Network Intrusion Detection Using One-Class Classification Based on Standard Deviation of Service's Normal Behavior

Abstract

Computer networks and internet have been increasingly used in our daily life. Due to the explosive growth of network attacks, network intrusion detection systems (NIDS) have become an essential network component which plays a vital role for computer networks' security. The main purpose of NIDS is to protect network resources from any unauthorized access that may gather confidential data, affect its availability or violate its data integrity. A lot of efforts have been given toward designing a perfect NIDS that has a high detection rate and low false alarm rate. Some have used misuse detection technique which fails to detect zero-day attacks, such that there is a high demand for alternative detection techniques. The problems of using supervised learning is the cost of producing labeled dataset, and also the model is trained on known attacks which may fail to detect new variant attacks. On the other hand, unsupervised learning has the problem of labeling the generated clusters; which cluster is normal or abnormal. Semi-supervised learning techniques suffers from the limitation that it cannot outperform supervised classification unless the analyst is absolutely certain that there is some nontrivial relationship between labeled and the unlabeled distribution. Because of the limitations of previous learning techniques, and because of the increasing diversity and polymorphism of network attacks, a fourth learning technique called One-Class Classification (OCC) has been used to learn the behavior of single class, which is commonly normal traffic, to detect any deviation from it. However when applying this technique on network as a whole it suffers from the high dimensional network feature spaces. Also, problems may arise when large differences in density exist. To overcome these problems, we proposed a primary OCC-NIDS model based on the standard deviation of service's normal behavior. Through this model we dealt with each network service as single class instead of dealing with all network services as a single class. By this way we use just the relevant features of each service, hence reducing the high dimensional network feature spaces and also ensure that each class has - a proximately - uniform distribution. We evaluated the proposed primary model on our testbed dataset and on KDD Cup'99 datasets. The proposed model proved that it has the ability to detect abnormal network traffic with high detection rate and low false positive rate. Our proposed model achieved 98.14% detection rate and 98.74% accuracy rate with 0.13% false positive rate on our testbed dataset. While on KDD Cup'99 dataset our model achieved 99.88% detection rate and 99.6% accuracy rate with a false alarm rate reached 0.77% and false positive rate 0.028%.