Abstract

Much effort has gone into designing a perfect NIDS that has a high detection rate and a low false alarm rate. Some approaches use misuse detection, which fails to detect zero-day attacks. Supervised learning carries the cost of producing the labeled dataset that is essential for training the model, and because the model is trained on known attacks it may fail to detect new attack variants. Unsupervised learning, on the other hand, has the problem of labeling the generated clusters. The One-Class Classification (OCC) learning technique suffers from high-dimensional network feature spaces, and problems may also arise when large differences in density exist. To overcome these problems, we propose an OCC-NIDS model based on the standard deviation of a service's normal behaviour. In this model we treat each network service as a single class instead of treating all network services as a single class. This way we use only the relevant features of each service, which reduces the high-dimensional network feature space and also ensures that each class has an approximately uniform distribution. The proposed model proved able to detect abnormal network traffic with a high detection rate and a low false positive rate. It achieved a 99.72% detection rate and a 99.65% accuracy rate, with a false alarm rate of 0.7% and a false positive rate of 0.005%, on the KDD Cup'99 dataset.
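The per-service idea described in the abstract can be illustrated as follows; this is an added example, not the authors' implementation. The feature names follow KDD Cup'99 fields, while the choice of relevant features per service, the threshold k = 3, the handling of unseen services, and all records are assumptions constructed for the illustration.

```python
import math
from collections import defaultdict

# Assumption: which features count as "relevant" for each service.
RELEVANT = {"http": ("src_bytes", "duration"), "smtp": ("src_bytes", "count")}

# Constructed normal-only training records (not taken from KDD Cup'99).
NORMAL = (
    [{"service": "http", "src_bytes": b, "duration": d}
     for b, d in [(200, 1), (220, 2), (180, 1), (210, 2), (190, 1)]]
    + [{"service": "smtp", "src_bytes": b, "count": c}
       for b, c in [(1000, 2), (1100, 3), (900, 2), (1050, 3), (950, 2)]]
)

def fit(records, relevant=RELEVANT):
    """Learn (mean, std) per service and per relevant feature from normal traffic."""
    by_service = defaultdict(list)
    for rec in records:
        by_service[rec["service"]].append(rec)
    profiles = {}
    for service, rows in by_service.items():
        profiles[service] = {}
        for feat in relevant[service]:
            vals = [row[feat] for row in rows]
            mean = sum(vals) / len(vals)
            std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
            profiles[service][feat] = (mean, std)
    return profiles

def is_anomalous(record, profiles, k=3.0, eps=1e-9):
    """Flag a record whose relevant features leave mean +/- k*std for its service."""
    profile = profiles.get(record["service"])
    if profile is None:
        return True  # assumption: a service with no normal profile is flagged
    # eps keeps a constant feature (std == 0) from flagging its own mean value
    return any(abs(record[feat] - mean) > k * max(std, eps)
               for feat, (mean, std) in profile.items())

PROFILES = fit(NORMAL)
```

In this constructed data a `src_bytes` value of 1000 is normal for `smtp` but anomalous for `http`, a distinction that pooling all services into one class would lose.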
