A Hybrid Model for Anomaly-Based Intrusion Detection in Complex Computer Networks

D. Protić, M. Stankovic
Published in: 2020 21st International Arab Conference on Information Technology (ACIT)
Publication date: 2020-11-28
DOI: 10.1109/ACIT50332.2020.9299965 (https://doi.org/10.1109/ACIT50332.2020.9299965)
Citations: 1

Abstract

Anomaly-based intrusion detection classifiers detect the notion of normality and classify intrusion and/or misuse as either 'normal' or 'anomaly'. In complex computer networks, the number of training records is often large, which makes the evaluation of the classifiers computationally expensive. In this paper we present a feature selection and instance normalization algorithm that reduces the dimensionality of the dataset, decreases processing time and increases the accuracy of two classifier models, namely weighted k-Nearest Neighbor (wk-NN) and Feedforward Neural Network (FNN). The experiments are conducted on three daily records of real computer network traffic data derived from the Kyoto 2006+ dataset. The results show high accuracy for both the wk-NN and FNN classifiers, but variations in their mutual decisions on detected anomalies. These variations are determined with the novel hybrid model by applying a logical exclusive-or (XOR) operation to the predicted outcomes. The improvement in anomaly detection ranges from 0.67% to 8.08%.