Article

Naive Bayes vs decision trees in intrusion detection systems

Authors:
Nahla Ben Amor

Institute Supérieur de Gestion, Le Bardo, Tunisie

Institute Supérieur de Gestion, Le Bardo, Tunisie
View Profile

,
Salem Benferhat

Université d'Artois, Rue Jean Souvraz, Lens, Cedex, France

Université d'Artois, Rue Jean Souvraz, Lens, Cedex, France
View Profile

,
Zied Elouedi

Institute Supérieur de Gestion, Le Bardo, Tunisie

Institute Supérieur de Gestion, Le Bardo, Tunisie
View Profile

SAC '04: Proceedings of the 2004 ACM symposium on Applied computingMarch 2004Pages 420–424https://doi.org/10.1145/967900.967989

Published:14 March 2004Publication History

SAC '04: Proceedings of the 2004 ACM symposium on Applied computing

Pages 420–424

ABSTRACT

Bayes networks are powerful tools for decision and reasoning under uncertainty. A very simple form of Bayes networks is called naive Bayes, which are particularly efficient for inference tasks. However, naive Bayes are based on a very strong independence assumption. This paper offers an experimental study of the use of naive Bayes in intrusion detection. We show that even if having a simple structure, naive Bayes provide very competitive results. The experimental study is done on KDD'99 intrusion data sets. We consider three levels of attack granularities depending on whether dealing with whole attacks, or grouping them in four main categories or just focusing on normal and abnormal behaviours. In the whole experimentations, we compare the performance of naive Bayes networks with one of well known machine learning techniques which is decision tree. Moreover, we compare the good performance of Bayes nets with respect to existing best results performed on KDD'99.

References

Axelsson, S.: Intrusion detection systems: a survey and taxonomy. Technical report 99-15, March 2000.]]Google Scholar
Breiman, L., Friedman, J. H., Olshen, R. A., Stone, C. J.: Classification and regression trees. Monterey, CA Wadsworth & Brooks, 1984.]]Google Scholar
Cooper, G. F.: Computational complexity of probabilistic inference using Bayes belief networks. Artificial Intelligence, Vol. 42, 393--405, 1990.]] Google ScholarDigital Library
Hyafil, L., Rivest, R. L: Constructing optimal binary decision trees is NP-complete. Information Processing Letters, 5(1):15--17, 1976.]]Google ScholarCross Ref
Jensen, F. V.: Introduction to Bayesien networks. UCL Press, 1996.]] Google ScholarDigital Library
John, G.: Enhancements to the Data Mining Process. PhD thesis, Stanford University, 1997.]] Google ScholarDigital Library
Kumar, S., Spafford., E. H.: A software architecture to support misuse intrusion detection. In proceedings of the 18th National Information Security Conference, 194--204, 1995.]]Google Scholar
Ilgun, K., Kemmerer., R. A., Porras, P. A.: State transition: A rule-based intrusion detection approach. IEEE Transactions on Software Engineering, 21(3), 181--199, 1995.]] Google ScholarDigital Library
Lunt, T.: Detecting intruders in computer systems. In proceedings of the Sixth Annual Symposium and Technical Displays on Physical and Electronic Security, 1993.]]Google Scholar
Pearl J.: Probabilistic Reasoning in intelligent systems: networks of plausible inference. Morgan Kaufmman, Los Altos, CA, 1988.]] Google ScholarDigital Library
Porras, P. A., Neumann., P. G., EMERALD: Event monitoring enabling responses to anomalous live disturbances. In proceedings of the 20th National Information Systems Security Conference, Baltimore, Maryland, USA, NIST, 353--365, 1997.]]Google Scholar
Quinlan, J. R.: C4.5, Programs for machine learning. Morgan Kaufmann San Mateo Ca, 1993.]] Google ScholarDigital Library
Quinlan, J. R.: Bagging, boosting, and C4.5. Proceedings of the thirteenth national conference on AI, Vol. 1, 725--730, 1997.]]Google Scholar
Valdes, A., Skinner K.: Adaptive Model-based Monitoring for Cyber Attack Detection. In proceedings of Recent Advances in Intrusion Detection (RAID 2000), Toulouse, France, 80--92, 2000.]] Google ScholarDigital Library
http://kdd.ccs.uci.edu/databases/kddcup99/task.html]]Google Scholar
R. Marty: Snort the open source network IDS, http://www.snort.org/, 2001.]]Google Scholar

Naive Bayes vs decision trees in intrusion detection systems
1. Computing methodologies
  1. Machine learning
    1. Learning paradigms
      1. Supervised learning
    2. Machine learning approaches

Recommendations

Naive Bayes models for probability estimation
ICML '05: Proceedings of the 22nd international conference on Machine learning

Naive Bayes models have been widely used for clustering and classification. However, they are seldom used for general probabilistic learning and inference (i.e., for estimating and computing arbitrary joint, conditional and marginal distributions). In ...
Read More
Averaged Naive Bayes Trees: A New Extension of AODE
ACML '09: Proceedings of the 1st Asian Conference on Machine Learning: Advances in Machine Learning

Naive Bayes (NB) is a simple Bayesian classifier that assumes the conditional independence and augmented NB (ANB) models are extensions of NB by relaxing the independence assumption. The averaged one-dependence estimators (AODE) is a classifier that ...
Read More
Tree-augmented naïve Bayes-based model for intrusion detection system

Despite enormous efforts for detecting unauthorised attempts to access a system or a network using an Intrusion Detection System (IDS), a major shortcoming still remains, which is the high False Positive (FP) rate, i.e. incorrect classification of the ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SAC '04: Proceedings of the 2004 ACM symposium on Applied computing
March 2004
1733 pages
ISBN:1581138121
DOI:10.1145/967900
Conference Chair:
Hisham M. Haddad
Kennesaw State University
,
Program Chairs:
Andrea Omicini
Università degli Studi di Bologna a Cesena
,
Roger L. Wainwright
University of Tulsa
,
Publications Chair:
Lorie M. Liebrock
New Mexico Institute of Mining and Technology
Copyright © 2004 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 14 March 2004
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate1,650of6,669submissions,25%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 228
  Total Citations
  View Citations
- 4,291
  Total Downloads
- Downloads (Last 12 months)90
- Downloads (Last 6 weeks)13
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Naive Bayes vs decision trees in intrusion detection systems

SAC '04: Proceedings of the 2004 ACM symposium on Applied computing

ABSTRACT

References

Cited By

Recommendations

Naive Bayes models for probability estimation

Averaged Naive Bayes Trees: A New Extension of AODE

Tree-augmented naïve Bayes-based model for intrusion detection system