I. J. Computer Network and Information Security, 2016, 1, 35-42
Published Online January 2016 in MECS (http://www.mecs-press.org/)
DOI: 10.5815/ijcnis.2016.01.05
Copyright © 2016 MECS
Intrusion Detection with Multi-Connected Representation
Abdelkader Khobzaoui
Dr Moulay Tahar University, Saida, Algeria
Email: akhobzaoui@yahoo.fr
Abderrahmane Yousfate
Djilali Liabes University, Sidi Bel Abbes, Algeria
Email: yousfate@univ-sba.dz
Abstract—Recently, considerable attention has been given to data mining techniques as a way to improve the performance of intrusion detection systems (IDS). This has led to the application of various classification and clustering techniques to intrusion detection. Most of them implicitly assume that behaviors, both normal and intrusive, are represented by connected classes. We argue that this assumption is not self-evident and is a source of low detection rates and false alarms. This paper proposes a method that reaches a high detection rate and overcomes the disadvantages of conventional approaches, which consider that behaviors must be confined to a connected representation only. The main strategy of the proposed method is to segment each behavior representation sufficiently into connected subsets called natural classes, which are then used, with a suitable metric, as tools to build the expected classifier.
The results show that the proposed model has many advantages over conventional models, especially those that used the DARPA data set to test the effectiveness of their methods. The proposed model reduces both the false negative and the false positive rates.
Index Terms—Connected representation, discriminant analysis, Mahalanobis distance, mixture of probability laws, multi-connected representation, natural class, synthetic class.
I. INTRODUCTION
Recently, data mining and machine learning methods have become the principal basis of intrusion detection system (IDS) research. Both kinds of methods are usually statistics-based or computational-intelligence-based.
In the literature, the anomaly or misuse detection techniques used to build an intrusion detection system generally consider that the representation of each intrusion or normal behavior in the assumed topological space is implicitly a connected set. In fact, this assumption is not self-evident. A simple illustration, in which Principal Component Analysis is applied to the KDD’99 data set [10] to represent some behavior classes, shows that some representations can be non-connected (see, for example, Fig. 1); even the normal class is concerned. According to the separating hyperplane theorem (the Hahn-Banach theorem and its corollaries), this non-connectivity persists in high-dimensional spaces, even if the dimension is infinite. Therefore, if the geometric representation of some behavior (normal or abnormal) is non-connected for a given set of features, adding further features preserves the non-connectedness of this representation. It follows that both misuse and anomaly detection models will be considerably affected by this work wherever they wrongly assume that classes are connected.
Fig. 1. 2D representation of some behaviors: a) Normal, b) Neptune, c) Satan.
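The effect described above can be reproduced on a small scale. The following is an added example, not the authors' code: it fits a Mahalanobis-distance classifier to constructed 2D points, once with each behavior treated as a single connected class and once with each behavior split into natural classes. Assumptions: the data are constructed, the segmentation is a simple single-linkage grouping with a hypothetical radius `eps`, and the decision rule is nearest class by squared Mahalanobis distance.

```python
import math

def blob(cx, cy):
    """Constructed sample data: a 3x3 grid of points centred on (cx, cy)."""
    return [(cx + dx, cy + dy) for dx in (-1, 0, 1) for dy in (-1, 0, 1)]

def natural_classes(points, eps=1.5):
    """Split points into connected subsets (single-linkage components, radius eps)."""
    remaining, parts = list(points), []
    while remaining:
        part, frontier = [], [remaining.pop()]
        while frontier:
            p = frontier.pop()
            part.append(p)
            near = [q for q in remaining if math.dist(p, q) <= eps]
            remaining = [q for q in remaining if q not in near]
            frontier.extend(near)
        parts.append(part)
    return parts

def fit(points):
    """Mean and inverse 2x2 sample covariance of one class assumed connected."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points) / (n - 1)
    syy = sum((y - my) ** 2 for _, y in points) / (n - 1)
    sxy = sum((x - mx) * (y - my) for x, y in points) / (n - 1)
    det = sxx * syy - sxy ** 2
    return (mx, my), (syy / det, -sxy / det, sxx / det)

def mahalanobis_sq(p, model):
    """Squared Mahalanobis distance from point p to a fitted class."""
    (mx, my), (a, b, c) = model
    dx, dy = p[0] - mx, p[1] - my
    return a * dx * dx + 2 * b * dx * dy + c * dy * dy

def classify(p, models):
    """models: list of (label, model); return the label of the nearest class."""
    return min(models, key=lambda lm: mahalanobis_sq(p, lm[1]))[0]

# Constructed training set: "normal" is non-connected, "attack" lies in the gap.
TRAIN = {"normal": blob(0, 0) + blob(10, 0), "attack": blob(5, 0)}
connected = [(lbl, fit(pts)) for lbl, pts in TRAIN.items()]
multi = [(lbl, fit(part)) for lbl, pts in TRAIN.items()
         for part in natural_classes(pts)]

if __name__ == "__main__":
    q = (4, 1)  # a point taken from the attack training blob
    print("connected:", classify(q, connected), "| multi-connected:", classify(q, multi))
```

With the connected model, the normal class is fitted as one wide ellipse that covers the gap between its two components, so the attack point is absorbed into it and becomes a false negative; with natural classes the same point is assigned to the attack.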