International Journal of Database Theory and Application
Vol.7, No.2 (2014), pp.59-70
http://dx.doi.org/10.14257/ijdta.2014.7.2.06

ISSN: 2005-4270 IJDTA
Copyright 2014 SERSC

An Efficient Hybrid Intrusion Detection System based on C5.0 and SVM

Vahid Golmah
Department of Computer Engineering, Neyshabur Branch, Islamic Azad University, Neyshabur, Iran
v.golmah@in.iut.ac.ir

Abstract

Nowadays, much attention has been paid to intrusion detection systems (IDS), which are closely linked to the safe use of network services. Several machine-learning paradigms, including neural networks, linear genetic programming (LGP), support vector machines (SVM), Bayesian networks, multivariate adaptive regression splines (MARS), fuzzy inference systems (FISs), etc., have been investigated for the design of IDS. In this paper, we develop a hybrid method of C5.0 and SVM and investigate and evaluate the performance of our proposed method with the DARPA dataset. The motivation for using the hybrid approach is to improve the accuracy of the intrusion detection system when compared to using individual SVM and individual SVM.

Keywords: Data Mining, Intrusion Detection System (IDS), Support Vector Machines (SVM), C5.0 Algorithm

1. Introduction

With the rapid development and popularity of the Internet, the security of networks has become increasingly significant and has been a focus of current research. Nowadays, much attention has been paid to intrusion detection systems (IDS), which are closely linked to the safe use of network services. However, it is not easy to distinguish an attack from a normal network visit [1]. In today's intrusion detection systems, large-scale data clustering and classification have become an increasingly important and challenging area. Although various tools and methods have been proposed, few are sufficient and efficient enough for real applications, due to the exponential growth in size and the high dimensionality of data inputs [2].
Intrusion Detection Systems (IDSs) are designed to defend computer systems from various cyber attacks and computer viruses. IDSs build effective classification models or patterns to distinguish normal behaviors from abnormal behaviors that are represented by network data. There are two primary assumptions in the research of intrusion detection: (1) user and program activities are observable by computer systems (e.g., via system auditing mechanisms), and (2) normal and intrusion activities must have distinct behaviors [2].

In the intrusion detection field, two different approaches can be observed: misuse detection and anomaly detection. The main idea behind misuse detection is to represent attacks in the form of a pattern or a signature in such a way that even variations of these attacks can be detected. Based on these signatures, this approach detects attacks through a large set of rules describing every known attack. The main disadvantage of the signature-based approach is its difficulty in detecting unknown attacks. The main goal of the anomaly detection approach is to build a statistical model for describing normal traffic. Then, any deviation from this model