ABSTRACT
Bayes networks are powerful tools for decision making and reasoning under uncertainty. A very simple form of Bayes network is the naive Bayes classifier, which is particularly efficient for inference tasks. However, naive Bayes relies on a very strong independence assumption. This paper offers an experimental study of the use of naive Bayes in intrusion detection. We show that, despite its simple structure, naive Bayes provides very competitive results. The experimental study is carried out on the KDD'99 intrusion data sets. We consider three levels of attack granularity, depending on whether we deal with each attack individually, group the attacks into four main categories, or focus only on normal versus abnormal behaviour. Throughout the experiments, we compare the performance of naive Bayes networks with that of a well-known machine learning technique, the decision tree. Moreover, we compare the performance of Bayes nets with the best existing results reported on KDD'99.
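As an added illustration (not code from the paper), the following Python implements a categorical naive Bayes classifier under the conditional-independence assumption the abstract refers to, and applies it to constructed KDD'99-style records at the three granularities described: individual attack, the four standard KDD'99 categories (dos, probe, r2l, u2r), and normal versus abnormal. The feature subset (protocol_type, service, flag), the sample records and the `relabel`/`classify` helpers are assumptions made for this example.

```python
from collections import Counter, defaultdict
from math import log

# Attack names are real KDD'99 labels grouped into the standard four KDD'99
# categories (dos, probe, r2l, u2r); the records are constructed, not real data.
CATEGORY = {"smurf": "dos", "neptune": "dos", "portsweep": "probe", "ipsweep": "probe",
            "guess_passwd": "r2l", "buffer_overflow": "u2r", "normal": "normal"}
RECORDS = [  # constructed (protocol_type, service, flag, label)
    ("icmp", "ecr_i", "SF", "smurf"), ("icmp", "ecr_i", "SF", "smurf"),
    ("tcp", "private", "S0", "neptune"), ("tcp", "private", "S0", "neptune"),
    ("tcp", "private", "REJ", "portsweep"), ("icmp", "eco_i", "SF", "ipsweep"),
    ("tcp", "telnet", "SF", "guess_passwd"), ("tcp", "telnet", "SF", "buffer_overflow"),
    ("tcp", "http", "SF", "normal"), ("tcp", "http", "SF", "normal"),
    ("udp", "domain_u", "SF", "normal"), ("tcp", "smtp", "SF", "normal"),
]

def relabel(label, level):
    """Map a raw KDD'99 label to one of the paper's three granularities."""
    if level == "attack":
        return label
    if level == "category":
        return CATEGORY[label]
    return "normal" if label == "normal" else "abnormal"  # level == "binary"

class NaiveBayes:
    """argmax_c P(c) * prod_i P(x_i | c): features are treated as conditionally
    independent given the class (the strong assumption the paper evaluates)."""
    def __init__(self, records, level):
        self.prior, self.n = Counter(), len(records)
        self.cond = defaultdict(Counter)   # (feature idx, class) -> value counts
        self.values = defaultdict(set)     # feature idx -> distinct values seen
        for *feats, label in records:
            c = relabel(label, level)
            self.prior[c] += 1
            for i, v in enumerate(feats):
                self.cond[(i, c)][v] += 1
                self.values[i].add(v)

    def predict(self, feats):
        best, best_lp = None, float("-inf")
        for c, n_c in self.prior.items():
            lp = log(n_c / self.n)
            for i, v in enumerate(feats):  # Laplace smoothing; +1 slot for unseen values
                lp += log((self.cond[(i, c)][v] + 1) / (n_c + len(self.values[i]) + 1))
            if lp > best_lp:
                best, best_lp = c, lp
        return best

def classify(feats):  # one record classified at the paper's three granularities
    return {lvl: NaiveBayes(RECORDS, lvl).predict(feats) for lvl in ("attack", "category", "binary")}
```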
Naive Bayes vs decision trees in intrusion detection systems