
A Novel Lightweight Hybrid Intrusion Detection Method Using a Combination of Data Mining Techniques

Abstract (English)

Hybrid intrusion detection systems that use data mining techniques to improve effectiveness have been actively pursued in the last decade. However, the complexity of building their detection models becomes very expensive on large-scale datasets, making them unviable for real-time retraining. To overcome this limitation of the conventional hybrid method, we propose a new lightweight hybrid intrusion detection method that combines feature selection, clustering and classification. Based on our hypothesis that attack events differ in nature across network protocols, the proposed method examines the data of each network protocol separately, applying the same process to each. First, the training dataset is divided into training subsets according to network protocol. Next, each training subset is reduced in dimensionality by eliminating irrelevant and redundant features through feature selection, and then partitioned into disjoint regions of similar feature values by K-Means clustering. Lastly, the C4.5 decision tree is used to build multiple misuse detection models for the suspicious regions, i.e., those that deviate from both the normal and the anomaly regions. As a result, each detection model is built from high-quality data that is less complex and consists only of relevant records. To demonstrate the enhanced performance, the proposed method was evaluated through experiments on the NSL-KDD dataset. The experimental results indicate that the proposed method outperforms the conventional hybrid method using the same algorithms in terms of both effectiveness (F-value: 0.9957, classification accuracy: 99.52%, false positive rate: 0.26%) and efficiency (its training and testing times are approximately 33% and 25%, respectively, of those required by the conventional method).

Table of Contents

Abstract
 1. Introduction
 2. Related Works
 3. Proposed Lightweight Hybrid Intrusion Detection Method
  3.1. Preprocessing Module
  3.2. Anomaly Detection Module
  3.3. Misuse Detection Module
 4. Experimental Results
  4.1. Dataset
  4.2. Performance Metrics
  4.3. Results and Discussion
 5. Conclusion
 References

Author Information

  • Jatuphum Juanchaiyaphum Semantic Mining Information Integration Laboratory (SMIIL)
  • Ngamnij Arch-int Semantic Mining Information Integration Laboratory (SMIIL)
  • Somjit Arch-int Semantic Mining Information Integration Laboratory (SMIIL)
  • Saiyan Saiyod Hardware-Human Interface and Communications Laboratory (H2I-Comm) Computer Science Department, Science Faculty, Khon Kaen University Khon Kaen, 40002, Thailand
