Network Attacks Identification using consistency based feature selection and Self Organizing Maps Zeon Trevor Fernando & I.Sumaiya Thaseen, Ch.Aswani Kumar, School of Computing Science and Engineering School of Information Technology and Engineering, VIT University VIT University, Chennai, Tamil Nadu, India Vellore, Tamil Nadu, India. Email: sumaiyathaseen@gmail.com Abstract— Anomaly detection is one of the major areas of research with the tremendous development of computer networks. Any intrusion detection model designed should have the ability to visualize high dimensional data with high processing and accurate detection rate. Integrated Intrusion detection models combine the advantage of low false positive rate and shorter detection time. Hence this paper proposes an anomaly detection model by deploying consistency based feature selection, J48 decision tree and self organizing map (SOM). Experimental analysis has been carried on KDD99 data set and each of the features selected using the integrated mechanism has been able to identify the attacks in the data set. Keywords— Self Organizing Map, Consistency based Feature Selection, Intrusion Detection Systems. I. INTRODUCTION Network security is steadily gaining lot of attention in the current research due to the advances in Internet domain. Most of the attention nowadays is with the development of intrusion detection systems(IDS) for utilizing the network services safely. An IDS acts as a defensive solution to identify malicious activities in the network[7].IDS can be classified into two types based on the detection approaches: misuse and anomaly detection. Misuse detection models use available knowledge on attack data to identify attack traces. Anomaly detection identifies intrusions by discovering the behavior of normal profile. Any variation from the regular activity is identified as an anomalous one. The advantage of anomaly detection models in comparison to misuse based models is their ability to identify new attack patterns which have no signature and the disadvantage being high false positive rate [9]. Anomaly detection models developed using machine learning and statistical algorithms provide a human independent solution to overcome the problem of rapid attacks which are mostly identified in worm propagation. There are two approaches to design a model: Supervised methods have a predefined knowledge on the system and unsupervised methods generate knowledge from the data provided to the model. Unsupervised approach can generate suitable labels for a given dataset without human intervention. Though supervised learning has high detection performance and relatively high processing rate, it requires additional load of preprocessing to identify the relation between successive differences of learning inputs. Hence we employ an unsupervised approach in our model. Self Organizing Maps (SOM) is a new powerful method that has been successfully applied in complex application areas where traditional methods have failed. Due to the non linear nature of SOM, they can handle complex situations. The department of Computer and Informatics, Technical University of Kosice designed an intrusion detection model which was an application of neural network SOM. The proposed model utilizes the benchmark dataset namely the KDD 99 data set used by many researchers.KDD 99 data set is used in our analysis for training and testing of the proposed model[8]. Anomaly detection model identifies suspicious behavior based on the pattern of normal behavior. Neural networks is a potential domain used for solving many classification problems.SOM is used for examining high dimensional data and has been proved to be successful in many data mining applications. Consistency based feature selection is used along with SOM to identify the major features for determining the attack type. This model is successfully implemented and tested. II. RELATED WORK Artificial intelligence techniques play a major role for modeling intrusion detection systems. Neural networks is a promising domain which has been applied for many classification problems. Sumaiya et al[16] gave an analysis of supervised tree based classifiers for intrusion detection system wherein different classifier models along with feature selection was applied to obtain an optimized record set for determining whether a packet is of normal or anomaly type. Pachgare et al[1] used Self Organizing Maps (SOM) to implement an intrusion detection model 162 978-1-4799-3486-7/14/$31.00 c 2014 IEEE