Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions. There have been a lot of researches done to invent an ideal intrusion detection system (IDS) that is a system which can detect both known attacks and new attacks. Support vector machines (SVM) has been known as a promising methods for classification accuracy and its generalization ability. In this research, we design an SVM-based intrusion detection system which combines a hierarchical clustering algorithm, feature selection process and SVM classification techniques. The hierarchical clustering will provide SVM with a high quality training instances from the original training set. The feature selection process will eliminate unimportant features from the training set so that the model SVM produced can be used to classify the network traffic data accurately. Our experiments which use KDD Cup 1999 data set show that our method can achieve high accuracy classification rate with a low false positive rate.

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions. There have been a lot of researches done to invent an ideal intrusion detection system (IDS) that is a system which can detect both known attacks and new attacks. Support vector machines (SVM) has been known as a promising methods for classification accuracy and its generalization ability. In this research, we design an SVM-based intrusion detection system which combines a hierarchical clustering algorithm, feature selection process and SVM classification techniques. The hierarchical clustering will provide SVM with a high quality training instances from the original training set. The feature selection process will eliminate unimportant features from the training set so that the model SVM produced can be used to classify the network traffic data accurately. Our experiments which use KDD Cup 1999 data set show that our method can achieve high accuracy classification rate with a low false positive rate.

[1] Fayyad, U. M., G. Piatetsky-Saphiro, and P. Smyth. The KDD process for extracting useful knowledge from volumes of data. Communications of the ACM 39(11), 27-34, November 1996.
[2] H. Yu, J. Yang, J. Han, and X. Li, Classifying Large Data Sets Using SVM with Hierarchical Clusters, In Proc 2003 Int. Conf. on Knowledge Discovery in Databases (KDD’03).
[3] T. Zhang, R. Ramakrishnan, and M. Livny. BIRCH: an efficient data clustering method for very large databases, In Proc. ACM SIGMOD Int. Conf. Management of Data (SIGMOD’96), pp. 103–114, 1996.
[4] S. Guha, R. Rastogi, and K. Shim. Cure: An efficient clustering algorithm for large databases. In Proc. 1998 ACM-SIGMOD Int. Conf. Management of Data (SIGMOD’98), pages 73–84, Seattle, WA, June 1998.
[5] S. Guha, R. Rastogi, and K. Shim. ROCK: A robust clustering algorithm for categorical attributes. In Proc. 1999 Int. Conf. Data Engineering (ICDE’99), pages 512–521, Sydney, Australia, March 1999.
[6] G. Karypis, E.-H. Han, and V. Kumar. CHAMELEON: A hierarchical clustering algorithm using dynamic modeling. COMPUTER, 32:68–75, 1999.
[7] Vapnik, V. The Nature of Statistical Learning Theory. New York, NY: Springer-Verlag, 1995.
[8] Boser, B. E., I. Guyon, and V. Vapnik. A training algorithm for optimal margin classifiers. In Proceedings of the Fifth Annual Workshop on Computational Learning Theory, pp. 144-152. ACM Press, 1992.
[9] A. Sundaram, “An introduction to intrusion detection”. ACM Cross Roads, vol. 2, no. 4, Apr. 1996.
[10] Hsu, C.-W., Chang, C.-C., and C.-J. Lin. A Practical Guide to Support Vector Classification, 2007.
[11] http://www.csie.ntu.edu.tw/~cjlin/libsvm
[12] KDD Cup 1999 Intrusion detection data set: http://kdd.ics.uci.edu/databases /kddcup99/kddcup99.html
[13] A. Abraham, C. Grosan, and C. Martin-Vide, “ Evolutionary Design of Intrusion Detection Programs“, International Journal of Network Security, Vol.4, No.3, pp 328-339, 2007.
[14] Y. Bouzida and F. Cuppens, “Neural Networks vs. Decision Trees for Intrusion Detection”, 2006.
[15] B. Pfahringer, Winning the KDD99 classification cup: bagged boosting, SIGKDD Explorations 1 (2) 65–66, 2000.
[16] I. Levin, KDD-99 classifier learning contest LLSoft’s results overview. SIGKDD explorations, ACM SIGKDD 1 (2) 67–75, 2000.
[17] Chimphlee W., Abdullah A. H., Md Sap M. N., Srinoy S., and Chimphlee S., “Anomaly-Based Intrusion Detection using Fuzzy Rough Clustering”. International Conference on Hybrid Information Technology (ICHIT'06), 2006.
[18] Toosi A. N., Kahani M., “A new approach to intrusion detection based on an evolutionary soft computing model using neuro-fuzzy classifiers”, Computer Communications 30, pp 2201–2212, 2007.
[19] Novikov D., Yampolskiy R. V., Reznik L.. “Anomaly Detection Based Intrusion Detection”, Proceedings of the Third International Conference on Information Technology: New Generations (ITNG'06), 2006.
[20] M.R. Sabhnani, G. Serpen, “Application of machine learning algorithms to KDD intrusion detection dataset within misuse detection context”, in: Proceedings of International Conference on Machine Learning: Models, Technologies, and Applications, 23–26 June 2003, Las Vegas, Nevada, USA, 2003, pp. 209–215.
[21] Xuren W., Famei H., Rongsheng X., “Modeling Intrusion DetectionSystem by Discovering Association Rule in Rough Set Theory Framework”. International Conference on Computational Intelligence for Modelling Control and Automation, and International Conference on Intelligent Agents, Web Technologies and Internet Commerce (CIMCA-IAWTIC'06), 2006.