Mining Audit Data for Intrusion Detection Systems Using Support Vector Machines and Neural Networks

This paper concerns using learning machines for intrusion detection. Two classes of learning machines are studied: Artificial Neural Networks (ANNs) and Support Vector Machines (SVMs). We show that SVMs are superior to ANNs for intrusion detection in three critical respects: SVMs train, and run, an order of magnitude faster; SVMs scale much better; and SVMs give higher classification accuracy. We also address the related issue of ranking the importance of input features, which is itself a problem of great interest in modeling. Since elimination of the insignificant and/or useless inputs leads to a simplification of the problem and possibly faster and more accurate detection, feature selection is very important in intrusion detection. Two methods for feature ranking are presented: the first one is independent of the modeling tool, while the second method is specific to SVMs. The two methods are applied to identify the important features in the 1999 DARPA intrusion data. It is shown that the two methods produce results that are largely consistent. We present various experimental results that indicate that SVM-based intrusion detection using a reduced number of features can deliver enhanced or comparable performance. An SVM-based IDS for class-specific detection is thereby proposed. Intrusion detection, Feature selection, Machine learning