Share This Article:

A Decision Tree Classifier for Intrusion Detection Priority Tagging

Abstract Full-Text HTML XML Download Download as PDF (Size:254KB) PP. 52-58
DOI: 10.4236/jcc.2015.34006    4,422 Downloads   5,172 Views   Citations
Author(s)    Leave a comment


Snort rule-checking is one of the most popular forms of Network Intrusion Detection Systems (NIDS). In this article, we show that Snort priorities of true positive traffic (real attacks) can be approximated in real-time, in the context of high speed networks, by a decision tree classifier, using the information of only three easily extracted features (protocol, source port, and destination port), with an accuracy of 99%. Snort issues alert priorities based on its own default set of attack classes (34 classes) that are used by the default set of rules it provides. But the decision tree model is able to predict the priorities without using this default classification. The obtained tagger can provide a useful complement to an anomaly detection intrusion detection system.

Conflicts of Interest

The authors declare no conflicts of interest.

Cite this paper

Ammar, A. (2015) A Decision Tree Classifier for Intrusion Detection Priority Tagging. Journal of Computer and Communications, 3, 52-58. doi: 10.4236/jcc.2015.34006.


[1] McCanne, S., Leres, C. and Jacobson, V. (1994) Libpcap, Lawrence Berkeley National Labs.
[2] Roesch, M. (1999) Snort: Lightweight Intrusion Detection for Networks. LISA, 99, 229-238.
[3] Lo, O., Graves, J. and Buchanan, W. (2010) Towards a Framework for the Generation of Enhanced Attack/Background Network Traffic for Evaluation of Network-Based Intrusion Detection Systems. Proceedings of the 9th European Conference on Information Warfare and Security, Academic Conferences Limited, 190.
[4] Day, D. and Burns, B. (2011) A Performance Analysis of Snort and Suricata Network Intrusion Detection and Prevention Engines. ICDS 2011, The 5th International Conference on Digital Society, 187-192.
[5] Albin, E. and Rowe, N.C. (2012) A Realistic Experimental Comparison of the Suricata and Snort Intrusion-Detection Systems. 26th International Conference on Advanced Information Networking and Applications Workshops (WAINA), 122-127.
[6] Shiravi, A., Shiravi, H., Tavallaee, M. and Ghorbani, A.A. (2012) Toward Developing a Systematic Approach to Generate Benchmark Datasets for Intrusion Detection. Computers & Security, 31, 357-374.
[7] Safavian, S.R. and Landgrebe, D.A. (1991) Survey of Decision Tree Classifier Methodology. IEEE Transactions on Systems, Man and Cybernetics, 21, 660-674.
[8] Akthar, F. and Hahne, C. (2012) Rapid Miner 5 Operator Reference.
[9] Murthy, S.K. (1998) Automatic Construction of Decision Trees from Data: A Multi-Disciplinary Survey. Data Mining and Knowledge Discovery, 24, 345-389.
[10] Berzal, F., Cubero, J.C., Cuenca, F. and Martin-Bautista, M.J. (2003) On the Quest for Easy-to-Understand Splitting Rules. Data & Knowledge Engineering, 44, 31-48.
[11] Quinlan, J.R. (1986) Induction of Decision Trees. Machine Learning, 1, 81-106.
[12] Quinlan, J.R. (2014) C4.5: Programs for Machine Learning. Elsevier.
[13] Olshen, L.B.J.F.R. and Stone, C.J. (1984) Classification and Regression Trees. Wadsworth International Group, 93, 101.
[14] Berzal, F., Cubero, J.C., Cuenca, F. and Martin-Bautista, M.J. (2003) On the Quest for Easy-to-Understand Splitting Rules. Data & Knowledge Engineering, 44, 31-48.
[15] Martin, J.K. (1997) An Exact Probability Metric for Decision Tree Splitting and Stopping. Machine Learning, 28, 257-291.
[16] Kubat, M., Holte, R.C. and Matwin, S. (1998) Machine Learning for the Detection of Oil Spills in Satellite Radar Images. Machine Learning, 30, 195-215.
[17] Fawcett, T. and Provost, F.J. (1996) Combining Data Mining and Machine Learning for Effective User Profiling. KDD, 8-13.
[18] Zhou, Z.H. and Liu, X.Y. (2006) Training Cost-Sensitive Neural Networks with Methods Addressing the Class Imbalance Problem. IEEE Transactions on Knowledge and Data Engineering, 18, 63-77.

comments powered by Disqus

Copyright © 2020 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.