Abstract

The paper proposes a cascaded multi-classifier two-phase intrusion detection (TP-ID) approach that can be trained to monitor incoming traffic for any suspicious data. It addresses the issue of efficient detection of intrusion in traffic and further classifies the suspicious traffic as a DDoS attack or flash event. Features portraying the behaviour of normal, DDoS attack, and flash event are extracted from historical data obtained after merging CAIDA'07, SlowDoS2016, CIC-IDS-2017, and WorldCup 1998 benchmark datasets available online along with the commercial dataset for e-shopping assistant website. Information gain is applied to rank and select the most relevant features. TP-ID applies supervised learning algorithms in the two phases. Each phase tests the set of classifiers, the best of which is chosen for building a model. The performance of the system is evaluated using the detection rate, false-positive rate, mean absolute percentage error, and classification rate. The proposed approach classifies the traffic anomalies with a 99% detection rate, 0.43% FPR, and 99.51% classification rate.

Full Text
Published version (Free)

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call