Intrusion Detection Systems (IDS) have become important and widely used tools for ensuring network security. Since the amount of audit data that an IDS needs to examine is very large even for a small network, audit data reduction is often a necessary task. To maximize the time performance, scalability, and fast re-training or tuning of an IDS, irrelevant features in audit data must be identified and eliminated from examination by the IDS. This paper concerns ranking the importance of input features for IDS. We use the DARPA data initially provided for the KDD'99 competition and perform experiments using neural networks (NN) and support vector machines (SVM). To rank the significance of the 41 input features in the data, we first build NN and SVM that achieve a high level of accuracy. Next, input features are deleted, one at a time, and NN and SVM are trained based on the reduced input. The performance of the NN and SVM is then compared with that of the original NN and SVM to determine the significance of the deleted feature. A number of simulation results are presented, including binary classifications (normal and attack) and five-class classifications (normal, and four classes of attacks). It is demonstrated that a large number of the (41) input features are unimportant and may be eliminated, without significantly lowering the performance of the IDS.
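The delete-one-feature, retrain, compare procedure described above, as an added sketch that is not the paper's code: a nearest-centroid classifier stands in for the NN and SVM, and the records are constructed synthetic data rather than the KDD'99 set. The feature names and class means are assumptions made for illustration.

```python
import random

FEATURES = ["sig_a", "sig_b", "noise_a", "noise_b"]  # hypothetical feature names
ATTACK_MEANS = [3.0, 2.5, 0.0, 0.0]  # constructed: only the first two carry signal

def make_data(n_per_class, rng):
    """Constructed records: (feature vector, label), label 1 = attack, 0 = normal."""
    rows = []
    for label in (0, 1):
        for _ in range(n_per_class):
            rows.append(([rng.gauss(m * label, 1.0) for m in ATTACK_MEANS], label))
    return rows

def train(rows, keep):
    """Nearest-centroid model over the feature indices in `keep` (stand-in for NN/SVM)."""
    cents = {}
    for label in (0, 1):
        members = [x for x, y in rows if y == label]
        cents[label] = [sum(x[i] for x in members) / len(members) for i in keep]
    return cents

def accuracy(cents, rows, keep):
    """Fraction of rows whose closest class centroid matches the true label."""
    hits = 0
    for x, y in rows:
        dist = {c: sum((x[i] - m) ** 2 for i, m in zip(keep, cents[c])) for c in cents}
        hits += min(dist, key=dist.get) == y
    return hits / len(rows)

def rank_features(train_rows, test_rows):
    """Delete one feature at a time, retrain, rank by accuracy lost versus the full model."""
    full = list(range(len(FEATURES)))
    baseline = accuracy(train(train_rows, full), test_rows, full)
    drops = []
    for i, name in enumerate(FEATURES):
        keep = [j for j in full if j != i]
        acc = accuracy(train(train_rows, keep), test_rows, keep)
        drops.append((name, baseline - acc))
    return baseline, sorted(drops, key=lambda d: d[1], reverse=True)

def run(seed=1999):
    rng = random.Random(seed)
    return rank_features(make_data(500, rng), make_data(1000, rng))

if __name__ == "__main__":
    baseline, ranking = run()
    print(f"baseline accuracy: {baseline:.3f}")
    for name, drop in ranking:
        print(f"{name:8s} accuracy drop when deleted: {drop:+.3f}")
```

Features whose deletion leaves accuracy essentially unchanged are the candidates for removal from the IDS input; a drop near zero on one held-out split should be confirmed on further splits before a feature is discarded.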