Reaching a Consensus on Access Detection by a Decision System

César Guevara (cesargue@ucm.es), José Antonio Martín (jamartinh@fdi.ucm.es), Matilde Santos (msantos@ucm.es), Victoria López (vlopezlo@ucm.es)
Dep. Computer Architecture and Automatic Control, Complutense University of Madrid, Madrid, Spain

Abstract—Classification techniques based on Artificial Intelligence are computational tools that have been applied to intrusion detection (IDS) with encouraging results. They are able to solve problems related to information security in an efficient way. Intrusion detection involves the use of a huge amount of information, and for this reason heuristic methodologies have been proposed. In this paper, decision trees, Naive Bayes and the supervised classifying system UCS are combined to improve the performance of a classifier. In order to validate the system, a scenario based on real data from the NSL-KDD99 dataset is used.

Keywords-artificial intelligence; heuristic methodologies; intrusion detection (IDS); decision trees; supervised classifying system UCS; naive Bayes

I. INTRODUCTION

Currently, Intrusion Detection Systems (IDS) are commonplace in network and computer system security, and new forms of attack, some considerably complex, appear more and more frequently [1]. Most IDS analyze network traffic and reject any intrusion by a user into the information system. The analysis performed by the IDS generally takes place at a low level, generating isolated alarms and handling an immense quantity of information. Other types of IDS use what is called an anomaly filter, which is applied to the information held by the server and the databases.
The field of intrusion detection remains an open research line concerning the development of dynamic methodologies that are able to adapt themselves to the evolution of computer attacks, which are increasingly sophisticated and complicated. The strategies that IDS use can be classified into two groups: misuse detection and anomaly detection. The methodology of anomaly-based intrusion detection, the strategy discussed in this article, is demanding and complex. Although it has achieved good results, it is not entirely adaptable to the needs of current technologies.

Misuse detection in a computer system requires knowledge of the sequence of activities that constitutes an attack, which must have been stored in a database. The stored information is compared with the patterns of previous attacks; if they coincide, an alarm or warning is set off. This is the most commonly used strategy, and in fact there is even commercial software that provides it. Its main advantages are speed, since it only has to find the similarity with an intrusion pattern that is already loaded, and a generally low number of false positives (reliability and precision). However, its disadvantages are the inability to detect new attacks in a dynamic way and, furthermore, the need to continually update the pattern database with new cases [2, 3]. So, it is based on the intrusion behaviour and tries to identify that pattern.

On the other hand, anomaly detection is based on information about the normal behavior of a user; every behavior that differs from it is identified as an intrusion. Therefore it is based on the normal behavior pattern. Some of its disadvantages are that this method generates a considerable number of false positives and that the normal behavior of users is quite difficult to model, mainly because of the need to store the information and to learn the users' behavior [4].
With these premises in mind, our proposal is to develop a dynamic method for intrusion detection by means of the analysis of anomalies in network traffic. The first step towards this objective is to apply different classification strategies from the Artificial Intelligence field. Intrusion detection has been approached before using data mining techniques, classification in particular [5, 6]. Specifically, we have tried decision trees, Naive Bayes and supervised classification systems. Then, we combine some of

This work has been partially supported by the Ministry of Higher Education, Science, Technology and Innovation (SENESCYT) of the Government of the Republic of Ecuador.
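As an added illustration of the consensus idea stated in the abstract (this is not code from the paper), a majority vote is taken over three members: a categorical Naive Bayes, a one-level decision tree, and a hand-written wildcard rule set standing in for a UCS rule population, applied to constructed NSL-KDD-like connection records. The training records, the rules and all function names are assumptions made here.

```python
from collections import Counter, defaultdict
from math import log
# Constructed NSL-KDD-like connection records: (protocol, service, flag, label).
TRAIN = [
    ("tcp", "http", "SF", "normal"), ("tcp", "http", "SF", "normal"),
    ("udp", "domain", "SF", "normal"), ("tcp", "smtp", "SF", "normal"),
    ("tcp", "private", "S0", "attack"), ("tcp", "private", "REJ", "attack"),
    ("tcp", "telnet", "S0", "attack"), ("icmp", "ecr_i", "SF", "attack"),
]

def train_naive_bayes(records):
    """Categorical Naive Bayes with Laplace smoothing; returns a predict function."""
    prior, counts, values = Counter(r[-1] for r in records), defaultdict(Counter), defaultdict(set)
    for r in records:
        for i, v in enumerate(r[:-1]):
            counts[(i, r[-1])][v] += 1
            values[i].add(v)
    def predict(x):
        scores = {label: log(n / len(records)) + sum(
            log((counts[(i, label)][v] + 1) / (n + len(values[i]))) for i, v in enumerate(x))
            for label, n in prior.items()}
        return max(scores, key=scores.get)
    return predict

def train_stump(records):
    """One-level decision tree: split on the feature whose per-value majority labels fit best."""
    default = Counter(r[-1] for r in records).most_common(1)[0][0]
    best = None
    for i in range(len(records[0]) - 1):
        table = defaultdict(Counter)
        for r in records:
            table[r[i]][r[-1]] += 1
        correct = sum(c.most_common(1)[0][1] for c in table.values())
        if best is None or correct > best[0]:
            best = (correct, i, {v: c.most_common(1)[0][0] for v, c in table.items()})
    return lambda x, i=best[1], leaf=best[2]: leaf.get(x[i], default)  # unseen value -> majority

# Constructed stand-in for a UCS rule population: '#' is a don't-care attribute.
RULES = [(("#", "#", "S0"), "attack"), (("#", "#", "REJ"), "attack"),
         (("icmp", "#", "#"), "attack"), (("#", "#", "#"), "normal")]
def rule_classifier(x):
    """First matching rule decides; the final all-'#' rule is the default."""
    return next(action for cond, action in RULES
                if all(c == "#" or c == v for c, v in zip(cond, x)))
def build_ensemble(records):
    return {"naive_bayes": train_naive_bayes(records),
            "decision_stump": train_stump(records), "rules": rule_classifier}
def consensus(ensemble, x):
    """Majority vote over the members; with three voters and two labels there is no tie."""
    return Counter(clf(x) for clf in ensemble.values()).most_common(1)[0][0]
```

On the record ("udp", "private", "SF") the stump votes attack while the other two vote normal, so the consensus overrides the single dissenting member.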