Abstract Dendron: Genetic trees driven rule induction for network intrusion detection systems
Journal: Future generation computer systems


Abstract

Intrusion detection systems (IDSs) are essential entities in a network topology aiming to safeguard the integrity and availability of sensitive assets in the protected systems. In misuse detection systems, which is the topic of the paper at hand, the detection process relies on specific attack signatures (rules) in an effort to distinguish between legitimate and malicious network traffic. Generally, three major challenges are associated with any IDS of this category: identifying patterns of new attacks with high accuracy, ameliorating the human-readability of the detection rules, and rightly designating the category these attacks belong to. To this end, we propose Dendron, a methodology for generating new detection rules which are able to classify both common and rare types of attacks. Our methodology takes advantage of both Decision Trees and Genetic Algorithms for the sake of evolving linguistically interpretable and accurate detection rules. It also integrates heuristic methods in the evolutionary process aiming to deal with the challenging nature of the network traffic, which generally biases machine learning techniques to neglect the minority classes of a dataset. The experimental results, using KDDCup’99, NSL-KDD and UNSW-NB15 datasets, reveal that Dendron is able to achieve superior results over other state-of-the-art and legacy techniques under several classification metrics, while at the same time is able to significantly detect rare intrusive incidents.

Highlights

  • A rule induction method is proposed in the context of misuse intrusion detection.
  • Decision trees & genetic algorithms are combined to provide accurate detection rules.
  • The rules are human-readable and detect both rare and popular intrusive incidents.
  • We propose a weighted selection probability function for evolving unbiased decision trees.
  • Our method treats imbalanced datasets fairly and increases accuracy in minor classes.