpected false negative error issues (White et al., 1996). This study proposes a method to analyze and reduce the total costs based on the asymmetric costs of errors in the IDS. This study adopts the neural network model, which has shown successful results for detecting and identifying unauthorized or abnormal activities from the networks (Lee et al., 1999). The objective of the proposed method is to minimize the loss for an organization under an open network environment. This study employs the neural network model for intrusion detection. Furthermore, the study analyzes the cost-effectiveness of the false error levels and presents experimental results for the validation of our intrusion detection model.

The remainder of this paper consists of four sections. The next section presents the introduction of IDS and the studies of data mining approaches for IDS. The research model of this study is addressed in detail in Section 3. In Section 4, the asymmetric costs of false negative errors and false positive errors are validated by experimental results. Finally, this paper is concluded with the summary, contributions and limitations.

Section snippets

Intrusion detection systems

An intrusion is an unauthorized access or usage of the resources of a computer system (Esmaili, et al., 1996). IDS are the software with the functions of detecting, identifying and responding to unauthorized or abnormal activities on a target system (Denning, 1987, Richards, 1999). The goal of the IDS is to provide a mechanism for the detection of security violations either in real-time or batch-mode (Debar et al., 1989, Debar et al., 1992). Violations are initiated either by outsiders

Asymmetric costs of errors for IDS

In this paper, we adopt neural networks for the purpose of improving the performance of IDS. Neural networks have shown promising performance for intrusion detection (Bonifacio et al., 1998, Lippmann and Cunningham, 2000). Neural networks adapt well to changing circumstances and environmental factors and handle the fuzziness and bias aspects of human decision making (Hill and Remus, 1994). In the past decade, neural networks have been successfully applied to the various areas such as finance (

Data

Experimental data were collected randomly by the IDS sensor from Cyber-PATROL, Inc. in Korea. Cyber-PATROL, a fully integrated security services company, provides IT security services in Korea like Counterpane Internet Security does in Washington, DC. The sample consisted of 10 210 cases that include normal and attack patterns. The sample was divided into two subsets of in-sample and out-of-sample. The input variables of the neural network models for intrusion detection are described in Table 2

Conclusion

There have been a variety of studies and systems designed to detect intrusion by using data mining approaches. However, most studies addressed the measure of system performance as providing prediction accuracy without considering the asymmetric costs of errors in intrusion detection. In this study we proposed a neural network model based on asymmetric costs of false positive errors and false negative errors. The first phase of this study develops a neural network model for intrusion detection.

References (29)

E. Biermann et al.
A comparison of intrusion detection systems
Computer and Security
(2001)
R. Hecht-Nielsen
Applications of counterpropagation networks
Neural Networks
(1988)
T. Hill et al.
Neural network models for intelligent support of managerial decision making
Decision Support Systems
(1994)
T. Hong et al.
Knowledge-based data mining of news information on the Internet using cognitive maps and neural networks
Expert Systems with Applications
(2002)
H. Hruschka et al.
Comparing performance of feedforward neural nets and K-means for cluster-based market segmentation
European Journal of Operational Research
(1999)
K. Kim et al.
Genetic algorithms approach to feature discretization in artificial neural networks for the prediction of stock price index
Expert Systems with Applications
(2000)
K.Y. Lam et al.
A data reduction method for intrusion detection
Systems Software
(1996)
R.P. Lippmann et al.
Improving intrusion detection performance using keyword selection and neural networks
Computer Networks
(2000)
K. Richards
Network based intrusion detection: a review of technologies
Computer and Security
(1999)
T. Verwoerd et al.
Intrusion detection techniques and approaches
Computer Communication
(2002)

J.M. Bonifacio et al.

Neural networks applied in intrusion detection system

Proceedings of the IEEE, International Joint Conference

(1998)

H. Debar et al.

Towards a taxonomy of intrusion-detection systems

Computer Networks

(1989)

H. Debar et al.

A neural network component for an intrusion detection system

IEEE Computer Society Symposium Research in Security and Privacy

(1992)

D.E. Denning

An intrusion detection model

IEEE Trans. S.E.

(1987)

Cited by (86)

Intrusion detection method based on improved social network search algorithm
2024, Computers and Security
The network security problem in today's world is becoming more and more prominent, and intrusion detection as a branch in the field of network security has been developed tremendously. At present, back propagation (BP) neural network is widely used in intrusion detection. However, its weights and thresholds are randomly initialized, so that fall into local optimal after training. To solve this problem, an intrusion detection model based on improved social network search (ISNS) algorithm to optimize BP neural network is proposed. The model first uses chaotic mapping and elite mechanism to improve the original Social Network Search (SNS) algorithm, and then uses the ISNS algorithm to filter the initial weights and thresholds of the BP neural network, and constructs the neural network with the optimal values to avoid falling into local optimum. The experimental results show that the proposed method solves the problem that the traditional BP neural network is easy to fall into local optimum. At the same time, the ISNS_BP model achieves better classification performance than other models, and the accuracy on the NSL-KDD and UNSW-NB15 datasets reaches 98.62% and 93.97%, respectively.
Maximizing total yield in safety hazard monitoring of online reviews
2023, Expert Systems with Applications
Many firms face challenges in monitoring their products for evidence of safety hazards, which can have profoundly negative effects both on consumers and on firms’ financial standings. Monitoring online reviews has the potential to unveil vital safety insights, but the volume of the data poses practical challenge. A popular recent approach to safety surveillance has involved utilizing “smoke terms” customized to the safety-related language in each product category. In this work, we suggest two new methods for deriving smoke terms: piecewise smoke terms and sum of ranks smoke terms. In addition, we address the question of whether smoke terms can be trained to perform well across product categories. We find that our new smoke term methods show improvement in performance upon traditional approaches, such as sentiment analysis, for detecting mentions of safety hazards. We find that piecewise smoke terms in particular performed well across all multiple product categories. We also found that while it is difficult for a cross-category technique to match the performance of a category-specific technique, our novel set of cross-category smoke terms performed with great promise and offer substantial improvement upon sentiment analysis.
A feature reduced intrusion detection system using ANN classifier
2017, Expert Systems with Applications
Citation Excerpt :
Another drawback is, if an attacker knows that he or she is being profiled, they can slowly change the profile to train the anomaly detection system of intruder's malicious behavior as normal. False positives and false negatives errors also lead to inevitable costs (Joo, Hong, & Han, 2003). Such systems can be further categorized into Network Intrusion Detection System (NIDS) and Host Intrusion Detection System (HIDS).
Rapid increase in internet and network technologies has led to considerable increase in number of attacks and intrusions. Detection and prevention of these attacks has become an important part of security. Intrusion detection system is one of the important ways to achieve high security in computer networks and used to thwart different attacks. Intrusion detection systems have curse of dimensionality which tends to increase time complexity and decrease resource utilization. As a result, it is desirable that important features of data must be analyzed by intrusion detection system to reduce dimensionality. This work proposes an intelligent system which first performs feature ranking on the basis of information gain and correlation. Feature reduction is then done by combining ranks obtained from both information gain and correlation using a novel approach to identify useful and useless features. These reduced features are then fed to a feed forward neural network for training and testing on KDD99 dataset. Pre-processing of KDD-99 dataset has been done to normalize number of instances of each class before training. The system then behaves intelligently to classify test data into attack and non-attack classes. The aim of the feature reduced system is to achieve same degree of performance as a normal system. The system is tested on five different test datasets and both individual and average results of all datasets are reported. Comparison of proposed method with and without feature reduction is done in terms of various performance metrics. Comparisons with recent and relevant approaches are also tabled. Results obtained for proposed method are really encouraging.
Anomaly Detection Using Hybrid Neuro Genetic Model
2022, Journal of Interconnection Networks
Network intrusion detection system by learning jointly from tabular and text-based features
2024, Expert Systems
A Machine-Learning-Based Approach to Build Zero-False-Positive IPSs for Industrial IoT and CPS with a Case Study on Power Grids Security
2024, IEEE Transactions on Industry Applications

View all citing articles on Scopus

¹: Tel.: +82-2-958-3131; fax: +82-2-958-3604.

²: Tel.:+82-2-958-3613; fax: +82-2-958-3604.

View full text

The neural network models for IDS based on the asymmetric costs of false negative errors and false positive errors

Abstract

Introduction

Section snippets

Intrusion detection systems

Asymmetric costs of errors for IDS

Data

Conclusion

Computer and Security

Neural Networks

Decision Support Systems

Expert Systems with Applications

European Journal of Operational Research

Expert Systems with Applications

Systems Software

Computer Networks

Computer and Security

Computer Communication

Neural networks applied in intrusion detection system

Proceedings of the IEEE, International Joint Conference

Towards a taxonomy of intrusion-detection systems

Computer Networks

A neural network component for an intrusion detection system

IEEE Computer Society Symposium Research in Security and Privacy

An intrusion detection model

IEEE Trans. S.E.