set classified as “probe” indeed belongs to Probe. The overall accuracy of the classification is 97.04 with a false positive rate of 2.76% and false negative rate of 0.20.
Table 2. Performance of resilient back propagation neural network
Probe DoS U2Su R2L
Table 3. Performance of SVMs
Because SVMs are only capable of binary classifications, we employed five SVMs for the 5-class classification problem. We partition the data into the two classes of “Normal” and “Rest” (Probe, DoS, U2Su, R2L) patterns, where the rest is the collection of four classes of attack instances in the data set. The objective is to separate normal and attack patterns. We repeat this process for all classes. Training is done using the RBF (radial basis function) kernel option; an important point of the kernel function is that it defines the feature space in which the training set examples will be classified. Table 3 summarizes the results of the experiments using SVMs.
Training time (sec)
Testing time (sec)
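The one-vs-rest decomposition described above, as an added example that is not code from the paper: each of the five classes gets its own binary RBF-kernel classifier trained against the rest. The sample points, the gamma value and the margin kernel perceptron used in place of an SVM solver are assumptions, chosen so the sketch runs with the standard library only.

```python
import math

# Constructed two-feature samples, one tight cluster per class (not KDD data).
CENTERS = {"Normal": (0, 0), "Probe": (4, 0), "DoS": (0, 4),
           "U2Su": (4, 4), "R2L": (2, 8)}
OFFSETS = [(0.0, 0.0), (0.3, -0.2), (-0.2, 0.3)]
TRAIN = [((cx + dx, cy + dy), name)
         for name, (cx, cy) in CENTERS.items() for dx, dy in OFFSETS]
TEST = [((cx + 0.25, cy + 0.25), name) for name, (cx, cy) in CENTERS.items()]

def rbf(a, b, gamma=1.0):
    """RBF kernel: exp(-gamma * squared Euclidean distance)."""
    return math.exp(-gamma * sum((p - q) ** 2 for p, q in zip(a, b)))

def binarize(labels, target):
    """One-vs-rest relabelling: +1 for the target class, -1 for the rest."""
    return [1 if lab == target else -1 for lab in labels]

def score(X, y, alpha, x):
    """Kernel decision value for x; positive means 'target class'."""
    return sum(a * yj * rbf(xj, x) for a, yj, xj in zip(alpha, y, X))

def train(X, y, margin=0.5, epochs=5):
    """Margin kernel perceptron, an assumed stand-in for the SVM optimizer."""
    alpha = [0] * len(X)
    for _ in range(epochs):
        for i, xi in enumerate(X):
            if y[i] * score(X, y, alpha, xi) < margin:
                alpha[i] += 1  # sample i gains weight as a support point
    return alpha

def train_one_vs_rest(samples):
    """Train one binary classifier per class, each against all the others."""
    X, labels = zip(*samples)
    models = {}
    for target in CENTERS:
        y = binarize(labels, target)
        models[target] = (X, y, train(X, y))
    return models

def detect(models, x):
    """Classes whose binary classifier claims x."""
    return [name for name, (X, y, alpha) in models.items()
            if score(X, y, alpha, x) > 0]

MODELS = train_one_vs_rest(TRAIN)
if __name__ == "__main__":
    for feat, truth in TEST:
        print(truth, "->", detect(MODELS, feat))
```

Each binary model sees the same 15 training points; only the relabelling changes, which is why the training cost is paid once per class.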
5. Ranking The Significance of Features
Feature selection and ranking [16,17] is an important issue in intrusion detection. Of the large number of features that can be monitored for intrusion detection purposes, which are truly useful, which are less significant, and which may be useless? The question is relevant because the elimination of useless features (the so-called audit trail reduction) enhances the accuracy of detection while speeding up computation, thus improving the overall performance of an IDS. The feature ranking and selection problem for intrusion detection is similar to various engineering problems that are characterized by:
Having a large number of input variables
of importance to the output y; i.e., some elements of x are essential, some are less important, some of them may not be mutually independent, and some may be useless or irrelevant (in determining the value of y)