Nowadays, as information systems are more open to the Internet, the importance of secure networks is tremendously increased. New intelligent Intrusion Detection Systems (IDSs) which are based on sophisticated algorithms rather than current signature-base detections are in demand. In this paper, we propose a new data-mining based technique for intrusion detection using an ensemble of binary classifiers with feature selection and multiboosting simultaneously. Our model employs feature selection so that the binary classifier for each type of attack can be more accurate, which improves the detection of attacks that occur less frequently in the training data. Based on the accurate binary classifiers, our model applies a new ensemble approach which aggregates each binary classifier’s decisions for the same input and decides which class is most suitable for a given input. During this process, the potential bias of certain binary classifier could be alleviated by other binary classifiers’ decision. Our model also makes use of multiboosting for reducing both variance and bias. The experimental results show that our approach provides better performance in terms of accuracy and cost than the winner entry of the ‘Knowledge Development and Data mining’ (KDD) ’99 cup challenge. Future works will extend our analysis to a new ‘Protected Repository for the Defense of Infrastructure against Cyber Threats’ (PREDICT) dataset as well as real network data.

1. S. Kumar, "Classification and detection of computer intrusions", Ph.D. thesis, Purdue Univ., West Lafayette, IN, 1995.
2. W. Lee and D. Xiang "Information-theoretic measures for anomaly detection", In Proc. of the 2001 IEEE Symp. on Security and Privacy, Oakland, CA, May, 2001, pp. 130-143.
3. A. K. Ghosh, A. Schwartzbard, and M. Schatz, "Learning program behavior profiles for intrusion detection", Proc. of 1st USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, CA, April, 1999, pp. 51-62.
4. W. Lee and S. J. Stolfo, "Data mining approaches for intrusion detection", Proc. of the 7th USENIX Security Symp., San Antonio, TX, 1998.
5. W. Lee, S. J. Stolfo, and K. W. Mok "A data mining framework for building intrusion detection models", Proc. of the 1999 IEEE Symp. on Security and Privacy, Oakland, CA, May, 1999, pp. 120-132.
6. W. Lee, R. A. Nimbalkar, K. K. Yee, S. B. Patil, P. H. Desai, T. T. Tran, and S. J. Stolfo, "A data mining and Cidf based approach for detecting novel and distributed intrusions", Lectures Notes in Computer Science, Vol. 1907, pp. 49- 54, 2000.
7. The UCI KDD Archive, "KDD cup 1999 data", http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
8. MIT Lincoln Laboratory, "DARPA intrusion detection evaluation", http://www.ll.mit.edu/IST/ideval/, MA, USA.
9. S. Mukkamala and A. H. Sung, "Identifying significant features for network forensic analysis using artificial intelligent techniques", International Journal of Digital Evidence, Vol. 1, Issue 4, Winter 2003.
10. S. Chebrolu, A. Abraham, and J. P. Thomas, "Feature deduction and ensemble design of intrusion detection systems", Computer & Security, Vol. 24, Issue 4, June 2005, pp. 295-307.
11. Y. Freund and R. E. Schapire, "A decision-theoretic generalization of on-line learning and an application to boosting", Journal of Computer and System Sciences, Vol. 55, Issue 1, August 1997, pp. 119-139.
12. L. Breiman, "Bagging predictors", Technical Report No. 421, Department of Statistics, University of California Berkeley, September 1994.
13. J. R. Quinlan, "C4.5: programs for machine learning", Morgan Kaufmann Publishers, 1993.
14. E. Bauer and R. Kohavi, "An empirical comparison of voting classification algorithms: bagging, boosting and variants", Machine Learning, Vol. 36, Nos. 1-2, 1999, pp. 105-139.
15. G. I. Webb, "Multiboosting: a technique for combining boosting and wagging", Machine Learning, Vol. 40, 2000, pp. 159-196.
16. T. Brugger, “KDD Cup '99 dataset (network intrusion) considered harmful”, http://www.kdnuggets.com/news/2007/ n18/4i.html
17. PREDICT Coordinating Center, “PREDICT overview”, https://www.predict.org/Portals/0/files/Documentation/MANUAL%2 0OF%20OPERATIONS/PREDICT_Overview_final.pdf?
18. S. Kullback, "The Kullback-Leibler distance", The American Statistician, 1987, pp.340-341.
19. B. Pfahringer, "Winning the KDD99 classification cup: Bagged Boosting", ACM SIGKDD Explorations Newsletter, Vol. 1, Issue 2, 2000, pp. 65-66.

Intrusion Detection Data Mining Ensemble Approach Feature Selection Multiboosting