A Network Intrusion Detection Method using Independent Component Analysis

Dayu Yang, Hairong Qi
Electrical Engineering and Computer Science Department
University of Tennessee
Knoxville, TN 37996
(dyang, hqi@utk.edu)

Abstract

An intrusion detection system (IDS) detects illegal manipulations of computer systems. In intrusion detection systems, feature reduction, including feature extraction and feature selection, plays an important role in improving classification performance and reducing computational complexity. Feature reduction is even more important when online detection is needed, since online detection has less computational power available and must deliver results in real time, compared with offline detection. In this paper, an independent component analysis approach is applied to feature extraction in the online network intrusion detection problem. We use the KDD Cup 99 data and try to reduce its 41 features so that a significantly smaller number of features is fed into kNN and SVM classifiers. Also, a decision fusion method is employed to aggregate the results from multiple classifiers to achieve higher accuracy.

1. Introduction

The idea of intrusion detection appeared in 1980 [2], and an early abstract intrusion detection model was proposed in 1987 by Denning [4]. Any action that a user is not legally allowed to take towards an information system is called an intrusion, and intrusion detection is the process of detecting and tracing inappropriate, incorrect, or anomalous activity targeted at computing and networking resources. As a countermeasure to the vast number of security incidents that occur on a network, network intrusion detection systems (NIDSs) have become an important component of the security infrastructure. NIDSs detect suspicious activities that may compromise network security and alert the network administrator to respond to the threat.
Based on the techniques used, NIDSs can be classified as either signature detection systems or anomaly detection systems. Signature detection recognizes an intrusion based on known intrusions or attack characteristics (signatures). It identifies intruders who are trying to break in with known techniques. The detection decision is made based on knowledge of the modeled intrusive processes and of what traces the detector should find in the observed system. Anomaly detection, which is based on the assumption that something abnormal is most likely to be an intrusion, identifies an intrusion by calculating a deviation from normal system behavior. Comprehensive discussions of approaches to network intrusion detection are available in [10, 13].

There are two intrusion detection environments. Online detection has to minimize the security compromises and has less time and computational power to flag illegal actions when intrusions happen. Offline detection, or offline analysis, can provide more accurate detection results without the real-time constraints. In most real-world intrusion detection applications, online detection is required. Feature reduction hence plays an important role in improving classification performance, reducing computational complexity and delivering timely results.

There are two basic ways to reduce the data dimension. One is called feature selection: the technique of choosing a subset of relevant features for building robust learning models. It helps improve performance by removing irrelevant and redundant features from the data. Researchers have adopted feature selection methods such as feature ranking, relief, exhaustive search, etc. [3, 6] to reduce the dimension of the feature space. However, most of these methods are heuristic, relying on trial and error, and the chosen feature sets are tied to the specific classification methods that follow, which makes them hard to automate.
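The feature-ranking style of selection described above, as an added example that is not from the paper: a two-class Fisher-score ranking over constructed KDD-style connection records, keeping the top-scoring features and then classifying a new record with kNN in the reduced space. The feature names, record values and the selector itself are constructed for illustration (this is a ranking selector, not the paper's ICA extraction), and "duration" is deliberately built to carry no class information so the ranking can be seen to drop it.

```python
import math
from collections import Counter

FEATURES = ["duration", "src_bytes", "dst_bytes", "count", "serror_rate"]

# Constructed KDD-style records: (feature vector, label). Values are made up;
# "duration" is uninformative by construction, "count"/"serror_rate" separate the classes.
RECORDS = [
    ([5, 300, 1200, 3, 0.0], "normal"), ([7, 250, 900, 2, 0.0], "normal"),
    ([4, 400, 2000, 4, 0.1], "normal"), ([6, 150, 700, 1, 0.0], "normal"),
    ([5, 0, 0, 200, 1.0], "attack"), ([6, 0, 0, 180, 0.9], "attack"),
    ([4, 10, 0, 250, 1.0], "attack"), ([7, 0, 0, 220, 0.95], "attack"),
]

def fisher_scores(records):
    """Two-class Fisher score per feature: (mean gap)^2 / summed within-class variance."""
    labels = sorted({lab for _, lab in records})
    scores = []
    for j in range(len(records[0][0])):
        means, variances = [], []
        for lab in labels:
            col = [x[j] for x, l in records if l == lab]
            m = sum(col) / len(col)
            means.append(m)
            variances.append(sum((v - m) ** 2 for v in col) / len(col))
        scores.append((means[0] - means[1]) ** 2 / (sum(variances) + 1e-9))
    return scores

def select_features(records, k):
    """Indices of the k highest-scoring features (a simple feature-ranking selector)."""
    scores = fisher_scores(records)
    return sorted(range(len(scores)), key=lambda j: -scores[j])[:k]

def knn_predict(records, selected, query, k=3):
    """Majority label of the k nearest training records in the selected-feature subspace."""
    # Min-max scale each selected feature so large-valued fields (bytes, counts) do not dominate.
    lo = {j: min(x[j] for x, _ in records) for j in selected}
    hi = {j: max(x[j] for x, _ in records) for j in selected}
    def scale(x, j):
        return (x[j] - lo[j]) / (hi[j] - lo[j]) if hi[j] > lo[j] else 0.0
    dists = [(math.dist([scale(x, j) for j in selected], [scale(query, j) for j in selected]), lab)
             for x, lab in records]
    nearest = [lab for _, lab in sorted(dists)[:k]]
    return Counter(nearest).most_common(1)[0][0]

if __name__ == "__main__":
    selected = select_features(RECORDS, 2)
    print("selected:", [FEATURES[j] for j in selected])
    print(knn_predict(RECORDS, selected, [5, 0, 0, 190, 1.0]))
```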
978-1-4244-2175-6/08/$25.00 ©2008 IEEE