Hierarchical Classifier Combination and its Application in Networks Intrusion Detection

Morteza Analoui, Behrouz Minaei Bidgoli, Mohammad Hossein Rezvani
Computer Engineering Department, Iran University of Science and Technology, 16846-13114, Tehran, Iran
analoui@iust.ac.ir, minaeibi@cse.msu.edu, rezvani@iust.ac.ir

Abstract

Intrusion detection is an effective mechanism for dealing with attacks on computer networks. Pattern recognition techniques have been used for network intrusion detection for more than a decade. Almost all such intrusion detection systems (IDSs) use a single classifier to distinguish normal behaviour patterns from attack signatures. Moreover, these systems have a high false alarm rate and a high cost. In this paper, a hierarchical classifier combiner is proposed to detect network intrusions based on the fusion of multiple well-known and efficient classifiers. The KDDCUP99 dataset is used to train and test the classifiers. The overall performance in terms of the overall error rate, the average cost and the false alarm rate is investigated and discussed. The performance of the proposed approach is also compared with that of the most common non-hierarchical combination approaches as well as of the individual classifiers.

1. Introduction

An intrusion detection system (IDS) uses mechanisms developed to detect violations of a network security policy. There are two methods of intrusion detection: misuse detection and anomaly detection. Misuse detection is based on knowledge of the signatures of known attacks. The main disadvantage of the misuse detection method is that it can only detect the attacks it has been trained on and cannot detect new or unknown attacks. The anomaly detection method is based on the expected behaviour of the user. Each attack causes a deviation from the normal pattern. Upon detecting such a deviation, the anomaly detection system generates an alarm. The main drawback of this method is its high false alarm rate, while its main advantage is the ability to detect unknown attacks. Using pattern recognition approaches for the development of advanced IDSs combines the advantages of signature-based and anomaly-based IDSs [1]. On the other hand, empirical observations show that classifiers combined together yield better performance than individual classifiers [2]. In this work, we propose a hierarchical two-level fusion approach for IDS using three heterogeneous base classifiers. The performance of the proposed approach is evaluated through experiments and compared with the performance of individual classifiers and of non-hierarchical classifier combiners.

The rest of the paper is organized as follows. In section 2, previous research on classifier combination for IDS is reviewed and the proposed two-level architecture is presented. The data fusion approaches based on multiple classifiers are illustrated in section 3, where the different combination methods used in our work are also discussed. The experimental setup and numerical examples of the combinations at each level of the proposed approach are given in section 4 to illustrate the operations performed by the model. In section 5, we conclude with the advantages of the proposed approach.

2. Related works and the proposed approach

Recent achievements in pattern recognition theory have shown that the overall performance of classification may be improved by fusion of multiple base classifiers trained on different feature subsets (representations) [3, 4]. In the field of IDS research, almost all researchers have used the KDDCUP99 dataset to evaluate their models. We will give sufficient

Seventh IEEE International Conference on Data Mining - Workshops, 0-7695-3019-2/07 $25.00 © 2007 IEEE, DOI 10.1109/ICDMW.2007.19, p. 533
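The abstract and introduction describe the two ideas that the rest of the paper builds on: fusing the decisions of several base classifiers, and scoring an IDS by overall error rate, false alarm rate and average cost rather than accuracy alone. The following Python script is an added example written for this page; it is not the authors' code and does not implement the paper's own two-level combiner. It uses plain majority voting as one standard combination rule, computes the three metrics named in the abstract, and runs them over a small constructed set of labelled records with the outputs of three hypothetical base classifiers A, B and C. The five classes are the KDD'99 categories; the cost matrix follows the KDD Cup 1999 scoring matrix as recalled by the editor and is an assumption, not a value taken from the paper.

```python
from collections import Counter

# The five KDD'99 record categories: "normal" plus the four attack classes.
CLASSES = ("normal", "probe", "dos", "u2r", "r2l")

# Misclassification cost; rows are the true class, columns the predicted class.
# Assumption: this is the KDD Cup 1999 scoring matrix as recalled by the
# editor, included for illustration only. A miss (attack labelled "normal")
# costs more than a false alarm for the rarer, more damaging classes.
COST = {
    "normal": {"normal": 0, "probe": 1, "dos": 2, "u2r": 2, "r2l": 2},
    "probe":  {"normal": 1, "probe": 0, "dos": 2, "u2r": 2, "r2l": 2},
    "dos":    {"normal": 2, "probe": 1, "dos": 0, "u2r": 2, "r2l": 2},
    "u2r":    {"normal": 3, "probe": 2, "dos": 2, "u2r": 0, "r2l": 2},
    "r2l":    {"normal": 4, "probe": 2, "dos": 2, "u2r": 2, "r2l": 0},
}

# Tie-break order for a split vote: the class that is most expensive to
# confuse with "normal" wins, so a disagreement errs toward raising an alarm.
# Derived from the "normal" column of COST: r2l, u2r, dos, probe, normal.
TIE_ORDER = sorted(CLASSES, key=lambda c: -COST[c]["normal"])


def majority_vote(votes):
    """Fuse one label per base classifier into a single decision."""
    counts = Counter(votes)
    best = max(counts.values())
    tied = [label for label, n in counts.items() if n == best]
    return min(tied, key=TIE_ORDER.index)


def combine(*base_predictions):
    """Apply majority_vote record by record across the base classifiers."""
    return [majority_vote(votes) for votes in zip(*base_predictions)]


def evaluate(y_true, y_pred):
    """Overall error rate, false alarm rate and average cost of a label sequence.

    False alarm rate is the fraction of truly normal records that were
    labelled as any attack class; average cost is total cost per record.
    """
    n = len(y_true)
    pairs = list(zip(y_true, y_pred))
    errors = sum(t != p for t, p in pairs)
    normal_total = sum(t == "normal" for t in y_true)
    false_alarms = sum(t == "normal" and p != "normal" for t, p in pairs)
    total_cost = sum(COST[t][p] for t, p in pairs)
    return {
        "error_rate": errors / n,
        "false_alarm_rate": false_alarms / normal_total if normal_total else 0.0,
        "average_cost": total_cost / n,
    }


# Constructed toy test set (eleven records) with the decisions of three
# hypothetical base classifiers. Record 10 is a three-way split vote.
TRUE  = ["normal", "normal", "normal", "normal", "dos", "dos", "probe", "r2l", "u2r", "normal", "r2l"]
CLF_A = ["normal", "normal", "probe",  "normal", "dos", "dos",   "probe",  "normal", "normal", "normal", "normal"]
CLF_B = ["normal", "normal", "normal", "normal", "dos", "probe", "probe",  "r2l",    "u2r",    "dos",    "u2r"]
CLF_C = ["normal", "dos",    "normal", "normal", "dos", "dos",   "normal", "r2l",    "normal", "normal", "r2l"]


def compare():
    """Metrics for each base classifier and for their majority-vote fusion."""
    return {
        "A": evaluate(TRUE, CLF_A),
        "B": evaluate(TRUE, CLF_B),
        "C": evaluate(TRUE, CLF_C),
        "fused": evaluate(TRUE, combine(CLF_A, CLF_B, CLF_C)),
    }


if __name__ == "__main__":
    for name, m in compare().items():
        print(f"{name:>5}: error={m['error_rate']:.3f} "
              f"FAR={m['false_alarm_rate']:.3f} cost={m['average_cost']:.3f}")
```

On this constructed set the fused decision has a lower error rate and false alarm rate than any single base classifier and a cost no worse than the best of them, which is the empirical effect the introduction cites from [2]; the one remaining error is the u2r record that two of three classifiers labelled normal, showing why a cost-weighted rule (as opposed to plain voting) is worth considering when the rare classes carry the highest miss cost.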