Abstract

The application of data mining and machine learning techniques to the network intrusion detection domain has recently gained importance. This paper presents a set of indirect classification techniques for addressing the multi-category classification problem in network intrusion detection. In contrast to indirect classification techniques, direct classification techniques generally extend associated binary classifiers to handle multi-category classification problems. An indirect classification technique decomposes the original multi-category problem into multiple binary classification problems based on some criteria. We investigate the one vs. one and one vs. rest approaches for building the binary classifiers, the results of which are then merged using a combining strategy. Three different combining strategies are investigated in our study: Hamming decoding, loss-based decoding, and the soft-max function. Consequently, we evaluate six different indirect classification techniques in our study. To our knowledge, there are no existing works that evaluate as many indirect classification techniques. The six indirect classification approaches are investigated and evaluated relative to one another in the context of the DARPA KDD 1999 offline intrusion detection project. Our empirical evaluation indicated that among the binarisation techniques, the one vs. one technique yielded generally better results, while among the combining strategies, the loss-based decoding and Hamming decoding techniques yielded better results than the soft-max function. This study demonstrates the usefulness of the indirect classification approach for network intrusion detection.
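The following sketch is an added example, not code from the paper: it builds the one vs. rest and one vs. one decompositions as code matrices and applies Hamming and loss-based decoding to binary classifier margins. The five-class label set, the exponential loss, and the margin values are assumptions constructed for illustration.

```python
import itertools
import math

# Five traffic categories of the KDD Cup 1999 data (label set assumed here).
CLASSES = ["normal", "dos", "probe", "r2l", "u2r"]

def one_vs_rest(k):
    """Code matrix: row = class, column = binary classifier (+1 target, -1 rest)."""
    return [[1 if r == c else -1 for c in range(k)] for r in range(k)]

def one_vs_one(k):
    """One column per class pair (a, b): +1 for a, -1 for b, 0 = class not involved."""
    pairs = list(itertools.combinations(range(k), 2))
    return [[1 if r == a else -1 if r == b else 0 for a, b in pairs]
            for r in range(k)]

def hamming_distances(matrix, margins):
    """Count sign disagreements per class; a 0 entry costs 1/2. Magnitudes are ignored."""
    sign = lambda x: (x > 0) - (x < 0)
    return [sum((1 - sign(m * f)) / 2 for m, f in zip(row, margins))
            for row in matrix]

def loss_totals(matrix, margins, loss=lambda z: math.exp(-z)):
    """Sum a margin loss per class, so confident binary classifiers weigh more.
    The exponential loss is an assumed choice, not taken from the paper."""
    return [sum(loss(m * f) for m, f in zip(row, margins)) for row in matrix]

def decode(scores):
    """Return the class with the smallest distance or loss (first index on ties)."""
    return CLASSES[scores.index(min(scores))]

# Constructed margins (positive = classifier votes for its +1 side).
# One vs. rest: "dos" and "u2r" both fire, "u2r" with more confidence.
OVR_MARGINS = [-0.2, 0.1, -0.9, -0.8, 0.3]
# One vs. one, pair order (0,1),(0,2),(0,3),(0,4),(1,2),(1,3),(1,4),(2,3),(2,4),(3,4).
OVO_MARGINS = [0.4, -1.2, 0.5, 0.3, -0.9, 0.2, 0.1, 1.1, 0.8, -0.1]

if __name__ == "__main__":
    ovr, ovo = one_vs_rest(len(CLASSES)), one_vs_one(len(CLASSES))
    print("OvR Hamming distances:", hamming_distances(ovr, OVR_MARGINS))
    print("OvR Hamming ->", decode(hamming_distances(ovr, OVR_MARGINS)))
    print("OvR loss    ->", decode(loss_totals(ovr, OVR_MARGINS)))
    print("OvO Hamming ->", decode(hamming_distances(ovo, OVO_MARGINS)))
    print("OvO loss    ->", decode(loss_totals(ovo, OVO_MARGINS)))
```

On the one vs. rest margins, Hamming decoding ties between two classes and falls back to index order, while loss-based decoding resolves the tie using classifier confidence.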
