A Decision Tree Classifier for Intrusion Detection Priority Tagging

Adel Ammar

doi:10.4236/jcc.2015.34006

Journal of Computer and Communications > Vol.3 No.4, April 2015

A Decision Tree Classifier for Intrusion Detection Priority Tagging

Adel Ammar^*
College of Computer and Information Sciences, Computer Sciences Department, Al-Imam Mohammad Ibn Saud Islamic University, Riyadh, KSA.
DOI: 10.4236/jcc.2015.34006 PDF HTML XML 5,401 Downloads 7,096 Views Citations

Abstract

Snort rule-checking is one of the most popular forms of Network Intrusion Detection Systems (NIDS). In this article, we show that Snort priorities of true positive traffic (real attacks) can be approximated in real-time, in the context of high speed networks, by a decision tree classifier, using the information of only three easily extracted features (protocol, source port, and destination port), with an accuracy of 99%. Snort issues alert priorities based on its own default set of attack classes (34 classes) that are used by the default set of rules it provides. But the decision tree model is able to predict the priorities without using this default classification. The obtained tagger can provide a useful complement to an anomaly detection intrusion detection system.

Keywords

Intrusion Detection, Network Security, Snort, Machine Learning, Classification, Decision Tree

Share and Cite:

Ammar, A. (2015) A Decision Tree Classifier for Intrusion Detection Priority Tagging. Journal of Computer and Communications, 3, 52-58. doi: 10.4236/jcc.2015.34006.

Conflicts of Interest

The authors declare no conflicts of interest.

References

[1]	McCanne, S., Leres, C. and Jacobson, V. (1994) Libpcap, Lawrence Berkeley National Labs.
[2]	Roesch, M. (1999) Snort: Lightweight Intrusion Detection for Networks. LISA, 99, 229-238.
[3]	Lo, O., Graves, J. and Buchanan, W. (2010) Towards a Framework for the Generation of Enhanced Attack/Background Network Traffic for Evaluation of Network-Based Intrusion Detection Systems. Proceedings of the 9th European Conference on Information Warfare and Security, Academic Conferences Limited, 190.
[4]	Day, D. and Burns, B. (2011) A Performance Analysis of Snort and Suricata Network Intrusion Detection and Prevention Engines. ICDS 2011, The 5th International Conference on Digital Society, 187-192.
[5]	Albin, E. and Rowe, N.C. (2012) A Realistic Experimental Comparison of the Suricata and Snort Intrusion-Detection Systems. 26th International Conference on Advanced Information Networking and Applications Workshops (WAINA), 122-127. http://dx.doi.org/10.1109/WAINA.2012.29
[6]	Shiravi, A., Shiravi, H., Tavallaee, M. and Ghorbani, A.A. (2012) Toward Developing a Systematic Approach to Generate Benchmark Datasets for Intrusion Detection. Computers & Security, 31, 357-374. http://dx.doi.org/10.1016/j.cose.2011.12.012
[7]	Safavian, S.R. and Landgrebe, D.A. (1991) Survey of Decision Tree Classifier Methodology. IEEE Transactions on Systems, Man and Cybernetics, 21, 660-674. http://dx.doi.org/10.1109/21.97458
[8]	Akthar, F. and Hahne, C. (2012) Rapid Miner 5 Operator Reference.
[9]	Murthy, S.K. (1998) Automatic Construction of Decision Trees from Data: A Multi-Disciplinary Survey. Data Mining and Knowledge Discovery, 24, 345-389. http://dx.doi.org/10.1023/A:1009744630224
[10]	Berzal, F., Cubero, J.C., Cuenca, F. and Martin-Bautista, M.J. (2003) On the Quest for Easy-to-Understand Splitting Rules. Data & Knowledge Engineering, 44, 31-48. http://dx.doi.org/10.1016/S0169-023X(02)00062-9
[11]	Quinlan, J.R. (1986) Induction of Decision Trees. Machine Learning, 1, 81-106. http://dx.doi.org/10.1007/BF00116251
[12]	Quinlan, J.R. (2014) C4.5: Programs for Machine Learning. Elsevier.
[13]	Olshen, L.B.J.F.R. and Stone, C.J. (1984) Classification and Regression Trees. Wadsworth International Group, 93, 101.
[14]	Berzal, F., Cubero, J.C., Cuenca, F. and Martin-Bautista, M.J. (2003) On the Quest for Easy-to-Understand Splitting Rules. Data & Knowledge Engineering, 44, 31-48. http://dx.doi.org/10.1016/S0169-023X(02)00062-9
[15]	Martin, J.K. (1997) An Exact Probability Metric for Decision Tree Splitting and Stopping. Machine Learning, 28, 257-291. http://dx.doi.org/10.1023/A:1007367629006
[16]	Kubat, M., Holte, R.C. and Matwin, S. (1998) Machine Learning for the Detection of Oil Spills in Satellite Radar Images. Machine Learning, 30, 195-215. http://dx.doi.org/10.1023/A:1007452223027
[17]	Fawcett, T. and Provost, F.J. (1996) Combining Data Mining and Machine Learning for Effective User Profiling. KDD, 8-13.
[18]	Zhou, Z.H. and Liu, X.Y. (2006) Training Cost-Sensitive Neural Networks with Methods Addressing the Class Imbalance Problem. IEEE Transactions on Knowledge and Data Engineering, 18, 63-77. http://dx.doi.org/10.1109/TKDE.2006.17

Journals Menu

Follow SCIRP

	customer@scirp.org
	+86 18163351462(WhatsApp)
	1655362766

	Paper Publishing WeChat

Journals Menu

Home

About SCIRP

Service

Policies