Abstract

Following successful machine learning applications in many fields, researchers have tried to introduce machine learning into intrusion detection systems to build classification models. Although experimental results show that these classification models can achieve higher accuracy in predicting network attacks on offline datasets than operational intrusion detection systems, machine learning is rarely deployed in real intrusion detection environments. This is what we call the last-mile problem of the machine learning approach to network intrusion detection: the discrepancy between the strengths and requirements of machine learning and network operational semantics. In this paper, we aim to bridge that gap. In particular, an LCC-RF-RFEX feature selection approach is proposed to select the optimal features of a specific type of attack from a dataset, and then an intrusion-specific approach is introduced to convert them into detection patterns that a non-machine-learning detector can use to detect that specific attack in a real-world network environment. To substantiate our approach, we take Snort, the KDDCup’99 dataset, and DoS attacks as the experimental subjects to demonstrate how to close the last-mile gap. For the specific types of DoS attack in the KDDCup’99 dataset, we use the LCC-RF-RFEX method to select an optimal feature subset and apply our intrusion-specific approach to generate new Snort rules from it. Comparing the performance of the existing Snort rule set and our augmented Snort rule set with regard to DoS attacks, the experimental results show that our approach expanded Snort’s detection capability for DoS attacks, reduced false-positive alerts for Teardrop and Synflood attacks by up to 25.28% on average, and decreased excessive alerts for Mail bomb attacks by up to 98.87%.

Highlights

  • Intrusion detection systems (IDS) are part of the network security infrastructure designed to provide timely detection of various malicious attacks and take proactive responses to safeguard a network system

  • Much of the literature focuses on improving the performance of the classification models by modifying machine learning algorithms rather than solving the “last mile problem.” Therefore, compared to the related literature, this paper mainly focuses on bridging the gap between the strengths and requirements of ML/data mining (DM) and network operational semantics

  • We focus on the “last mile problem” between ML/DM and the operational network IDS and propose an intrusion-specific approach to bridge the semantic gap between ML/DM and network operations. The intrusion-specific method for closing the last-mile gap mainly uses ML/DM technologies to abstract the optimal features for the specific attack from the dataset and converts them into building blocks that a signature-based IDS can use to characterize signatures of that specific attack


Summary

Introduction

Intrusion detection systems (IDS) are part of the network security infrastructure designed to provide timely detection of various malicious attacks and take proactive responses to safeguard a network system. Classification models obtained through ML/DM for signature-based or anomaly-based detection are hard to convert into appropriate operations that actual non-machine-learning IDS products can use to detect specific attacks in a real-world network environment. Much of the literature focuses on improving the performance of the classification models by modifying machine learning algorithms rather than solving the “last mile problem.” Therefore, compared to the related literature, this paper mainly focuses on bridging the gap between the strengths and requirements of ML/DM and network operational semantics. Our intrusion-specific method for closing the last-mile gap aims to convert the features on which the classification models operate into the corresponding building blocks of the signature-based IDS, which the signature-based IDS can then use to define the detection patterns for specific attacks.
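The conversion step described above, as an added illustration that is not the paper's own code: it takes the feature subset selected for one attack type and renders it into Snort rule text. The KDD'99 feature names are the dataset's own, but the mapping from each feature to a Snort rule option, the per-attack feature subsets and the thresholds are assumptions constructed here to show the mechanism, not the paper's LCC-RF-RFEX output.

```python
"""Render a per-attack feature subset into Snort rule text (illustrative)."""

# Assumed mapping: KDD'99 connection feature -> Snort rule option template.
# Window-based features such as `count` (connections to the same host in the
# last 2 seconds) have no single-packet equivalent, so they are expressed as a
# detection_filter, which is Snort's per-destination count over time.
FEATURE_OPTIONS = {
    "wrong_fragment": "fragbits:M;",              # more-fragments bit set
    "flag=S0": "flags:S; flow:stateless;",       # SYN seen, handshake never completed
    "count": "detection_filter:track by_dst, count {count}, seconds {seconds};",
    "land": "sameip;",                            # source address equals destination
}

def build_rule(attack, proto, dst_port, features, sid, count=None, seconds=2):
    """Compose one Snort rule from the features selected for `attack`."""
    opts = []
    for feat in features:
        if feat not in FEATURE_OPTIONS:
            raise ValueError(f"no Snort mapping for feature {feat!r}")
        if feat == "count" and count is None:
            raise ValueError("the `count` feature needs a threshold")
        opts.append(FEATURE_OPTIONS[feat].format(count=count, seconds=seconds))
    header = f"alert {proto} any any -> $HOME_NET {dst_port}"
    body = (f'msg:"{attack} (selected features)"; ' + " ".join(opts)
            + f" classtype:attempted-dos; sid:{sid}; rev:1;")
    return f"{header} ({body})"

# Constructed sample: one plausible feature subset per DoS attack type.
SELECTED = {
    "Teardrop": dict(proto="ip", dst_port="any", features=["wrong_fragment"], sid=1000001),
    "Synflood": dict(proto="tcp", dst_port="any", features=["flag=S0", "count"],
                     sid=1000002, count=100),
    "Mailbomb": dict(proto="tcp", dst_port="25", features=["count"],
                     sid=1000003, count=50, seconds=10),
}

def generate_ruleset(selected=SELECTED):
    """Return the list of rule lines to append to a Snort rules file."""
    return [build_rule(name, **spec) for name, spec in selected.items()]

if __name__ == "__main__":
    print("\n".join(generate_ruleset()))
```

The generated lines can be appended to a local rules file and checked with Snort's configuration test mode before use; the thresholds would in practice come from the selected features' split points, which this example only stands in for.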

